|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--589f360a-932c-4558-a0b0-43dd02de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T11:04:44.000Z",
|
||
|
"modified": "2017-02-14T11:04:44.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "grouping",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "grouping--589f360a-932c-4558-a0b0-43dd02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T11:04:44.000Z",
|
||
|
"modified": "2017-02-14T11:04:44.000Z",
|
||
|
"name": "OSINT - Enhanced Analysis of GRIZZLY STEPPE Activity",
|
||
|
"context": "suspicious-activity",
|
||
|
"object_refs": [
|
||
|
"indicator--589f4869-c3fc-4d12-9b76-0ab502de0b81",
|
||
|
"indicator--589f4829-6744-4e0f-b3d7-401902de0b81",
|
||
|
"x-misp-attribute--589f4775-fb8c-4bf3-8ff6-433e02de0b81",
|
||
|
"indicator--589f4038-2120-4e06-b449-41cd02de0b81",
|
||
|
"indicator--589f4025-ae00-42f7-b50d-4c1502de0b81",
|
||
|
"indicator--589f4005-85b4-47fc-b7bc-4a2602de0b81",
|
||
|
"indicator--589f3ff2-c160-4594-8a6c-4f5902de0b81",
|
||
|
"indicator--589f3fbd-8280-4e28-8299-4ad102de0b81",
|
||
|
"indicator--589f3fa0-cb5c-4726-b61f-48ab02de0b81",
|
||
|
"indicator--589f3f85-d1b0-4f88-885b-43ae02de0b81",
|
||
|
"indicator--589f3f68-41e4-4733-be6e-419f02de0b81",
|
||
|
"indicator--589f3f55-bb50-47e8-be77-404d02de0b81",
|
||
|
"indicator--589f3eed-394c-4851-b0fd-46b702de0b81",
|
||
|
"indicator--589f3ed3-2974-4f8b-923b-42f702de0b81",
|
||
|
"indicator--589f3e95-9c44-4aa4-bbeb-42b602de0b81",
|
||
|
"indicator--589f3e78-b8e0-40a4-b7bf-461402de0b81",
|
||
|
"indicator--589f3e53-bd04-44cf-bfa5-471602de0b81",
|
||
|
"indicator--589f3e39-321c-415f-a2ea-4d4202de0b81",
|
||
|
"indicator--589f3e21-7f80-4804-9773-4e9002de0b81",
|
||
|
"indicator--589f3dca-7a44-4990-b12b-432802de0b81",
|
||
|
"indicator--589f3da4-85a0-45f1-9a4b-46c202de0b81",
|
||
|
"indicator--589f3d8b-443c-44c9-9f06-47a402de0b81",
|
||
|
"indicator--589f3d57-a834-461f-9fb3-4c6a02de0b81",
|
||
|
"indicator--589f3d37-f17c-42d0-b01d-4fd202de0b81",
|
||
|
"indicator--589f3d22-8428-42c7-a608-400302de0b81",
|
||
|
"indicator--589f3cff-a528-4477-9f3a-473102de0b81",
|
||
|
"indicator--589f3ce5-fab0-4f87-9547-4aa802de0b81",
|
||
|
"indicator--589f3cc8-2278-492c-8328-41d102de0b81",
|
||
|
"indicator--589f3cb3-b654-4384-9d93-4f5902de0b81",
|
||
|
"indicator--589f3c97-bf00-4e7c-9f14-4cf802de0b81",
|
||
|
"indicator--589f3c7d-bd60-4750-914e-427102de0b81",
|
||
|
"indicator--589f3c5f-e2b0-4ba0-80ac-4a2f02de0b81",
|
||
|
"indicator--589f3c3c-bc84-42de-8abe-456002de0b81",
|
||
|
"indicator--589f3c25-82b0-4461-8be2-46f202de0b81",
|
||
|
"indicator--589f3beb-b744-40ee-9af1-44a002de0b81",
|
||
|
"indicator--589f3bd2-7dd4-4434-b560-4f5302de0b81",
|
||
|
"indicator--589f3bbb-5324-4dd1-9c84-451102de0b81",
|
||
|
"indicator--589f3b9a-1ebc-472f-84e8-4ff502de0b81",
|
||
|
"indicator--589f3a65-2a8c-4da8-9f60-463c02de0b81",
|
||
|
"indicator--589f3a3d-3834-47da-a7f5-4c4302de0b81",
|
||
|
"indicator--589f3a12-2cf4-43b7-baf6-44fb02de0b81",
|
||
|
"indicator--589f39aa-9070-4a20-aa21-4a4e02de0b81",
|
||
|
"indicator--589f398e-d69c-4d8f-9d7f-4a8b02de0b81",
|
||
|
"indicator--589f38be-03a4-44e0-99e6-4e2402de0b81",
|
||
|
"indicator--589f3870-9704-45be-b9e9-40f902de0b81",
|
||
|
"indicator--589f3845-0bb4-490f-99d9-452b02de0b81",
|
||
|
"indicator--589f37f4-9fb4-4a54-a86c-4f1902de0b81",
|
||
|
"indicator--589f37a7-5160-4c3a-a3b0-49d902de0b81",
|
||
|
"observed-data--589f366a-aad4-4d33-bc17-4a0002de0b81",
|
||
|
"file--589f366a-aad4-4d33-bc17-4a0002de0b81",
|
||
|
"artifact--589f366a-aad4-4d33-bc17-4a0002de0b81",
|
||
|
"indicator--58a1d338-9ecc-4784-91fa-4793950d210f",
|
||
|
"indicator--58a1d337-bfcc-491c-8e96-42fa950d210f",
|
||
|
"indicator--58a1d335-82cc-4ee5-80a2-4d64950d210f",
|
||
|
"indicator--58a1d334-1798-48ab-9634-49ca950d210f",
|
||
|
"indicator--58a1d332-4a24-48ca-8328-4628950d210f",
|
||
|
"indicator--58a1d331-0850-4c66-a628-485e950d210f",
|
||
|
"indicator--58a1d32f-2404-45ca-830b-44d3950d210f",
|
||
|
"indicator--58a1d32d-93e0-4680-b943-42fd950d210f",
|
||
|
"indicator--58a1d32c-484c-48b7-b097-492a950d210f",
|
||
|
"indicator--58a1d32a-4988-465f-a227-421c950d210f",
|
||
|
"indicator--58a1d329-2d40-4699-979b-49ff950d210f",
|
||
|
"indicator--58a1d327-5168-4c0c-aa80-4a42950d210f",
|
||
|
"indicator--58a1d326-2148-4065-a82b-4aab950d210f",
|
||
|
"indicator--58a1d324-ca20-4547-9b1c-42c3950d210f",
|
||
|
"indicator--58a1d323-1250-4050-9008-47e7950d210f",
|
||
|
"indicator--58a1d321-d84c-4f3d-b737-4a0b950d210f",
|
||
|
"indicator--58a1d320-7d20-40d1-928a-4ae6950d210f",
|
||
|
"indicator--58a1d31e-dfd8-4b43-abc2-4a19950d210f",
|
||
|
"indicator--58a1d31d-5a60-4b6e-bb58-41f6950d210f",
|
||
|
"indicator--58a1d31b-8bf4-4e5e-9028-4aed950d210f",
|
||
|
"indicator--58a1d319-1078-41e7-b151-4c80950d210f",
|
||
|
"indicator--58a1d318-75c4-478b-b491-4169950d210f",
|
||
|
"indicator--58a1d316-cf60-4ba7-a3fa-4775950d210f",
|
||
|
"indicator--58a1d315-5bb8-4bc5-9bf5-4e67950d210f",
|
||
|
"indicator--58a1d313-0f6c-429a-90f6-4eb7950d210f",
|
||
|
"indicator--58a1d312-ea80-4149-970d-456d950d210f",
|
||
|
"indicator--58a1d310-24e0-4b11-a84c-4d96950d210f",
|
||
|
"indicator--58a1d30f-3934-4c8a-bebf-4b38950d210f",
|
||
|
"indicator--58a1d30d-46a0-41b3-a942-4ca6950d210f",
|
||
|
"indicator--58a1d30c-28b8-4fac-89c5-449b950d210f",
|
||
|
"indicator--58a1d30a-dc60-4dbb-a20f-49fd950d210f",
|
||
|
"indicator--58a1d309-97d0-4d23-82b6-4011950d210f",
|
||
|
"indicator--58a1d308-394c-487a-a0de-43b1950d210f",
|
||
|
"indicator--58a1d306-f9b8-491e-8a52-4b92950d210f",
|
||
|
"indicator--58a1d305-9e48-40ef-bc6d-4d15950d210f",
|
||
|
"indicator--58a1d303-0960-4e5e-879f-4595950d210f",
|
||
|
"indicator--58a1d302-902c-4ab0-a27c-4a18950d210f",
|
||
|
"indicator--58a1d300-506c-42cb-a6d8-46f8950d210f",
|
||
|
"indicator--58a1d2ff-4194-458e-8a62-4d70950d210f",
|
||
|
"indicator--58a1d2fd-61f4-4867-8784-41a8950d210f",
|
||
|
"indicator--58a1cbac-11dc-4580-928e-4bc2950d210f",
|
||
|
"indicator--58a1cbac-92f8-484f-8efa-4428950d210f",
|
||
|
"indicator--58a1cbab-2724-4152-8cf9-4ddf950d210f",
|
||
|
"indicator--58a1cbaa-0238-4ddb-a08d-4198950d210f",
|
||
|
"indicator--58a1cba9-a294-40d9-a890-405c950d210f",
|
||
|
"indicator--58a1cba9-31b4-4d8e-9a70-4f1d950d210f",
|
||
|
"indicator--58a1cba8-83bc-4723-a7fb-4dc7950d210f",
|
||
|
"indicator--58a1cba7-b964-4e52-9def-4492950d210f",
|
||
|
"indicator--58a1cba6-e23c-4128-bc40-4260950d210f",
|
||
|
"indicator--58a1cba6-df2c-48d9-a5fa-40f9950d210f",
|
||
|
"indicator--58a1cba5-91c0-4b1e-86d3-4be2950d210f",
|
||
|
"indicator--58a1cba4-0d00-4459-ab84-48a6950d210f",
|
||
|
"indicator--58a1cba3-3444-4e2b-9640-4f99950d210f",
|
||
|
"indicator--58a1cba3-1cf8-4060-9f66-48a0950d210f",
|
||
|
"indicator--58a1cba2-0b20-4955-b56e-4def950d210f",
|
||
|
"indicator--58a1cba1-9118-4b64-9e4c-4da0950d210f",
|
||
|
"indicator--58a1cba0-b7e4-4e4d-920f-4a85950d210f",
|
||
|
"indicator--58a1cb9f-af1c-4455-aa94-4155950d210f",
|
||
|
"indicator--58a1cb9f-6ac8-4e5a-b520-4a10950d210f",
|
||
|
"indicator--58a1cb9e-d5e8-48b8-a557-4504950d210f",
|
||
|
"indicator--58a1cb9d-80c4-48b4-9ba9-445b950d210f",
|
||
|
"indicator--58a1cb9c-58f4-4935-af4c-4b0f950d210f",
|
||
|
"indicator--58a1cb9b-3e94-481e-a9c1-490e950d210f",
|
||
|
"indicator--58a1cb9b-52a0-4550-bcf3-47dd950d210f",
|
||
|
"indicator--58a1cb9a-7360-47d5-9919-4e7b950d210f",
|
||
|
"indicator--58a1cb99-182c-4077-b385-455f950d210f",
|
||
|
"indicator--58a1cb98-8c48-4a9c-8d2f-4fdd950d210f",
|
||
|
"indicator--58a1cb98-3ed0-40d5-82af-4391950d210f",
|
||
|
"indicator--58a1cb97-6f58-4466-9fc9-496b950d210f",
|
||
|
"indicator--58a1cb96-d290-4c23-addb-4e72950d210f",
|
||
|
"indicator--58a1cb95-6a28-42a8-873c-47e3950d210f",
|
||
|
"indicator--58a1cb94-1cd8-4ff4-94bf-4818950d210f",
|
||
|
"indicator--58a1cb94-1324-498e-8c1a-43b9950d210f",
|
||
|
"indicator--58a1cb93-b7c0-4923-b96d-4df5950d210f",
|
||
|
"indicator--58a1cb92-0310-486f-b611-46e2950d210f",
|
||
|
"indicator--58a1cb91-54e8-40a5-b10c-4ee4950d210f",
|
||
|
"indicator--58a1cb91-9664-48f6-9918-4dfd950d210f",
|
||
|
"indicator--58a1cb90-2d9c-4108-bea3-48e4950d210f",
|
||
|
"indicator--58a1cb8f-545c-4d39-a9b2-490e950d210f",
|
||
|
"indicator--58a1cb8e-6770-493f-85b7-42bb950d210f",
|
||
|
"indicator--58a1cb8e-4a24-4ac8-9cdc-45d6950d210f",
|
||
|
"indicator--58a1cb8d-4cf4-4731-ac65-459c950d210f",
|
||
|
"indicator--58a03847-d098-4642-b0d1-41d802de0b81",
|
||
|
"indicator--58a03833-b3e4-43b6-9dfb-43d502de0b81",
|
||
|
"indicator--58a03819-172c-41de-9391-4db302de0b81",
|
||
|
"indicator--58a03801-e8b4-4694-8513-478902de0b81",
|
||
|
"indicator--58a037d1-67b8-4751-a1c0-482102de0b81",
|
||
|
"indicator--58a037b7-2934-4fdb-b2fd-421402de0b81",
|
||
|
"indicator--58a0378d-7e28-4467-9a72-400202de0b81",
|
||
|
"indicator--58a03770-0c20-4e6d-a937-4dc202de0b81",
|
||
|
"indicator--58a0375a-4750-4893-ac90-491402de0b81",
|
||
|
"indicator--589f4c24-d0c8-496b-87b0-0abc02de0b81",
|
||
|
"indicator--589f4c0c-fad8-4f22-ba6c-4e6802de0b81",
|
||
|
"indicator--589f4bec-c2fc-4333-9883-0aba02de0b81",
|
||
|
"indicator--589f4bd1-e658-4870-a51c-424a02de0b81",
|
||
|
"indicator--589f4b8c-eca0-481c-9661-47b202de0b81",
|
||
|
"indicator--589f4b73-51fc-4a40-a675-4be602de0b81",
|
||
|
"indicator--589f4b56-38f8-4906-904c-42e202de0b81",
|
||
|
"indicator--589f4b44-221c-43b4-8c4c-0abc02de0b81",
|
||
|
"indicator--589f4b26-1e48-4a14-b2ba-488502de0b81",
|
||
|
"indicator--589f4ad4-e914-429d-8a48-0abc02de0b81",
|
||
|
"indicator--589f4ab2-c5a0-4e61-b37e-4c7502de0b81",
|
||
|
"indicator--589f4a32-f09c-4bee-94c2-44c002de0b81",
|
||
|
"indicator--589f4a15-862c-42da-b3ba-416102de0b81",
|
||
|
"indicator--589f49fc-4fb0-4739-851e-440202de0b81",
|
||
|
"indicator--589f4956-b520-4647-a905-0abc02de0b81",
|
||
|
"indicator--58a1e5f2-5a5c-48d4-aa6b-418b02de0b81",
|
||
|
"observed-data--58a1e5f3-0f24-4532-b723-4d6402de0b81",
|
||
|
"url--58a1e5f3-0f24-4532-b723-4d6402de0b81",
|
||
|
"indicator--58a1e5f5-8a78-42d6-b4c8-4a0b02de0b81",
|
||
|
"observed-data--58a1e5f6-fb94-45ff-9e92-4f8c02de0b81",
|
||
|
"url--58a1e5f6-fb94-45ff-9e92-4f8c02de0b81",
|
||
|
"indicator--58a1e5f8-4698-444c-9e2c-47bd02de0b81",
|
||
|
"observed-data--58a1e5f9-e418-445f-a1c4-4a2e02de0b81",
|
||
|
"url--58a1e5f9-e418-445f-a1c4-4a2e02de0b81",
|
||
|
"indicator--58a1e5fb-4a0c-4bd2-8137-437502de0b81",
|
||
|
"observed-data--58a1e5fc-6984-4532-b55a-4e7a02de0b81",
|
||
|
"url--58a1e5fc-6984-4532-b55a-4e7a02de0b81",
|
||
|
"indicator--58a1e5fe-5d1c-4db9-9dab-428c02de0b81",
|
||
|
"observed-data--58a1e5ff-9624-49f8-ab48-451002de0b81",
|
||
|
"url--58a1e5ff-9624-49f8-ab48-451002de0b81",
|
||
|
"indicator--58a1e601-e0fc-48bc-a142-490a02de0b81",
|
||
|
"observed-data--58a1e602-63b0-431a-90c4-4a9402de0b81",
|
||
|
"url--58a1e602-63b0-431a-90c4-4a9402de0b81",
|
||
|
"indicator--58a1e604-3b3c-488b-a2cf-45e202de0b81",
|
||
|
"observed-data--58a1e605-c994-438a-a775-4c6602de0b81",
|
||
|
"url--58a1e605-c994-438a-a775-4c6602de0b81",
|
||
|
"indicator--58a1e607-1558-40e1-890f-477b02de0b81",
|
||
|
"observed-data--58a1e608-61c0-4d01-aadf-45d402de0b81",
|
||
|
"url--58a1e608-61c0-4d01-aadf-45d402de0b81",
|
||
|
"indicator--58a1e60a-8f08-4b70-81e3-41bb02de0b81",
|
||
|
"observed-data--58a1e60b-b240-49bd-9acd-468102de0b81",
|
||
|
"url--58a1e60b-b240-49bd-9acd-468102de0b81",
|
||
|
"indicator--58a1e60c-7410-4af9-a168-4e8002de0b81",
|
||
|
"observed-data--58a1e60e-bfc4-48c8-9b3b-4a8202de0b81",
|
||
|
"url--58a1e60e-bfc4-48c8-9b3b-4a8202de0b81",
|
||
|
"indicator--58a1e60e-5210-46d8-8060-4a1602de0b81",
|
||
|
"observed-data--58a1e610-e83c-4c44-981e-45c402de0b81",
|
||
|
"url--58a1e610-e83c-4c44-981e-45c402de0b81",
|
||
|
"indicator--58a1e612-b124-48b4-b43e-41e502de0b81",
|
||
|
"observed-data--58a1e613-1438-466e-92de-42bc02de0b81",
|
||
|
"url--58a1e613-1438-466e-92de-42bc02de0b81",
|
||
|
"indicator--58a1e615-4528-4b0f-a63f-431102de0b81",
|
||
|
"observed-data--58a1e617-ee1c-497e-8daa-4e1b02de0b81",
|
||
|
"url--58a1e617-ee1c-497e-8daa-4e1b02de0b81",
|
||
|
"indicator--58a1e617-9234-419f-8072-436c02de0b81",
|
||
|
"observed-data--58a1e619-8d50-48c6-80b0-45db02de0b81",
|
||
|
"url--58a1e619-8d50-48c6-80b0-45db02de0b81",
|
||
|
"indicator--58a1e61a-5e70-4d8b-ac5f-43ca02de0b81",
|
||
|
"observed-data--58a1e61c-ab14-411d-901f-4c0802de0b81",
|
||
|
"url--58a1e61c-ab14-411d-901f-4c0802de0b81",
|
||
|
"indicator--58a1e61d-bb38-4a5f-929b-4c6c02de0b81",
|
||
|
"observed-data--58a1e61f-a208-4892-b342-40e202de0b81",
|
||
|
"url--58a1e61f-a208-4892-b342-40e202de0b81",
|
||
|
"indicator--58a1e621-066c-492d-bb0e-466402de0b81",
|
||
|
"observed-data--58a1e623-de00-45eb-95cf-437602de0b81",
|
||
|
"url--58a1e623-de00-45eb-95cf-437602de0b81",
|
||
|
"indicator--58a1e623-5544-4128-a077-4aeb02de0b81",
|
||
|
"observed-data--58a1e625-cb5c-4699-9324-4b9202de0b81",
|
||
|
"url--58a1e625-cb5c-4699-9324-4b9202de0b81",
|
||
|
"indicator--58a1e626-4cb0-4be8-a4b9-4eac02de0b81",
|
||
|
"observed-data--58a1e628-1454-4e75-811f-4d4702de0b81",
|
||
|
"url--58a1e628-1454-4e75-811f-4d4702de0b81",
|
||
|
"indicator--58a1e628-7588-49fa-a07a-4d7a02de0b81",
|
||
|
"observed-data--58a1e62a-8f9c-463b-a6c7-41f902de0b81",
|
||
|
"url--58a1e62a-8f9c-463b-a6c7-41f902de0b81",
|
||
|
"indicator--58a1e62c-6e54-4433-aacf-4a6602de0b81",
|
||
|
"observed-data--58a1e62e-f904-4fff-9993-432b02de0b81",
|
||
|
"url--58a1e62e-f904-4fff-9993-432b02de0b81",
|
||
|
"x-misp-attribute--58a2091a-e01c-48e9-8a62-a6e4950d210f",
|
||
|
"indicator--58a2b323-52c4-42bf-84df-4ccd950d210f",
|
||
|
"indicator--58a2b324-b5a8-4c31-af7a-4a05950d210f",
|
||
|
"indicator--58a2b325-97c0-4a87-9079-427e950d210f",
|
||
|
"indicator--58a2b325-9b84-4ad5-bdaf-49bc950d210f",
|
||
|
"indicator--58a2b326-0b9c-4de3-854f-4106950d210f",
|
||
|
"indicator--58a2b327-1154-4ca4-b708-4c71950d210f",
|
||
|
"indicator--58a2b328-deb4-4464-93fe-4f56950d210f",
|
||
|
"indicator--58a2b328-eb74-448c-9e45-4a9b950d210f",
|
||
|
"indicator--58a2b329-ff64-4044-aad6-4334950d210f",
|
||
|
"indicator--58a2e1ca-0ff8-47ba-b4b4-448d950d210f",
|
||
|
"indicator--58a2e44d-a7a4-4eec-9531-42a2950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:threat-actor=\"Sofacy\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f4869-c3fc-4d12-9b76-0ab502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect X-Tunnel, referred to as IMPLANT 5 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_5_v2\r\n{\r\nstrings:\r\n$key0 = { 987AB999FE0924A2DF0A412B14E26093746FCDF9BA31DC05536892C33B116AD3 }\r\n$key1 = { 8B236C892D902B0C9A6D37AE4F9842C3070FBDC14099C6930158563C6AC00FF5 }\r\n$key2 = { E47B7F110CAA1DA617545567EC972AF3A6E7B4E6807B7981D3CFBD3D8FCC3373 }\r\n$key3 = { 48B284545CA1FA74F64FDBE2E605D68CED8A726D05EBEFD9BAAC164A7949BDC1 }\r\n$key4 = { FB421558E30FCCD95FA7BC45AC92D2991C44072230F6FBEAA211341B5BF2DC56 }\r\n$key5 = { 34F1AE17017AF16021ADA5CE3F77675BBC6E7DEC6478D6078A0B22E5FDFF3B31 }\r\n$key6 = { F0EA48F164395186E6F754256EBB812A2AFE168E77ED9501F8B8E6F5B72126A7 }\r\n$key7 = { 0B6E9970A8EAF68EE14AB45005357A2F3391BEAA7E53AB760B916BC2B3916ABE }\r\n$key8 = { FF032EA7ED2436CF6EEA1F741F99A3522A61FDA8B5A81EC03A8983ED1AEDAB1A }\r\n$key9 = { F0DAC1DDFEF7AC6DE1CBE1006584538FE650389BF8565B32E0DE1FFACBCB14BB }\r\n$key10 = { A5D699A3CD4510AF11F1AF767602055C523DF74B94527D74319D6EFC6883B80D }\r\n$key11 = { 5951B02696C1D5A7B2851D28872384DA607B25F4CEA268FF3FD7FBA75AB3B4B3 }\r\n$key12 = { 0465D99B26AF42D8346001BB838595E301BAD8CF5D40CE9C17C944717DF82481 }\r\n$key13 = { 5DFE1C83AD5F5CE1BF5D9C42E23225E3ECFDB2493E80E6554A2AC7C722EB4880 }\r\n$key14 = { E9650396C45F7783BC14C59F46EA8232E8357C26B5627BFF8C42C6AE2E0F2E17 }\r\n$key15 = { 7432AE389125BB4E3980ED7F6A6FB252A42E785A90F4591C3620CA642FF97CA3 }\r\n$key16 = { 2B2ADBBC4F960A8916F7088067BAD30BE84B65783FBF9476DF5FDA0E5856B183 }\r\n$key17 = { 808C3FD0224A59384161B8A81C8BB404D7197D16D8118CB77067C5C8BD764B3E }\r\n$key18 = { 028B0E24D5675C16C815BFE4A073E9778C668E65771A1CE881E2B03F58FC7D5B }\r\n$key19 = { 878B7F5CF2DC72BAF1319F91A4880931EE979665B1B24D3394FE72EDFAEF4881 }\r\n$key20 = { 7AC7DD6CA34F269481C526254D2F563BC6ECA1779FEEAA33EC1C20E60B686785 }\r\n$key21 = { 3044F1D394186815DD8E3A2BBD9166837D07FA1CF6A550E2C170C9CDD9305209 }\r\n$key22 = { 7544DC095C441E39D258648FE9CB1267D20D83C8B2D3AB734474401DA4932619 }\r\n$key23 = { D702223347406C1999D1A9829CBBE96EC86D377A40E2EE84562EA1FAC1C71498 }\r\n$key24 = { 
CA36CB1177382A1009D392A58F7C1357E94AD2292CC0AE82EE4F7DB0179148E1 }\r\n$key25 = { C714F23E4C1C4E55F0E1FA7F5D0DD64658A86F84681D07576D840784154F65DC }\r\n$key26 = { 63571BAF736904634AFEE2A70CB9ED64615DE8CA7AEF21E773286B8877D065DB }\r\n$key27 = { 27808A9BE98FFE348DE1DB999AC9FDFB26E6C5A0D5E688490EF3D186C43661EB }\r\n$key28 = { B6EB86A07A85D40866AFA100789FFB9E85C13F5AA7C7A3B6BA753C7EAB9D6A62 }\r\n$key29 = { 88F0020375D60BDB85ACDBFE4BD79CD098DB2B3FA2CEF55D4331DBEFCE455157 }\r\n$key30 = { 36535AAB296587AE1162AC5D39492DD1245811C72706246A38FF590645AA5D7B }\r\n$key31 = { FDB726261CADD52E10818B49CAB81BEF112CB63832DAA26AD9FC711EA6CE99A4 }\r\n$key32 = { 86C0CAA26D9FD07D215BC7EB14E2DA250E905D406AFFAB44FB1C62A2EAFC4670 }\r\n$key33 = { BC101329B0E3A7D13F6EBC535097785E27D59E92D449D6D06538725034B8C0F0 }\r\n$key34 = { C8D31A78B7C149F62F06497F9DC1DDC4967B566AC52C3A2A65AC7A99643B8A2D }\r\n$key35 = { 0EA4A5C565EFBB94F5041392C5F0565B6BADC630D9005B3EADD5D81110623E1F }\r\n$key36 = { 06E4E46BD3A0FFC8A4125A6A02B0C56D5D8B9E378CF97539CE4D4ADFAF89FEB5 }\r\n$key37 = { 6DE22040821F0827316291331256A170E23FA76E381CA7066AF1E5197AE3CFE7 }\r\n$key38 = { C6EF27480F2F6F40910074A45715143954BBA78CD74E92413F785BBA5B2AA121 }\r\n$key39 = { 19C96A28F8D9698ADADD2E31F2426A46FD11D2D45F64169EDC7158389BFA59B4 }\r\n$key40 = { C3C3DDBB9D4645772373A815B5125BB2232D8782919D206E0E79A6A973FF5D36 }\r\n$key41 = { C33AF1608037D7A3AA7FB860911312B4409936D236564044CFE6ED42E54B78A8 }\r\n$key42 = { 856A0806A1DFA94B5E62ABEF75BEA3B657D9888E30C8D2FFAEC042930BBA3C90 }\r\n$key43 = { 244496C524401182A2BC72177A15CDD2EF55601F1D321ECBF2605FFD1B9B8E3F }\r\n$key44 = { DF24050364168606D2F81E4D0DEB1FFC417F1B5EB13A2AA49A89A1B5242FF503 }\r\n$key45 = { 54FA07B8108DBFE285DD2F92C84E8F09CDAA687FE492237F1BC4343FF4294248 }\r\n$key46 = { 23490033D6BF165B9C45EE65947D6E6127D6E00C68038B83C8BFC2BCE905040C }\r\n$key47 = { 4E044025C45680609B6EC52FEB3491130A711F7375AAF63D69B9F952BEFD5F0C }\r\n$key48 = { 
019F31C5F5B2269020EBC00C1F511F2AC23E9D37E89374514C6DA40A6A03176C }\r\n$key49 = { A2483197FA57271B43E7276238468CFB8429326CBDA7BD091461147F642BEB
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f4829-6744-4e0f-b3d7-401902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect X-Tunnel, referred to as IMPLANT 5 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_5_v1\r\n{\r\nstrings:\r\n$hexstr = {2D 00 53 00 69 00 00 00 2D 00 53 00 70 00 00 00 2D 00 55 00 70 00 00 00 2D 00 50 00\r\n69 00 00 00 2D 00 50 00 70 00 00 00}\r\n$UDPMSG1 = \"error 2005 recv from server UDP - %d\\x0a\"\r\n$TPSMSG1 = \"error 2004 send to TPS - %d\\x0a\"\r\n$TPSMSG2 = \"error 2003 recv from TPS - %d\\x0a\"\r\n$UDPMSG2 = \"error 2002 send to server UDP - %d\\x0a\"\r\ncondition:\r\nany of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--589f4775-fb8c-4bf3-8ff6-433e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Internal reference\""
|
||
|
],
|
||
|
"x_misp_category": "Internal reference",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "58658c15-54ac-43c3-9beb-414502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f4038-2120-4e06-b449-41cd02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_4_v13\r\n{\r\nstrings:\r\n$XMLDOM1 = {81 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60}\r\n$XMLDOM2 = {90 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60}\r\n$XMLPARSE = {8B 06 [0-2] 8D 55 ?C 52 FF 75 08 [0-2] 50 FF 91 04 01 00 00 66 83 7D ?C FF 75\r\n3? 8B 06 [0-2] 8D 55 F? 52 50 [0-2] FF 51 30 85 C0 78 2?}\r\n$EXP1 = \"DispatchCommand\"\r\n$EXP2 = \"DispatchEvent\"\r\n$BDATA = {85 C0 74 1? 0F B7 4? 06 83 C? 28 [0-6] 72 ?? 33 C0 5F 5E 5B 5D C2 08 00 8B 4?\r\n0? 8B 4? 0? 89 01 8B 4? 0C 03 [0-2] EB E?}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f4025-ae00-42f7-b50d-4c1502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_4_v12\r\n{\r\nstrings:\r\n$CMP1 = {81 ?? 4D 5A 00 00 }\r\n$SUB1 = {81 ?? 00 10 00 00}\r\n$CMP2 = {66 81 38 4D 5A}\r\n$SUB2 = {2D 00 10 00 00}\r\n$HAL = \"HAL.dll\"\r\n$OUT = {E6 64 E9 ?? ?? FF FF}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and ($CMP1 or $CMP2) and ($SUB1 or $SUB2) and $OUT\r\nand $HAL\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f4005-85b4-47fc-b7bc-4a2602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_4_v11\r\n{\r\nstrings:\r\n$ = \"/c format %c: /Y /X /FS:NTFS\"\r\n$ = \".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf\" wide\r\n$ = \".dll.exe.xml.ttf.nfo.fon.ini.cfg.boot.jar\" wide\r\n$ =\r\n\".crt.bin.exe.db.dbf.pdf.djvu.doc.docx.xls.xlsx.jar.ppt.pptx.tib.vhd.iso.lib.mdb.accdb.sql.mdf.xml.rtf.ini.cf\r\ng.boot.txt.rar.msi.zip.jpg.bmp.jpeg.tiff\" wide\r\n$tempfilename = \"%ls_%ls_%ls_%d.~tmp\" ascii wide\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and 2 of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3ff2-c160-4594-8a6c-4f5902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_4_v10\r\n{\r\nstrings:\r\n$ = {A1B05C72}\r\n$ = {EB3D0384}\r\n$ = {6F45594E}\r\n$ = {71815A4E}\r\n$ = {D5B03E72}\r\n$ = {6B43594E}\r\n$ = {F572993D}\r\n$ = {665D9DC0}\r\n$ = {0BE7A75A}\r\n$ = {F37443C5}\r\n$ = {A2A474BB}\r\n$ = {97DEEC67}\r\n$ = {7E0CB078}\r\n$ = {9C9678BF}\r\n$ = {4A37A149}\r\n$ = {8667416B}\r\n$ = {0A375BA4}\r\n$ = {DC505A8D}\r\n$ = {02F1F808}\r\n$ = {2C819712}\r\ncondition:\r\nuint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550 and 15 of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3fbd-8280-4e28-8299-4ad102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_4_v9\r\n{\r\nstrings:\r\n$a = \"wevtutil clear-log\" ascii wide nocase\r\n$b = \"vssadmin delete shadows\" ascii wide nocase\r\n$c = \"AGlobal\\\\23d1a259-88fa-41df-935f-cae523bab8e6\" ascii wide nocase\r\n$d = \"Global\\\\07fd3ab3-0724-4cfd-8cc2-60c0e450bb9a\" ascii wide nocase\r\n//$e = {57 55 33 c9 51 8b c3 99 57 52 50}\r\n$openPhysicalDiskOverwriteWithZeros = { 57 55 33 C9 51 8B C3 99 57 52 50 E8 ?? ?? ?? ?? 52 50\r\nE8 ?? ?? ?? ?? 83 C4 10 84 C0 75 21 33 C0 89 44 24 10 89 44 24 14 6A 01 8B C7 99 8D 4C 24 14 51 52\r\n50 56 FF 15 ?? ?? ?? ?? 85 C0 74 0B 83 C3 01 81 FB 00 01 00 00 7C B6 }\r\n$f = {83 c4 0c 53 53 6a 03 53 6a 03 68 00 00 00 c0}\r\ncondition:\r\n($a and $b) or $c or $d or ($openPhysicalDiskOverwriteWithZeros and $f)\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3fa0-cb5c-4726-b61f-48ab02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_4_v8\r\n{\r\nstrings:\r\n$f1 = {5E 81 EC 04 01 00 00 8B D4 68 04 01 00 00 52 6A 00 FF 57 1C 8B D4 33 C9 03 D0 4A 41\r\n3B C8 74 05 80 3A 5C 75 F5 42 81 EC 04 01 00 00 8B DC 52 51 53 68 04 01 00 00 FF 57 20 59 5A 66\r\nC7 04 03 5C 20 56 57 8D 3C 03 8B F2 F3 A4 C6 07 00 5F 5E 33 C0 50 68 80 00 00 00 6A 02 50 50 68\r\n00 00 00 40 53 FF 57 14 53 8B 4F 4C 8B D6 33 DB 30 1A 42 43 3B D9 7C F8 5B 83 EC 04 8B D4 50\r\n6A 00 52 FF 77 4C 8B D6 52 50 FF 57 24 FF 57 18}\r\n$f2 = {5E 83 EC 1C 8B 45 08 8B 4D 08 03 48 3C 89 4D E4 89 75 EC 8B 45 08 2B 45 10 89 45 E8\r\n33 C0 89 45 F4 8B 55 0C 3B 55 F4 0F 86 98 00 00 00 8B 45 EC 8B 4D F4 03 48 04 89 4D F4 8B 55 EC\r\n8B 42 04 83 E8 08 D1 E8 89 45 F8 8B 4D EC 83 C1 08 89 4D FC}\r\n$f3 = {5F 8B DF 83 C3 60 2B 5F 54 89 5C 24 20 8B 44 24 24 25 00 00 FF FF 66 8B 18 66 81 FB\r\n4D 5A 74 07 2D 00 00 01 00 EB EF 8B 48 3C 03 C8 66 8B 19 66 81 FB 50 45 75 E0 8B E8 8B F7 83\r\nEC 60 8B FC B9 60 00 00 00 F3 A4 83 EF 60 6A 0D 59 E8 88 00 00 00 E2 F9 68 6C 33 32 00 68 73 68\r\n65 6C 54 FF 57}\r\n$a1 = {83 EC 04 60 E9 1E 01 00 00}\r\ncondition:\r\n$a1 at entrypoint or any of ($f*)\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3f85-d1b0-4f88-885b-43ae02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_4_v7\r\n{\r\nstrings:\r\n$sb1 = {C7 [1-5] 33 32 2E 64 C7 [1-5] 77 73 32 5F 66 C7 [1-5] 6C 6C}\r\n$sb2 = {C7 [1-5] 75 73 65 72 C7 [1-5] 33 32 2E 64 66 C7 [1-5] 6C 6C}\r\n$sb3 = {C7 [1-5] 61 64 76 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C}\r\n$sb4 = {C7 [1-5] 77 69 6E 69 C7 [1-5] 6E 65 74 2E C7 [1-5] 64 6C 6C}\r\n$sb5 = {C7 [1-5] 73 68 65 6C C7 [1-5] 6C 33 32 2E C7 [1-5] 64 6C 6C}\r\n$sb6 = {C7 [1-5] 70 73 61 70 C7 [1-5] 69 2E 64 6C 66 C7 [1-5] 6C}\r\n$sb7 = {C7 [1-5] 6E 65 74 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C}\r\n$sb8 = {C7 [1-5] 76 65 72 73 C7 [1-5] 69 6F 6E 2E C7 [1-5] 64 6C 6C}\r\n$sb9 = {C7 [1-5] 6F 6C 65 61 C7 [1-5] 75 74 33 32 C7 [1-5] 2E 64 6C 6C}\r\n$sb10 = {C7 [1-5] 69 6D 61 67 C7 [1-5] 65 68 6C 70 C7 [1-5] 2E 64 6C 6C}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and 3 of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3f68-41e4-4733-be6e-419f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 in the rule naming convention.",
"pattern": "[Rule IMPLANT_4_v6\r\n{\r\nstrings:\r\n$STR1 = \"DispatchCommand\" wide ascii\r\n$STR2 = \"DispatchEvent\" wide ascii\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3f55-bb50-47e8-be77-404d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 in the rule naming convention.",
"pattern": "[Rule IMPLANT_4_v5\r\n{\r\nstrings:\r\n$GEN_HASH = {0F BE C9 C1 C0 07 33 C1}\r\ncondition:\r\nuint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3eed-394c-4851-b0fd-46b702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 in the rule naming convention.",
"pattern": "[Rule IMPLANT_4_v4\r\n{\r\nstrings:\r\n$DK_format1 = \"/c format %c: /Y /Q\" ascii\r\n$DK_format2 = \"/c format %c: /Y /X /FS:NTFS\" ascii\r\n$DK_physicaldrive = \"PhysicalDrive%d\" wide\r\n$DK_shutdown = \"shutdown /r /t %d\"\r\n$MZ = {4d 5a}\r\ncondition:\r\n$MZ at 0 and all of ($DK*)\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3ed3-2974-4f8b-923b-42f702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 in the rule naming convention.",
"pattern": "[Rule IMPLANT_4_v3\r\n{\r\nstrings:\r\n$a1 = \"Adobe Flash Player Installer\" wide nocase\r\n$a3 = \"regedt32.exe\" wide nocase\r\n$a4 = \"WindowsSysUtility\" wide nocase\r\n$a6 = \"USB MDM Driver\" wide nocase\r\n$b1 = {00 05 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49\r\n00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15\r\n28 0A 3F 00 00 00 00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5C 04 00\r\n00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00\r\n1C 02 00 00 01 00 30 00 30 00 31 00 35 00 30 00 34 00 62 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F\r\n00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00\r\n73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00\r\n00 46 00 0F 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F\r\n00 6E 00 00 00 00 00 55 00 53 00 42 00 20 00 4D 00 44 00 4D 00 20 00 44 00 72 00 69 00 76 00 65 00\r\n72 00 00 00 00 00 3C 00 0E 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E\r\n00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00\r\n4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74\r\n00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30\r\n00 31 00 33 00 00 00 00 00 3E 00 0B 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00\r\n69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73 00 62 00 6D 00 64 00 6D 00 2E 00 73 00 79\r\n00 73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00\r\n65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 57 00 69 00 6E 00 64\r\n00 6F 00 77 00 73 00 20 00 4F 00 70 00 
65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73\r\n00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00\r\n65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35\r\n00 35 00 31 00 32 00 00 00 1C 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 62 00 30 00 00 00\r\n4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D\r\n00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74\r\n00 69 00 6F 00 6E 00 00 00 46 00 0F 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00\r\n69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 55 00 53 00 42 00 20 00 4D 00 44 00 4D 00 20 00 44\r\n00 72 00 69 00 76 00 65 00 72 00 00 00 00 00 3C 00 0E 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00\r\n72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35\r\n00 35 00 31 00 32 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00\r\n72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00\r\n43 00 29 00 20 00 32 00 30 00 31 00 33 00 00 00 00 00 3E 00 0B 00 01 00 4F 00 72 00 69 00 67 00 69\r\n00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73 00 62 00 6D 00\r\n64 00 6D 00 2E 00 73 00 79 00 73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63\r\n00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00\r\n20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E\r\n00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00\r\n64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32\r\n00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 48 00 00 00 01 00 56 00 61 00 72 
00 46 00 69\r\n00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 28 00 08 00 00 00 5
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3e95-9c44-4aa4-bbeb-42b602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 in the rule naming convention.",
"pattern": "[Rule IMPLANT_4_v2\r\n{\r\nstrings:\r\n$BUILD_USER32 = {75 73 65 72 ?? ?? ?? 33 32 2E 64}\r\n$BUILD_ADVAPI32 = {61 64 76 61 ?? ?? ?? 70 69 33 32}\r\n$CONSTANT = {26 80 AC C8}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3e78-b8e0-40a4-b7bf-461402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 in the rule naming convention.",
"pattern": "[Rule IMPLANT_4_v1\r\n{\r\nstrings:\r\n$STR1 = {55 8B EC 81 EC 54 01 00 00 83 65 D4 00 C6 45 D8 61 C6 45 D9 64 C6 45 DA 76 C6 45\r\nDB 61 C6 45 DC 70 C6 45 DD 69 C6 45 DE 33 C6 45 DF 32 C6 45 E0 2EE9 ?? ?? ?? ??} $STR2 = {C7\r\n45 EC 5A 00 00 00 C7 45 E0 46 00 00 00 C7 45 E8 5A 00 00 00 C7 45 E4 46 00 00 00}\r\ncondition:\r\n(uint16(0)== 0x5A4D or uint16(0) == 0xCFD0 or uint16(0)== 0xC3D4 or uint32(0) == 0x46445025 or\r\nuint3\r\n2(1) == 0x6674725C) and 1 of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3e53-bd04-44cf-bfa5-471602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects X-Agent/CHOPSTICK, referred to as IMPLANT 3 in the rule naming convention.",
"pattern": "[Rule IMPLANT_3_v3\r\n{\r\nstrings:\r\n$STR1 = \".?AVAgentKernel@@\"\r\n$STR2 = \".?AVIAgentModule@@\"\r\n$STR3 = \"AgentKernel\"\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and any of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3e39-321c-415f-a2ea-4d4202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects X-Agent/CHOPSTICK, referred to as IMPLANT 3 in the rule naming convention.",
"pattern": "[Rule IMPLANT_3_v2\r\n{\r\nstrings:\r\n$base_key_moved = {C7 45 ?? 3B C6 73 0F C7 45 ?? 8B 07 85 C0 C7 45 ?? 74 02 FF D0 C7 45 ??\r\n83 C7 04 3B C7 45 ?? FE 72 F1 5F C7 45 ?? 5E C3 8B FF C7 45 ?? 56 B8 D8 78 C7 45 ?? 75 07 50 E8\r\nC7 45 ?? B1 D1 FF FF C7 45 ?? 59 5D C3 8B C7 45 ?? FF 55 8B EC C7 45 ?? 83 EC 10 A1 66 C7 45 ??\r\n33 35}\r\n$base_key_b_array = {3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B\r\nFF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and any of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3e21-7f80-4804-9773-4e9002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects X-Agent/CHOPSTICK, referred to as IMPLANT 3 in the rule naming convention.",
"pattern": "[Rule IMPLANT_3_v1\r\n{\r\nstrings:\r\n$STR1 = \">process isn't exist<\" ascii wide\r\n$STR2 = \"shell\\\\open\\\\command=\\\"System Volume Information\\\\USBGuard.exe\\\" install\" ascii\r\nwide\r\n$STR3 = \"User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101\r\nFirefox/20.0\" ascii wide\r\n$STR4 = \"webhp?rel=psy&hl=7&ai=\" ascii wide\r\n$STR5 = {0f b6 14 31 88 55 ?? 33 d2 8b c1 f7 75 ?? 8b 45 ?? 41 0f b6 14 02 8a 45 ?? 03 fa}\r\ncondition:\r\nany of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3dca-7a44-4990-b12b-432802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicators for Implant 2",
"pattern": "[alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS\r\n(msg:\"Coreshell_HTTP_CALLOUT\"; flow:established,to_server; content:\"POST\"; http_method;\r\ncontent:\"User-Agent: MSIE \"; fast_pattern:only; pcre:\"/User-Agent: MSIE [89]\\.0\\x0d\\x0a/D\";\r\npcre:\"/^\\/(?:check|update|store|info)\\/$/I\";)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3da4-85a0-45f1-9a4b-46c202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v20\r\n{\r\nstrings:\r\n$func = { 0F B6 5C 0A FE 8D 34 02 8B 45 D4 03 C2 0F AF D8 8D 7A 01 8D 42 FF 33 D2 F7 75\r\nF4 C1 EB 07 8B C7 32 1C 0A 33 D2 B9 06 00 00 00 F7 F1 8A 4D F8 8B 45 0C 80 E9 02 02 4D 0B 32\r\n0C 02 8B 45 F8 33 D2 F7 75 F4 8B 45 0C 22 0C 02 8B D7 02 D9 30 1E 8B 4D 0C 8D 42 FE 3B 45 E8\r\n8B 45 D8 89 55 F8 72 A0 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3d8b-443c-44c9-9f06-47a402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v19\r\n{\r\nstrings:\r\n$obfuscated_RSA1 = { 7C 41 B4 DB ED B0 B8 47 F1 9C A1 49 B6 57 A6 CC D6 74 B5 52 12 4D\r\nFC B1 B6 3B 85 73 DF AB 74 C9 25 D8 3C EA AE 8F 5E D2 E3 7B 1E B8 09 3C AF 76 A1 38 56 76\r\nBB A0 63 B6 9E 5D 86 E4 EC B0 DC 89 1E FA 4A E5 79 81 3F DB 56 63 1B 08 0C BF DC FC 75 19\r\n3E 1F B3 EE 9D 4C 17 8B 16 9D 99 C3 0C 89 06 BB F1 72 46 7E F4 0B F6 CB B9 C2 11 BE 5E 27 94\r\n5D 6D C0 9A 28 F2 2F FB EE 8D 82 C7 0F 58 51 03 BF 6A 8D CD 99 F8 04 D6 F7 F7 88 0E 51 88 B4\r\nE1 A9 A4 3B }\r\n$cleartext_RSA1 = { 06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 AF BD 26 C9\r\n04 65 45 9F 0E 3F C4 A8 9A 18 C8 92 00 B2 CC 6E 0F 2F B2 71 90 FC 70 2E 0A F0 CA AA 5D F4 CA\r\n7A 75 8D 5F 9C 4B 67 32 45 CE 6E 2F 16 3C F1 8C 42 35 9C 53 64 A7 4A BD FA 32 99 90 E6 AC EC\r\nC7 30 B2 9E 0B 90 F8 B2 94 90 1D 52 B5 2F F9 8B E2 E6 C5 9A 0A 1B 05 42 68 6A 3E 88 7F 38 97\r\n49 5F F6 EB ED 9D EF 63 FA 56 56 0C 7E ED 14 81 3A 1D B9 A8 02 BD 3A E6 E0 FA 4D A9 07 5B\r\nE6 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and any of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3d57-a834-461f-9fb3-4c6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v18\r\n{\r\nstrings:\r\n$STR1 = { 8A C1 02 C0 8D 1C 08 8B 45 F8 02 DB 8D 4A 02 8B 55 0C 88 5D FF 8B 5D EC 83 C2\r\nFE 03 D8 89 55 E0 89 5D DC 8D 49 00 03 C1 8D 34 0B 0F B6 1C 0A 0F AF D8 33 D2 8D 41 FF F7 75\r\nF4 8B 45 0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 8B 45 0C 8D\r\n59 FE 02 5D FF 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B\r\n55 E0 02 C3 30 06 8B 5D DC 8D 41 FE 83 F8 06 8B 45 F8 72 9B 8B 4D F0 8B 5D D8 8B 7D 08 8B F0\r\n41 83 C6 06 89 4D F0 89 75 F8 3B 4D D4 0F 82 ?? ?? ?? ?? 8B 55 E8 3B CB 75 09 8D 04 5B 03 C0 2B\r\nF8 EB 02 33 FF 3B FA 0F 83 ?? ?? ?? ?? 8B 5D EC 8A C1 02 C0 83 C3 FE 8D 14 08 8D 04 49 02 D2 03\r\nC0 88 55 0B 8D 48 FE 8D 57 02 03 C3 89 4D D4 8B 4D 0C 89 55 F8 89 45 D8 EB 06 8D 9B 00 00 00\r\n00 0F B6 5C 0A FE 8D 34 02 8B 45 D4 03 C2 0F AF D8 8D 7A 01 8D 42 FF 33 D2 F7 75 F4 C1 EB 07\r\n8B C7 32 1C 0A 33 D2 B9 06 00 00 00 F7 F1 8A 4D F8 8B 45 0C 80 E9 02 02 4D 0B 32 0C 02 8B 45\r\nF8 33 D2 F7 75 F4 8B 45 0C 22 0C 02 8B D7 02 D9 30 1E 8B 4D 0C 8D 42 FE 3B 45 E8 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3d37-f17c-42d0-b01d-4fd202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v17\r\n{\r\nstrings:\r\n$STR1 = { 24108b44241c894424148b4424246836 }\r\n$STR2 = { 518d4ddc516a018bd08b4de4e8360400 }\r\n$STR3 = { e48178061591df75740433f6eb1a8b48 }\r\n$STR4 = { 33d2f775f88b45d402d903c641321c3a }\r\n$STR5 = { 006a0056ffd083f8ff74646a008d45f8 }\r\ncondition:\r\n(uint16(0) == 0x5A4D) and 2 of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3d22-8428-42c7-a608-400302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v16\r\n{\r\nstrings:\r\n$OBF_FUNCT = { 0F B6 1C 0B 8D 34 08 8D 04 0A 0F AF D8 33 D2 8D 41 FF F7 75 F8 8B 45\r\n0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 8B 45 0C 8D 59 FE 02\r\n5D FF 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B 55 E0 02\r\nC3 30 06 8B 5D F0 8D 41 FE 83 F8 06 8B 45 DC 72 9A }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and $OBF_FUNCT\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3cff-a528-4477-9f3a-473102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v15\r\n{\r\nstrings:\r\n$XOR_LOOP1 = { 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 }\r\n$XOR_LOOP2 = { 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 }\r\n$XOR_LOOP3 = { 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3ce5-fab0-4f87-9547-4aa802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v14\r\n{\r\nstrings:\r\n$STR1 =\r\n{8b??448944246041f7e08bf2b8abaaaaaac1ee0289742458448b??41f7??8bcaba03000000c1e902890c248\r\nd044903c0442b??4489??24043bf10f83??0100008d1c764c896c24 }\r\n$STR2 =\r\n{c541f7e0????????????8d0c5203c92bc18bc8??8d04??460fb60c??4002c7418d48ff4432c8b8abaaaaaaf7e\r\n1c1ea028d045203c02bc8b8abaaaaaa46220c??418d48fef7e1c1ea028d045203c02bc88bc1}\r\n$STR3 =\r\n{41f7e0c1ea02418bc08d0c5203c92bc18bc8428d041b460fb60c??4002c6418d48ff4432c8b8abaaaaaaf7e1\r\nc1ea028d045203c02bc8b8abaaaaaa}\r\n$STR4 =\r\n{46220c??418d48fef7e1c1ea028d04528b54245803c02bc88bc10fb64fff420fb604??410fafcbc1}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and any of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3cc8-2278-492c-8328-41d102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v13\r\n{\r\nstrings:\r\n$STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2]\r\n4? [1-2] 01}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3cb3-b654-4384-9d93-4f5902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v12\r\n{\r\nstrings:\r\n$STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00 33 C9 ff 15 [2] 00 00 ff 15\r\n[2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 00 00 00 48 8B CC E8}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3c97-bf00-4e7c-9f14-4cf802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v11\r\n{\r\nstrings:\r\n$STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53 56 57 A1 [4] 31 45 F8 33\r\nC5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68 [4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3c7d-bd60-4750-914e-427102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v10\r\n{\r\nstrings:\r\n$STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2]\r\n4? [1-2] 01}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3c5f-e2b0-4ba0-80ac-4a2f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "This YARA rule detects CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule naming convention.",
"pattern": "[Rule IMPLANT_2_v9\r\n{\r\nstrings:\r\n$STR1 = { 8A C3 02 C0 02 D8 8B 45 F8 02 DB 83 C1 02 03 45 08 88 5D 0F 89 45 E8 8B FF 0F\r\nB6 5C 0E FE 8B 45 F8 03 C1 0F AF D8 8D 51 01 89 55 F4 33 D2 BF 06 00 00 00 8D 41 FF F7 F7 8B\r\n45 F4 C1 EB 07 32 1C 32 33 D2 F7 F7 8A C1 02 45 0F 2C 02 32 04 32 33 D2 88 45 FF 8B C1 8B F7 F7\r\nF6 8A 45 FF 8B 75 14 22 04 32 02 D8 8B 45 E8 30 1C 08 8B 4D F4 8D 51 FE 3B D7 72 A4 8B 45 E4\r\n8B 7D E0 8B 5D F0 83 45 F8 06 43 89 5D F0 3B D8 0F 82 ?? ?? ?? ?? 3B DF 75 13 8D 04 7F 8B 7D 10\r\n03 C0 2B F8 EB 09 33 C9 E9 5B FF FF FF 33 FF 3B 7D EC 0F 83 ?? ?? ?? ?? 8B 55 08 8A CB 02 C9\r\n8D 04 19 02 C0 88 45 13 8D 04 5B 03 C0 8D 54 10 FE 89 45 E0 8D 4F 02 89 55 E4 EB 09 8D 9B 00 00\r\n00 00 8B 45 E0 0F B6 5C 31 FE 8D 44 01 FE 0F AF D8 8D 51 01 89 55 0C 33 D2 BF 06 00 00 00 8D\r\n41 FF F7 F7 8B 45 0C C1 EB 07 32 1C 32 33 D2 F7 F7 8A C1 02 45 13 2C 02 32 04 32 33 D2 88 45 0B\r\n8B C1 8B F7 F7 F6 8A 45 0B 8B 75 14 22 04 32 02 D8 8B 45 E4 30 1C 01 8B 4D 0C }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3c3c-bc84-42de-8abe-456002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect CORESHELL/SOURFACE, referred to as IMPLANT 2 with rule naming convention.",
"pattern": "[Rule IMPLANT_2_v8\r\n{\r\nstrings:\r\n$STR1 = {8b??448944246041f7e08bf2b8abaaaaaac1ee0289742458448b??41f7??\r\n8bcaba03000000c1e902890c248d044903c0442b??4489??24043bf10f83??0100008d1c764c896c24}\r\n$STR2 = {c541f7e0????????????8d0c5203c92bc18bc8??8d04??460fb60c??\r\n4002c7418d48ff4432c8b8abaaaaaaf7e1c1ea028d045203c02bc8b8abaaaaaa46220c??\r\n418d48fef7e1c1ea028d045203c02bc88bc1}\r\n$STR3 = {41f7e0c1ea02418bc08d0c5203c92bc18bc8428d041b460fb60c??\r\n4002c6418d48ff4432c8b8abaaaaaaf7e1c1ea028d045203c02bc8b8abaaaaaa}\r\n$STR4 = {46220c??\r\n418d48fef7e1c1ea028d04528b54245803c02bc88bc10fb64fff420fb604??410fafcbc1}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and any of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f3c25-82b0-4461-8be2-46f202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect CORESHELL/SOURFACE, referred to as IMPLANT 2 with rule naming convention.",
"pattern": "[Rule IMPLANT_2_v7\r\n{\r\nstrings:\r\n$STR1 = {0a0fafd833d28d41fff775??\r\n8b450cc1eb078d7901321c0233d28bc7895de4bb06000000f7f38b450c8d59fe025dff321c028bc133d2b90\r\n6000000f7f18b450c8bcf221c028b45e48b55e008d41fe83f8068b45??72??8b4d??8b}\r\n$STR2 = {8d9b000000000fb65c0afe8d34028b45??\r\n03c20fafd88d7a018d42ff33d2f775??c1eb078bc7321c0a33d2b906000000f7f18a4d??\r\n8b450c80e902024d??320c028b45??33d2f775??\r\n8b450c220c028bd702d9301e8b4d0c8d42fe3b45e88b45??8955??72a05f5e5b8be55dc20800}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and any of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3beb-b744-40ee-9af1-44a002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect CORESHELL/SOURFACE, referred to as IMPLANT 2 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_2_v6\r\n{\r\nstrings:\r\n$STR1 = { e8 [2] ff ff 8b [0-6] 00 04 00 00 7F ?? [1-2] 00 02 00 00 7F ?? [1-2] 00 01 00 00 7F ??\r\n[1-2] 80 00 00 00 7F ?? 83 ?? 40 7F}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3bd2-7dd4-4434-b560-4f5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect CORESHELL/SOURFACE, referred to as IMPLANT 2 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_2_v5\r\n{\r\nstrings:\r\n$STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00 33 C9 ff 15 [2] 00 00 ff 15\r\n[2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 00 00 00 48 8B CC E8}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3bbb-5324-4dd1-9c84-451102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect CORESHELL/SOURFACE, referred to as IMPLANT 2 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_2_v4\r\n{\r\nstrings:\r\n$STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53 56 57 A1 [4] 31 45 F8 33\r\nC5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68 [4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3b9a-1ebc-472f-84e8-4ff502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[Rule IMPLANT_2_v3\r\n{\r\nstrings:\r\n$STR1 = {c1eb078d??01321c??33d2}\r\n$STR2 = {2b??83??060f83??000000eb0233}\r\n$STR3 = {89????89????8955??8945??3b??0f83??0000008d????8d????fe}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and any of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3a65-2a8c-4da8-9f60-463c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect CORESHELL/SOURFACE, referred to as IMPLANT 2 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_2_v2\r\n{\r\nstrings:\r\n$STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2]\r\n4? [1-2] 01}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3a3d-3834-47da-a7f5-4c4302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect CORESHELL/SOURFACE, referred to as IMPLANT 2 with rule naming convention.",
|
||
|
"pattern": "[Rule IMPLANT_2_v1\r\n{\r\nstrings:\r\n$STR1 = { 8d ?? fa [2] e8 [2] FF FF C7 [2-5] 00 00 00 00 8D [2-5] 5? 6a 00 6a 01}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3a12-2cf4-43b7-baf6-44fb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"Downrage_HTTP_C2\";\r\nflow:established,to_server; content:\"POST\"; http_method; content:\"=\"; content:\"=|20|HTTP/1.1\";\r\nfast_pattern; distance:19; within:10; pcre:\"/^\\/(?:[a-zA-Z0-9]{2,6}\\/){2,5}[a-zA-Z0-9]{1,7}\\.[A-Za-z0-\r\n9\\+\\-\\_\\.]+\\/\\?[a-zA-Z0-9]{1,3}=[a-zA-Z0-9+\\/]{19}=$/I\";)]",
|
||
|
"pattern_type": "snort",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"snort\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f39aa-9070-4a20-aa21-4a4e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[Rule IMPLANT_1_v7\r\n{\r\nstrings:\r\n$XOR_FUNCT = { C7 45 ?? ?? ?? 00 10 8B 0E 6A ?? FF 75 ?? E8 ?? ?? FF FF }\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f398e-d69c-4d8f-9d7f-4a8b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[Rule IMPLANT_1_v6\r\n{\r\nstrings:\r\n$XORopcodes_eax = { 35 (22 07 15 0e|56 d7 a7 0a) }\r\n$XORopcodes_others = { 81 (f1|f2|f3|f4|f5|f6|f7) (22 07 15 0e|56 d7 a7 0a) }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == \r\n0x46445025) and any of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f38be-03a4-44e0-99e6-4e2402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[Rule IMPLANT_1_v5\r\n{\r\nstrings:\r\n$drivername = { 6A 30 ?? 6A 33 [5] 6A 37 [5] 6A 32 [5] 6A 31 [5] 6A 77 [5] 6A 69 [5] 6A 6E [5] \r\n6A 2E [5] 6A 73 [5\r\n-\r\n9] 6A 79 [5] 6A 73 }\r\n$mutexname = { C7 45 ?? 2F 2F 64 66 C7 45 ?? 63 30 31 65 C7 45 ?? 6C 6C 36 7A C7 45 ?? 73 71 \r\n33 2D C7 45 ?? 75 66 68 68 66 C7 45 ?? 66 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == \r\n0x464\r\n45025 or uint32(1) == 0x6674725C) and any of them }]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3870-9704-45be-b9e9-40f902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[Rule IMPLANT_1_v4\r\n{\r\nstrings:\r\n$XOR_LOOP = { 8B 45 FC 8D 0C 06 33 D2 6A 0B 8B C6 5B F7 F3 8A 82 ?? ?? ?? ?? 32 04 0F 46 \r\n88 01 3B 75 0C 7C E0 }\r\ncondi\r\ntion:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f3845-0bb4-490f-99d9-452b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[Rule IMPLANT_1_v3\r\n{\r\nstrings:\r\n$rol7encode = { 0F B7 C9 C1 C0 07 83 C2 02 33 C1 0F B7 0A 47 66 85 C9 75 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or \r\nuint16(0) == 0xC3D4 or uint32(0) == \r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f37f4-9fb4-4a54-a86c-4f1902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[Rule IMPLANT_1_v2\r\n{\r\nstrings:\r\n$STR1 = {83 3E 00 53 74 4F 8B 46 04 85 C0 74 48 83 C0 02 50 E8 ?? ?? 00 00 8B D8 59 85 DB 74 \r\n38 8B 4E 04 83 F9 FF 7E 21 57 }\r\n$STR2 = {55 8B EC 8B 45 08 3B 41 08 72 04 32 C0 EB 1B 8B 49 04 8B 04 81 80 78 19 01 75 0D \r\nFF 70 10 FF [5] 85 C0 74 \r\nE3 }\r\ncondition:\r\n(uint16(0) == 0x5A4D) and any of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--589f37a7-5160-4c3a-a3b0-49d902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"description": "The following YARA rules detect Downrage, referred to as IMPLANT 1 with rule naming convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics with DOWNRAGE.",
|
||
|
"pattern": "[Rule IMPLANT_1_v1\r\n{\r\nstrings:\r\n$STR1 = {6A ?? E8 ?? ?? FF FF 59 85 C0 74 0B 8B C8 E8\r\n?? ?? FF FF 8B F0 EB 02 33 F6 8B CE \r\nE8 ?? ?? FF FF 85 F6 74 0E 8B CE E8 ?? ?? FF FF 56 E8 ?? ?? FF FF 59}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--589f366a-aad4-4d33-bc17-4a0002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"first_observed": "2017-02-13T16:57:52Z",
|
||
|
"last_observed": "2017-02-13T16:57:52Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"file--589f366a-aad4-4d33-bc17-4a0002de0b81",
|
||
|
"artifact--589f366a-aad4-4d33-bc17-4a0002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"attachment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"technical-report\"",
|
||
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "file",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "file--589f366a-aad4-4d33-bc17-4a0002de0b81",
|
||
|
"name": "AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf",
|
||
|
"content_ref": "artifact--589f366a-aad4-4d33-bc17-4a0002de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "artifact",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "artifact--589f366a-aad4-4d33-bc17-4a0002de0b81",
|
||
|
"payload_bin": "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
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d338-9ecc-4784-91fa-4793950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'title.xml.php.239978' AND file:hashes.SHA256 = 'd285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d337-bfcc-491c-8e96-42fa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'title.xml.php.239978' AND file:hashes.MD5 = 'fc45abdd5fb3ffa4d3799737b3f597f4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d335-82cc-4ee5-80a2-4d64950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'pclass.php' AND file:hashes.SHA256 = '1343c905a9c8b0360c0665efa6af588161fda76b9d09682aaf585df1851ca751']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d334-1798-48ab-9634-49ca950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'pclass.php' AND file:hashes.MD5 = 'f3ecf4c56f16d57b260b9cf6ec4519d6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d332-4a24-48ca-8328-4628950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'include.php' AND file:hashes.SHA256 = 'ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d331-0850-4c66-a628-485e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'include.php' AND file:hashes.MD5 = 'eddfe110da553a3dc721e0ad4ea1c95c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d32f-2404-45ca-830b-44d3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'pclass.php' AND file:hashes.SHA256 = '3bd682bb7870d5c8bc413cb4e0cc27e44b2358c8fc793b934c71b2a85b8169d7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d32d-93e0-4680-b943-42fd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'pclass.php' AND file:hashes.MD5 = 'e80f92faa5e11007f9ffea6df2297993']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d32c-484c-48b7-b097-492a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = '751925imgs.php' AND file:hashes.SHA256 = '9376e20164145d9589e43c39c29be3a07ecdfd9c5c3225a69f712dc0ef9d757f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d32a-4988-465f-a227-421c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = '751925imgs.php' AND file:hashes.MD5 = 'dc4594dbeafbc8edfa0ac5983b295d9b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d329-2d40-4699-979b-49ff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'mail.6.php' AND file:hashes.SHA256 = '20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d327-5168-4c0c-aa80-4a42950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'mail.6.php' AND file:hashes.MD5 = 'c3e23ef7f5e41796b80ca9e59990fe9c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d326-2148-4065-a82b-4aab950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'intro.php.suspected' AND file:hashes.SHA256 = 'da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1d324-ca20-4547-9b1c-42c3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:57:52.000Z",
|
||
|
"modified": "2017-02-13T16:57:52.000Z",
|
||
|
"pattern": "[file:name = 'intro.php.suspected' AND file:hashes.MD5 = 'bfcb50cffca601b33c285b9f54b64cb1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:57:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d323-1250-4050-9008-47e7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = '9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0.bin' AND file:hashes.SHA256 = '9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d321-d84c-4f3d-b737-4a0b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = '9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0.bin' AND file:hashes.MD5 = 'ae7e3e531494b201fbf6021066ddd188']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d320-7d20-40d1-928a-4ae6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = '404.php' AND file:hashes.SHA256 = '7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d31e-dfd8-4b43-abc2-4a19950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = '404.php' AND file:hashes.MD5 = 'a5e933d849367d623d1f2692b6691bbf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d31d-5a60-4b6e-bb58-41f6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'pas.php' AND file:hashes.SHA256 = '249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d31b-8bf4-4e5e-9028-4aed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'pas.php' AND file:hashes.MD5 = '93f512e2d9d00bf0bcf1e03c6898cb1e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d319-1078-41e7-b151-4c80950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'fhyge.rtf' AND file:hashes.SHA256 = 'ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d318-75c4-478b-b491-4169950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'fhyge.rtf' AND file:hashes.MD5 = '81f1af277010cb78755f08dfcc379ca6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d316-cf60-4ba7-a3fa-4775950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'default.php' AND file:hashes.SHA256 = '2d5afec034705d2dc398f01c100636d51eb446f459f1c2602512fd26e86368e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d315-5bb8-4bc5-9bf5-4e67950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'default.php' AND file:hashes.MD5 = '7fce89d5e3d59d8e849d55d604b70a6f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d313-0f6c-429a-90f6-4eb7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'models.php' AND file:hashes.SHA256 = '6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d312-ea80-4149-970d-456d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'models.php' AND file:hashes.MD5 = '78abd4cdccab5462a64ab4908b6056bd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d310-24e0-4b11-a84c-4d96950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'pas.php' AND file:hashes.SHA256 = 'bd7996752cac5d05ed9d1d4077ddf3abcb3d291321c274dbcf10600ab45ad4e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d30f-3934-4c8a-bebf-4b38950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'pas.php' AND file:hashes.MD5 = '70f93f4f17d0e46137718fe59591dafb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d30d-46a0-41b3-a942-4ca6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'newsfeeds.php' AND file:hashes.SHA256 = '449e7a7cbc393ae353e8e18b5c31d17bb13235d0c07e9e319137543608749602']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d30c-28b8-4fac-89c5-449b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'newsfeeds.php' AND file:hashes.MD5 = '66948b04173b523ca773c3073afb506d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d30a-dc60-4dbb-a20f-49fd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'Star Polk.exe' AND file:hashes.SHA256 = '9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d309-97d0-4d23-82b6-4011950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'Star Polk.exe' AND file:hashes.MD5 = '617ba99be8a7d0771628344d209e9d8a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d308-394c-487a-a0de-43b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'shpas.php' AND file:hashes.SHA256 = '7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d306-f9b8-491e-8a52-4b92950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'shpas.php' AND file:hashes.MD5 = '38f7149d4ec01509c3a36d4567125b18']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d305-9e48-40ef-bc6d-4d15950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'klarna.php' AND file:hashes.SHA256 = 'a0c00aca2f34c1f5ddcf36be2ccca4ce63b38436faf45f097d212c59d337a806']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d303-0960-4e5e-879f-4595950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'klarna.php' AND file:hashes.MD5 = '1ec7f06f1ee4fa7cecd17244eec24e07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d302-902c-4ab0-a27c-4a18950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'favico2n.ico' AND file:hashes.SHA256 = '0fd05095e5d2fa466bef897105dd943de29f6b585ba68a7bf58148767364e73e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d300-506c-42cb-a6d8-46f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'favico2n.ico' AND file:hashes.MD5 = '128cc715b25d0e55704ed9b4a3f2ef55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d2ff-4194-458e-8a62-4d70950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'es.php' AND file:hashes.SHA256 = '0576cd0e9406e642c473cfa9cb67da4bc4963e0fd6811bb09d328d71b36faa09']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1d2fd-61f4-4867-8784-41a8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:name = 'es.php' AND file:hashes.MD5 = '10b1306f322a590b9cef4d023854b850']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cbac-11dc-4580-928e-4bc2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = 'd285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cbac-92f8-484f-8efa-4428950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'fc45abdd5fb3ffa4d3799737b3f597f4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cbab-2724-4152-8cf9-4ddf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '1343c905a9c8b0360c0665efa6af588161fda76b9d09682aaf585df1851ca751']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cbaa-0238-4ddb-a08d-4198950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'f3ecf4c56f16d57b260b9cf6ec4519d6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba9-a294-40d9-a890-405c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = 'ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba9-31b4-4d8e-9a70-4f1d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'eddfe110da553a3dc721e0ad4ea1c95c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba8-83bc-4723-a7fb-4dc7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '3bd682bb7870d5c8bc413cb4e0cc27e44b2358c8fc793b934c71b2a85b8169d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba7-b964-4e52-9def-4492950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'e80f92faa5e11007f9ffea6df2297993']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba6-e23c-4128-bc40-4260950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '9376e20164145d9589e43c39c29be3a07ecdfd9c5c3225a69f712dc0ef9d757f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba6-df2c-48d9-a5fa-40f9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'dc4594dbeafbc8edfa0ac5983b295d9b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba5-91c0-4b1e-86d3-4be2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba4-0d00-4459-ab84-48a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'c3e23ef7f5e41796b80ca9e59990fe9c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba3-3444-4e2b-9640-4f99950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = 'da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba3-1cf8-4060-9f66-48a0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'bfcb50cffca601b33c285b9f54b64cb1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba2-0b20-4955-b56e-4def950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba1-9118-4b64-9e4c-4da0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'ae7e3e531494b201fbf6021066ddd188']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cba0-b7e4-4e4d-920f-4a85950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb9f-af1c-4455-aa94-4155950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = 'a5e933d849367d623d1f2692b6691bbf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb9f-6ac8-4e5a-b520-4a10950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb9e-d5e8-48b8-a557-4504950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '93f512e2d9d00bf0bcf1e03c6898cb1e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb9d-80c4-48b4-9ba9-445b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb9c-58f4-4935-af4c-4b0f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '8f154d23ac2071d7f179959aaba37ad5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb9b-3e94-481e-a9c1-490e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = 'ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb9b-52a0-4550-bcf3-47dd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '81f1af277010cb78755f08dfcc379ca6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb9a-7360-47d5-9919-4e7b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '2d5afec034705d2dc398f01c100636d51eb446f459f1c2602512fd26e86368e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb99-182c-4077-b385-455f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '7fce89d5e3d59d8e849d55d604b70a6f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb98-8c48-4a9c-8d2f-4fdd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb98-3ed0-40d5-82af-4391950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '78abd4cdccab5462a64ab4908b6056bd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb97-6f58-4466-9fc9-496b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = 'bd7996752cac5d05ed9d1d4077ddf3abcb3d291321c274dbcf10600ab45ad4e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb96-d290-4c23-addb-4e72950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '70f93f4f17d0e46137718fe59591dafb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb95-6a28-42a8-873c-47e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '449e7a7cbc393ae353e8e18b5c31d17bb13235d0c07e9e319137543608749602']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb94-1cd8-4ff4-94bf-4818950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '66948b04173b523ca773c3073afb506d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb94-1324-498e-8c1a-43b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb93-b7c0-4923-b96d-4df5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '617ba99be8a7d0771628344d209e9d8a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb92-0310-486f-b611-46e2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb91-54e8-40a5-b10c-4ee4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '38f7149d4ec01509c3a36d4567125b18']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb91-9664-48f6-9918-4dfd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = 'a0c00aca2f34c1f5ddcf36be2ccca4ce63b38436faf45f097d212c59d337a806']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb90-2d9c-4108-bea3-48e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '1ec7f06f1ee4fa7cecd17244eec24e07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb8f-545c-4d39-a9b2-490e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '0fd05095e5d2fa466bef897105dd943de29f6b585ba68a7bf58148767364e73e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb8e-6770-493f-85b7-42bb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '128cc715b25d0e55704ed9b4a3f2ef55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb8e-4a24-4ac8-9cdc-45d6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.SHA256 = '0576cd0e9406e642c473cfa9cb67da4bc4963e0fd6811bb09d328d71b36faa09']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1cb8d-4cf4-4731-ac65-459c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"pattern": "[file:hashes.MD5 = '10b1306f322a590b9cef4d023854b850']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a03847-d098-4642-b0d1-41d802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicators for IMPLANT 10",
"pattern": "[alert tcp any any -> any 80 (content:\".php? HTTP\"; content:\"=12&\"; distance:0;\r\npcre:\"/=12&[^&=]{1,7}?=2[^&=]{12,16}?==[^&=]{18,26}?==/\"; msg:\"CozyCarv2\"; sid:1234;)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a03833-b3e4-43b6-9dfb-43d502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicators for IMPLANT 10",
"pattern": "[alert tcp any any -> any 80 (content:\"=650&\";\r\npcre:\"/=11&[^&]{1,7}?=2[^&]{6,12}&[^&]{1,7}?=410&[^&]{1,7}?=650&[^&]{1,7}?=51\r\nHTTP\\/1\\.1/\"; msg:\"CozyCar\"; sid:1;)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a03819-172c-41de-9391-4db302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rule detects CozyDuke, CozyCar, CozyBear, referred to as IMPLANT 10 with rule naming convention.",
"pattern": "[Rule IMPLANT_10_v2\r\n{\r\nstrings:\r\n$MZ = \"MZ\"\r\n$xor = { 34 ?? 66 33 C1 48 FF C1 }\r\n$nop = { 66 66 66 66 66 66 0f 1f 84 00 00 00 00 00}\r\ncondition:\r\n$MZ at 0 and $xor and $nop\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a03801-e8b4-4694-8513-478902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rule detects CozyDuke, CozyCar, CozyBear, referred to as IMPLANT 10 with rule naming convention.",
"pattern": "[Rule IMPLANT_10_v1\r\n{\r\nstrings:\r\n$MZ = \"MZ\"\r\n$STR1 = {33 ?? 83 F2 ?? 81 e2 ff 00 00 00}\r\n$STR2 = {0f be 14 01 33 d0 ?? f2 [1-4] 81 e2 ff 00 00 00 66 89 [6] 40 83 f8 ?? 72}\r\ncondition:\r\n$MZ at 0 and ($STR1 or $STR2)\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a037d1-67b8-4751-a1c0-482102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect OnionDuke, referred to as IMPLANT 9 with rule naming convention.",
"pattern": "[Rule IMPLANT_9_v1\r\n{\r\nstrings:\r\n$STR1 = { 8B 03 8A 54 01 03 32 55 FF 41 88 54 39 FF 3B CE 72 EE }\r\n$STR2 = { 8B C8 83 E1 03 8A 54 19 08 8B 4D 08 32 54 01 04 40 88 54 38 FF 3B C6 72 E7 }\r\n$STR3 = { 8B 55 F8 8B C8 83 E1 03 8A 4C 11 08 8B 55 FC 32 0C 10 8B 17 88 4C 02 04 40 3B 06\r\n72 E3 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0)) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a037b7-2934-4fdb-b2fd-421402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicator for Implant 8 (false positive rate to be reviewed)",
"pattern": "[alert tcp any any -> any any (msg: \"evil_twitter_callback\"; content:\"GET /api/asyncTwitter.php\r\nHTTP/1.1\";)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0378d-7e28-4467-9a72-400202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicator for Implant 8",
"pattern": "[alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"MAL_REFERER\";\r\nflow:established,to_server; content:\"GET\"; http_method; content:\"&bvm=bv.81\"; fast_pattern;\r\nhttp_header; content:\",d.\"; distance:6; within:3; http_header; content:\"|0D 0A|\"; distance:3;within:2;\r\nhttp_header; content:!\"Cookie|3A 20|\"; http_header;\r\npcre:\"/https:\\/\\/www\\.google\\.com\\/url\\?sa=t&rct=j&q=&esrc=s&source=web&cd=(?:[0-\r\n9]|10|11)&ved=0C[A-L]{2}QFjA[A-L]&url=[^&]{1,512}&ei=[A-Za-z0-9]{20,22}&usg=[A-Za-z0-\r\n9_]{34}&bvm=bv\\.81[1-7]{6}\\,d\\.[A-Za-z0-9_]{3}\\x0d\\x0a/D\";sid:1234;rev:2;)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a03770-0c20-4e6d-a937-4dc202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect HAMMERTOSS / HammerDuke, referred to as IMPLANT 8 with rule naming convention.",
"pattern": "[Rule IMPLANT_8_v2\r\n{\r\nstrings:\r\n$DOTNET= \"mscorlib\" ascii\r\n$XOR = {61 20 AA 00 00 00 61}\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0375a-4750-4893-ac90-491402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect HAMMERTOSS / HammerDuke, referred to as IMPLANT 8 with rule naming convention.",
"pattern": "[rule IMPLANT_8_v1\r\n{\r\nstrings:\r\n$DOTNET = \"mscorlib\" ascii\r\n$REF_URL = \"https://www.google.com/url?sa=\" wide\r\n$REF_var_1 = \"&rct=\" wide\r\n$REF_var_2 = \"&q=&esrc=\" wide\r\n$REF_var_3 = \"&source=\" wide\r\n$REF_var_4 = \"&cd=\" wide\r\n$REF_var_5 = \"&ved=\" wide\r\n$REF_var_6 = \"&url=\" wide\r\n$REF_var_7 = \"&ei=\" wide\r\n$REF_var_8 = \"&usg=\" wide\r\n$REF_var_9 = \"&bvm=\" wide\r\n$REF_value_1 = \"QFj\" wide\r\n$REF_value_2 = \"bv.81\" wide\r\ncondition:\r\n(uint16(0) == 0x5A4D) and ($DOTNET) and ($REF_URL) and (3 of ($REF_var*)) and (1 of\r\n($REF_value*))\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4c24-d0c8-496b-87b0-0abc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicators for Implant 7",
"pattern": "[alert tcp any any -> any 80 (content:\".php?\";\r\npcre:\"/\\/(?:index|status|captha|json|css|ajax|js)\\.php\\?(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|\r\nim|code|search)=[a-z0-\r\n9]{0,26}\\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-\r\n9]{0,26}\\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-\r\n9]{0,26}\\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26} HTTP/\";\r\nmsg:\"Cache_DLL beacon GET 4 arg\"; sid:1234;)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4c0c-fad8-4f22-ba6c-4e6802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicators for Implant 7",
"pattern": "[alert tcp any any -> any 80 (content:\".php?\";\r\npcre:\"/\\/(?:index|status|captha|json|css|ajax|js)\\.php\\?(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|\r\nim|code|search)=[a-z0-9]{0,26}\\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-\r\n9]{0,26}\\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26} HTTP/\";\r\nmsg:\"Cache_DLL beacon GET 3 arg\"; sid:1234;)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4bec-c2fc-4333-9883-0aba02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicators for Implant 7",
"pattern": "[alert tcp any any -> any 80 (content:\".php?\";\r\npcre:\"/\\/(?:index|status|captha|json|css|ajax|js)\\.php\\?(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|\r\nim|code|search)=[a-z0-\r\n9]{0,26}\\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26} HTTP/\";\r\nmsg:\"Cache_DLL beacon GET 2 arg\"; sid:1234;)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4bd1-e658-4870-a51c-424a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect IMPLANT 7, with rule naming convention.",
"pattern": "[Rule IMPLANT_7_v1\r\n{\r\nstrings:\r\n$MZ = \"MZ\"\r\n$STR1 = { 8A 44 0A 03 32 C3 0F B6 C0 66 89 04 4E 41 3B CF 72 EE }\r\n$STR2 = { F3 0F 6F 04 08 66 0F EF C1 F3 0F 7F 04 11 83 C1 10 3B CF 72 EB }\r\ncondition:\r\n$MZ at 0 and ($STR1 or $STR2)\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4b8c-eca0-481c-9661-47b202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect Sofacy, Sednit, EVILTOSS, referred to as IMPLANT 6 with rule naming convention.",
"pattern": "[Rule IMPLANT_6_v7\r\n{\r\nstrings:\r\n$STR1 = \"Init1\"\r\n$OPT1 = \"ServiceMain\"\r\n$OPT2 = \"netids\" nocase wide ascii\r\n$OPT3 = \"netui\" nocase wide ascii\r\n$OPT4 = \"svchost.exe\" wide ascii\r\n$OPT5 = \"network\" nocase wide ascii\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and $STR1 and 2 of ($OPT*)\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4b73-51fc-4a40-a675-4be602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect Sofacy, Sednit, EVILTOSS, referred to as IMPLANT 6 with rule naming convention.",
"pattern": "[Rule IMPLANT_6_v6\r\n{\r\nstrings:\r\n$Init1_fun = {68 10 27 00 00 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 6A FF 50 FF 15 ?? ?? ?? ?? 33 C0\r\nC3}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4b56-38f8-4906-904c-42e202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect Sofacy, Sednit, EVILTOSS, referred to as IMPLANT 6 with rule naming convention.",
"pattern": "[Rule IMPLANT_6_v5\r\n{\r\nstrings:\r\n$STR1 = { 83 EC 18 8B 4C 24 24 B8 AB AA AA AA F7 E1 8B 44 24 20 53 55 8B EA 8D 14 08\r\nB8 AB AA AA AA 89 54 24 1C F7 E2 56 8B F2 C1 ED 02 8B DD 57 8B 7C 24 38 89 6C 24 1C C1 EE\r\n02 3B DE 89 5C 24 18 89 74 24 20 0F 83 CF 00 00 00 8D 14 5B 8D 44 12 FE 89 44 24 10 3B DD 0F 85\r\nCF 00 00 00 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA 83 F9 06 89 4C 24 38 0F 83 86 00 00 00 8A C3\r\nB2 06 F6 EA 8B 54 24 10 88 44 24 30 8B 44 24 2C 8D 71 02 03 D0 89 54 24 14 8B 54 24 10 33 C0 8A\r\n44 37 FE 03 D6 8B D8 8D 46 FF 0F AF DA 33 D2 BD 06 00 00 00 F7 F5 C1 EB 07 8A 04 3A 33 D2 32\r\nD8 8D 46 01 F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B 44 24\r\n14 02 D9 8A 0C 30 32 CB 88 0C 30 8B 4C 24 38 41 46 83 FE 08 89 4C 24 38 72 A1 8B 5C 24 18 8B 6C\r\n24 1C 8B 74 24 20 8B 4C 24 10 43 83 C1 06 3B DE 89 4C 24 10 8B 4C 24 34 89 5C 24 18 0F 82 3C FF\r\nFF FF 3B DD 75 1A 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA EB 0D 33 C9 89 4C 24 38 E9 40 FF FF\r\nFF 33 C9 8B 44 24 24 33 D2 BE 06 00 00 00 89 4C 24 38 F7 F6 3B CA 89 54 24 24 0F 83 95 00 00 00\r\n8A C3 B2 06 F6 EA 8D 1C 5B 88 44 24 30 8B 44 24 2C 8D 71 02 D1 E3 89 5C 24 34 8D 54 03 FE 89\r\n54 24 14 EB 04 8B 5C 24 34 33 C0 BD 06 00 00 00 8A 44 3E FE 8B D0 8D 44 1E FE 0F AF D0 C1 EA\r\n07 89 54 24 2C 8D 46 FF 33 D2 BB 06 00 00 00 F7 F3 8B 5C 24 2C 8A 04 3A 33 D2 32 D8 8D 46 01\r\nF7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B 44 24 14 02 D9 8A\r\n0C 06 32 CB 88 0C 06 8B 4C 24 38 8B 44 24 24 41 46 3B C8 89 4C 24 38 72 8F 5F 5E 5D 5B 83 C4 18\r\nC2 10 00 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4b44-221c-43b4-8c4c-0abc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect Sofacy, Sednit, EVILTOSS, referred to as IMPLANT 6 with rule naming convention.",
"pattern": "[Rule IMPLANT_6_v4\r\n{\r\nstrings:\r\n$ASM = {53 5? 5? [6-15] ff d? 8b ?? b? a0 86 01 00 [7-13] ff d? ?b [6-10] c0 [0-1] c3}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4b26-1e48-4a14-b2ba-488502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect Sofacy, Sednit, EVILTOSS, referred to as IMPLANT 6 with rule naming convention.",
"pattern": "[Rule IMPLANT_6_v3\r\n{\r\nstrings:\r\n$deob_func = { 8D 46 01 02 D1 83 E0 07 8A 04 38 F6 EA 8B D6 83 E2 07 0A 04 3A 33 D2 8A 54\r\n37 FE 03 D3 03 D1 D3 EA 32 C2 8D 56 FF 83 E2 07 8A 1C 3A 8A 14 2E 32 C3 32 D0 41 88 14 2E 46\r\n83 FE 0A 7C ?? }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4ad4-e914-429d-8a48-0abc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect Sofacy, Sednit, EVILTOSS, referred to as IMPLANT 6 with rule naming convention.",
"pattern": "[Rule IMPLANT_6_v2\r\n{\r\nstrings:\r\n$obf_func = { 8B 45 F8 6A 07 03 C7 33 D2 89 45 E8 8D 47 01 5B 02 4D 0F F7 F3 6A 07 8A 04 32\r\n33 D2 F6 E9 8A C8 8B C7 F7 F3 8A 44 3E FE 02 45 FC 02 0C 32 B2 03 F6 EA 8A D8 8D 47 FF 33 D2\r\n5F F7 F7 02 5D 14 8B 45 E8 8B 7D F4 C0 E3 06 02 1C 32 32 CB 30 08 8B 4D 14 41 47 83 FF 09 89 4D\r\n14 89 7D F4 72 A1 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4ab2-c5a0-4e61-b37e-4c7502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect Sofacy, Sednit, EVILTOSS, referred to as IMPLANT 6 with rule naming convention.",
"pattern": "[Rule IMPLANT_6_v1\r\n{\r\nstrings:\r\n$STR1 = \"dll.dll\" wide ascii\r\n$STR2 = \"Init1\" wide ascii\r\n$STR3 = \"netui.dll\" wide ascii\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) ==\r\n0x46445025 or uint32(1) == 0x6674725C) and all of them }]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4a32-f09c-4bee-94c2-44c002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicators for Implant 5",
"pattern": "[alert tcp any any -> any 443 (msg:\"X Tunnel_UPSTREAM_CONNECTION_EVENT\";\r\nflow:established,to_server; stream_size:either,=,20; content:\"|02 00 00 10|\"; depth:4;)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4a15-862c-42da-b3ba-416102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "Network Indicators for Implant 5",
"pattern": "[alert tcp any any -> any [$HTTP_PORTS,44300] (msg:\"X Tunnel_HTTP_CONNECT_HANDSHAKE\";\r\nflow:established,to_server; dsize:4; content:\"|00 00 00|\"; offset:1; depth:3; byte_test:1,<,96,0;\r\ncontent:!\"HTTP\";)]",
"pattern_type": "snort",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f49fc-4fb0-4739-851e-440202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect X-Tunnel, referred to as IMPLANT 5 with rule naming convention.",
"pattern": "[Rule IMPLANT_5_v4\r\n{\r\nstrings:\r\n$FBKEY1 = { 987AB999FE0924A2DF0A412B14E26093746FCDF9BA31DC05536892C33B116AD3 }\r\n$FBKEY2 = { 8B236C892D902B0C9A6D37AE4F9842C3070FBDC14099C6930158563C6AC00FF5 }\r\n$FBKEY3 = { E47B7F110CAA1DA617545567EC972AF3A6E7B4E6807B7981D3CFBD3D8FCC3373 }\r\n$FBKEY4 = { 48B284545CA1FA74F64FDBE2E605D68CED8A726D05EBEFD9BAAC164A7949BDC1 }\r\n$FBKEY5 = { FB421558E30FCCD95FA7BC45AC92D2991C44072230F6FBEAA211341B5BF2DC56 }\r\ncondition:\r\nall of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--589f4956-b520-4647-a905-0abc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:57:52.000Z",
"modified": "2017-02-13T16:57:52.000Z",
"description": "The following YARA rules detect X-Tunnel, referred to as IMPLANT 5 with rule naming convention.",
"pattern": "[Rule IMPLANT_5_v3\r\n{\r\nstrings:\r\n$BYTES1 = { 0F AF C0 6? C0 07 00 00 00 2D 01 00 00 00 0F AF ?? 39 ?8 }\r\n$BYTES2 = { 0F AF C0 6? C0 07 48 0F AF ?? 39 ?8 }\r\ncondition:\r\nany of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-13T16:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1e5f2-5a5c-48d4-aa6b-418b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:30.000Z",
"modified": "2017-02-13T16:59:30.000Z",
"description": "- Xchecked via VT: 0576cd0e9406e642c473cfa9cb67da4bc4963e0fd6811bb09d328d71b36faa09",
"pattern": "[file:hashes.SHA1 = 'eac98f414abd9e6a39ce96f5547284c371a30a74']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:59:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a1e5f3-0f24-4532-b723-4d6402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:31.000Z",
"modified": "2017-02-13T16:59:31.000Z",
"first_observed": "2017-02-13T16:59:31Z",
"last_observed": "2017-02-13T16:59:31Z",
"number_observed": 1,
"object_refs": [
"url--58a1e5f3-0f24-4532-b723-4d6402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a1e5f3-0f24-4532-b723-4d6402de0b81",
"value": "https://www.virustotal.com/file/0576cd0e9406e642c473cfa9cb67da4bc4963e0fd6811bb09d328d71b36faa09/analysis/1484202427/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1e5f5-8a78-42d6-b4c8-4a0b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:33.000Z",
"modified": "2017-02-13T16:59:33.000Z",
"description": "- Xchecked via VT: 0fd05095e5d2fa466bef897105dd943de29f6b585ba68a7bf58148767364e73e",
"pattern": "[file:hashes.SHA1 = '93c3607147e24396cc8f508c21ce8ab53f9a0176']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:59:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a1e5f6-fb94-45ff-9e92-4f8c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:34.000Z",
"modified": "2017-02-13T16:59:34.000Z",
"first_observed": "2017-02-13T16:59:34Z",
"last_observed": "2017-02-13T16:59:34Z",
"number_observed": 1,
"object_refs": [
"url--58a1e5f6-fb94-45ff-9e92-4f8c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a1e5f6-fb94-45ff-9e92-4f8c02de0b81",
"value": "https://www.virustotal.com/file/0fd05095e5d2fa466bef897105dd943de29f6b585ba68a7bf58148767364e73e/analysis/1486038815/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1e5f8-4698-444c-9e2c-47bd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:36.000Z",
"modified": "2017-02-13T16:59:36.000Z",
"description": "- Xchecked via VT: a0c00aca2f34c1f5ddcf36be2ccca4ce63b38436faf45f097d212c59d337a806",
"pattern": "[file:hashes.SHA1 = 'ae167bca0863cfccba9cc9cf5e3cafce6fa6b92c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:59:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a1e5f9-e418-445f-a1c4-4a2e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:37.000Z",
"modified": "2017-02-13T16:59:37.000Z",
"first_observed": "2017-02-13T16:59:37Z",
"last_observed": "2017-02-13T16:59:37Z",
"number_observed": 1,
"object_refs": [
"url--58a1e5f9-e418-445f-a1c4-4a2e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a1e5f9-e418-445f-a1c4-4a2e02de0b81",
"value": "https://www.virustotal.com/file/a0c00aca2f34c1f5ddcf36be2ccca4ce63b38436faf45f097d212c59d337a806/analysis/1483670261/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1e5fb-4a0c-4bd2-8137-437502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:39.000Z",
"modified": "2017-02-13T16:59:39.000Z",
"description": "- Xchecked via VT: 7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf",
"pattern": "[file:hashes.SHA1 = 'd1828dce4bf476ca07629e1613dd77c3346e2c5a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:59:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a1e5fc-6984-4532-b55a-4e7a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:40.000Z",
"modified": "2017-02-13T16:59:40.000Z",
"first_observed": "2017-02-13T16:59:40Z",
"last_observed": "2017-02-13T16:59:40Z",
"number_observed": 1,
"object_refs": [
"url--58a1e5fc-6984-4532-b55a-4e7a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a1e5fc-6984-4532-b55a-4e7a02de0b81",
"value": "https://www.virustotal.com/file/7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf/analysis/1484289086/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1e5fe-5d1c-4db9-9dab-428c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:42.000Z",
"modified": "2017-02-13T16:59:42.000Z",
"description": "- Xchecked via VT: 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5",
"pattern": "[file:hashes.SHA1 = '7cefb021fb30f985b427b584be9c16e364836739']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:59:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a1e5ff-9624-49f8-ab48-451002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:43.000Z",
"modified": "2017-02-13T16:59:43.000Z",
"first_observed": "2017-02-13T16:59:43Z",
"last_observed": "2017-02-13T16:59:43Z",
"number_observed": 1,
"object_refs": [
"url--58a1e5ff-9624-49f8-ab48-451002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a1e5ff-9624-49f8-ab48-451002de0b81",
"value": "https://www.virustotal.com/file/9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5/analysis/1485078058/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1e601-e0fc-48bc-a142-490a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:45.000Z",
"modified": "2017-02-13T16:59:45.000Z",
"description": "- Xchecked via VT: 449e7a7cbc393ae353e8e18b5c31d17bb13235d0c07e9e319137543608749602",
"pattern": "[file:hashes.SHA1 = 'e1ad80b0769b8b9dfb357a410af948127aabda97']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:59:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a1e602-63b0-431a-90c4-4a9402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:46.000Z",
"modified": "2017-02-13T16:59:46.000Z",
"first_observed": "2017-02-13T16:59:46Z",
"last_observed": "2017-02-13T16:59:46Z",
"number_observed": 1,
"object_refs": [
"url--58a1e602-63b0-431a-90c4-4a9402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a1e602-63b0-431a-90c4-4a9402de0b81",
"value": "https://www.virustotal.com/file/449e7a7cbc393ae353e8e18b5c31d17bb13235d0c07e9e319137543608749602/analysis/1483670417/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1e604-3b3c-488b-a2cf-45e202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:48.000Z",
"modified": "2017-02-13T16:59:48.000Z",
"description": "- Xchecked via VT: bd7996752cac5d05ed9d1d4077ddf3abcb3d291321c274dbcf10600ab45ad4e4",
"pattern": "[file:hashes.SHA1 = '1e49a68c72ef40e8c333007a7e7f56de1b29c842']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:59:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a1e605-c994-438a-a775-4c6602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:49.000Z",
"modified": "2017-02-13T16:59:49.000Z",
"first_observed": "2017-02-13T16:59:49Z",
"last_observed": "2017-02-13T16:59:49Z",
"number_observed": 1,
"object_refs": [
"url--58a1e605-c994-438a-a775-4c6602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a1e605-c994-438a-a775-4c6602de0b81",
"value": "https://www.virustotal.com/file/bd7996752cac5d05ed9d1d4077ddf3abcb3d291321c274dbcf10600ab45ad4e4/analysis/1483670280/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a1e607-1558-40e1-890f-477b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-13T16:59:51.000Z",
"modified": "2017-02-13T16:59:51.000Z",
"description": "- Xchecked via VT: 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46",
"pattern": "[file:hashes.SHA1 = '1a42bc32bdfeb468e6a98f9b69514adb7cc963ae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-13T16:59:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e608-61c0-4d01-aadf-45d402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:59:52.000Z",
|
||
|
"modified": "2017-02-13T16:59:52.000Z",
|
||
|
"first_observed": "2017-02-13T16:59:52Z",
|
||
|
"last_observed": "2017-02-13T16:59:52Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e608-61c0-4d01-aadf-45d402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e608-61c0-4d01-aadf-45d402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46/analysis/1483670204/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e60a-8f08-4b70-81e3-41bb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:59:54.000Z",
|
||
|
"modified": "2017-02-13T16:59:54.000Z",
|
||
|
"description": "- Xchecked via VT: 2d5afec034705d2dc398f01c100636d51eb446f459f1c2602512fd26e86368e4",
|
||
|
"pattern": "[file:hashes.SHA1 = 'a0a6978f7022f71ad977760f492704216318b5cd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:59:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e60b-b240-49bd-9acd-468102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:59:55.000Z",
|
||
|
"modified": "2017-02-13T16:59:55.000Z",
|
||
|
"first_observed": "2017-02-13T16:59:55Z",
|
||
|
"last_observed": "2017-02-13T16:59:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e60b-b240-49bd-9acd-468102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e60b-b240-49bd-9acd-468102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/2d5afec034705d2dc398f01c100636d51eb446f459f1c2602512fd26e86368e4/analysis/1483670270/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e60c-7410-4af9-a168-4e8002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:59:56.000Z",
|
||
|
"modified": "2017-02-13T16:59:56.000Z",
|
||
|
"description": "- Xchecked via VT: ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e",
|
||
|
"pattern": "[file:hashes.SHA1 = '9cb7716d83c0d06ab356bdfa52def1af64bc5210']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:59:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e60e-bfc4-48c8-9b3b-4a8202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:59:58.000Z",
|
||
|
"modified": "2017-02-13T16:59:58.000Z",
|
||
|
"first_observed": "2017-02-13T16:59:58Z",
|
||
|
"last_observed": "2017-02-13T16:59:58Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e60e-bfc4-48c8-9b3b-4a8202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e60e-bfc4-48c8-9b3b-4a8202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e/analysis/1484831782/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e60e-5210-46d8-8060-4a1602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T16:59:58.000Z",
|
||
|
"modified": "2017-02-13T16:59:58.000Z",
|
||
|
"description": "- Xchecked via VT: 55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641",
|
||
|
"pattern": "[file:hashes.SHA1 = '8ccaa941af229cf57a0a97327d99a46f989423f0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T16:59:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e610-e83c-4c44-981e-45c402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:00.000Z",
|
||
|
"modified": "2017-02-13T17:00:00.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:00Z",
|
||
|
"last_observed": "2017-02-13T17:00:00Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e610-e83c-4c44-981e-45c402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e610-e83c-4c44-981e-45c402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641/analysis/1484033875/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e612-b124-48b4-b43e-41e502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:02.000Z",
|
||
|
"modified": "2017-02-13T17:00:02.000Z",
|
||
|
"description": "- Xchecked via VT: 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b7c7446dc3c97909705899e3dcffc084081b5c9f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e613-1438-466e-92de-42bc02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:03.000Z",
|
||
|
"modified": "2017-02-13T17:00:03.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:03Z",
|
||
|
"last_observed": "2017-02-13T17:00:03Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e613-1438-466e-92de-42bc02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e613-1438-466e-92de-42bc02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e/analysis/1484046437/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e615-4528-4b0f-a63f-431102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:05.000Z",
|
||
|
"modified": "2017-02-13T17:00:05.000Z",
|
||
|
"description": "- Xchecked via VT: 7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b788dce411fe0e1e1b7b476184aa6bbd0f8e3e31']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e617-ee1c-497e-8daa-4e1b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:07.000Z",
|
||
|
"modified": "2017-02-13T17:00:07.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:07Z",
|
||
|
"last_observed": "2017-02-13T17:00:07Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e617-ee1c-497e-8daa-4e1b02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e617-ee1c-497e-8daa-4e1b02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/1483670442/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e617-9234-419f-8072-436c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:07.000Z",
|
||
|
"modified": "2017-02-13T17:00:07.000Z",
|
||
|
"description": "- Xchecked via VT: 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0",
|
||
|
"pattern": "[file:hashes.SHA1 = 'e9fb290ab3a57dd50f78596b3bb3d373f4391794']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e619-8d50-48c6-80b0-45db02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:09.000Z",
|
||
|
"modified": "2017-02-13T17:00:09.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:09Z",
|
||
|
"last_observed": "2017-02-13T17:00:09Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e619-8d50-48c6-80b0-45db02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e619-8d50-48c6-80b0-45db02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0/analysis/1484020983/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e61a-5e70-4d8b-ac5f-43ca02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:10.000Z",
|
||
|
"modified": "2017-02-13T17:00:10.000Z",
|
||
|
"description": "- Xchecked via VT: da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8",
|
||
|
"pattern": "[file:hashes.SHA1 = 'efcc0c18e10072b50deeca9592c76bc90f4d18ce']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e61c-ab14-411d-901f-4c0802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:12.000Z",
|
||
|
"modified": "2017-02-13T17:00:12.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:12Z",
|
||
|
"last_observed": "2017-02-13T17:00:12Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e61c-ab14-411d-901f-4c0802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e61c-ab14-411d-901f-4c0802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8/analysis/1486962430/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e61d-bb38-4a5f-929b-4c6c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:13.000Z",
|
||
|
"modified": "2017-02-13T17:00:13.000Z",
|
||
|
"description": "- Xchecked via VT: 20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239",
|
||
|
"pattern": "[file:hashes.SHA1 = '0a3f7e0d0729b648d7bb6839db13c97f0b741773']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e61f-a208-4892-b342-40e202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:15.000Z",
|
||
|
"modified": "2017-02-13T17:00:15.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:15Z",
|
||
|
"last_observed": "2017-02-13T17:00:15Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e61f-a208-4892-b342-40e202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e61f-a208-4892-b342-40e202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239/analysis/1485949067/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e621-066c-492d-bb0e-466402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:17.000Z",
|
||
|
"modified": "2017-02-13T17:00:17.000Z",
|
||
|
"description": "- Xchecked via VT: 9376e20164145d9589e43c39c29be3a07ecdfd9c5c3225a69f712dc0ef9d757f",
|
||
|
"pattern": "[file:hashes.SHA1 = '82c4d3753a8ee26f0468e79bf5d90ada04c612ea']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:17Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e623-de00-45eb-95cf-437602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:19.000Z",
|
||
|
"modified": "2017-02-13T17:00:19.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:19Z",
|
||
|
"last_observed": "2017-02-13T17:00:19Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e623-de00-45eb-95cf-437602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e623-de00-45eb-95cf-437602de0b81",
|
||
|
"value": "https://www.virustotal.com/file/9376e20164145d9589e43c39c29be3a07ecdfd9c5c3225a69f712dc0ef9d757f/analysis/1483670241/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e623-5544-4128-a077-4aeb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:19.000Z",
|
||
|
"modified": "2017-02-13T17:00:19.000Z",
|
||
|
"description": "- Xchecked via VT: 3bd682bb7870d5c8bc413cb4e0cc27e44b2358c8fc793b934c71b2a85b8169d7",
|
||
|
"pattern": "[file:hashes.SHA1 = '2c48e42c882b45861557ea1f139f3e8b31629c7c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:19Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e625-cb5c-4699-9324-4b9202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:21.000Z",
|
||
|
"modified": "2017-02-13T17:00:21.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:21Z",
|
||
|
"last_observed": "2017-02-13T17:00:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e625-cb5c-4699-9324-4b9202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e625-cb5c-4699-9324-4b9202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/3bd682bb7870d5c8bc413cb4e0cc27e44b2358c8fc793b934c71b2a85b8169d7/analysis/1483670297/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e626-4cb0-4be8-a4b9-4eac02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:22.000Z",
|
||
|
"modified": "2017-02-13T17:00:22.000Z",
|
||
|
"description": "- Xchecked via VT: ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975",
|
||
|
"pattern": "[file:hashes.SHA1 = '6b178cc9d630345356b9341613cd83bd588192e9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e628-1454-4e75-811f-4d4702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:24.000Z",
|
||
|
"modified": "2017-02-13T17:00:24.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:24Z",
|
||
|
"last_observed": "2017-02-13T17:00:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e628-1454-4e75-811f-4d4702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e628-1454-4e75-811f-4d4702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975/analysis/1483670232/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e628-7588-49fa-a07a-4d7a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:24.000Z",
|
||
|
"modified": "2017-02-13T17:00:24.000Z",
|
||
|
"description": "- Xchecked via VT: 1343c905a9c8b0360c0665efa6af588161fda76b9d09682aaf585df1851ca751",
|
||
|
"pattern": "[file:hashes.SHA1 = '18eda2d7b0d42462cdef1794ad26e21a52d79dc6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e62a-8f9c-463b-a6c7-41f902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:26.000Z",
|
||
|
"modified": "2017-02-13T17:00:26.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:26Z",
|
||
|
"last_observed": "2017-02-13T17:00:26Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e62a-8f9c-463b-a6c7-41f902de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e62a-8f9c-463b-a6c7-41f902de0b81",
|
||
|
"value": "https://www.virustotal.com/file/1343c905a9c8b0360c0665efa6af588161fda76b9d09682aaf585df1851ca751/analysis/1484010267/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a1e62c-6e54-4433-aacf-4a6602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:28.000Z",
|
||
|
"modified": "2017-02-13T17:00:28.000Z",
|
||
|
"description": "- Xchecked via VT: d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38",
|
||
|
"pattern": "[file:hashes.SHA1 = 'adf649354ff4d1812e7de745214362959e0174b1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-13T17:00:28Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58a1e62e-f904-4fff-9993-432b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T17:00:30.000Z",
|
||
|
"modified": "2017-02-13T17:00:30.000Z",
|
||
|
"first_observed": "2017-02-13T17:00:30Z",
|
||
|
"last_observed": "2017-02-13T17:00:30Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58a1e62e-f904-4fff-9993-432b02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58a1e62e-f904-4fff-9993-432b02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38/analysis/1486978343/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--58a2091a-e01c-48e9-8a62-a6e4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-13T19:29:30.000Z",
|
||
|
"modified": "2017-02-13T19:29:30.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "The Department of Homeland Security (DHS) National Cybersecurity and Communications\r\nIntegration Center (NCCIC) has collaborated with interagency partners and private-industry\r\nstakeholders to provide an Analytical Report (AR) with specific signatures and recommendations\r\nto detect and mitigate threats from GRIZZLY STEPPE actors."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b323-52c4-42bf-84df-4ccd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:34:59.000Z",
|
||
|
"modified": "2017-02-14T07:34:59.000Z",
|
||
|
"pattern": "[domain-name:value = 'private.directinvesting.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:34:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b324-b5a8-4c31-af7a-4a05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:35:00.000Z",
|
||
|
"modified": "2017-02-14T07:35:00.000Z",
|
||
|
"pattern": "[domain-name:value = 'cderlearn.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:35:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b325-97c0-4a87-9079-427e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:35:01.000Z",
|
||
|
"modified": "2017-02-14T07:35:01.000Z",
|
||
|
"pattern": "[domain-name:value = 'wilcarobbe.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:35:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b325-9b84-4ad5-bdaf-49bc950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:35:01.000Z",
|
||
|
"modified": "2017-02-14T07:35:01.000Z",
|
||
|
"pattern": "[domain-name:value = 'one2shoppee.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:35:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b326-0b9c-4de3-854f-4106950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:35:02.000Z",
|
||
|
"modified": "2017-02-14T07:35:02.000Z",
|
||
|
"pattern": "[domain-name:value = 'ritsoperrol.ru']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:35:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b327-1154-4ca4-b708-4c71950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:35:03.000Z",
|
||
|
"modified": "2017-02-14T07:35:03.000Z",
|
||
|
"pattern": "[domain-name:value = 'littjohnwilhap.ru']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:35:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b328-deb4-4464-93fe-4f56950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:35:04.000Z",
|
||
|
"modified": "2017-02-14T07:35:04.000Z",
|
||
|
"pattern": "[domain-name:value = 'insta.reduct.ru']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:35:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b328-eb74-448c-9e45-4a9b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:35:04.000Z",
|
||
|
"modified": "2017-02-14T07:35:04.000Z",
|
||
|
"pattern": "[domain-name:value = 'editprod.waterfilter.in.ua']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:35:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2b329-ff64-4044-aad6-4334950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T07:35:05.000Z",
|
||
|
"modified": "2017-02-14T07:35:05.000Z",
|
||
|
"pattern": "[url:value = 'mymodule.waterfilter.in.ua/system/logs/xtool.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-02-14T07:35:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58a2e1ca-0ff8-47ba-b4b4-448d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-02-14T10:54:02.000Z",
"modified": "2017-02-14T10:54:02.000Z",
"pattern": "[rule unidentified_malware\r\n{\r\nmeta:\r\nAuthor = \"US-CERT Code Analysis Team\"\r\nDate = 16JAN17\r\nIncident = 10105049\r\nFile = \"9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0\"\r\nMD5 = \"AE7E3E531494B201FBF6021066DDD188\"\r\nstrings:\r\n$my_string_one = { 8D 78 03 8A 65 FF 8D A4 24 00 00 00 00 8A 04 0F 32 C4 88 04 11 41 3B CE 72 F3 }\r\n$my_string_two = \"CryptAcquireCertificatePrivateKey\"\r\n$my_string_three = \"CertFreeCertificateContext\"\r\n$my_string_four = \"CertEnumCertificatesInStore\"\r\n$my_string_five = \"PFXImportCertStore\"\r\ncondition:\r\nall of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-14T10:54:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a2e44d-a7a4-4eec-9531-42a2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-14T11:04:44.000Z",
"modified": "2017-02-14T11:04:44.000Z",
"pattern": "[rule unidentified_malware_two\r\n{\r\nmeta:\r\nAuthor = \"US-CERT Code Analysis Team\"\r\nDate = 16JAN17\r\nIncident = 10105049\r\nFile = \"9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5\"\r\nMD5 = \"617BA99BE8A7D0771628344D209E9D8A\"\r\nstrings:\r\n$my_string_one = \"/zapoy/gate.php\"\r\n$my_string_two = { E3 40 FE 45 FD 0F B6 45 FD 0F B6 14 38 88 55 FF 00 55 FC 0F B6 45 FC 8A 14 38 88 55 FE 0F B6 45 FD 88 14 38\r\n0F B6 45 FC 8A 55 FF 88 14 38 8A 55 FF 02 55 FE 8A 14 3A 8B 45 F8 30 14 30 }\r\n$my_string_three = \"S:\\\\Lidstone\\\\renewing\\\\HA\\\\disable\\\\In.pdb\"\r\n$my_string_four = { 8B CF 0F AF CE 8B C6 99 2B C2 8B 55 08 D1 F8 03 C8 8B 45 FC 03 C2 89 45 10 8A 00 2B CB 32 C1 85 DB 74 07 }\r\n$my_string_five = \"fuckyou1\"\r\n$my_string_six = \"xtool.exe\"\r\ncondition:\r\n($my_string_one and $my_string_two) or ($my_string_three or $my_string_four) or ($my_string_five and $my_string_six)\r\n}]",
"pattern_type": "yara",
"valid_from": "2017-02-14T11:04:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}