adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5b6edeb7-5088-4fe9-89ab-40e902de0b81.json

525 lines
186 KiB
JSON
Raw Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5b6edeb7-5088-4fe9-89ab-40e902de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T14:24:33.000Z",
"modified": "2018-08-11T14:24:33.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b6edeb7-5088-4fe9-89ab-40e902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T14:24:33.000Z",
"modified": "2018-08-11T14:24:33.000Z",
"name": "OSINT - Malware Analysis Report (AR18-221A) MAR-10135536-17 \u00e2\u20ac\u201c North Korean Trojan: KEYMARBLE- MAR-10135536.r17.v1",
"published": "2018-08-11T14:25:09Z",
"object_refs": [
"observed-data--7efc00cd-5af3-43af-b69c-847f4bc9abd2",
"file--7efc00cd-5af3-43af-b69c-847f4bc9abd2",
"artifact--7efc00cd-5af3-43af-b69c-847f4bc9abd2",
"x-misp-attribute--bfbbf011-8144-4495-98dd-bbbcf0649f53",
"indicator--df0f4d9a-90a4-4abf-a43d-60916a15f563",
"indicator--bbd1ad42-db78-4ebd-9957-74ae70de8b4b",
"indicator--bd1f34eb-d736-4b59-818f-64179291eccc",
"observed-data--5b6eee88-4620-4b7b-8619-62b802de0b81",
"url--5b6eee88-4620-4b7b-8619-62b802de0b81",
"x-misp-attribute--5b6ef008-dcb8-46bf-8395-f5ee02de0b81",
"indicator--5b6ef058-7ff4-456d-a57a-407502de0b81",
"observed-data--5b6ef19e-08f0-4065-9b61-494f02de0b81",
"url--5b6ef19e-08f0-4065-9b61-494f02de0b81",
"indicator--16f97fab-0abd-4e4f-92e8-bdd12f54787e",
"x-misp-object--9ea335b7-1fd3-480c-9291-68d0adba0ee4",
"indicator--493ad67c-c54a-406b-9c6b-270c30b4bf77",
"x-misp-object--5b649f38-b13f-4f8f-8883-738637a0d947",
"x-misp-object--ba2275da-03b3-457c-b216-9dfa3bc77834",
"x-misp-object--f7a867e5-1222-4fa2-87d2-9294cd9575b9",
"x-misp-object--47fa919a-9263-4d70-9c4c-7ceab62ae483"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"estimative-language:confidence-in-analytic-judgment=\"high\"",
"misp-galaxy:tool=\"KEYMARBLE\"",
"misp-galaxy:threat-actor=\"Lazarus Group\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--7efc00cd-5af3-43af-b69c-847f4bc9abd2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:51.000Z",
"modified": "2018-08-11T13:03:51.000Z",
"first_observed": "2018-08-11T13:03:51Z",
"last_observed": "2018-08-11T13:03:51Z",
"number_observed": 1,
"object_refs": [
"file--7efc00cd-5af3-43af-b69c-847f4bc9abd2",
"artifact--7efc00cd-5af3-43af-b69c-847f4bc9abd2"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--7efc00cd-5af3-43af-b69c-847f4bc9abd2",
"name": "Figure 1",
"content_ref": "artifact--7efc00cd-5af3-43af-b69c-847f4bc9abd2"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--7efc00cd-5af3-43af-b69c-847f4bc9abd2",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAAcgAAAJYCAYAAADmL3Y0AAAWcWlDQ1BJQ0MgUHJvZmlsZQAAeJyVmAVUVF+3wM+dZIYZaugeYuju7u4OERiG7i4DREUFpaQkFFBBREEpEVTCAJFGQhElRERRMRAElTf6f+L7vvW+9dY7a905v7vn3H33vfvss8++ALD3kSMjQ2EMAISFx0bbm+jzu7q586MXABzAABLQAQkyJSZSz9bWEvzH9nUSQL/6calfuv7zuP+1Mfr6xVAAgGyp7OMbQwmjcjP1GKBERscCAE+lygUTYiN/8QUqM0dTDaRy2y8O+IcHfrHPPzz3e4yjvQGVvwBAgyOTowMAwP26F388JYCqB8cPAIop3DcoHAAmRSprUwLJvgCwU/8DkmFhEb+4gsqiPv9DT8C/6PTZ1UkmB+zyP8/yu9EYBsVEhpKT/p+v4/9uYaFxf+4hQD1wgdGm9tReiPrOLoVEWOxyuI+1zR8O8v09/jcHxpk6/WFKjIH7H/YlG1r84bgQJ70/TI7+e21QrJnjH46OsN/V7xdj5LCr38/McteGUOtd9g8yNvvDyYGOLn84PsjZ+g/HhDhY/B1jsCuPjrPftdk/2nj3GcNi/tpGIf+1ITbQ0fSvba67Nvj6GRrtysOddsdHxurv6owMtd0d7xdqsiuPiXfYvTaWOsH+cDDZ3PavHtvd9wMsgREwBPzAAASBcOAHwgCZemZIPYsBkSCUepYU65f4a84Bg4jIpOiggMBYfj1qBPnxm4VTpCX55WXlVAH4FY//uPuz/e84g1iH/8qiqNerqwEAK/8rI0sA0C5JDYMrf2VCygDQlgLQsUiJi47/R4b49YMEWEAPmAEH4AWCQBRIAXmgDDSALtV6c2ADHIEb8AQUEEi1PxokgP3gEEgHmSAHFIAScA6cB5fAVdAIboBboBs8AI/ACJgAM2AOLIG3YA18BdsQBKEhPESAOCA+SBiSgOQhVUgbMoIsIXvIDfKGAqBwKA7aDx2GMqE8qASqhGqh69BNqBt6CI1CT6B5aAX6BG3B4DAcjBnGAyPBZGCqMD2YBcwRthcWAIuCJcOOwLJgxbAq2BVYK6wb9gg2AZuDvYWtwwGcFs4KJ8Kl4KpwA7gN3B3uD4+GH4RnwAvhVfB6eDu8Fz4On4Ovwr8hUAgCgh8hhdBAmCKcEBREFOIg4iSiBHEJ0Yq4hxhHzCPWED+ReCQ3UgKpjjRDuiIDkAnIdGQhshrZgryPnEAuIb+iUChWlAhKBWWKckMFo/ahTqLKUQ2oLtQoahG1jkajOdASaC20DZqMjkWno8+gr6A70WPoJfQmDS0NH408jTGNO004TRpNIc1lmjs0YzTLNNsYBowwRh1jg/HFJGGyMRcw7ZhhzBJmG8uIFcFqYR2xwdhD2GJsPfY+9hn2My0trQCtGq0dbRBtKm0x7TXaPtp52m84Jpw4zgDngYvDZeFqcF24J7jPeDyehNfFu+Nj8Vn4Wvxd/HP8Jh2BTprOjM6XLoWulK6VbozuPT2GXphej96TPpm+kL6Jfph+lQHDQGIwYCAzHGQoZbjJMMWwzkhglGO0YQxjPMl4mfEh42smNBOJyYjJl+kI03mmu0yLBDhBkGBAoBAOEy4Q7hOWmFHMIsxmzMHMmcxXmYeY11iYWBRZnFkSWUpZbrPMscJZSaxmrKGs2ayNrJOsW2w8bHpsfmwn2OrZxtg22LnYddn92DPYG9gn2Lc4+DmMOEI4cjlucMxyIjjFOe04EzjPct7nXOVi5tLgonBlcDVyPeWGcYtz23Pv4z7PPcC9zsPLY8ITyXOG5y7PKi8rry5vMG8+7x3eFT4CnzZfEF8+XyffG34Wfj3+UP5i/nv8a0RuoikxjlhJHCJuC4gIOAmkCTQIzApiBVUF/QXzBXsE14T4hKyE9gvVCT0VxgirCgcKFwn3Cm+QREgupGOkG6TXIuwiZiLJInUiz0TxojqiUaJVoo/FUGKqYiFi5WIj4jBxJfFA8VLxYQmYhLJEkES5xKgkUlJNMlyySnJKCielJxUvVSc1L80qbSmdJn1D+r2MkIy7TK5Mr8xPWSXZUNkLsjNyTHLmcmly7XKf5MXlKfKl8o8V8ArGCikKbQofFSUU/RTPKk4rEZSslI4p9Sj9UFZRjlauV15REVLxVilTmVJlVrVVPanap4ZU01dLUbul9k1dWT1WvVH9g4aURojGZY3XmiKafpoXNBe1BLTIWpVac9r82t7aFdpzOkQdsk6VzoKuoK6vbrXusp6YXrDeFb33+rL60fot+hsG6gYHDLoM4YYmhhmGQ0ZMRk5GJUbPjQWMA4zrjNdMlEz2mXSZIk0tTHNNp8x4zChmtWZr5irmB8zvWeAsHCxKLBYsxS2jLdutYFbmVqetnlkLW4db37ABNmY2p21mbUVso2w77FB2tnaldq/s5ez32/c6EBy8HC47fHXUd8x2nHESdYpz6nGmd/ZwrnXecDF0yXOZc5VxPeD6yI3TLcitzR3t7uxe7b6+x2hPwZ4lDyWPdI/JvSJ7E/c+9OT0DPW87UXvRfZq8kZ6u3hf9v5OtiFXkdd9zHzKfNYoBpQiyltfXd983xU/Lb88v2V/Lf88/9cBWgGnA1YCdQILA1eDDIJKgj4GmwafC94IsQmpCdkJdQltCKMJ8w67Gc4UHhJ+L4I3IjFiNFIiMj1yLko9qiBqLdoiujoGitkb0xbLTN34DMSJxh2Nm4/Xji+N30xwTmhKZEwMTxxIEk86kbScbJx8cR9iH2Vfz37i/kP75w/oHag8CB30OdiTIphyJGUp1ST10iHsoZBDg2myaXlpXw67HG4/wnMk9cjiUZOjdel06dHpU8c0jp07jjgedHzohMKJMyd+Zvhm9GfKZhZmfj9JOdl/Su5U8amdLP+soWzl7LM5qJzwnMlcndxLeYx5yXmLp61Ot+bz52fkfynwKnhYqFh4rghbFFc0V2xZ3HZG6EzOme8lgSUTpfqlDWXcZSfKNsp9y8fO6p6tP8dzLvPcVkVQxXSlSWVrFamq8DzqfPz5VxecL/ReVL1YW81ZnVn9oya8Zu6S/aV7tSq1tZe5L2fXweri6laueFwZuWp4ta1eqr6ygbUh8xq4FnftzXXv65ONFo09TapN9c3CzWUthJaMVqg1qXXtRuCNuTa3ttGb5jd72jXaWzqkO2puEW+V3ma5nX0He+fInZ3O5M71rsiu1e6A7sUer56Zu653H9+zuzd03+J+3wPjB3d79Xo7+7T6bj1Uf3izX7X/xiPlR60DSgMtg0qDLUPKQ63DKsNtI2oj7aOao3fGdMa6xw3HHzw2e/xownpidNJpcnrKY2pu2nf69ZPQJx+fxj/dnkl9hnyWMcswW/ic+3nVC7EXDXPKc7fnDecHFhwWZhYpi29fxrz8vnTkFf5V4TLfcu1r+de3VoxXRt7sebP0NvLt9mr6O8Z3Ze9F3zd/0P0wsOa6tvQx+uPOp5OfOT7XfFH80rNuu/78a9jX7Y2MTY7NS99Uv/VuuWwtbyd8R38v/iH2o/2nxc9nO2E7O5HkaPLvrQCcesD8/QH4VAMA3g0AwggAWLp/9sv/3eDUzQeM2jtD0tBbWDncEyGGRCM/olbQUzQvMPPYDRwST6KzoI9lqGCcItAya7MkszawLXOIc5K5iriHeZF8Svx+xCyBRsExofckmAidKL0YLXXl+ybxTnJealz6rkyL7AW5HPkDCsGKzkq6yuIqBJXvqktqA+rNGmWah7WCte11tHUl9fj0WQ0YDDFGCKMfxhsma6avzebMpy2GLO9b3bJusrlqe9mu1v6yw1XHBqfrzk0uTa7Nbs3uTXsaPa7vbfBs8Gr0biN3+wxQnvi+8vvivxNIG8QaLBAiEaoUphNuFuEU6ReVEH0qpjq2M246/mMiJok/WWWf9X7KgcSDGSlFqRWHKtPOHS4+kn00PX3fsajj/ifcM6wz9U4qnRLN4s5myqHNxeTRnmbIZy8gFkoUKRZrnTEqsSp1KttTTjkbci62IrUyp6ryfMuF/osvqr9coqnlvixTp3/F6WpAfWLD8WuF16s
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--bfbbf011-8144-4495-98dd-bbbcf0649f53",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:52.000Z",
"modified": "2018-08-11T13:03:52.000Z",
"labels": [
"misp:type=\"port\"",
"misp:category=\"Network activity\""
],
"x_misp_category": "Network activity",
"x_misp_type": "port",
"x_misp_value": "443"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--df0f4d9a-90a4-4abf-a43d-60916a15f563",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:52.000Z",
"modified": "2018-08-11T13:03:52.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.143.21.43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-11T13:03:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bbd1ad42-db78-4ebd-9957-74ae70de8b4b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:53.000Z",
"modified": "2018-08-11T13:03:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '100.43.153.60']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-11T13:03:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bd1f34eb-d736-4b59-818f-64179291eccc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:53.000Z",
"modified": "2018-08-11T13:03:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.194.160.59']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-11T13:03:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b6eee88-4620-4b7b-8619-62b802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T14:11:20.000Z",
"modified": "2018-08-11T14:11:20.000Z",
"first_observed": "2018-08-11T14:11:20Z",
"last_observed": "2018-08-11T14:11:20Z",
"number_observed": 1,
"object_refs": [
"url--5b6eee88-4620-4b7b-8619-62b802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b6eee88-4620-4b7b-8619-62b802de0b81",
"value": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.r17.v1.WHITE_stix.xml"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6ef008-dcb8-46bf-8395-f5ee02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T14:17:44.000Z",
"modified": "2018-08-11T14:17:44.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\r\n\r\nDHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\n\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.\r\n\r\nThis malware report contains analysis of one 32-bit Windows executable file, identified as a Remote Access Trojan (RAT). This malware is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6ef058-7ff4-456d-a57a-407502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T14:19:04.000Z",
"modified": "2018-08-11T14:19:04.000Z",
"pattern": "[rule rsa_modulus { meta: Author=\"NCCIC trusted 3rd party\" Incident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family = \"n/a\" description = \"n/a\" strings: $n = \"bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40\" condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them }]",
"pattern_type": "yara",
"valid_from": "2018-08-11T14:19:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b6ef19e-08f0-4065-9b61-494f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T14:24:30.000Z",
"modified": "2018-08-11T14:24:30.000Z",
"first_observed": "2018-08-11T14:24:30Z",
"last_observed": "2018-08-11T14:24:30Z",
"number_observed": 1,
"object_refs": [
"url--5b6ef19e-08f0-4065-9b61-494f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b6ef19e-08f0-4065-9b61-494f02de0b81",
"value": "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--16f97fab-0abd-4e4f-92e8-bdd12f54787e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:53.000Z",
"modified": "2018-08-11T13:03:53.000Z",
"pattern": "[file:hashes.MD5 = '704d491c155aad996f16377a35732cb4' AND file:hashes.SHA1 = 'd1410d073a6df8979712dd1b6122983f66d5bef8' AND file:hashes.SHA256 = 'e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-11T13:03:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9ea335b7-1fd3-480c-9291-68d0adba0ee4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T14:21:09.000Z",
"modified": "2018-08-11T14:21:09.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-10T21:54:59",
"category": "Other",
"uuid": "49c46869-358b-4022-af6e-2e868878d88f"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09/analysis/1533938099/",
"category": "External analysis",
"uuid": "2d41d2f3-9296-4a9c-8554-e2ecaa9835e4"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "52/66",
"category": "Other",
"uuid": "41c8f6e7-7be4-46ff-8c5b-15a3548be032"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--493ad67c-c54a-406b-9c6b-270c30b4bf77",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:04:01.000Z",
"modified": "2018-08-11T13:04:01.000Z",
"pattern": "[file:extensions.'windows-pebinary-ext'.number_of_sections = '4' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = '704d491c155aad996f16377a35732cb4' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = '704d491c155aad996f16377a35732cb4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-11T13:04:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"pe\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5b649f38-b13f-4f8f-8883-738637a0d947",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:55.000Z",
"modified": "2018-08-11T13:03:55.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "float",
"object_relation": "entropy",
"value": "0.627182",
"category": "Other",
"uuid": "87501f1e-8070-4c40-86e3-cc5e11549b48"
},
{
"type": "md5",
"object_relation": "md5",
"value": "47f6fac41465e01dda5eac297ab250db",
"category": "Payload delivery",
"to_ids": true,
"uuid": "901c4607-150d-45e4-82da-aa92cb0f71d4"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "4096",
"category": "Other",
"uuid": "f904826e-c965-4b92-9469-d54c1c4d8269"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ba2275da-03b3-457c-b216-9dfa3bc77834",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:56.000Z",
"modified": "2018-08-11T13:03:56.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "md5",
"object_relation": "md5",
"value": "30d34a8f4c29d7c2feb0f6e2b102b0a4",
"category": "Payload delivery",
"to_ids": true,
"uuid": "6e7b2cc6-71ae-44d0-87f1-4398cd9f103b"
},
{
"type": "float",
"object_relation": "entropy",
"value": "6.633409",
"category": "Other",
"uuid": "aeafa205-6148-41e4-9e4c-b72966d32f36"
},
{
"type": "text",
"object_relation": "name",
"value": ".text",
"category": "Other",
"uuid": "7ba5e83a-5400-4b58-9e83-2760aab368a9"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "94208",
"category": "Other",
"uuid": "99d04340-7c40-41f7-888c-cb53b9446aab"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f7a867e5-1222-4fa2-87d2-9294cd9575b9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:57.000Z",
"modified": "2018-08-11T13:03:57.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "md5",
"object_relation": "md5",
"value": "77f4a11d375f0f35b64a0c43fab947b8",
"category": "Payload delivery",
"to_ids": true,
"uuid": "63f56ca4-a8f2-492d-a257-61494657b7b0"
},
{
"type": "float",
"object_relation": "entropy",
"value": "5.054283",
"category": "Other",
"uuid": "c971ad13-75d9-4782-9283-e6c59125a6ee"
},
{
"type": "text",
"object_relation": "name",
"value": ".rdata",
"category": "Other",
"uuid": "6297c420-bea6-453b-8d20-630820579075"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "8192",
"category": "Other",
"uuid": "37b0366d-fb15-4803-90b5-76f45a7827b2"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--47fa919a-9263-4d70-9c4c-7ceab62ae483",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-11T13:03:57.000Z",
"modified": "2018-08-11T13:03:57.000Z",
"labels": [
"misp:name=\"pe-section\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "md5",
"object_relation": "md5",
"value": "d4364f6d2f55a37f0036e9e0dc2c6a2b",
"category": "Payload delivery",
"to_ids": true,
"uuid": "94e7e585-a25c-4a6e-9760-5818268ce552"
},
{
"type": "float",
"object_relation": "entropy",
"value": "4.41698",
"category": "Other",
"uuid": "30a5d30a-a4ff-46eb-989e-79aadec715f7"
},
{
"type": "text",
"object_relation": "name",
"value": ".data",
"category": "Other",
"uuid": "f8282f7e-dcfb-4c0c-b93d-3cd1e2df6048"
},
{
"type": "size-in-bytes",
"object_relation": "size-in-bytes",
"value": "20480",
"category": "Other",
"uuid": "f44bb8a1-0fee-45fc-b7f5-5d710418e703"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "pe-section"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink