600 lines
25 KiB
JSON
600 lines
25 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--57c8398d-2238-41df-bbc7-45b7950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:16.000Z",
|
||
|
"modified": "2016-09-01T14:35:16.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--57c8398d-2238-41df-bbc7-45b7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:16.000Z",
|
||
|
"modified": "2016-09-01T14:35:16.000Z",
|
||
|
"name": "Malware Posing as Human Rights Organizations and Commercial Software Targeting Iranians, Foreign Policy Institutions and Middle Eastern Countries (ExtremeDownloader and Strealer)",
|
||
|
"published": "2016-09-01T14:35:51Z",
|
||
|
"object_refs": [
|
||
|
"indicator--57c83a33-f6d4-4791-a524-47fe950d210f",
|
||
|
"indicator--57c83a33-53e8-4a85-88cb-4c30950d210f",
|
||
|
"indicator--57c83a34-7500-4033-a076-47f4950d210f",
|
||
|
"indicator--57c83a34-eb4c-4010-9c4f-432f950d210f",
|
||
|
"indicator--57c83a34-3e24-4416-8f90-4a25950d210f",
|
||
|
"indicator--57c83a35-0c04-4523-8f40-42bb950d210f",
|
||
|
"indicator--57c83a35-4ab4-49b0-80a3-43c3950d210f",
|
||
|
"indicator--57c83a36-7eb8-418f-8181-4bb4950d210f",
|
||
|
"indicator--57c83aa3-897c-4a04-ba98-435d950d210f",
|
||
|
"indicator--57c83aa4-42e4-40b0-a045-470c950d210f",
|
||
|
"indicator--57c83aa4-d7ac-4cb8-a9cb-4d31950d210f",
|
||
|
"indicator--57c83aa4-99b4-4d1a-9bbb-4542950d210f",
|
||
|
"observed-data--57c83bfb-4838-4a75-9522-41bc950d210f",
|
||
|
"url--57c83bfb-4838-4a75-9522-41bc950d210f",
|
||
|
"indicator--57c83ca4-d5bc-49b7-9778-48a102de0b81",
|
||
|
"indicator--57c83ca5-2308-4ce2-b870-4cc202de0b81",
|
||
|
"observed-data--57c83ca5-89ac-4e60-b7d0-4eda02de0b81",
|
||
|
"url--57c83ca5-89ac-4e60-b7d0-4eda02de0b81",
|
||
|
"indicator--57c83ca5-ec84-4e30-90f7-4f8d02de0b81",
|
||
|
"indicator--57c83ca5-f860-4991-b6ee-486302de0b81",
|
||
|
"observed-data--57c83ca5-971c-45a8-89ae-428d02de0b81",
|
||
|
"url--57c83ca5-971c-45a8-89ae-428d02de0b81",
|
||
|
"indicator--57c83ca6-be84-471d-bc23-428402de0b81",
|
||
|
"indicator--57c83ca6-d4e0-46d3-9a59-4e8702de0b81",
|
||
|
"observed-data--57c83ca6-ca38-4a27-805b-4e8702de0b81",
|
||
|
"url--57c83ca6-ca38-4a27-805b-4e8702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"circl:incident-classification=\"malware\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83a33-f6d4-4791-a524-47fe950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:29:34.000Z",
|
||
|
"modified": "2016-09-01T14:29:34.000Z",
|
||
|
"description": "Payloads",
|
||
|
"pattern": "[file:name = 'newlity.exe' AND file:hashes.SHA256 = 'a62dde31eecf650c2dd39eeda9daf8fd35b1dff5330e72035d1846579ea838dc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:29:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83a33-53e8-4a85-88cb-4c30950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:29:34.000Z",
|
||
|
"modified": "2016-09-01T14:29:34.000Z",
|
||
|
"description": "Payloads",
|
||
|
"pattern": "[file:name = 'private_chat.exe' AND file:hashes.SHA256 = '1a24714fd99030bd63804ab96fc2612f148a5f08d1c2845152c3a0e168600db9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:29:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83a34-7500-4033-a076-47f4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:29:34.000Z",
|
||
|
"modified": "2016-09-01T14:29:34.000Z",
|
||
|
"description": "Payloads",
|
||
|
"pattern": "[file:name = 'multiplay-register.exe' AND file:hashes.SHA256 = 'e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:29:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83a34-eb4c-4010-9c4f-432f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:29:34.000Z",
|
||
|
"modified": "2016-09-01T14:29:34.000Z",
|
||
|
"description": "Payloads",
|
||
|
"pattern": "[file:name = 'TeamSpeak.EXE' AND file:hashes.SHA256 = '13c462f6606c20d23796d6b937b0fa6887029dc68f2a3376cc3fa1e068a833e9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:29:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83a34-3e24-4416-8f90-4a25950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:29:52.000Z",
|
||
|
"modified": "2016-09-01T14:29:52.000Z",
|
||
|
"description": "Extreme downloader",
|
||
|
"pattern": "[file:name = 'dwm.exe' AND file:hashes.SHA256 = 'e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:29:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83a35-0c04-4523-8f40-42bb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:30:01.000Z",
|
||
|
"modified": "2016-09-01T14:30:01.000Z",
|
||
|
"description": "Dropper / Moreoriz",
|
||
|
"pattern": "[file:name = 'contask.exe' AND file:hashes.SHA256 = 'b0afef1ee97c8a9a7a7d4a83b5d8aab3a710062d9df98f909a3306c031e2cc21']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:30:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83a35-4ab4-49b0-80a3-43c3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:30:13.000Z",
|
||
|
"modified": "2016-09-01T14:30:13.000Z",
|
||
|
"description": "Strealer",
|
||
|
"pattern": "[file:name = 'mozilla.exe' AND file:hashes.SHA256 = '3a8995413b8e63dca766999c5a3220114e4ab4c446130c5bd7c852a618dd2fa7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:30:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83a36-7eb8-418f-8181-4bb4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:30:16.000Z",
|
||
|
"modified": "2016-09-01T14:30:16.000Z",
|
||
|
"description": "TightVNC",
|
||
|
"pattern": "[file:name = 'vn.exe' AND file:hashes.SHA256 = '1ba26bcd857944b0486a76928f41f74d91dad492b46ea93c4ca246a0503cdaae']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:30:16Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename|sha256\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83aa3-897c-4a04-ba98-435d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:26:43.000Z",
|
||
|
"modified": "2016-09-01T14:26:43.000Z",
|
||
|
"description": "C2",
|
||
|
"pattern": "[domain-name:value = 'apache-utility.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:26:43Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83aa4-42e4-40b0-a045-470c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:26:44.000Z",
|
||
|
"modified": "2016-09-01T14:26:44.000Z",
|
||
|
"description": "C2",
|
||
|
"pattern": "[domain-name:value = 'microsoft-hotfix.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:26:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83aa4-d7ac-4cb8-a9cb-4d31950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:26:44.000Z",
|
||
|
"modified": "2016-09-01T14:26:44.000Z",
|
||
|
"description": "C2",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.152.202.53']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:26:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83aa4-99b4-4d1a-9bbb-4542950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:26:44.000Z",
|
||
|
"modified": "2016-09-01T14:26:44.000Z",
|
||
|
"description": "C2",
|
||
|
"pattern": "[domain-name:value = 'update-finder.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:26:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57c83bfb-4838-4a75-9522-41bc950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:32:27.000Z",
|
||
|
"modified": "2016-09-01T14:32:27.000Z",
|
||
|
"first_observed": "2016-09-01T14:32:27Z",
|
||
|
"last_observed": "2016-09-01T14:32:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57c83bfb-4838-4a75-9522-41bc950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57c83bfb-4838-4a75-9522-41bc950d210f",
|
||
|
"value": "https://iranthreats.github.io/resources/human-rights-impersonation-malware/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83ca4-d5bc-49b7-9778-48a102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:16.000Z",
|
||
|
"modified": "2016-09-01T14:35:16.000Z",
|
||
|
"description": "TightVNC - Xchecked via VT: 1ba26bcd857944b0486a76928f41f74d91dad492b46ea93c4ca246a0503cdaae",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b89d8b5bd6f9bf1c1d61f0d3851dec9cf4216b9b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:35:16Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83ca5-2308-4ce2-b870-4cc202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:17.000Z",
|
||
|
"modified": "2016-09-01T14:35:17.000Z",
|
||
|
"description": "TightVNC - Xchecked via VT: 1ba26bcd857944b0486a76928f41f74d91dad492b46ea93c4ca246a0503cdaae",
|
||
|
"pattern": "[file:hashes.MD5 = 'a2ff24322c12558eb1f29aea3ca6f24a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:35:17Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57c83ca5-89ac-4e60-b7d0-4eda02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:17.000Z",
|
||
|
"modified": "2016-09-01T14:35:17.000Z",
|
||
|
"first_observed": "2016-09-01T14:35:17Z",
|
||
|
"last_observed": "2016-09-01T14:35:17Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57c83ca5-89ac-4e60-b7d0-4eda02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57c83ca5-89ac-4e60-b7d0-4eda02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/1ba26bcd857944b0486a76928f41f74d91dad492b46ea93c4ca246a0503cdaae/analysis/1452468082/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83ca5-ec84-4e30-90f7-4f8d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:17.000Z",
|
||
|
"modified": "2016-09-01T14:35:17.000Z",
|
||
|
"description": "Extreme downloader - Xchecked via VT: e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716",
|
||
|
"pattern": "[file:hashes.SHA1 = 'd5144c73f7e7c961bc2823cf002892eee70c4dbf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:35:17Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83ca5-f860-4991-b6ee-486302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:17.000Z",
|
||
|
"modified": "2016-09-01T14:35:17.000Z",
|
||
|
"description": "Extreme downloader - Xchecked via VT: e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716",
|
||
|
"pattern": "[file:hashes.MD5 = 'ccaf21e122ca9d2e2397a9e28eb4cc87']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:35:17Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57c83ca5-971c-45a8-89ae-428d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:17.000Z",
|
||
|
"modified": "2016-09-01T14:35:17.000Z",
|
||
|
"first_observed": "2016-09-01T14:35:17Z",
|
||
|
"last_observed": "2016-09-01T14:35:17Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57c83ca5-971c-45a8-89ae-428d02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57c83ca5-971c-45a8-89ae-428d02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e6cd39cf0af6a0b7d8129bf6400e671d5fd2a3797b92e0fe4a8e93f3de46b716/analysis/1470948989/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83ca6-be84-471d-bc23-428402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:18.000Z",
|
||
|
"modified": "2016-09-01T14:35:18.000Z",
|
||
|
"description": "Payloads - Xchecked via VT: 13c462f6606c20d23796d6b937b0fa6887029dc68f2a3376cc3fa1e068a833e9",
|
||
|
"pattern": "[file:hashes.SHA1 = 'f2179dbba6a4f132864d8edd38c26991ac21559d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:35:18Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57c83ca6-d4e0-46d3-9a59-4e8702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:18.000Z",
|
||
|
"modified": "2016-09-01T14:35:18.000Z",
|
||
|
"description": "Payloads - Xchecked via VT: 13c462f6606c20d23796d6b937b0fa6887029dc68f2a3376cc3fa1e068a833e9",
|
||
|
"pattern": "[file:hashes.MD5 = '77857588c41f778b7660d4e52634a4e3']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-09-01T14:35:18Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57c83ca6-ca38-4a27-805b-4e8702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-09-01T14:35:18.000Z",
|
||
|
"modified": "2016-09-01T14:35:18.000Z",
|
||
|
"first_observed": "2016-09-01T14:35:18Z",
|
||
|
"last_observed": "2016-09-01T14:35:18Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57c83ca6-ca38-4a27-805b-4e8702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57c83ca6-ca38-4a27-805b-4e8702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/13c462f6606c20d23796d6b937b0fa6887029dc68f2a3376cc3fa1e068a833e9/analysis/1470330553/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|