{
"type": "bundle",
"id": "bundle--586ccbb7-3b08-4fdb-a034-4a8b950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:25:55.000Z",
"modified": "2017-01-04T10:25:55.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--586ccbb7-3b08-4fdb-a034-4a8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:25:55.000Z",
"modified": "2017-01-04T10:25:55.000Z",
"name": "OSINT - Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan",
"published": "2017-01-04T10:26:01Z",
"object_refs": [
"x-misp-attribute--586ccbd5-0478-4d13-bcce-43c1950d210f",
"observed-data--586ccbf5-f54c-4456-b041-475b950d210f",
"url--586ccbf5-f54c-4456-b041-475b950d210f",
"indicator--586ccc86-8444-4cb1-9cb2-4172950d210f",
"indicator--586ccca0-1a7c-4d38-a541-4cdf950d210f",
"indicator--586cccb9-bf7c-4b6b-97f2-41da950d210f",
"indicator--586cccc9-c97c-4291-be73-4956950d210f",
"indicator--586cccda-f028-4aef-b394-4eb4950d210f",
"indicator--586cccf0-fdc0-4761-b125-4e99950d210f",
"indicator--586ccd03-db28-4afc-afb0-4b86950d210f",
"indicator--586ccd18-bd60-4870-af14-423b950d210f",
"indicator--586ccd2f-3a24-4a6d-8585-4bc1950d210f",
"indicator--586ccd4f-af68-4426-b9f6-4dbd02de0b81",
"indicator--586ccd4f-0104-4bb0-86e9-45fe02de0b81",
"observed-data--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"url--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"indicator--586ccd51-847c-452f-be60-48a202de0b81",
"indicator--586ccd51-357c-44b1-adcc-4b4e02de0b81",
"observed-data--586ccd52-ad44-487c-8b58-428e02de0b81",
"url--586ccd52-ad44-487c-8b58-428e02de0b81",
"indicator--586ccd53-4f1c-418a-881a-4efc02de0b81",
"indicator--586ccd53-ad1c-4728-8817-41ed02de0b81",
"observed-data--586ccd54-4b88-4996-b19d-49c702de0b81",
"url--586ccd54-4b88-4996-b19d-49c702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Chthonic\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--586ccbd5-0478-4d13-bcce-43c1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:17:57.000Z",
"modified": "2017-01-04T10:17:57.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "While many email providers, clients, and anti-spam engines have become adept at detecting spam, malicious messages sent via high-profile, legitimate providers are much harder to catch. Threat actors continue to look for new ways to bypass these engines and, in the latest example of innovative approaches to malware distribution, have managed to co-opt PayPal services in a small campaign.\r\n\r\nProofpoint analysts recently noticed an interesting abuse of legitimate service in order to deliver malicious content. Specifically, we observed emails with the subject \u201cYou\u2019ve got a money request\u201d that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to \u201crequest money.\u201d We are not sure how much of this process was automated and how much manual, but the email volume was low."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586ccbf5-f54c-4456-b041-475b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:18:29.000Z",
"modified": "2017-01-04T10:18:29.000Z",
"first_observed": "2017-01-04T10:18:29Z",
"last_observed": "2017-01-04T10:18:29Z",
"number_observed": 1,
"object_refs": [
"url--586ccbf5-f54c-4456-b041-475b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586ccbf5-f54c-4456-b041-475b950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccc86-8444-4cb1-9cb2-4172950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:20:54.000Z",
"modified": "2017-01-04T10:20:54.000Z",
"description": "Chthonic 2nd Stage (AZORult)",
"pattern": "[file:hashes.SHA256 = '10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:20:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccca0-1a7c-4d38-a541-4cdf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:21:20.000Z",
"modified": "2017-01-04T10:21:20.000Z",
"description": "AZORult C&C",
"pattern": "[url:value = '91.215.154.202/AZORult/gate.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:21:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586cccb9-bf7c-4b6b-97f2-41da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:21:45.000Z",
"modified": "2017-01-04T10:21:45.000Z",
"description": "Chthonic 2nd Stage hosting",
"pattern": "[url:value = 'http://www.viscot.com/system/helper/bzr.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:21:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586cccc9-c97c-4291-be73-4956950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:22:01.000Z",
"modified": "2017-01-04T10:22:01.000Z",
"description": "Chthonic C&C",
"pattern": "[domain-name:value = 'kingstonevikte.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:22:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586cccda-f028-4aef-b394-4eb4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:22:18.000Z",
"modified": "2017-01-04T10:22:18.000Z",
"description": "flash.exe",
"pattern": "[file:hashes.SHA256 = '0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:22:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586cccf0-fdc0-4761-b125-4e99950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:22:40.000Z",
"modified": "2017-01-04T10:22:40.000Z",
"description": "JavaScript payload",
"pattern": "[url:value = 'http://wasingo.info/2/flash.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:22:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd03-db28-4afc-afb0-4b86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:22:59.000Z",
"modified": "2017-01-04T10:22:59.000Z",
"description": "paypalTransactionDetails.jpeg.js",
"pattern": "[file:hashes.SHA256 = '865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:22:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd18-bd60-4870-af14-423b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:23:20.000Z",
"modified": "2017-01-04T10:23:20.000Z",
"description": "URL after the goo.gl redirect (hosting the js)",
"pattern": "[url:value = 'http://katyaflash.com/pp.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:23:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd2f-3a24-4a6d-8585-4bc1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:23:43.000Z",
"modified": "2017-01-04T10:23:43.000Z",
"description": "URL in the email message",
"pattern": "[url:value = 'http://goo.gl/G7z1aS?paypal-nonauthtransaction.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:23:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd4f-af68-4426-b9f6-4dbd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:15.000Z",
"modified": "2017-01-04T10:24:15.000Z",
"description": "Chthonic 2nd Stage (AZORult) - Xchecked via VT: 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a",
"pattern": "[file:hashes.SHA1 = 'c887916b08543cb3e3f112add117a9dfa790b9ee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd4f-0104-4bb0-86e9-45fe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:15.000Z",
"modified": "2017-01-04T10:24:15.000Z",
"description": "Chthonic 2nd Stage (AZORult) - Xchecked via VT: 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a",
"pattern": "[file:hashes.MD5 = 'd7c19ba47401f69aafed551138ad7e7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:16.000Z",
"modified": "2017-01-04T10:24:16.000Z",
"first_observed": "2017-01-04T10:24:16Z",
"last_observed": "2017-01-04T10:24:16Z",
"number_observed": 1,
"object_refs": [
"url--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586ccd50-9fd8-4b0a-acd3-4b6d02de0b81",
"value": "https://www.virustotal.com/file/10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a/analysis/1476464665/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd51-847c-452f-be60-48a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:17.000Z",
"modified": "2017-01-04T10:24:17.000Z",
"description": "flash.exe - Xchecked via VT: 0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141",
"pattern": "[file:hashes.SHA1 = '47bff3e98e086f821fff1721a8a4b2674102a2ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd51-357c-44b1-adcc-4b4e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:17.000Z",
"modified": "2017-01-04T10:24:17.000Z",
"description": "flash.exe - Xchecked via VT: 0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141",
"pattern": "[file:hashes.MD5 = 'c136a0702442b8b02fbad5ed7e6203d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586ccd52-ad44-487c-8b58-428e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:18.000Z",
"modified": "2017-01-04T10:24:18.000Z",
"first_observed": "2017-01-04T10:24:18Z",
"last_observed": "2017-01-04T10:24:18Z",
"number_observed": 1,
"object_refs": [
"url--586ccd52-ad44-487c-8b58-428e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586ccd52-ad44-487c-8b58-428e02de0b81",
"value": "https://www.virustotal.com/file/0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141/analysis/1470300877/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd53-4f1c-418a-881a-4efc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:19.000Z",
"modified": "2017-01-04T10:24:19.000Z",
"description": "paypalTransactionDetails.jpeg.js - Xchecked via VT: 865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4",
"pattern": "[file:hashes.SHA1 = 'c53fca1e1fee6f0be377837f258ae671a7604677']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--586ccd53-ad1c-4728-8817-41ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:19.000Z",
"modified": "2017-01-04T10:24:19.000Z",
"description": "paypalTransactionDetails.jpeg.js - Xchecked via VT: 865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4",
"pattern": "[file:hashes.MD5 = '04f75d12660b13d972ac4c8cbf143de9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-04T10:24:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--586ccd54-4b88-4996-b19d-49c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-04T10:24:20.000Z",
"modified": "2017-01-04T10:24:20.000Z",
"first_observed": "2017-01-04T10:24:20Z",
"last_observed": "2017-01-04T10:24:20Z",
"number_observed": 1,
"object_refs": [
"url--586ccd54-4b88-4996-b19d-49c702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--586ccd54-4b88-4996-b19d-49c702de0b81",
"value": "https://www.virustotal.com/file/865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4/analysis/1476581905/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}