misp-circl-feed/feeds/circl/stix-2.1/59d34428-803c-4eab-bac7-49c0950d210f.json

999 lines
43 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--59d34428-803c-4eab-bac7-49c0950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:51:18.000Z",
"modified": "2017-10-04T08:51:18.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59d34428-803c-4eab-bac7-49c0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:51:18.000Z",
"modified": "2017-10-04T08:51:18.000Z",
"name": "OSINT - Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers",
"published": "2017-10-04T08:51:30Z",
"object_refs": [
"observed-data--59d34439-4454-45a8-94dc-3e8a950d210f",
"url--59d34439-4454-45a8-94dc-3e8a950d210f",
"x-misp-attribute--59d344c1-426c-49c5-9ff5-4eed950d210f",
"indicator--59d34505-26c0-45b8-ad15-3e8b950d210f",
"indicator--59d34505-22e0-4906-90c3-3e8b950d210f",
"indicator--59d34505-2e78-4dc1-a67b-3e8b950d210f",
"indicator--59d34505-3db8-4638-9c56-3e8b950d210f",
"indicator--59d34505-f7d0-4def-8e96-3e8b950d210f",
"indicator--59d34544-1b60-4b87-8b28-42df950d210f",
"indicator--59d345d3-66fc-41a9-a259-4762950d210f",
"indicator--59d345d3-b880-404c-8dfa-43d3950d210f",
"indicator--59d34660-03b0-4649-93dc-4236950d210f",
"indicator--59d34915-eb94-48f5-8e04-3e86950d210f",
"observed-data--59d34b35-0d00-462b-903a-43a4950d210f",
"windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f",
"observed-data--59d34b35-12cc-4033-9114-400e950d210f",
"windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f",
"observed-data--59d34b35-3b98-432e-b9f2-40d1950d210f",
"windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f",
"observed-data--59d34b35-7ebc-4b87-b031-45fc950d210f",
"windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f",
"observed-data--59d34b35-f05c-4193-b489-4d53950d210f",
"windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f",
"indicator--59d4a0da-b11c-4106-bb81-424502de0b81",
"indicator--59d4a0da-0ce0-47c9-a313-48fc02de0b81",
"observed-data--59d4a0da-d74c-4b70-870f-48ab02de0b81",
"url--59d4a0da-d74c-4b70-870f-48ab02de0b81",
"indicator--59d4a0da-9b60-478f-b63b-4e1802de0b81",
"indicator--59d4a0da-edd8-4715-a50d-43ec02de0b81",
"observed-data--59d4a0da-c5f8-42d4-8dfd-450402de0b81",
"url--59d4a0da-c5f8-42d4-8dfd-450402de0b81",
"indicator--59d4a0da-52f0-421f-93cf-46b902de0b81",
"indicator--59d4a0da-e200-4df3-9afe-44d302de0b81",
"observed-data--59d4a0da-8964-4305-9aac-4cc602de0b81",
"url--59d4a0da-8964-4305-9aac-4cc602de0b81",
"indicator--59d4a0da-4c70-4d6c-858b-43ff02de0b81",
"indicator--59d4a0da-f260-4592-a320-451a02de0b81",
"observed-data--59d4a0da-b5c0-4500-923c-458d02de0b81",
"url--59d4a0da-b5c0-4500-923c-458d02de0b81",
"indicator--59d4a0da-2b88-4315-af2a-4dee02de0b81",
"indicator--59d4a0da-54ec-44d7-a611-45f502de0b81",
"observed-data--59d4a0da-55f0-4dd3-853e-452302de0b81",
"url--59d4a0da-55f0-4dd3-853e-452302de0b81",
"indicator--59d4a0da-24ac-4c9a-9ed0-46d202de0b81",
"indicator--59d4a0da-b468-4875-a528-4f0902de0b81",
"observed-data--59d4a0da-55b8-4813-a62a-42aa02de0b81",
"url--59d4a0da-55b8-4813-a62a-42aa02de0b81",
"indicator--59d4a0da-3e44-4d72-a76f-46b802de0b81",
"indicator--59d4a0da-dc90-4b07-9a85-47ac02de0b81",
"observed-data--59d4a0da-a858-4517-8dfe-4f5502de0b81",
"url--59d4a0da-a858-4517-8dfe-4f5502de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"misp-galaxy:threat-actor=\"Aurora Panda\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d34439-4454-45a8-94dc-3e8a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"url--59d34439-4454-45a8-94dc-3e8a950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59d34439-4454-45a8-94dc-3e8a950d210f",
"value": "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59d344c1-426c-49c5-9ff5-4eed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide a stronger link between this attack and the Axiom group.\r\n\r\nFirst of all, our researchers would like to thank the entire team at Cisco Talos for their excellent work on this attack (their post regarding stage 2 can be found here) as well as their cooperation by allowing us access to the stage 2 payload. Also, we would like to give a special thanks to Kaspersky Labs for their collaboration."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d34505-26c0-45b8-ad15-3e8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "x86 Registry Payload",
"pattern": "[file:hashes.SHA256 = 'f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d34505-22e0-4906-90c3-3e8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"pattern": "[file:hashes.SHA256 = '07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d34505-2e78-4dc1-a67b-3e8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"pattern": "[file:hashes.SHA256 = '0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d34505-3db8-4638-9c56-3e8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"pattern": "[file:hashes.SHA256 = '20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d34505-f7d0-4def-8e96-3e8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"pattern": "[file:hashes.SHA256 = 'ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d34544-1b60-4b87-8b28-42df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "Stage 2 Payload",
"pattern": "[file:hashes.SHA256 = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d345d3-66fc-41a9-a259-4762950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "x86 Trojanized Binary",
"pattern": "[file:hashes.SHA256 = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d345d3-b880-404c-8dfa-43d3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "x64 Trojanized Binary",
"pattern": "[file:hashes.SHA256 = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d34660-03b0-4649-93dc-4236950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '13.59.9.90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d34915-eb94-48f5-8e04-3e86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "x64 Registry Payload",
"pattern": "[file:hashes.SHA256 = '75eaa1889dbc93f11544cf3e40e3b9342b81b1678af5d83026496ee6a1b2ef79']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d34b35-0d00-462b-903a-43a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f",
"key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\001"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d34b35-12cc-4033-9114-400e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f",
"key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\002"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d34b35-3b98-432e-b9f2-40d1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f",
"key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\003"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d34b35-7ebc-4b87-b031-45fc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f",
"key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\004"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d34b35-f05c-4193-b489-4d53950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f",
"key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\HBP"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-b11c-4106-bb81-424502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f",
"pattern": "[file:hashes.SHA1 = '82691bf5d8ca1c760e0dbc67c99f89ecd890de08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-0ce0-47c9-a313-48fc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f",
"pattern": "[file:hashes.MD5 = '52dda1e6ac12c24f2997cf05e0ea42c9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d4a0da-d74c-4b70-870f-48ab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"url--59d4a0da-d74c-4b70-870f-48ab02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59d4a0da-d74c-4b70-870f-48ab02de0b81",
"value": "https://www.virustotal.com/file/128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f/analysis/1507088207/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-9b60-478f-b63b-4e1802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902",
"pattern": "[file:hashes.SHA1 = '53c9ea5ac9b2efc5e8e0b4e3a051fa1615cc09a9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-edd8-4715-a50d-43ec02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902",
"pattern": "[file:hashes.MD5 = 'd6fd2df91432ca21c79ece2c6637d1c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d4a0da-c5f8-42d4-8dfd-450402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"url--59d4a0da-c5f8-42d4-8dfd-450402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59d4a0da-c5f8-42d4-8dfd-450402de0b81",
"value": "https://www.virustotal.com/file/07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902/analysis/1507103949/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-52f0-421f-93cf-46b902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83",
"pattern": "[file:hashes.SHA1 = 'e7cca2da5161a313161a81a38a8b5773310a6801']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-e200-4df3-9afe-44d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83",
"pattern": "[file:hashes.MD5 = '748aa5fcfa2af451c76039faf6a8684d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d4a0da-8964-4305-9aac-4cc602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"url--59d4a0da-8964-4305-9aac-4cc602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59d4a0da-8964-4305-9aac-4cc602de0b81",
"value": "https://www.virustotal.com/file/dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83/analysis/1507084318/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-4c70-4d6c-858b-43ff02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550",
"pattern": "[file:hashes.SHA1 = '7dd556415487cc192b647c9a7fde70896eeee7a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-f260-4592-a320-451a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550",
"pattern": "[file:hashes.MD5 = 'e77e708924168afd17dbe26bba8621af']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d4a0da-b5c0-4500-923c-458d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"url--59d4a0da-b5c0-4500-923c-458d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59d4a0da-b5c0-4500-923c-458d02de0b81",
"value": "https://www.virustotal.com/file/ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550/analysis/1506960621/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-2b88-4315-af2a-4dee02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27",
"pattern": "[file:hashes.SHA1 = '590ddc140152c2c5ce2f0dc7b21a297fd4102ba3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-54ec-44d7-a611-45f502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27",
"pattern": "[file:hashes.MD5 = '8ad22f3e9e603ff89228f3c66d9949d9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d4a0da-55f0-4dd3-853e-452302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"url--59d4a0da-55f0-4dd3-853e-452302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59d4a0da-55f0-4dd3-853e-452302de0b81",
"value": "https://www.virustotal.com/file/20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27/analysis/1446757665/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-24ac-4c9a-9ed0-46d202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2",
"pattern": "[file:hashes.SHA1 = '40f9cde4ccd1b1b17a647c6fc72c5c5cd40d2b08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-b468-4875-a528-4f0902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2",
"pattern": "[file:hashes.MD5 = 'ba86c0c1d9a08284c61c4251762ad0df']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d4a0da-55b8-4813-a62a-42aa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"url--59d4a0da-55b8-4813-a62a-42aa02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59d4a0da-55b8-4813-a62a-42aa02de0b81",
"value": "https://www.virustotal.com/file/0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2/analysis/1506960528/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-3e44-4d72-a76f-46b802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d",
"pattern": "[file:hashes.SHA1 = '60415999bc82dc9c8f4425f90e41a98d514f76a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59d4a0da-dc90-4b07-9a85-47ac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"description": "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d",
"pattern": "[file:hashes.MD5 = '35a4783a1db27f159d7506a78ca89101']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-04T08:50:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59d4a0da-a858-4517-8dfe-4f5502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-04T08:50:34.000Z",
"modified": "2017-10-04T08:50:34.000Z",
"first_observed": "2017-10-04T08:50:34Z",
"last_observed": "2017-10-04T08:50:34Z",
"number_observed": 1,
"object_refs": [
"url--59d4a0da-a858-4517-8dfe-4f5502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59d4a0da-a858-4517-8dfe-4f5502de0b81",
"value": "https://www.virustotal.com/file/07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d/analysis/1507055418/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}