misp-circl-feed/feeds/circl/stix-2.1/5a3cc84d-2434-4ae6-8d76-c328950d210f.json

763 lines
32 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5a3cc84d-2434-4ae6-8d76-c328950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-16T03:00:22.000Z",
"modified": "2018-01-16T03:00:22.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a3cc84d-2434-4ae6-8d76-c328950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-16T03:00:22.000Z",
"modified": "2018-01-16T03:00:22.000Z",
"name": "OSINT - Sednit espionage group now using custom exploit kit",
"published": "2018-02-16T08:50:00Z",
"object_refs": [
"observed-data--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
"url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
"indicator--5a5c62c4-5fa8-47a1-ac11-42d1950d210f",
"indicator--5a5c62c4-d124-4726-be84-4da3950d210f",
"x-misp-attribute--5a5c62d9-9f74-422c-8f34-4b01950d210f",
"indicator--5a5c638d-0124-4863-9ec0-4887950d210f",
"indicator--5a5c638e-8a7c-43e1-937f-4b3b950d210f",
"indicator--5a5c638e-bf5c-4a8b-95a1-46b8950d210f",
"indicator--5a5c638f-4cec-4f74-827a-4e65950d210f",
"indicator--5a5c638f-4558-4ffb-84e6-4e5c950d210f",
"indicator--5a5c638f-aad4-4cda-b677-420f950d210f",
"indicator--5a5c6390-a4a4-408c-ad20-45a1950d210f",
"indicator--5a5c6390-ffd0-4f5b-a8e9-4b66950d210f",
"indicator--5a5c6391-5ec8-4f4d-9dd1-4195950d210f",
"observed-data--5a5c64c3-16fc-4549-ba11-46fb950d210f",
"mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f",
"indicator--5a5c658d-553c-4781-b2b4-42e0950d210f",
"indicator--5a5c658d-692c-41e7-bff7-4273950d210f",
"indicator--5a5c658e-b0c0-4b6c-95b3-4a10950d210f",
"indicator--5a5c65a4-a200-44f5-8df6-416f950d210f",
"indicator--5a5c65a4-acbc-44bd-84eb-4716950d210f",
"indicator--5a5c65ee-e860-4444-911d-4da6950d210f",
"indicator--5a5c65ef-8130-414c-95a8-4513950d210f",
"indicator--5a5c65ef-25c8-40c4-bcca-4adc950d210f",
"indicator--5a5c65ef-9280-45a6-8a0d-40df950d210f",
"indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e",
"x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece",
"indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7",
"x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184",
"relationship--0a4711e9-6aca-4767-b74f-b06871b4a17b",
"relationship--b0ca2827-1fcf-4c84-b94b-5737e128e982"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:exploit-kit=\"Sednit EK\"",
"veris:actor:motive=\"Espionage\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:18.000Z",
"modified": "2018-01-15T09:33:18.000Z",
"first_observed": "2018-01-15T09:33:18Z",
"last_observed": "2018-01-15T09:33:18Z",
"number_observed": 1,
"object_refs": [
"url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
"value": "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c62c4-5fa8-47a1-ac11-42d1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:19.000Z",
"modified": "2018-01-15T09:33:19.000Z",
"pattern": "[url:value = 'http://defenceiq.us/2rfKZL_BGwEQ']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c62c4-d124-4726-be84-4da3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:19.000Z",
"modified": "2018-01-15T09:33:19.000Z",
"pattern": "[url:value = 'http://cntt.akcdndata.com/gpw?file=stat.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a5c62d9-9f74-422c-8f34-4b01950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:20.000Z",
"modified": "2018-01-15T09:33:20.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "For at least five years the Sednit group has been relentlessly attacking various institutions, most notably in Eastern Europe. The group used several advanced pieces of malware for these targeted attacks, in particular the one we named Win32/Sednit, also known as Sofacy.\r\n\r\nWe recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group which has relied mostly on spear-phishing emails up until now.\r\n\r\nIn this blog, we will first examine on recent cases of spear-phishing emails using the CVE-2014-1761 Microsoft Word exploit. We will then focus on the exploit kit, which appears to still be in development and testing phase, and briefly describe the actual payload."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c638d-0124-4863-9ec0-4887950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:20.000Z",
"modified": "2018-01-15T09:33:20.000Z",
"description": "Military news",
"pattern": "[domain-name:value = 'defenceiq.us']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c638e-8a7c-43e1-937f-4b3b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:20.000Z",
"modified": "2018-01-15T09:33:20.000Z",
"description": "Military news",
"pattern": "[domain-name:value = 'defenceiq.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c638e-bf5c-4a8b-95a1-46b8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:20.000Z",
"modified": "2018-01-15T09:33:20.000Z",
"description": "Military news",
"pattern": "[domain-name:value = 'armypress.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c638f-4cec-4f74-827a-4e65950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:21.000Z",
"modified": "2018-01-15T09:33:21.000Z",
"description": "Military news",
"pattern": "[domain-name:value = 'armytime.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c638f-4558-4ffb-84e6-4e5c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:21.000Z",
"modified": "2018-01-15T09:33:21.000Z",
"description": "Foreign Affairs magazine",
"pattern": "[domain-name:value = 'mfapress.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c638f-aad4-4cda-b677-420f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:22.000Z",
"modified": "2018-01-15T09:33:22.000Z",
"description": "Foreign Affairs magazine",
"pattern": "[domain-name:value = 'foreignaffairs.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c6390-a4a4-408c-ad20-45a1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:22.000Z",
"modified": "2018-01-15T09:33:22.000Z",
"description": "Foreign Affairs magazine",
"pattern": "[domain-name:value = 'mfapress.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c6390-ffd0-4f5b-a8e9-4b66950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:22.000Z",
"modified": "2018-01-15T09:33:22.000Z",
"description": "CACI International, defense & cyber security contractor",
"pattern": "[domain-name:value = 'caciltd.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c6391-5ec8-4f4d-9dd1-4195950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:23.000Z",
"modified": "2018-01-15T09:33:23.000Z",
"description": "CACI International, defense & cyber security contractor",
"pattern": "[domain-name:value = 'caci.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a5c64c3-16fc-4549-ba11-46fb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:23.000Z",
"modified": "2018-01-15T09:33:23.000Z",
"first_observed": "2018-01-15T09:33:23Z",
"last_observed": "2018-01-15T09:33:23Z",
"number_observed": 1,
"object_refs": [
"mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f"
],
"labels": [
"misp:type=\"mutex\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "mutex",
"spec_version": "2.1",
"id": "mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f",
"name": "XSQWERSystemCriticalSection_for_1232321"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c658d-553c-4781-b2b4-42e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:23.000Z",
"modified": "2018-01-15T09:33:23.000Z",
"pattern": "[domain-name:value = 'msonlinelive.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c658d-692c-41e7-bff7-4273950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:24.000Z",
"modified": "2018-01-15T09:33:24.000Z",
"pattern": "[domain-name:value = 'windows-updater.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c658e-b0c0-4b6c-95b3-4a10950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:24.000Z",
"modified": "2018-01-15T09:33:24.000Z",
"pattern": "[domain-name:value = 'azureon-line.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c65a4-a200-44f5-8df6-416f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:25.000Z",
"modified": "2018-01-15T09:33:25.000Z",
"pattern": "[file:name = 'edg6EF885E2.tmp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c65a4-acbc-44bd-84eb-4716950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:26.000Z",
"modified": "2018-01-15T09:33:26.000Z",
"pattern": "[file:name = 'edg6E85F98675.tmp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c65ee-e860-4444-911d-4da6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T08:27:26.000Z",
"modified": "2018-01-15T08:27:26.000Z",
"description": "Word exploit",
"pattern": "[file:hashes.SHA1 = '86092636e7ffa22481ca89ac1b023c32c56b24cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T08:27:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c65ef-8130-414c-95a8-4513950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T08:27:27.000Z",
"modified": "2018-01-15T08:27:27.000Z",
"description": "Word exploit",
"pattern": "[file:hashes.SHA1 = '12223f098ba3088379ec1dc59440c662752ddabd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T08:27:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c65ef-25c8-40c4-bcca-4adc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T08:27:27.000Z",
"modified": "2018-01-15T08:27:27.000Z",
"description": "Dropper",
"pattern": "[file:hashes.SHA1 = 'd61ee0b0d4ed95f3300735c81740a21b8beef337']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T08:27:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a5c65ef-9280-45a6-8a0d-40df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T08:27:27.000Z",
"modified": "2018-01-15T08:27:27.000Z",
"description": "Payload",
"pattern": "[file:hashes.SHA1 = 'd0db619a7a160949528d46d20fc0151bf9775c32']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T08:27:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:29.000Z",
"modified": "2018-01-15T09:33:29.000Z",
"pattern": "[file:hashes.MD5 = 'df895e6479abf85c4c65d7d3a2451ddb' AND file:hashes.SHA1 = 'd61ee0b0d4ed95f3300735c81740a21b8beef337' AND file:hashes.SHA256 = '6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:28.000Z",
"modified": "2018-01-15T09:33:28.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e/analysis/1515795459/",
"category": "External analysis",
"comment": "Dropper",
"uuid": "5a5c7568-9fa0-46fb-b5e0-482d02de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "51/68",
"category": "Other",
"comment": "Dropper",
"uuid": "5a5c7568-b834-46be-af37-4b5f02de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-01-12T22:17:39",
"category": "Other",
"comment": "Dropper",
"uuid": "5a5c7568-8aec-4806-9c81-425c02de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:32.000Z",
"modified": "2018-01-15T09:33:32.000Z",
"pattern": "[file:hashes.MD5 = 'ee64d3273f9b4d80020c24edcbbf961e' AND file:hashes.SHA1 = 'd0db619a7a160949528d46d20fc0151bf9775c32' AND file:hashes.SHA256 = 'e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-01-15T09:33:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-15T09:33:30.000Z",
"modified": "2018-01-15T09:33:30.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81/analysis/1490591462/",
"category": "External analysis",
"comment": "Payload",
"uuid": "5a5c756a-6948-4c29-89dc-443c02de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/61",
"category": "Other",
"comment": "Payload",
"uuid": "5a5c756a-63e8-4ebb-af6b-49f602de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-03-27T05:11:02",
"category": "Other",
"comment": "Payload",
"uuid": "5a5c756b-c6a8-4d3b-9ab5-426302de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0a4711e9-6aca-4767-b74f-b06871b4a17b",
"created": "2018-02-16T08:50:00.000Z",
"modified": "2018-02-16T08:50:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e",
"target_ref": "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b0ca2827-1fcf-4c84-b94b-5737e128e982",
"created": "2018-02-16T08:50:00.000Z",
"modified": "2018-02-16T08:50:00.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7",
"target_ref": "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}