723 lines
32 KiB
JSON
723 lines
32 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5d0c8dcc-eae0-4020-b1d0-5526950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:53:14.000Z",
|
||
|
"modified": "2019-06-21T15:53:14.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5d0c8dcc-eae0-4020-b1d0-5526950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:53:14.000Z",
|
||
|
"modified": "2019-06-21T15:53:14.000Z",
|
||
|
"name": "OSINT - Hide \u00e2\u20ac\u02dcN Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP",
|
||
|
"published": "2019-06-21T15:53:29Z",
|
||
|
"object_refs": [
|
||
|
"x-misp-attribute--5d0c9804-7248-45ae-ab57-47fa950d210f",
|
||
|
"observed-data--5d0c9e1b-623c-4552-9a6c-41e1950d210f",
|
||
|
"url--5d0c9e1b-623c-4552-9a6c-41e1950d210f",
|
||
|
"indicator--5d0cae62-69cc-495e-932c-478e950d210f",
|
||
|
"indicator--5d0cae78-e888-4c47-b54e-42b5950d210f",
|
||
|
"indicator--5d0caf46-8778-4c85-b528-41cf950d210f",
|
||
|
"indicator--5d0cb1e1-86b0-4d8c-8c6b-4283950d210f",
|
||
|
"indicator--5d0cb1fd-b8a8-44a1-bde0-4b6e950d210f",
|
||
|
"indicator--5d0cb217-01d4-460f-bb99-20b8950d210f",
|
||
|
"indicator--5d0cb4d6-883c-4e2b-89b6-4bc1950d210f",
|
||
|
"indicator--5d0cb4e8-48d8-492e-88e4-48bf950d210f",
|
||
|
"indicator--6f9865b9-4cb9-42cc-9351-1fb8fd4f3b2b",
|
||
|
"x-misp-object--360b84b9-09a3-414f-a88d-558b8503d0eb",
|
||
|
"indicator--c3d5088e-84f5-4ef5-b213-67beb35b4e23",
|
||
|
"x-misp-object--46bcd5b2-85e1-4961-ad0c-add96cfc111c",
|
||
|
"indicator--50675af8-63e6-45fc-8705-fe07a29bcf6a",
|
||
|
"x-misp-object--5fc7be9f-fde9-45be-a619-1952b90e8506",
|
||
|
"indicator--9803a8e8-e8b7-4708-9565-3f261694a5cb",
|
||
|
"x-misp-object--20480301-47fb-4a64-81c9-8aa80a18dc89",
|
||
|
"indicator--4e6b8d5b-af14-4a65-833d-5e41861d39a3",
|
||
|
"x-misp-object--599d8b4a-50a0-4a83-a25a-dd8b2879fe32",
|
||
|
"indicator--40227e50-2444-4a4a-80fe-fe4eeddd8a0c",
|
||
|
"x-misp-object--4aaab1e9-b177-41dc-b0a3-891174e327a5",
|
||
|
"relationship--20d4a940-eaeb-4611-ba4a-bda58ef61574",
|
||
|
"relationship--f29f83d1-be03-4bf5-b434-c083527cd103",
|
||
|
"relationship--bdc243a9-4f05-42f1-9a57-be5979b0a914",
|
||
|
"relationship--cefbb46b-6eaa-4fc2-847c-e2df15ad7d4c",
|
||
|
"relationship--09803ca0-3434-4d97-9b58-70e55caaa4c2",
|
||
|
"relationship--5b023ce6-c06e-410e-80f1-f9f8bdbff7aa"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:botnet=\"Hide and Seek\"",
|
||
|
"misp-galaxy:malpedia=\"Hide and Seek\"",
|
||
|
"type:OSINT",
|
||
|
"osint:lifetime=\"perpetual\"",
|
||
|
"osint:certainty=\"50\"",
|
||
|
"\tmalware_classification:malware-category=\"Botnet\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5d0c9804-7248-45ae-ab57-47fa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T08:40:36.000Z",
|
||
|
"modified": "2019-06-21T08:40:36.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "The Hide \u00e2\u20ac\u02dcN Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots.\r\n\r\nSince its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).\r\n\r\nThis post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits \u00e2\u20ac\u201c CVE-2018-20062 which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.\r\n\r\nWhile the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of the CVE-2019-7238 vulnerability being exploited in the wild has been by the DDG botnet. Our research, outlined below, shows that the Hide \u00e2\u20ac\u02dcN Seek botnet incorporated this exploit back in February 2019, even before the DDG botnet."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5d0c9e1b-623c-4552-9a6c-41e1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T09:06:35.000Z",
|
||
|
"modified": "2019-06-21T09:06:35.000Z",
|
||
|
"first_observed": "2019-06-21T09:06:35Z",
|
||
|
"last_observed": "2019-06-21T09:06:35Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5d0c9e1b-623c-4552-9a6c-41e1950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5d0c9e1b-623c-4552-9a6c-41e1950d210f",
|
||
|
"value": "https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d0cae62-69cc-495e-932c-478e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T10:16:02.000Z",
|
||
|
"modified": "2019-06-21T10:16:02.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T10:16:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d0cae78-e888-4c47-b54e-42b5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T10:16:24.000Z",
|
||
|
"modified": "2019-06-21T10:16:24.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T10:16:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d0caf46-8778-4c85-b528-41cf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T10:19:50.000Z",
|
||
|
"modified": "2019-06-21T10:19:50.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T10:19:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d0cb1e1-86b0-4d8c-8c6b-4283950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T10:30:57.000Z",
|
||
|
"modified": "2019-06-21T10:30:57.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T10:30:57Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d0cb1fd-b8a8-44a1-bde0-4b6e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T10:31:25.000Z",
|
||
|
"modified": "2019-06-21T10:31:25.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T10:31:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d0cb217-01d4-460f-bb99-20b8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T10:31:51.000Z",
|
||
|
"modified": "2019-06-21T10:31:51.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '73df4e952c581afc427fa18fa2d0bcfa409c1814cd872a3ccf05d44f934ce780']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T10:31:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d0cb4d6-883c-4e2b-89b6-4bc1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T10:43:34.000Z",
|
||
|
"modified": "2019-06-21T10:43:34.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '500dd4c1a5c24495c3bb8173ce5c7b15ba3344aef855090b9b9585b2bfeea974']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T10:43:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5d0cb4e8-48d8-492e-88e4-48bf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T10:43:52.000Z",
|
||
|
"modified": "2019-06-21T10:43:52.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T10:43:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--6f9865b9-4cb9-42cc-9351-1fb8fd4f3b2b",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:47.000Z",
|
||
|
"modified": "2019-06-21T15:52:47.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'cc4662e589e8fa58d26f1a8d1c0da21f' AND file:hashes.SHA1 = '15c5554d24169096e756beee8c15e96c6708f06c' AND file:hashes.SHA256 = '1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T15:52:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--360b84b9-09a3-414f-a88d-558b8503d0eb",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:48.000Z",
|
||
|
"modified": "2019-06-21T15:52:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-06-13T22:39:35",
|
||
|
"category": "Other",
|
||
|
"uuid": "56d8e60e-215c-4291-8f44-dfeb61084447"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382/analysis/1560465575/",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "c1da88a6-b89a-436f-90a0-dac5f2040c94"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "34/57",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "fa401d1d-e971-4d5b-96d4-5f9a142d1c6f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--c3d5088e-84f5-4ef5-b213-67beb35b4e23",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:48.000Z",
|
||
|
"modified": "2019-06-21T15:52:48.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '01a9c99b6c8b812b61ddda76ee5c1899' AND file:hashes.SHA1 = 'e919ad0e40298f1f79d67c2e8ccdbb0acdde5a2b' AND file:hashes.SHA256 = '7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T15:52:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--46bcd5b2-85e1-4961-ad0c-add96cfc111c",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:48.000Z",
|
||
|
"modified": "2019-06-21T15:52:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-06-18T19:16:22",
|
||
|
"category": "Other",
|
||
|
"uuid": "a9cd7679-ab30-44f0-a181-a34756f08f3f"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7/analysis/1560885382/",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "052fb771-186d-402c-8be5-02ea4657c5ae"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "31/55",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "22f740bd-ce13-43d6-b566-5d09c5cfd814"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--50675af8-63e6-45fc-8705-fe07a29bcf6a",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:48.000Z",
|
||
|
"modified": "2019-06-21T15:52:48.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '6de70812923df430cff73fcf66830e6d' AND file:hashes.SHA1 = '13cc834fbf30e32146ae1be4a6bbba5b7be41ae3' AND file:hashes.SHA256 = '49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T15:52:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5fc7be9f-fde9-45be-a619-1952b90e8506",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:48.000Z",
|
||
|
"modified": "2019-06-21T15:52:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-06-13T22:39:35",
|
||
|
"category": "Other",
|
||
|
"uuid": "3c70bbea-cf02-4b93-8295-b3b4a116c77c"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f/analysis/1560465575/",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "a330507d-9192-4e56-ad08-eeb3401a64ab"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "29/58",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "0ef769b9-de75-41b6-86d4-e97d6edef792"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--9803a8e8-e8b7-4708-9565-3f261694a5cb",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:48.000Z",
|
||
|
"modified": "2019-06-21T15:52:48.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'f54c7e19bc1db3b3897b6fe81a403db0' AND file:hashes.SHA1 = '20ee3e5634a7a826a68ec858474f65cd58190870' AND file:hashes.SHA256 = '0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T15:52:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--20480301-47fb-4a64-81c9-8aa80a18dc89",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-06-14T16:31:05",
|
||
|
"category": "Other",
|
||
|
"uuid": "ad41b356-c3b3-4dcd-855e-7bd45c6d2891"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369/analysis/1560529865/",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "4f643b42-1af6-49d6-b5e8-43f72941844a"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "24/50",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "baa30bab-f182-4eb5-bba6-db9551c005d1"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--4e6b8d5b-af14-4a65-833d-5e41861d39a3",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '7c48b82ee08fbf7b4f4190b0973dfd5c' AND file:hashes.SHA1 = '1b278755efb2fefde2c32be6d0aa329ae35a9fc6' AND file:hashes.SHA256 = 'd068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T15:52:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--599d8b4a-50a0-4a83-a25a-dd8b2879fe32",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-06-13T22:39:39",
|
||
|
"category": "Other",
|
||
|
"uuid": "e850ba03-ed6c-474a-ae87-db0f0c31551d"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/d068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1/analysis/1560465579/",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "4ed5c275-ec23-49f5-accf-23d17dfd73b8"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "31/55",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "6aeb3a94-650e-4c76-99da-75e53081eaba"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--40227e50-2444-4a4a-80fe-fe4eeddd8a0c",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '784ab23904c34c2033b8ab3fbb18645d' AND file:hashes.SHA1 = '75374fe86e63b1c60b02be4ebe3770a58a4423e1' AND file:hashes.SHA256 = 'c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-06-21T15:52:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--4aaab1e9-b177-41dc-b0a3-891174e327a5",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-06-21T08:57:11",
|
||
|
"category": "Other",
|
||
|
"uuid": "67e1c498-a970-46de-8907-61e496935893"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d/analysis/1561107431/",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "e57632b1-769b-4c66-bd28-0c73fdb20fa5"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "31/57",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "528491e6-7f21-401a-9749-cb93d8c6fa29"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--20d4a940-eaeb-4611-ba4a-bda58ef61574",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--6f9865b9-4cb9-42cc-9351-1fb8fd4f3b2b",
|
||
|
"target_ref": "x-misp-object--360b84b9-09a3-414f-a88d-558b8503d0eb"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--f29f83d1-be03-4bf5-b434-c083527cd103",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--c3d5088e-84f5-4ef5-b213-67beb35b4e23",
|
||
|
"target_ref": "x-misp-object--46bcd5b2-85e1-4961-ad0c-add96cfc111c"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--bdc243a9-4f05-42f1-9a57-be5979b0a914",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--50675af8-63e6-45fc-8705-fe07a29bcf6a",
|
||
|
"target_ref": "x-misp-object--5fc7be9f-fde9-45be-a619-1952b90e8506"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--cefbb46b-6eaa-4fc2-847c-e2df15ad7d4c",
|
||
|
"created": "2019-06-21T15:52:49.000Z",
|
||
|
"modified": "2019-06-21T15:52:49.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--9803a8e8-e8b7-4708-9565-3f261694a5cb",
|
||
|
"target_ref": "x-misp-object--20480301-47fb-4a64-81c9-8aa80a18dc89"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--09803ca0-3434-4d97-9b58-70e55caaa4c2",
|
||
|
"created": "2019-06-21T15:52:50.000Z",
|
||
|
"modified": "2019-06-21T15:52:50.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--4e6b8d5b-af14-4a65-833d-5e41861d39a3",
|
||
|
"target_ref": "x-misp-object--599d8b4a-50a0-4a83-a25a-dd8b2879fe32"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--5b023ce6-c06e-410e-80f1-f9f8bdbff7aa",
|
||
|
"created": "2019-06-21T15:52:50.000Z",
|
||
|
"modified": "2019-06-21T15:52:50.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--40227e50-2444-4a4a-80fe-fe4eeddd8a0c",
|
||
|
"target_ref": "x-misp-object--4aaab1e9-b177-41dc-b0a3-891174e327a5"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|