{
"type": "bundle",
"id": "bundle--5841317a-9604-4ffe-9260-46b9950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:44.000Z",
"modified": "2016-12-02T21:43:44.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5841317a-9604-4ffe-9260-46b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:44.000Z",
"modified": "2016-12-02T21:43:44.000Z",
"name": "OSINT - Shamoon 2: Return of the Disttrack Wiper",
"published": "2016-12-02T21:45:22Z",
"object_refs": [
"observed-data--5841318b-b420-4045-8732-4127950d210f",
"url--5841318b-b420-4045-8732-4127950d210f",
"x-misp-attribute--584131a6-d7c0-4216-8d24-496a950d210f",
"indicator--584131f3-8ee4-41a4-b93f-4127950d210f",
"indicator--584131f4-8a10-4e55-9815-4127950d210f",
"indicator--584131f4-8f2c-480d-ab3d-4127950d210f",
"indicator--584131f4-2214-48bd-b78e-4127950d210f",
"indicator--584131f4-77b4-46c6-a6ce-4127950d210f",
"indicator--584131f5-613c-4f10-b689-4127950d210f",
"indicator--584131f5-87fc-4c17-944a-4127950d210f",
"indicator--584131f5-0b74-4737-8548-4127950d210f",
"indicator--5841eb10-a028-4116-b3c6-413002de0b81",
"indicator--5841eb10-e004-4bb5-aa85-413002de0b81",
"observed-data--5841eb10-d44c-4a9f-b0f6-413002de0b81",
"url--5841eb10-d44c-4a9f-b0f6-413002de0b81",
"indicator--5841eb11-d71c-4d40-b4bb-413002de0b81",
"indicator--5841eb11-98a4-44fa-b804-413002de0b81",
"observed-data--5841eb11-e5d8-4a65-b668-413002de0b81",
"url--5841eb11-e5d8-4a65-b668-413002de0b81",
"indicator--5841eb12-f118-4e7c-ac67-413002de0b81",
"indicator--5841eb12-9c70-4a8f-ab97-413002de0b81",
"observed-data--5841eb12-e324-4d2a-bd71-413002de0b81",
"url--5841eb12-e324-4d2a-bd71-413002de0b81",
"indicator--5841eb12-c558-40d5-ae37-413002de0b81",
"indicator--5841eb13-768c-4ef9-a118-413002de0b81",
"observed-data--5841eb13-94d8-4e1d-b940-413002de0b81",
"url--5841eb13-94d8-4e1d-b940-413002de0b81",
"indicator--5841eb13-3bac-4932-9ee5-413002de0b81",
"indicator--5841eb13-3134-4f78-9800-413002de0b81",
"observed-data--5841eb14-4ecc-4f2c-adbd-413002de0b81",
"url--5841eb14-4ecc-4f2c-adbd-413002de0b81",
"indicator--5841eb14-e8dc-4c7d-9328-413002de0b81",
"indicator--5841eb14-1750-4fde-ae95-413002de0b81",
"observed-data--5841eb14-6124-4602-ab99-413002de0b81",
"url--5841eb14-6124-4602-ab99-413002de0b81",
"indicator--5841eb15-2480-44b2-b5ce-413002de0b81",
"indicator--5841eb15-89c0-42b0-b138-413002de0b81",
"observed-data--5841eb15-6ea0-4083-937f-413002de0b81",
"url--5841eb15-6ea0-4083-937f-413002de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"misp-galaxy:threat-actor=\"TERBIUM\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5841318b-b420-4045-8732-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:32:11.000Z",
"modified": "2016-12-02T08:32:11.000Z",
"first_observed": "2016-12-02T08:32:11Z",
"last_observed": "2016-12-02T08:32:11Z",
"number_observed": 1,
"object_refs": [
"url--5841318b-b420-4045-8732-4127950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5841318b-b420-4045-8732-4127950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--584131a6-d7c0-4216-8d24-496a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:32:38.000Z",
"modified": "2016-12-02T08:32:38.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in 30,000 or more systems being damaged.\r\n\r\nLast week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45. In another similarity to Shamoon, this is the end of the work week in Saudi Arabia (their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the attackers could be reasonably certain employees would not be at work."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584131f3-8ee4-41a4-b93f-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:33:55.000Z",
"modified": "2016-12-02T08:33:55.000Z",
"description": "Disttrack Droppers",
"pattern": "[file:hashes.SHA256 = '47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:33:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584131f4-8a10-4e55-9815-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:33:56.000Z",
"modified": "2016-12-02T08:33:56.000Z",
"description": "Disttrack Droppers",
"pattern": "[file:hashes.SHA256 = '394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:33:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584131f4-8f2c-480d-ab3d-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:33:56.000Z",
"modified": "2016-12-02T08:33:56.000Z",
"description": "Communication Components",
"pattern": "[file:hashes.SHA256 = '772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:33:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584131f4-2214-48bd-b78e-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:33:56.000Z",
"modified": "2016-12-02T08:33:56.000Z",
"description": "Communication Components",
"pattern": "[file:hashes.SHA256 = '61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:33:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584131f4-77b4-46c6-a6ce-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:33:56.000Z",
"modified": "2016-12-02T08:33:56.000Z",
"description": "Wiper Components",
"pattern": "[file:hashes.SHA256 = 'c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:33:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584131f5-613c-4f10-b689-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:33:57.000Z",
"modified": "2016-12-02T08:33:57.000Z",
"description": "Wiper Components",
"pattern": "[file:hashes.SHA256 = '128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:33:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584131f5-87fc-4c17-944a-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:33:57.000Z",
"modified": "2016-12-02T08:33:57.000Z",
"description": "EldoS RawDisk Samples",
"pattern": "[file:hashes.SHA256 = '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:33:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584131f5-0b74-4737-8548-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T08:33:57.000Z",
"modified": "2016-12-02T08:33:57.000Z",
"description": "EldoS RawDisk Samples",
"pattern": "[file:hashes.SHA256 = '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T08:33:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb10-a028-4116-b3c6-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:44.000Z",
"modified": "2016-12-02T21:43:44.000Z",
"description": "EldoS RawDisk Samples - Xchecked via VT: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6",
"pattern": "[file:hashes.SHA1 = 'ce549714a11bd43b52be709581c6e144957136ec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb10-e004-4bb5-aa85-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:44.000Z",
"modified": "2016-12-02T21:43:44.000Z",
"description": "EldoS RawDisk Samples - Xchecked via VT: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6",
"pattern": "[file:hashes.MD5 = '1493d342e7a36553c56b2adea150949e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5841eb10-d44c-4a9f-b0f6-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:44.000Z",
"modified": "2016-12-02T21:43:44.000Z",
"first_observed": "2016-12-02T21:43:44Z",
"last_observed": "2016-12-02T21:43:44Z",
"number_observed": 1,
"object_refs": [
"url--5841eb10-d44c-4a9f-b0f6-413002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5841eb10-d44c-4a9f-b0f6-413002de0b81",
"value": "https://www.virustotal.com/file/4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6/analysis/1480627726/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb11-d71c-4d40-b4bb-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:45.000Z",
"modified": "2016-12-02T21:43:45.000Z",
"description": "EldoS RawDisk Samples - Xchecked via VT: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a",
"pattern": "[file:hashes.SHA1 = '1292c7dd60214d96a71e7705e519006b9de7968f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb11-98a4-44fa-b804-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:45.000Z",
"modified": "2016-12-02T21:43:45.000Z",
"description": "EldoS RawDisk Samples - Xchecked via VT: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a",
"pattern": "[file:hashes.MD5 = '76c643ab29d497317085e5db8c799960']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5841eb11-e5d8-4a65-b668-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:45.000Z",
"modified": "2016-12-02T21:43:45.000Z",
"first_observed": "2016-12-02T21:43:45Z",
"last_observed": "2016-12-02T21:43:45Z",
"number_observed": 1,
"object_refs": [
"url--5841eb11-e5d8-4a65-b668-413002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5841eb11-e5d8-4a65-b668-413002de0b81",
"value": "https://www.virustotal.com/file/5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a/analysis/1480709297/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb12-f118-4e7c-ac67-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:46.000Z",
"modified": "2016-12-02T21:43:46.000Z",
"description": "Wiper Components - Xchecked via VT: 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd",
"pattern": "[file:hashes.SHA1 = 'ad6744c7ea5fee854261efa403ca06b68761e290']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb12-9c70-4a8f-ab97-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:46.000Z",
"modified": "2016-12-02T21:43:46.000Z",
"description": "Wiper Components - Xchecked via VT: 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd",
"pattern": "[file:hashes.MD5 = '2cd0a5f1e9bcce6807e57ec8477d222a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5841eb12-e324-4d2a-bd71-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:46.000Z",
"modified": "2016-12-02T21:43:46.000Z",
"first_observed": "2016-12-02T21:43:46Z",
"last_observed": "2016-12-02T21:43:46Z",
"number_observed": 1,
"object_refs": [
"url--5841eb12-e324-4d2a-bd71-413002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5841eb12-e324-4d2a-bd71-413002de0b81",
"value": "https://www.virustotal.com/file/128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd/analysis/1480658187/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb12-c558-40d5-ae37-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:46.000Z",
"modified": "2016-12-02T21:43:46.000Z",
"description": "Wiper Components - Xchecked via VT: c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a",
"pattern": "[file:hashes.SHA1 = '425f02028dcc4e89a07d2892fef9346dac6c140a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb13-768c-4ef9-a118-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:47.000Z",
"modified": "2016-12-02T21:43:47.000Z",
"description": "Wiper Components - Xchecked via VT: c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a",
"pattern": "[file:hashes.MD5 = 'c843046e54b755ec63ccb09d0a689674']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5841eb13-94d8-4e1d-b940-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:47.000Z",
"modified": "2016-12-02T21:43:47.000Z",
"first_observed": "2016-12-02T21:43:47Z",
"last_observed": "2016-12-02T21:43:47Z",
"number_observed": 1,
"object_refs": [
"url--5841eb13-94d8-4e1d-b940-413002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5841eb13-94d8-4e1d-b940-413002de0b81",
"value": "https://www.virustotal.com/file/c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a/analysis/1480658982/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb13-3bac-4932-9ee5-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:47.000Z",
"modified": "2016-12-02T21:43:47.000Z",
"description": "Communication Components - Xchecked via VT: 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842",
"pattern": "[file:hashes.SHA1 = 'b094d0287dc4d654f0fca38559c3d6248ef09bbb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb13-3134-4f78-9800-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:47.000Z",
"modified": "2016-12-02T21:43:47.000Z",
"description": "Communication Components - Xchecked via VT: 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842",
"pattern": "[file:hashes.MD5 = '5bac4381c00044d7f4e4cbfd368ba03b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5841eb14-4ecc-4f2c-adbd-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:48.000Z",
"modified": "2016-12-02T21:43:48.000Z",
"first_observed": "2016-12-02T21:43:48Z",
"last_observed": "2016-12-02T21:43:48Z",
"number_observed": 1,
"object_refs": [
"url--5841eb14-4ecc-4f2c-adbd-413002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5841eb14-4ecc-4f2c-adbd-413002de0b81",
"value": "https://www.virustotal.com/file/61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842/analysis/1480657971/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb14-e8dc-4c7d-9328-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:48.000Z",
"modified": "2016-12-02T21:43:48.000Z",
"description": "Disttrack Droppers - Xchecked via VT: 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b",
"pattern": "[file:hashes.SHA1 = 'e7c7f41babdb279c099526ece03ede9076edca4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb14-1750-4fde-ae95-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:48.000Z",
"modified": "2016-12-02T21:43:48.000Z",
"description": "Disttrack Droppers - Xchecked via VT: 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b",
"pattern": "[file:hashes.MD5 = '5446f46d89124462ae7aca4fce420423']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5841eb14-6124-4602-ab99-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:48.000Z",
"modified": "2016-12-02T21:43:48.000Z",
"first_observed": "2016-12-02T21:43:48Z",
"last_observed": "2016-12-02T21:43:48Z",
"number_observed": 1,
"object_refs": [
"url--5841eb14-6124-4602-ab99-413002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5841eb14-6124-4602-ab99-413002de0b81",
"value": "https://www.virustotal.com/file/394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b/analysis/1480691328/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb15-2480-44b2-b5ce-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:49.000Z",
"modified": "2016-12-02T21:43:49.000Z",
"description": "Disttrack Droppers - Xchecked via VT: 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34",
"pattern": "[file:hashes.SHA1 = '5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5841eb15-89c0-42b0-b138-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:49.000Z",
"modified": "2016-12-02T21:43:49.000Z",
"description": "Disttrack Droppers - Xchecked via VT: 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34",
"pattern": "[file:hashes.MD5 = '8fbe990c2d493f58a2afa2b746e49c86']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-02T21:43:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5841eb15-6ea0-4083-937f-413002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-02T21:43:49.000Z",
"modified": "2016-12-02T21:43:49.000Z",
"first_observed": "2016-12-02T21:43:49Z",
"last_observed": "2016-12-02T21:43:49Z",
"number_observed": 1,
"object_refs": [
"url--5841eb15-6ea0-4083-937f-413002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5841eb15-6ea0-4083-937f-413002de0b81",
"value": "https://www.virustotal.com/file/47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34/analysis/1480695517/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}