{
"type" : "bundle" ,
"id" : "bundle--5894f679-33c8-4642-8e51-8cd902de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:42:04.000Z" ,
"modified" : "2017-02-03T21:42:04.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5894f679-33c8-4642-8e51-8cd902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:42:04.000Z" ,
"modified" : "2017-02-03T21:42:04.000Z" ,
"name" : "OSINT - Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX" ,
"published" : "2017-02-03T21:42:45Z" ,
"object_refs" : [
"observed-data--5894f698-4df4-47de-b058-46c802de0b81" ,
"url--5894f698-4df4-47de-b058-46c802de0b81" ,
"x-misp-attribute--5894f6c6-9b98-41eb-b759-8c2302de0b81" ,
"indicator--5894f6e9-7698-4db5-a2eb-0e7202de0b81" ,
"indicator--5894f6ea-77c0-486b-8d81-0e7202de0b81" ,
"indicator--5894f6eb-9078-49f1-b87a-0e7202de0b81" ,
"indicator--5894f6ec-097c-4ee6-8414-0e7202de0b81" ,
"indicator--5894f6f9-2cdc-41c8-ab62-0e7202de0b81" ,
"indicator--5894f6f9-a598-441c-a2aa-0e7202de0b81" ,
"indicator--5894f6fa-0710-41ae-9c18-0e7202de0b81" ,
"indicator--5894f706-d434-43d7-9e92-7dba02de0b81" ,
"indicator--5894f723-62b8-46b9-afb1-46f902de0b81" ,
"indicator--5894f724-9ac4-45a9-a528-49d502de0b81" ,
"indicator--5894f725-8180-42cc-984f-4bf402de0b81" ,
"indicator--5894f725-24a0-42bc-8861-4c4e02de0b81" ,
"indicator--5894f726-3c9c-4193-97b1-4aeb02de0b81" ,
"indicator--5894f727-1fc0-4264-89e3-486002de0b81" ,
"indicator--5894f727-35dc-4fd4-af4e-480702de0b81" ,
"indicator--5894f728-2060-4201-bb24-445802de0b81" ,
"indicator--5894f729-c338-490f-87b2-4c6f02de0b81" ,
"indicator--5894f72a-8a18-4468-b070-45d802de0b81" ,
"indicator--5894f72a-e3e4-4456-99ee-4c0b02de0b81" ,
"indicator--5894f72b-b238-4c1f-bc46-493402de0b81" ,
"indicator--5894f72c-24ec-4712-88ac-4db202de0b81" ,
"indicator--5894f72d-7a14-48bb-b228-477a02de0b81" ,
"indicator--5894f72d-e640-46be-87db-49f402de0b81" ,
"indicator--5894f72e-a43c-407a-90dc-4c1002de0b81" ,
"indicator--5894f73c-e224-4212-8b2a-451802de0b81" ,
"indicator--5894f73d-5e10-469f-96a3-469e02de0b81" ,
"indicator--5894f73d-256c-4459-9e24-474e02de0b81" ,
"indicator--5894f74a-0890-451d-b6bc-4bfb02de0b81" ,
"indicator--5894f74b-66dc-4ac3-90d3-40ed02de0b81" ,
"indicator--5894f74c-b294-41b6-932a-4c8c02de0b81" ,
"indicator--5894f75d-0acc-47e4-95c8-8cd702de0b81" ,
"indicator--5894f75e-13d0-4093-8d7b-8cd702de0b81" ,
"indicator--5894f76e-ebe4-4ea0-aea4-4fe002de0b81" ,
"indicator--5894f76e-29f0-4a49-bdf5-44dd02de0b81" ,
"x-misp-attribute--5894f78e-8c64-40bf-8132-8cd902de0b81" ,
"indicator--5894f7a4-f394-4ffe-9c10-874d02de0b81" ,
"indicator--5894f7a4-201c-49b5-b4f9-874d02de0b81" ,
"observed-data--5894f7a5-f100-47d2-84f6-874d02de0b81" ,
"url--5894f7a5-f100-47d2-84f6-874d02de0b81" ,
"indicator--5894f7a6-0548-474e-9571-874d02de0b81" ,
"indicator--5894f7a7-22f4-4785-87ce-874d02de0b81" ,
"observed-data--5894f7a7-1b30-4134-a970-874d02de0b81" ,
"url--5894f7a7-1b30-4134-a970-874d02de0b81" ,
"indicator--5894f7a8-a7b8-4ba8-974b-874d02de0b81" ,
"indicator--5894f7a9-6a58-4577-8ed7-874d02de0b81" ,
"observed-data--5894f7aa-8818-40c8-816c-874d02de0b81" ,
"url--5894f7aa-8818-40c8-816c-874d02de0b81" ,
"indicator--5894f7ab-3024-4e0e-be6b-874d02de0b81" ,
"indicator--5894f7ac-b12c-461e-9e7d-874d02de0b81" ,
"observed-data--5894f7ac-767c-4d03-8433-874d02de0b81" ,
"url--5894f7ac-767c-4d03-8433-874d02de0b81" ,
"indicator--5894f7ad-b52c-4b44-b537-874d02de0b81" ,
"indicator--5894f7ae-4d58-447b-8832-874d02de0b81" ,
"observed-data--5894f7af-f3d0-48fd-b5da-874d02de0b81" ,
"url--5894f7af-f3d0-48fd-b5da-874d02de0b81" ,
"indicator--5894f7af-5cd4-48a3-aa87-874d02de0b81" ,
"indicator--5894f7b0-cf18-49f4-bf02-874d02de0b81" ,
"observed-data--5894f7b1-f3b4-46dc-bc97-874d02de0b81" ,
"url--5894f7b1-f3b4-46dc-bc97-874d02de0b81" ,
"indicator--5894f7b2-495c-4bb6-ae90-874d02de0b81" ,
"indicator--5894f7b3-42e4-482d-bbdc-874d02de0b81" ,
"observed-data--5894f7b3-5d58-4632-a725-874d02de0b81" ,
"url--5894f7b3-5d58-4632-a725-874d02de0b81" ,
"indicator--5894f7b4-399c-4bb3-9bc3-874d02de0b81" ,
"indicator--5894f7b5-f100-42f2-8f76-874d02de0b81" ,
"observed-data--5894f7b6-9ba4-4b30-9289-874d02de0b81" ,
"url--5894f7b6-9ba4-4b30-9289-874d02de0b81" ,
"indicator--5894f7b7-45e4-4820-95f9-874d02de0b81" ,
"indicator--5894f7b7-4fec-43df-946b-874d02de0b81" ,
"observed-data--5894f7b8-b570-45da-849c-874d02de0b81" ,
"url--5894f7b8-b570-45da-849c-874d02de0b81" ,
"indicator--5894f7b9-2e88-4ddc-80cc-874d02de0b81" ,
"indicator--5894f7ba-6218-4476-8b6a-874d02de0b81" ,
"observed-data--5894f7bb-4cc4-4cdb-af81-874d02de0b81" ,
"url--5894f7bb-4cc4-4cdb-af81-874d02de0b81" ,
"indicator--5894f7bb-8cd4-4351-87ea-874d02de0b81" ,
"indicator--5894f7bc-f890-45eb-97c1-874d02de0b81" ,
"observed-data--5894f7bd-267c-49fa-9bc8-874d02de0b81" ,
"url--5894f7bd-267c-49fa-9bc8-874d02de0b81" ,
"indicator--5894f7be-9a98-410c-89b1-874d02de0b81" ,
"indicator--5894f7be-f7c8-49e9-b21b-874d02de0b81" ,
"observed-data--5894f7bf-05a0-4442-a42c-874d02de0b81" ,
"url--5894f7bf-05a0-4442-a42c-874d02de0b81" ,
"indicator--5894f7c0-8550-4723-97db-874d02de0b81" ,
"indicator--5894f7c1-0ac8-487d-8ce2-874d02de0b81" ,
"observed-data--5894f7c1-3fd0-45f4-9dd3-874d02de0b81" ,
"url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81" ,
"indicator--5894f7c2-966c-4b2f-8bd8-874d02de0b81" ,
"indicator--5894f7c3-0314-4673-86b4-874d02de0b81" ,
"observed-data--5894f7c4-1b28-4ff0-98ea-874d02de0b81" ,
"url--5894f7c4-1b28-4ff0-98ea-874d02de0b81" ,
"indicator--5894f7c4-8ce0-4857-810d-874d02de0b81" ,
"indicator--5894f7c5-95c8-4da7-8c5d-874d02de0b81" ,
"observed-data--5894f7c6-d09c-4b4c-ad3b-874d02de0b81" ,
"url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81" ,
"indicator--5894f7c6-6274-4788-ab7c-874d02de0b81" ,
"indicator--5894f7c7-073c-4308-a20e-874d02de0b81" ,
"observed-data--5894f7c8-f694-487b-8647-874d02de0b81" ,
"url--5894f7c8-f694-487b-8647-874d02de0b81" ,
"indicator--5894f7c9-35bc-46bd-8b25-874d02de0b81" ,
"indicator--5894f7ca-5fa4-4da5-a064-874d02de0b81" ,
"observed-data--5894f7cb-6d18-4303-ac70-874d02de0b81" ,
"url--5894f7cb-6d18-4303-ac70-874d02de0b81" ,
"indicator--5894f7cc-0218-4f9d-bf11-874d02de0b81" ,
"indicator--5894f7cd-6124-481c-a7a6-874d02de0b81" ,
"observed-data--5894f7cd-b09c-43b5-976f-874d02de0b81" ,
"url--5894f7cd-b09c-43b5-976f-874d02de0b81" ,
"indicator--5894f7ce-f1fc-46b6-8ead-874d02de0b81" ,
"indicator--5894f7cf-43bc-4b5f-a376-874d02de0b81" ,
"observed-data--5894f7cf-fe64-4c55-a629-874d02de0b81" ,
"url--5894f7cf-fe64-4c55-a629-874d02de0b81" ,
"indicator--5894f7d0-7268-45dd-99ea-874d02de0b81" ,
"indicator--5894f7d1-b6c4-46c5-b719-874d02de0b81" ,
"observed-data--5894f7d2-da64-4b71-9c5f-874d02de0b81" ,
"url--5894f7d2-da64-4b71-9c5f-874d02de0b81" ,
"indicator--5894f7d3-69c0-40e2-985d-874d02de0b81" ,
"indicator--5894f7d3-bd40-4342-a53f-874d02de0b81" ,
"observed-data--5894f7d4-856c-4159-9e00-874d02de0b81" ,
"url--5894f7d4-856c-4159-9e00-874d02de0b81" ,
"indicator--5894f7d5-3984-430e-9e61-874d02de0b81" ,
"indicator--5894f7d6-9608-4941-85f5-874d02de0b81" ,
"observed-data--5894f7d6-8534-4c0f-b126-874d02de0b81" ,
"url--5894f7d6-8534-4c0f-b126-874d02de0b81" ,
"indicator--5894f7d7-e764-48d6-898c-874d02de0b81" ,
"indicator--5894f7d8-7d10-403d-b3fa-874d02de0b81" ,
"observed-data--5894f7d9-afd0-47c3-bfdf-874d02de0b81" ,
"url--5894f7d9-afd0-47c3-bfdf-874d02de0b81" ,
"observed-data--5894f8d2-d7e0-4225-834c-874d02de0b81" ,
"url--5894f8d2-d7e0-4225-834c-874d02de0b81" ,
"observed-data--5894f8d2-f494-476c-a034-874d02de0b81" ,
"url--5894f8d2-f494-476c-a034-874d02de0b81" ,
"observed-data--5894f8d3-6008-437d-bec0-874d02de0b81" ,
"url--5894f8d3-6008-437d-bec0-874d02de0b81" ,
"observed-data--5894f8d4-7700-4a87-8aa3-874d02de0b81" ,
"url--5894f8d4-7700-4a87-8aa3-874d02de0b81" ,
"observed-data--5894f8d5-a2c4-41d4-b4b7-874d02de0b81" ,
"url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:tool=\"PlugX\"" ,
"misp-galaxy:tool=\"ZeroT\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f698-4df4-47de-b058-46c802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:31:25.000Z" ,
"modified" : "2017-02-03T21:31:25.000Z" ,
"first_observed" : "2017-02-03T21:31:25Z" ,
"last_observed" : "2017-02-03T21:31:25Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f698-4df4-47de-b058-46c802de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\"" ,
"admiralty-scale:source-reliability=\"b\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f698-4df4-47de-b058-46c802de0b81" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5894f6c6-9b98-41eb-b759-8c2302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:31:50.000Z" ,
"modified" : "2017-02-03T21:31:50.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Although state-sponsored attacks against the United States by Chinese threat actors have decreased dramatically since the signing of the US-China Cyber Agreement in 2016, Proofpoint researchers have continued to observe advanced persistent threat (APT) activity associated with Chinese actors targeting other regions. We have previously written about related activity [2][3] in which a particular China-based attack group used PlugX and NetTraveler Trojans for espionage in Europe, Russia, Mongolia, Belarus, and other neighboring countries. Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.\r\n\r\nThis blog details the function of the new malware, provides delivery details for elements of the APT activity, and describes additional changes in tactics, techniques, and procedures (TTPs) associated with this group."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f6e9-7698-4db5-a2eb-0e7202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:32:25.000Z" ,
"modified" : "2017-02-03T21:32:25.000Z" ,
"description" : "RAR / 7-Zip archives" ,
"pattern" : "[file:hashes.SHA256 = '38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:32:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f6ea-77c0-486b-8d81-0e7202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:32:26.000Z" ,
"modified" : "2017-02-03T21:32:26.000Z" ,
"description" : "RAR / 7-Zip archives" ,
"pattern" : "[file:hashes.SHA256 = 'ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:32:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f6eb-9078-49f1-b87a-0e7202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:32:27.000Z" ,
"modified" : "2017-02-03T21:32:27.000Z" ,
"description" : "RAR / 7-Zip archives" ,
"pattern" : "[file:hashes.SHA256 = 'ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:32:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f6ec-097c-4ee6-8414-0e7202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:32:28.000Z" ,
"modified" : "2017-02-03T21:32:28.000Z" ,
"description" : "RAR / 7-Zip archives" ,
"pattern" : "[file:hashes.SHA256 = 'f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:32:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f6f9-2cdc-41c8-ab62-0e7202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:32:41.000Z" ,
"modified" : "2017-02-03T21:32:41.000Z" ,
"description" : "CHM droppers" ,
"pattern" : "[file:hashes.SHA256 = '4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:32:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f6f9-a598-441c-a2aa-0e7202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:32:41.000Z" ,
"modified" : "2017-02-03T21:32:41.000Z" ,
"description" : "CHM droppers" ,
"pattern" : "[file:hashes.SHA256 = 'ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:32:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f6fa-0710-41ae-9c18-0e7202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:32:42.000Z" ,
"modified" : "2017-02-03T21:32:42.000Z" ,
"description" : "CHM droppers" ,
"pattern" : "[file:hashes.SHA256 = '74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:32:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f706-d434-43d7-9e92-7dba02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:32:54.000Z" ,
"modified" : "2017-02-03T21:32:54.000Z" ,
"description" : "Word Exploit documents" ,
"pattern" : "[file:hashes.SHA256 = '9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:32:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f723-62b8-46b9-afb1-46f902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:23.000Z" ,
"modified" : "2017-02-03T21:33:23.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = '09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f724-9ac4-45a9-a528-49d502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:24.000Z" ,
"modified" : "2017-02-03T21:33:24.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = '1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f725-8180-42cc-984f-4bf402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:25.000Z" ,
"modified" : "2017-02-03T21:33:25.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = '399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f725-24a0-42bc-8861-4c4e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:25.000Z" ,
"modified" : "2017-02-03T21:33:25.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = '3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f726-3c9c-4193-97b1-4aeb02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:26.000Z" ,
"modified" : "2017-02-03T21:33:26.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = '67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f727-1fc0-4264-89e3-486002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:27.000Z" ,
"modified" : "2017-02-03T21:33:27.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = '74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f727-35dc-4fd4-af4e-480702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:27.000Z" ,
"modified" : "2017-02-03T21:33:27.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f728-2060-4201-bb24-445802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:28.000Z" ,
"modified" : "2017-02-03T21:33:28.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f729-c338-490f-87b2-4c6f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:29.000Z" ,
"modified" : "2017-02-03T21:33:29.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f72a-8a18-4468-b070-45d802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:30.000Z" ,
"modified" : "2017-02-03T21:33:30.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f72a-e3e4-4456-99ee-4c0b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:30.000Z" ,
"modified" : "2017-02-03T21:33:30.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f72b-b238-4c1f-bc46-493402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:31.000Z" ,
"modified" : "2017-02-03T21:33:31.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f72c-24ec-4712-88ac-4db202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:32.000Z" ,
"modified" : "2017-02-03T21:33:32.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'c5d022f0815aeaa27afb8f1efbce2771d95914be881d288b0841713dbbbeda1a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f72d-7a14-48bb-b228-477a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:33.000Z" ,
"modified" : "2017-02-03T21:33:33.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'd1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f72d-e640-46be-87db-49f402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:33.000Z" ,
"modified" : "2017-02-03T21:33:33.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = 'fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f72e-a43c-407a-90dc-4c1002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:34.000Z" ,
"modified" : "2017-02-03T21:33:34.000Z" ,
"description" : "ZeroT" ,
"pattern" : "[file:hashes.SHA256 = '97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f73c-e224-4212-8b2a-451802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:48.000Z" ,
"modified" : "2017-02-03T21:33:48.000Z" ,
"description" : "PlugX" ,
"pattern" : "[file:hashes.SHA256 = 'b185401a8562614ef42a84bc29f6c21aca31b7811c2c0e680f455b061229a77f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f73d-5e10-469f-96a3-469e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:49.000Z" ,
"modified" : "2017-02-03T21:33:49.000Z" ,
"description" : "PlugX" ,
"pattern" : "[file:hashes.SHA256 = '3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f73d-256c-4459-9e24-474e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:33:49.000Z" ,
"modified" : "2017-02-03T21:33:49.000Z" ,
"description" : "PlugX" ,
"pattern" : "[file:hashes.SHA256 = '07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:33:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f74a-0890-451d-b6bc-4bfb02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:34:02.000Z" ,
"modified" : "2017-02-03T21:34:02.000Z" ,
"description" : "ZeroT C&C" ,
"pattern" : "[domain-name:value = 'www.tassnews.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:34:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f74b-66dc-4ac3-90d3-40ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:34:03.000Z" ,
"modified" : "2017-02-03T21:34:03.000Z" ,
"description" : "ZeroT C&C" ,
"pattern" : "[domain-name:value = 'www.versig.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:34:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f74c-b294-41b6-932a-4c8c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:34:04.000Z" ,
"modified" : "2017-02-03T21:34:04.000Z" ,
"description" : "ZeroT C&C" ,
"pattern" : "[domain-name:value = 'www.riaru.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:34:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f75d-0acc-47e4-95c8-8cd702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:34:21.000Z" ,
"modified" : "2017-02-03T21:34:21.000Z" ,
"description" : "PlugX C&C" ,
"pattern" : "[domain-name:value = 'www.micrnet.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:34:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f75e-13d0-4093-8d7b-8cd702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:34:22.000Z" ,
"modified" : "2017-02-03T21:34:22.000Z" ,
"description" : "PlugX C&C" ,
"pattern" : "[domain-name:value = 'www.dicemention.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:34:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f76e-ebe4-4ea0-aea4-4fe002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:34:38.000Z" ,
"modified" : "2017-02-03T21:34:38.000Z" ,
"description" : "Likely Related C&C" ,
"pattern" : "[domain-name:value = 'www.rumiany.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:34:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f76e-29f0-4a49-bdf5-44dd02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:34:38.000Z" ,
"modified" : "2017-02-03T21:34:38.000Z" ,
"description" : "Likely Related C&C" ,
"pattern" : "[domain-name:value = 'www.yandcx.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:34:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5894f78e-8c64-40bf-8132-8cd902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:10.000Z" ,
"modified" : "2017-02-03T21:35:10.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Appendix A: Example PlugX Configuration\r\n\r\nSample hash: 07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67\r\n\r\nPlugX Config (0x36a4 bytes):\r\n\r\nHide Dll: 0\r\n\r\nKeylogger: -1\r\n\r\nSleep1: 167772160\r\n\r\nSleep2: 0\r\n\r\nCnc: www.micrnet[.]net:80 (HTTP / UDP)\r\n\r\nCnc: www.micrnet[.]net:80 (TCP / HTTP)\r\n\r\nCnc: www.micrnet[.]net:80 (UDP)\r\n\r\nCnc: www.micrnet[.]net:443 (HTTP / UDP)\r\n\r\nCnc: www.micrnet[.]net:443 (TCP / HTTP)\r\n\r\nCnc: www.micrnet[.]net:443 (UDP)\r\n\r\nCnc: www.micrnet[.]net:53 (HTTP / UDP)\r\n\r\nCnc: www.micrnet[.]net:53 (TCP / HTTP)\r\n\r\nCnc: www.micrnet[.]net:53 (UDP)\r\n\r\nPersistence: Run key\r\n\r\nInstall Folder: %AUTO%\\TCMyXfeFAd\r\n\r\nService Name: pQwEPnz\r\n\r\nService Display Name: pQwEPnz\r\n\r\nService Des %WINDIR%\\pQwEPnzService\r\n\r\nReg Hive: HKCU\r\n\r\nReg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\nReg Value: mJqyCsNGBsge\r\n\r\nInjection: 1\r\n\r\nInject Process: %windir%\\explorer.exe\r\n\r\nInject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n\r\nInject Process: %windir%\\system32\\svchost.exe\r\n\r\nUac Bypass Injection: 1\r\n\r\nUac Bypass Inject: %windir%\\explorer.exe\r\n\r\nUac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n\r\nUac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n\r\nUac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n\r\nPlugx Auth Str: TEST\r\n\r\nCnc Auth Str: DuICS\r\n\r\nMutex: Global\\WtMKAPYYxoWMoWW\r\n\r\nScreenshots: 0\r\n\r\nScreenshots Sec: 10\r\n\r\nScreenshots Zoom: 50\r\n\r\nScreenshots Bits: 16\r\n\r\nScreenshots Qual: 50\r\n\r\nScreenshots Keep: 3\r\n\r\nScreenshot Folder: %AUTO%\\FS\\screen\r\n\r\nEnable Tcp P2P: 1\r\n\r\nTcp P2P Port: 1357\r\n\r\nEnable Udp P2P: 1\r\n\r\nUdp P2P Port: 1357\r\n\r\nEnable Icmp P2P: 1\r\n\r\nIcmp P2P Port: 1357\r\n\r\nEnable Ipproto P2P: 1\r\n\r\nIpproto P2P Port: 1357\r\n\r\nEnable P2P Scan: 1\r\n\r\nP2P Start Scan1: 0.0.0.0\r\n\r\nP2P Start Scan2: 0.0.0.0\r\n\r\nP2P Start Scan3: 0.0.0.0\r\n\r\nP2P Start Scan4: 0.0.0.0\r\n\r\nP2P End Scan1: 0.0.0.0\r\n\r\nP2P End Scan2: 0.0.0.0\r\n\r\nP2P End Scan3: 0.0.0.0\r\n\r\nP2P End Scan4: 0.0.0.0\r\n\r\nMac Disable: 00:00:00:00:00:00\r\n\r\nAppendix B: Example PlugX Configuration\r\n\r\nSample hash: 3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa\r\n\r\nProcess: fsguidll.exe (3980)\r\n\r\nPlugX Config (0x36a4 bytes):\r\n\r\nHide Dll: 0\r\n\r\nKeylogger: -1\r\n\r\nSleep1: 167772160\r\n\r\nSleep2: 0\r\n\r\nCnc: www.dicemention[.]com:80 (HTTP / UDP)\r\n\r\nCnc: www.dicemention[.]com:443 (HTTP / UDP)\r\n\r\nCnc: www.dicemention[.]com:25 (HTTP / UDP)\r\n\r\nCnc: www.dicemention[.]com:80 (TCP / HTTP)\r\n\r\nCnc: www.dicemention[.]com:443 (TCP / HTTP)\r\n\r\nCnc: www.dicemention[.]com:25 (TCP / HTTP)\r\n\r\nCnc: www.dicemention[.]com:80 (UDP)\r\n\r\nCnc: www.dicemention[.]com:443 (UDP)\r\n\r\nCnc: www.dicemention[.]com:25 (UDP)\r\n\r\nPersistence: Service + Run Key\r\n\r\nInstall Folder: %AUTO%\\IZBpIciif\r\n\r\nService Name: yAjUgUdMGHuvGaZ\r\n\r\nService Display Name: yAjUgUdMGHuvGaZ\r\n\r\nService Des %WINDIR%\\yAjUgUdMGHuvGaZService\r\n\r\nReg Hive: HKCU\r\n\r\nReg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\nReg Value: RqdFqFSYaBx\r\n\r\nInjection: 1\r\n\r\nInject Process: %windir%\\system32\\svchost.exe\r\n\r\nInject Process: %windir%\\explorer.exe\r\n\r\nInject P"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7a4-f394-4ffe-9c10-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:31.000Z" ,
"modified" : "2017-02-03T21:35:31.000Z" ,
"description" : "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4" ,
"pattern" : "[file:hashes.SHA1 = 'ddd643d447e6ff3af7298c2a1858b52f86fcd0ef']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7a4-201c-49b5-b4f9-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:32.000Z" ,
"modified" : "2017-02-03T21:35:32.000Z" ,
"description" : "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4" ,
"pattern" : "[file:hashes.MD5 = 'c7a4292834dd2f75577af3a1fcaaf7b4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7a5-f100-47d2-84f6-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:33.000Z" ,
"modified" : "2017-02-03T21:35:33.000Z" ,
"first_observed" : "2017-02-03T21:35:33Z" ,
"last_observed" : "2017-02-03T21:35:33Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7a5-f100-47d2-84f6-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7a5-f100-47d2-84f6-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4/analysis/1481642491/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7a6-0548-474e-9571-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:34.000Z" ,
"modified" : "2017-02-03T21:35:34.000Z" ,
"description" : "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478" ,
"pattern" : "[file:hashes.SHA1 = '4b7088444def62d77c00efd11c3a16e0f26c54c9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7a7-22f4-4785-87ce-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:35.000Z" ,
"modified" : "2017-02-03T21:35:35.000Z" ,
"description" : "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478" ,
"pattern" : "[file:hashes.MD5 = '0892d0e0cf63d50a8ea8d55baea4ea33']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7a7-1b30-4134-a970-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:35.000Z" ,
"modified" : "2017-02-03T21:35:35.000Z" ,
"first_observed" : "2017-02-03T21:35:35Z" ,
"last_observed" : "2017-02-03T21:35:35Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7a7-1b30-4134-a970-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7a7-1b30-4134-a970-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478/analysis/1469547952/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7a8-a7b8-4ba8-974b-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:36.000Z" ,
"modified" : "2017-02-03T21:35:36.000Z" ,
"description" : "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375" ,
"pattern" : "[file:hashes.SHA1 = 'fd33857fdc9f88c258920a1d53bfcd5f79ecabb7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7a9-6a58-4577-8ed7-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:37.000Z" ,
"modified" : "2017-02-03T21:35:37.000Z" ,
"description" : "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375" ,
"pattern" : "[file:hashes.MD5 = '0b227712315620cd737809f288a32f2b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7aa-8818-40c8-816c-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:38.000Z" ,
"modified" : "2017-02-03T21:35:38.000Z" ,
"first_observed" : "2017-02-03T21:35:38Z" ,
"last_observed" : "2017-02-03T21:35:38Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7aa-8818-40c8-816c-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7aa-8818-40c8-816c-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375/analysis/1479838803/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7ab-3024-4e0e-be6b-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:39.000Z" ,
"modified" : "2017-02-03T21:35:39.000Z" ,
"description" : "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d" ,
"pattern" : "[file:hashes.SHA1 = 'f4425e0a543e3efda38378c0884d8e2200d2821a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7ac-b12c-461e-9e7d-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:40.000Z" ,
"modified" : "2017-02-03T21:35:40.000Z" ,
"description" : "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d" ,
"pattern" : "[file:hashes.MD5 = '0530c718660fa2d1b4679570c7d0ae97']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7ac-767c-4d03-8433-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:40.000Z" ,
"modified" : "2017-02-03T21:35:40.000Z" ,
"first_observed" : "2017-02-03T21:35:40Z" ,
"last_observed" : "2017-02-03T21:35:40Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7ac-767c-4d03-8433-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7ac-767c-4d03-8433-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d/analysis/1477322459/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7ad-b52c-4b44-b537-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:41.000Z" ,
"modified" : "2017-02-03T21:35:41.000Z" ,
"description" : "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8" ,
"pattern" : "[file:hashes.SHA1 = '935d02e4e5077c14df649b9887722b9cddcca4b7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7ae-4d58-447b-8832-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:42.000Z" ,
"modified" : "2017-02-03T21:35:42.000Z" ,
"description" : "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8" ,
"pattern" : "[file:hashes.MD5 = 'b1b4b54dfa4b57885a74ef1c4a7cb6d6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7af-f3d0-48fd-b5da-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:43.000Z" ,
"modified" : "2017-02-03T21:35:43.000Z" ,
"first_observed" : "2017-02-03T21:35:43Z" ,
"last_observed" : "2017-02-03T21:35:43Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7af-f3d0-48fd-b5da-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7af-f3d0-48fd-b5da-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8/analysis/1486130149/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7af-5cd4-48a3-aa87-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:43.000Z" ,
"modified" : "2017-02-03T21:35:43.000Z" ,
"description" : "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267" ,
"pattern" : "[file:hashes.SHA1 = '16ca9dc8a8d35f4e7cbbeda2bf337e8e1c9b7a1f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7b0-cf18-49f4-bf02-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:44.000Z" ,
"modified" : "2017-02-03T21:35:44.000Z" ,
"description" : "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267" ,
"pattern" : "[file:hashes.MD5 = 'df2a485a3eb76b3243ce7d25b5893b40']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7b1-f3b4-46dc-bc97-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:45.000Z" ,
"modified" : "2017-02-03T21:35:45.000Z" ,
"first_observed" : "2017-02-03T21:35:45Z" ,
"last_observed" : "2017-02-03T21:35:45Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7b1-f3b4-46dc-bc97-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7b1-f3b4-46dc-bc97-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267/analysis/1476267631/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7b2-495c-4bb6-ae90-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:46.000Z" ,
"modified" : "2017-02-03T21:35:46.000Z" ,
"description" : "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8" ,
"pattern" : "[file:hashes.SHA1 = 'e06fce249eefd4c65b57e2dd1300b0e40d417563']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7b3-42e4-482d-bbdc-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:47.000Z" ,
"modified" : "2017-02-03T21:35:47.000Z" ,
"description" : "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8" ,
"pattern" : "[file:hashes.MD5 = 'aea45c19234d85f31881eddd24dfe88f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7b3-5d58-4632-a725-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:47.000Z" ,
"modified" : "2017-02-03T21:35:47.000Z" ,
"first_observed" : "2017-02-03T21:35:47Z" ,
"last_observed" : "2017-02-03T21:35:47Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7b3-5d58-4632-a725-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7b3-5d58-4632-a725-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8/analysis/1486145225/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7b4-399c-4bb3-9bc3-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:48.000Z" ,
"modified" : "2017-02-03T21:35:48.000Z" ,
"description" : "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0" ,
"pattern" : "[file:hashes.SHA1 = 'ae4cf0457505fb774df04d7ba2f8fc1c891328a9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7b5-f100-42f2-8f76-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:49.000Z" ,
"modified" : "2017-02-03T21:35:49.000Z" ,
"description" : "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0" ,
"pattern" : "[file:hashes.MD5 = 'a3c41c9cace716707c629dc8087af371']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7b6-9ba4-4b30-9289-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:50.000Z" ,
"modified" : "2017-02-03T21:35:50.000Z" ,
"first_observed" : "2017-02-03T21:35:50Z" ,
"last_observed" : "2017-02-03T21:35:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7b6-9ba4-4b30-9289-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7b6-9ba4-4b30-9289-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0/analysis/1486130149/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7b7-45e4-4820-95f9-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:51.000Z" ,
"modified" : "2017-02-03T21:35:51.000Z" ,
"description" : "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3" ,
"pattern" : "[file:hashes.SHA1 = 'b6718ed9a64857e13b2894f5c50669a4306195ba']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7b7-4fec-43df-946b-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:51.000Z" ,
"modified" : "2017-02-03T21:35:51.000Z" ,
"description" : "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3" ,
"pattern" : "[file:hashes.MD5 = '4a49a5358e6841ba625956fac62483ca']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7b8-b570-45da-849c-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:52.000Z" ,
"modified" : "2017-02-03T21:35:52.000Z" ,
"first_observed" : "2017-02-03T21:35:52Z" ,
"last_observed" : "2017-02-03T21:35:52Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7b8-b570-45da-849c-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7b8-b570-45da-849c-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3/analysis/1486130148/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7b9-2e88-4ddc-80cc-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:53.000Z" ,
"modified" : "2017-02-03T21:35:53.000Z" ,
"description" : "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df" ,
"pattern" : "[file:hashes.SHA1 = 'b66c11c8ecd3d5c064f7ada4e84e50ef0f4f6b4e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7ba-6218-4476-8b6a-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:54.000Z" ,
"modified" : "2017-02-03T21:35:54.000Z" ,
"description" : "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df" ,
"pattern" : "[file:hashes.MD5 = '3cff0e45be3bc3d8904151499da5a354']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7bb-4cc4-4cdb-af81-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:55.000Z" ,
"modified" : "2017-02-03T21:35:55.000Z" ,
"first_observed" : "2017-02-03T21:35:55Z" ,
"last_observed" : "2017-02-03T21:35:55Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7bb-4cc4-4cdb-af81-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7bb-4cc4-4cdb-af81-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df/analysis/1486130147/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7bb-8cd4-4351-87ea-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:55.000Z" ,
"modified" : "2017-02-03T21:35:55.000Z" ,
"description" : "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b" ,
"pattern" : "[file:hashes.SHA1 = '39094640c5d3eb6d2b43282d724d792c81706a20']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7bc-f890-45eb-97c1-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:56.000Z" ,
"modified" : "2017-02-03T21:35:56.000Z" ,
"description" : "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b" ,
"pattern" : "[file:hashes.MD5 = 'b0b7e48f76bf7cabd46bd23be6a044c3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7bd-267c-49fa-9bc8-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:57.000Z" ,
"modified" : "2017-02-03T21:35:57.000Z" ,
"first_observed" : "2017-02-03T21:35:57Z" ,
"last_observed" : "2017-02-03T21:35:57Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7bd-267c-49fa-9bc8-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7bd-267c-49fa-9bc8-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b/analysis/1486130147/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7be-9a98-410c-89b1-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:58.000Z" ,
"modified" : "2017-02-03T21:35:58.000Z" ,
"description" : "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425" ,
"pattern" : "[file:hashes.SHA1 = '462e09c090d48fe4c7d9c5bab37666cb25a787f4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7be-f7c8-49e9-b21b-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:58.000Z" ,
"modified" : "2017-02-03T21:35:58.000Z" ,
"description" : "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425" ,
"pattern" : "[file:hashes.MD5 = 'f973c23d96ff11b593068b06c727a94c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:35:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7bf-05a0-4442-a42c-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:35:59.000Z" ,
"modified" : "2017-02-03T21:35:59.000Z" ,
"first_observed" : "2017-02-03T21:35:59Z" ,
"last_observed" : "2017-02-03T21:35:59Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7bf-05a0-4442-a42c-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7bf-05a0-4442-a42c-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425/analysis/1486130147/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c0-8550-4723-97db-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:00.000Z" ,
"modified" : "2017-02-03T21:36:00.000Z" ,
"description" : "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343" ,
"pattern" : "[file:hashes.SHA1 = '15f5f735dd60d295b826c0bebfca9625ffce725d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c1-0ac8-487d-8ce2-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:01.000Z" ,
"modified" : "2017-02-03T21:36:01.000Z" ,
"description" : "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343" ,
"pattern" : "[file:hashes.MD5 = '4abb9a2b65ecd19b952e7b5ea0c2a854']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7c1-3fd0-45f4-9dd3-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:01.000Z" ,
"modified" : "2017-02-03T21:36:01.000Z" ,
"first_observed" : "2017-02-03T21:36:01Z" ,
"last_observed" : "2017-02-03T21:36:01Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343/analysis/1486130147/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c2-966c-4b2f-8bd8-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:02.000Z" ,
"modified" : "2017-02-03T21:36:02.000Z" ,
"description" : "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4" ,
"pattern" : "[file:hashes.SHA1 = 'c15b209a8fcdc8a6c2b8fbc9eadc7a641cc771c5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c3-0314-4673-86b4-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:03.000Z" ,
"modified" : "2017-02-03T21:36:03.000Z" ,
"description" : "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4" ,
"pattern" : "[file:hashes.MD5 = '25b30aa5ab498408d46c1042f121df3f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7c4-1b28-4ff0-98ea-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:04.000Z" ,
"modified" : "2017-02-03T21:36:04.000Z" ,
"first_observed" : "2017-02-03T21:36:04Z" ,
"last_observed" : "2017-02-03T21:36:04Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7c4-1b28-4ff0-98ea-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7c4-1b28-4ff0-98ea-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4/analysis/1486130146/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c4-8ce0-4857-810d-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:04.000Z" ,
"modified" : "2017-02-03T21:36:04.000Z" ,
"description" : "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0" ,
"pattern" : "[file:hashes.SHA1 = '1b86e4ead3ac8421ac83d9a39412f07706b6dd2e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c5-95c8-4da7-8c5d-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:05.000Z" ,
"modified" : "2017-02-03T21:36:05.000Z" ,
"description" : "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0" ,
"pattern" : "[file:hashes.MD5 = '47ff1d275bd63bb2e0b4820b121485c3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7c6-d09c-4b4c-ad3b-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:06.000Z" ,
"modified" : "2017-02-03T21:36:06.000Z" ,
"first_observed" : "2017-02-03T21:36:06Z" ,
"last_observed" : "2017-02-03T21:36:06Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0/analysis/1486130146/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c6-6274-4788-ab7c-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:06.000Z" ,
"modified" : "2017-02-03T21:36:06.000Z" ,
"description" : "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58" ,
"pattern" : "[file:hashes.SHA1 = '74f4086f2d93b8f40b8a011c10b8c26da7f35eb2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c7-073c-4308-a20e-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:07.000Z" ,
"modified" : "2017-02-03T21:36:07.000Z" ,
"description" : "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58" ,
"pattern" : "[file:hashes.MD5 = '970369ddf7ffff8806aea81b1093a06a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7c8-f694-487b-8647-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:08.000Z" ,
"modified" : "2017-02-03T21:36:08.000Z" ,
"first_observed" : "2017-02-03T21:36:08Z" ,
"last_observed" : "2017-02-03T21:36:08Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7c8-f694-487b-8647-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7c8-f694-487b-8647-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58/analysis/1482473568/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7c9-35bc-46bd-8b25-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:09.000Z" ,
"modified" : "2017-02-03T21:36:09.000Z" ,
"description" : "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d" ,
"pattern" : "[file:hashes.SHA1 = 'd6ab70f6a889077a28c5f4a7dae096e223759ebf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7ca-5fa4-4da5-a064-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:10.000Z" ,
"modified" : "2017-02-03T21:36:10.000Z" ,
"description" : "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d" ,
"pattern" : "[file:hashes.MD5 = 'da00090169a373606ef0707ea45cefa9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7cb-6d18-4303-ac70-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:11.000Z" ,
"modified" : "2017-02-03T21:36:11.000Z" ,
"first_observed" : "2017-02-03T21:36:11Z" ,
"last_observed" : "2017-02-03T21:36:11Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7cb-6d18-4303-ac70-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7cb-6d18-4303-ac70-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d/analysis/1481628229/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7cc-0218-4f9d-bf11-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:12.000Z" ,
"modified" : "2017-02-03T21:36:12.000Z" ,
"description" : "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2" ,
"pattern" : "[file:hashes.SHA1 = '65913c8ea66b1c7a516e52f3ce5d33e1fc36ae66']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7cd-6124-481c-a7a6-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:13.000Z" ,
"modified" : "2017-02-03T21:36:13.000Z" ,
"description" : "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2" ,
"pattern" : "[file:hashes.MD5 = 'e899619a5b12b9d90d07b87128a1430c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7cd-b09c-43b5-976f-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:13.000Z" ,
"modified" : "2017-02-03T21:36:13.000Z" ,
"first_observed" : "2017-02-03T21:36:13Z" ,
"last_observed" : "2017-02-03T21:36:13Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7cd-b09c-43b5-976f-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7cd-b09c-43b5-976f-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2/analysis/1477566896/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7ce-f1fc-46b6-8ead-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:14.000Z" ,
"modified" : "2017-02-03T21:36:14.000Z" ,
"description" : "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff" ,
"pattern" : "[file:hashes.SHA1 = '0a48de42d2ba2f3c9536c7646eeeb8e279e25cfd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7cf-43bc-4b5f-a376-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:15.000Z" ,
"modified" : "2017-02-03T21:36:15.000Z" ,
"description" : "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff" ,
"pattern" : "[file:hashes.MD5 = '2d9a3057512a6bca6aeecd124068471f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7cf-fe64-4c55-a629-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:15.000Z" ,
"modified" : "2017-02-03T21:36:15.000Z" ,
"first_observed" : "2017-02-03T21:36:15Z" ,
"last_observed" : "2017-02-03T21:36:15Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7cf-fe64-4c55-a629-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7cf-fe64-4c55-a629-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff/analysis/1486130147/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7d0-7268-45dd-99ea-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:16.000Z" ,
"modified" : "2017-02-03T21:36:16.000Z" ,
"description" : "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168" ,
"pattern" : "[file:hashes.SHA1 = 'b005a426a17d32694c9cf224350e72a777d7d62c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7d1-b6c4-46c5-b719-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:17.000Z" ,
"modified" : "2017-02-03T21:36:17.000Z" ,
"description" : "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168" ,
"pattern" : "[file:hashes.MD5 = 'bc96303c24aaa86c8acfbf2162b43e90']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7d2-da64-4b71-9c5f-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:18.000Z" ,
"modified" : "2017-02-03T21:36:18.000Z" ,
"first_observed" : "2017-02-03T21:36:18Z" ,
"last_observed" : "2017-02-03T21:36:18Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7d2-da64-4b71-9c5f-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7d2-da64-4b71-9c5f-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168/analysis/1486130146/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7d3-69c0-40e2-985d-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:19.000Z" ,
"modified" : "2017-02-03T21:36:19.000Z" ,
"description" : "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462" ,
"pattern" : "[file:hashes.SHA1 = '83f57b2910627cba851b01be3b4c316873252e73']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7d3-bd40-4342-a53f-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:19.000Z" ,
"modified" : "2017-02-03T21:36:19.000Z" ,
"description" : "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462" ,
"pattern" : "[file:hashes.MD5 = '55fd25ef423da52ba60b76a27650f485']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7d4-856c-4159-9e00-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:20.000Z" ,
"modified" : "2017-02-03T21:36:20.000Z" ,
"first_observed" : "2017-02-03T21:36:20Z" ,
"last_observed" : "2017-02-03T21:36:20Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7d4-856c-4159-9e00-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7d4-856c-4159-9e00-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462/analysis/1486130151/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7d5-3984-430e-9e61-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:21.000Z" ,
"modified" : "2017-02-03T21:36:21.000Z" ,
"description" : "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097" ,
"pattern" : "[file:hashes.SHA1 = 'cdc08d31a935e66e5ae6a3ba2b39cd2f506cc8fb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7d6-9608-4941-85f5-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:22.000Z" ,
"modified" : "2017-02-03T21:36:22.000Z" ,
"description" : "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097" ,
"pattern" : "[file:hashes.MD5 = '2be3003e464b3e56bc678cd182aac73d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7d6-8534-4c0f-b126-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:22.000Z" ,
"modified" : "2017-02-03T21:36:22.000Z" ,
"first_observed" : "2017-02-03T21:36:22Z" ,
"last_observed" : "2017-02-03T21:36:22Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7d6-8534-4c0f-b126-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7d6-8534-4c0f-b126-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097/analysis/1486130150/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7d7-e764-48d6-898c-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:23.000Z" ,
"modified" : "2017-02-03T21:36:23.000Z" ,
"description" : "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf" ,
"pattern" : "[file:hashes.SHA1 = 'b35fc02b19f331f78e83d44b40116a2bf6f1252e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5894f7d8-7d10-403d-b3fa-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:24.000Z" ,
"modified" : "2017-02-03T21:36:24.000Z" ,
"description" : "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf" ,
"pattern" : "[file:hashes.MD5 = '4fa0bff0626ebe8253c04fd33462b5fc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-03T21:36:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f7d9-afd0-47c3-bfdf-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:36:25.000Z" ,
"modified" : "2017-02-03T21:36:25.000Z" ,
"first_observed" : "2017-02-03T21:36:25Z" ,
"last_observed" : "2017-02-03T21:36:25Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f7d9-afd0-47c3-bfdf-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f7d9-afd0-47c3-bfdf-874d02de0b81" ,
"value" : "https://www.virustotal.com/file/38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf/analysis/1486130150/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f8d2-d7e0-4225-834c-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:40:34.000Z" ,
"modified" : "2017-02-03T21:40:34.000Z" ,
"first_observed" : "2017-02-03T21:40:34Z" ,
"last_observed" : "2017-02-03T21:40:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f8d2-d7e0-4225-834c-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f8d2-d7e0-4225-834c-874d02de0b81" ,
"value" : "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f8d2-f494-476c-a034-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:41:23.000Z" ,
"modified" : "2017-02-03T21:41:23.000Z" ,
"first_observed" : "2017-02-03T21:41:23Z" ,
"last_observed" : "2017-02-03T21:41:23Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f8d2-f494-476c-a034-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f8d2-f494-476c-a034-874d02de0b81" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f8d3-6008-437d-bec0-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:41:16.000Z" ,
"modified" : "2017-02-03T21:41:16.000Z" ,
"first_observed" : "2017-02-03T21:41:16Z" ,
"last_observed" : "2017-02-03T21:41:16Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f8d3-6008-437d-bec0-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f8d3-6008-437d-bec0-874d02de0b81" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f8d4-7700-4a87-8aa3-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:41:45.000Z" ,
"modified" : "2017-02-03T21:41:45.000Z" ,
"first_observed" : "2017-02-03T21:41:45Z" ,
"last_observed" : "2017-02-03T21:41:45Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f8d4-7700-4a87-8aa3-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f8d4-7700-4a87-8aa3-874d02de0b81" ,
"value" : "http://researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5894f8d5-a2c4-41d4-b4b7-874d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-03T21:41:53.000Z" ,
"modified" : "2017-02-03T21:41:53.000Z" ,
"first_observed" : "2017-02-03T21:41:53Z" ,
"last_observed" : "2017-02-03T21:41:53Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"technical-report\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81" ,
"value" : "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-office-exploit-generators-szappanos.pdf"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}