adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5a37c286-b27c-49e7-8c79-ed2e950d210f.json

744 lines
31 KiB
JSON
Raw Normal View History

chg: [feed] feed updated
2023-06-14 17:31:25 +00:00
{
"type": "bundle",
"id": "bundle--5a37c286-b27c-49e7-8c79-ed2e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:57:37.000Z",
"modified": "2017-12-18T13:57:37.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5a37c286-b27c-49e7-8c79-ed2e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:57:37.000Z",
"modified": "2017-12-18T13:57:37.000Z",
"name": "OSINT - Rehashed RAT Used in APT Campaign Against Vietnamese Organizations",
"context": "suspicious-activity",
"object_refs": [
"x-misp-attribute--5a37c310-fe98-4e0c-8a85-ed7e950d210f",
"observed-data--5a37c320-10e0-40fe-b101-41be950d210f",
"url--5a37c320-10e0-40fe-b101-41be950d210f",
"indicator--5a37c39a-e51c-4e94-aa70-4624950d210f",
"indicator--5a37c39a-94b4-4e3c-9920-487e950d210f",
"indicator--5a37c39a-0990-4dee-807d-412e950d210f",
"indicator--5a37c39a-11b0-4a56-ad0d-4a9b950d210f",
"indicator--5a37c39a-2b88-49d7-9d70-4995950d210f",
"indicator--5a37c39a-2b98-44e8-b2a8-40de950d210f",
"indicator--5a37c39a-e7a4-4601-8090-44dd950d210f",
"indicator--5a37c39a-a58c-4d47-a1c7-4ab0950d210f",
"indicator--5a37c39a-4848-4c04-bedb-42e4950d210f",
"indicator--5a37c39a-b858-4a24-b196-4ec8950d210f",
"indicator--5a37c3ae-68e8-4c93-8990-ed2e950d210f",
"indicator--5a37c3ae-8fd8-4d9e-b951-ed2e950d210f",
"indicator--5a37c3c2-1348-469b-9f4c-4697950d210f",
"indicator--5a37c3c2-e3dc-46a1-869d-4bf5950d210f",
"indicator--5a37c3c2-9f14-4ffd-8bcc-4955950d210f",
"indicator--5a37c3d8-006c-4fd8-b4f9-4ce0950d210f",
"indicator--5a37c3ed-1a24-4906-89b8-48eb950d210f",
"indicator--5a37c3ed-05a0-407e-9c80-4ed0950d210f",
"indicator--5a37c3ed-eedc-4f84-8374-4da3950d210f",
"indicator--5a37c838-6cf4-4379-ab05-46c3950d210f",
"indicator--5a37c838-7e94-443d-ac6c-442c950d210f",
"indicator--5a37c838-2f18-4d4c-bb82-447a950d210f",
"indicator--5a37c838-99e0-407b-b49f-45b6950d210f",
"indicator--5a37c838-b1a0-4941-a998-44b7950d210f",
"indicator--5a37c838-ac4c-48db-8a98-49d8950d210f",
"indicator--5a37c838-0394-4a48-878b-4a60950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:rat=\"NewCore\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"workflow:todo=\"expansion\"",
"enisa:nefarious-activity-abuse=\"remote-access-tool\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a37c310-fe98-4e0c-8a85-ed7e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:31:26.000Z",
"modified": "2017-12-18T13:31:26.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Recently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158. To evade suspicion from the victim, these RTF files drop decoy documents containing politically themed texts about a variety of Vietnamese government-related information. It was believed in a recent report that the hacking campaign where these documents were used was led by the Chinese hacking group 1937CN. The link to the group was found through malicious domains used as command and control servers by the attacker. In this blog, we will delve into the malware used in this campaign and will try to provide more clues as to the instigator of this campaign."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a37c320-10e0-40fe-b101-41be950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:31:19.000Z",
"modified": "2017-12-18T13:31:19.000Z",
"first_observed": "2017-12-18T13:31:19Z",
"last_observed": "2017-12-18T13:31:19Z",
"number_observed": 1,
"object_refs": [
"url--5a37c320-10e0-40fe-b101-41be950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a37c320-10e0-40fe-b101-41be950d210f",
"value": "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-e51c-4e94-aa70-4624950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '2a4e8ae006be3a5ed2327b6422c4c6f8f274cfa9385c4a540bc617bff6a0f060']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-94b4-4e3c-9920-487e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '3faacef20002f9deb1305c43ea75b8422fd29a1559c0cf01cf1cee6a1b94fc0e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-0990-4dee-807d-412e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '5bdbf536e12c9150d15ae4af2d825ff2ec432d5147b0c3404c5d24655d9ebe52']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-11b0-4a56-ad0d-4a9b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '14b4d8f787d11c7d72f66231e80997ef6ffa1d868d9d8f964bea36871e1c2ff2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-2b88-49d7-9d70-4995950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '637c156508949c881763c019d2dca7c912da9ec63f01e3d3ba604f31b36e52ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-2b98-44e8-b2a8-40de950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '5573f6ec22026b0c00945eec177f04212492bb05c33b4b80f73c65ce7fe5119a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-e7a4-4601-8090-44dd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '00466938836129a634b573d2b57311200ab04aba7252cfbf6b77f435612ca6c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-a58c-4d47-a1c7-4ab0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = 'c375946ba8abee48948f79a89ea5b4f823d8287c2feb3515755b22ba5bd8849d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-4848-4c04-bedb-42e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = 'f6a4bab7d5664d7802f1007daa04ae71e0e2b829cd06faa9b93a465546837eb4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-b858-4a24-b196-4ec8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = 'fabf4debacb7950d403a84f4af25c084d0b576783006d334052ebf7ea432196e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ae-68e8-4c93-8990-ed2e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:34.000Z",
"modified": "2017-12-18T13:33:34.000Z",
"description": "Loader",
"pattern": "[file:hashes.SHA256 = '9cebae97a067cd7c2be50d7fd8afe5e9cf935c11914a1ab5ff59e91c1e7e5fc4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ae-8fd8-4d9e-b951-ed2e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:34.000Z",
"modified": "2017-12-18T13:33:34.000Z",
"description": "Loader",
"pattern": "[file:hashes.SHA256 = 'ea5b3320c5bbe2331fa3c0bd0adb3ec91f0aed97709e1b869b79f6a604ba002f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3c2-1348-469b-9f4c-4697950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:54.000Z",
"modified": "2017-12-18T13:33:54.000Z",
"description": "Trojan Downloader",
"pattern": "[file:hashes.SHA256 = 'edbcc384b8ae0a2f52f239e2e599c3d2053f98cc1f4bc91548ec420bec063be6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3c2-e3dc-46a1-869d-4bf5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:54.000Z",
"modified": "2017-12-18T13:33:54.000Z",
"description": "Trojan Downloader",
"pattern": "[file:hashes.SHA256 = '49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3c2-9f14-4ffd-8bcc-4955950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:54.000Z",
"modified": "2017-12-18T13:33:54.000Z",
"description": "Trojan Downloader",
"pattern": "[file:hashes.SHA256 = 'df8475669a14a335c46c802f642dd5569c52f915093a680175c30cc9f28aacdb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3d8-006c-4fd8-b4f9-4ce0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:34:16.000Z",
"modified": "2017-12-18T13:34:16.000Z",
"description": "NewCore RAT",
"pattern": "[file:hashes.SHA256 = '37bd97779e854ea2fc43486ddb831a5acfd19cf89f06823c9fd3b20134cb1c35']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:34:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ed-1a24-4906-89b8-48eb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:34:37.000Z",
"modified": "2017-12-18T13:34:37.000Z",
"description": "Command and Control Servers",
"pattern": "[domain-name:value = 'web.thoitietvietnam.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:34:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ed-05a0-407e-9c80-4ed0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:34:37.000Z",
"modified": "2017-12-18T13:34:37.000Z",
"description": "Command and Control Servers",
"pattern": "[domain-name:value = 'dalat.dulichovietnam.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:34:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ed-eedc-4f84-8374-4da3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:34:37.000Z",
"modified": "2017-12-18T13:34:37.000Z",
"description": "Command and Control Servers",
"pattern": "[domain-name:value = 'halong.dulichculao.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:34:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-6cf4-4379-ab05-46c3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "signed legitimate GoogleUpdate.exe version 1.3.33.5",
"pattern": "[file:name = 'Taskeng.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-7e94-443d-ac6c-442c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "encrypted blob containing malware file",
"pattern": "[file:name = 'Psisrndrx.ebd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-2f18-4d4c-bb82-447a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "decrypter and loader of malware file",
"pattern": "[file:name = 'Goopdate.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-99e0-407b-b49f-45b6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "signed legitimate McAfee AV application",
"pattern": "[file:name = 'SC&Cfg.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-b1a0-4941-a998-44b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "contains the malware file",
"pattern": "[file:name = 'Vsodscpl.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-ac4c-48db-8a98-49d8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "signed legitimate GoogleUpdate.exe version 1.3.30.3",
"pattern": "[file:name = 'Systemm.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-0394-4a48-878b-4a60950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "encrypted blob containing malware file",
"pattern": "[file:name = 'Systemsfb.ebd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink