misp-circl-feed/feeds/circl/misp/5cac8884-5a80-4a5b-b3f9-ada3950d210f.json

{
"type": "bundle",
"id": "bundle--5cac8884-5a80-4a5b-b3f9-ada3950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:21:59.000Z",
"modified": "2019-04-09T19:21:59.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cac8884-5a80-4a5b-b3f9-ada3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:21:59.000Z",
"modified": "2019-04-09T19:21:59.000Z",
"name": "OSINT - STUXSHOP The Oldest Stuxnet Component Dials Up",
"published": "2019-04-09T19:26:39Z",
"object_refs": [
"x-misp-attribute--5cac88a1-c61c-43b2-81cb-2bc9950d210f",
"observed-data--5cac88b4-82f0-40c1-bf5c-3009950d210f",
"url--5cac88b4-82f0-40c1-bf5c-3009950d210f",
"indicator--5cac8f36-c224-4ca1-b482-c1da950d210f",
"indicator--5cac8f36-bee8-41f2-97ba-c1da950d210f",
"indicator--5cac8f36-a064-4c8f-9b64-c1da950d210f",
"indicator--5cac8f36-3c18-4fec-8be3-c1da950d210f",
"indicator--5cacea3f-924c-4319-8993-43a302de0b81",
"indicator--5cacea3f-0ee0-4dd4-a623-418202de0b81",
"indicator--5cacea53-f988-4e9c-8d3a-467302de0b81",
"indicator--5cacea6e-5a00-489d-aab9-46c502de0b81",
"indicator--5cacea6e-74d8-45d6-905e-45ad02de0b81",
"indicator--5cacea82-abf4-4c0d-907c-4bb402de0b81",
"indicator--5caceaaa-e558-4992-99be-4a1b02de0b81",
"indicator--5caceaaa-2ebc-4fbc-bdbe-411802de0b81",
"indicator--5caceaaa-4660-45bc-92c7-4c9702de0b81",
"indicator--5caceaaa-78dc-4a6d-83e6-4ff002de0b81",
"indicator--5caceaaa-f400-4670-8acd-4c5b02de0b81",
"indicator--5caceae8-f6cc-4959-97cf-a79102de0b81",
"indicator--5caceed5-75f0-4a37-adbf-4c8702de0b81",
"indicator--5cacf076-9a94-4851-83c9-4ecd02de0b81",
"indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1",
"indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f",
"indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f",
"indicator--5cacea17-9ba0-4939-95e7-474c02de0b81",
"indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633",
"x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540",
"indicator--d7f8c044-89dc-411c-a777-6110c35e1185",
"x-misp-object--73ebef95-1302-4712-b237-7aba3002f249",
"indicator--308606ca-729c-4050-8d8e-72f00f17a981",
"x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee",
"indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f",
"x-misp-object--67191d81-2968-4471-b804-e92b25166e28",
"indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc",
"x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c",
"indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb",
"x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46",
"indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c",
"x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d",
"indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9",
"x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0",
"x-misp-object--5cacf023-7368-4a33-a5a4-4e8502de0b81",
"indicator--5cacf0d7-870c-4b90-a5bb-4c1c02de0b81",
"relationship--9d2caeb2-c8c9-4122-865c-29f1dfb7569b",
"relationship--ef0f105e-6d14-4f3d-8734-a52b8e9ec292",
"relationship--0664a1eb-942a-42f7-820e-a40806dee68a",
"relationship--4b1324ec-9ca3-4edf-8f37-1f1312c10d0f",
"relationship--c2e74e7f-9a1d-4abb-918b-e4fc9dc5d36f",
"relationship--2675ff0a-8a8c-4a29-9f1c-28bebef585d2",
"relationship--1b0d0c58-9f57-47f9-8599-e5ec43bcc370",
"relationship--c5fa940f-68ec-4e55-9038-69c4e8c62360",
"relationship--2a4d6da7-81fe-470f-b6ab-ecb1ea227ac4",
"relationship--75862b57-771d-45ed-afd7-d84cbbbf1716",
"relationship--3921f8c1-5e0b-446d-bd1a-5866378b4ad3",
"relationship--59bcf66f-d7ca-40ea-b1d4-d50f3b99a7e0",
"relationship--aaa6d270-413a-43a5-880e-177ec54fd5e5"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:malpedia=\"Stuxnet\"",
"misp-galaxy:tool=\"Stuxnet\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cac88a1-c61c-43b2-81cb-2bc9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T11:57:21.000Z",
"modified": "2019-04-09T11:57:21.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "During our research into the GossipGirl Supra Threat Actor (STA) cluster, we discovered a previously unknown relationship exemplified in an early Stuxnet component \u2013 built in part on the Flowershop malware framework. While other known versions of Stuxnet were partially linked to the Flame platform (a.k.a. Flamer, SkyWiper) or the \u2018Tilded Platform\u2019 (a.k.a. DuQu), this older component shares code with Flowershop \u2013 an even older malware framework active as early as 2002. In an interesting show of longevity, this Stuxnet component \u2013 which we\u2019ve dubbed Stuxshop \u2013 is configured to communicate with known Stuxnet command-and-control (C&C) servers and even includes logic to suppress dial-up prompts for disconnected (or possibly airgapped) machines. The value of this recent finding is twofold: First, it suggests that yet another team with its own malware platform was involved in the early development of Stuxnet. And secondly, it supports the view that Stuxnet is in fact the product of a modular development framework meant to enable collaboration among diverse, independent threat actors. Our recent findings, alongside the outstanding body of previously reported technical analysis on this threat, would place the \u2018Flowershop team\u2019 alongside Equation, Flame, and Duqu as those involved in tooling the different phases of Stuxnet as an operation active perhaps as early as 2006. Perhaps the most apt metaphor for Stuxnet is that of a \u2018plane built as it\u2019s being flown\u2019."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cac88b4-82f0-40c1-bf5c-3009950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T11:57:40.000Z",
"modified": "2019-04-09T11:57:40.000Z",
"first_observed": "2019-04-09T11:57:40Z",
"last_observed": "2019-04-09T11:57:40Z",
"number_observed": 1,
"object_refs": [
"url--5cac88b4-82f0-40c1-bf5c-3009950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cac88b4-82f0-40c1-bf5c-3009950d210f",
"value": "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8f36-c224-4ca1-b482-c1da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:25:26.000Z",
"modified": "2019-04-09T12:25:26.000Z",
"description": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"pattern": "[url:value = 'http://211.24.237.226/index.php?data=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:25:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8f36-bee8-41f2-97ba-c1da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:25:26.000Z",
"modified": "2019-04-09T12:25:26.000Z",
"description": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"pattern": "[url:value = 'http://todaysfutbol.com/index.php?data=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:25:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8f36-a064-4c8f-9b64-c1da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:25:26.000Z",
"modified": "2019-04-09T12:25:26.000Z",
"description": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"pattern": "[url:value = 'http://78.111.169.146/index.php?data=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:25:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8f36-3c18-4fec-8be3-c1da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:25:26.000Z",
"modified": "2019-04-09T12:25:26.000Z",
"description": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"pattern": "[url:value = 'http://mypremierfutbol.com/index.php?data=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:25:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea3f-924c-4319-8993-43a302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:53:51.000Z",
"modified": "2019-04-09T18:53:51.000Z",
"description": "Stuxshop Modules",
"pattern": "[file:hashes.SHA256 = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea3f-0ee0-4dd4-a623-418202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:53:51.000Z",
"modified": "2019-04-09T18:53:51.000Z",
"description": "Stuxshop Modules",
"pattern": "[file:hashes.SHA256 = '1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea53-f988-4e9c-8d3a-467302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:54:11.000Z",
"modified": "2019-04-09T18:54:11.000Z",
"description": "Stuxnet Installer with Embedded Stuxshop",
"pattern": "[file:hashes.SHA256 = 'f34c85bb4fcd87225468d0e8ee4441ebc92f42b3f69500d85e28be3c553ce433']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:54:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea6e-5a00-489d-aab9-46c502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:54:38.000Z",
"modified": "2019-04-09T18:54:38.000Z",
"description": "Stuxnet Installers with Resource 231",
"pattern": "[file:hashes.SHA256 = '77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:54:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea6e-74d8-45d6-905e-45ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:54:38.000Z",
"modified": "2019-04-09T18:54:38.000Z",
"description": "Stuxnet Installers with Resource 231",
"pattern": "[file:hashes.SHA256 = 'a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:54:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea82-abf4-4c0d-907c-4bb402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:54:58.000Z",
"modified": "2019-04-09T18:54:58.000Z",
"description": "Deobfuscated Resource 231/Stuxshop modules",
"pattern": "[file:hashes.SHA256 = 'a248c9eeb8e53bbebce42f55e2bfa71bfc70ffcd9dff3271bfd338e1578f37a1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:54:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-e558-4992-99be-4a1b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-2ebc-4fbc-bdbe-411802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-4660-45bc-92c7-4c9702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = '683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-78dc-4a6d-83e6-4ff002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-f400-4670-8acd-4c5b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceae8-f6cc-4959-97cf-a79102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:56:40.000Z",
"modified": "2019-04-09T18:56:40.000Z",
"pattern": "[rule STUXSHOP_OSCheck\r\n{\r\nmeta:\r\nauthor = \"Silas Cutler (havex@Chronicle.Security)\"\r\ndesc = \"Identifies the OS Check function in STUXSHOP and CheshireCat\"\r\nhash = \"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579\"\r\nstrings:\r\n$ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00\r\n00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05\r\n5E }\r\n$ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80\r\n68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6\r\n}\r\ncondition:\r\nany of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:56:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceed5-75f0-4a37-adbf-4c8702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:13:25.000Z",
"modified": "2019-04-09T19:13:25.000Z",
"pattern": "[rule STUXSHOP_config\r\n{\r\n\tmeta:\r\n desc = \"Stuxshop standalone sample configuration\"\r\n author = \"JAG-S (turla@chronicle.security)\"\r\n hash = \"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579\"\r\n strings:\r\n $cnc1 = \"http://211.24.237.226/index.php?data=\" ascii wide\r\n $cnc2 = \"http://todaysfutbol.com/index.php?data=\" ascii wide\r\n $cnc3 = \"http://78.111.169.146/index.php?data=\" ascii wide\r\n $cnc4 = \"http://mypremierfutbol.com/index.php?data=\" ascii wide\r\n\r\n\t $regkey1 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\MS-DOS Emulation\" ascii wide\r\n $regkey2 = \"NTVDMParams\" ascii wide\r\n $flowerOverlap1 = {85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15}\r\n $flowerOverlap2 = {85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15}\r\n $flowerOverlap3 = {55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 50 68 19 00 02 00 6A 00 FF 75 0C FF 75 08}\r\n $flowerOverlap4 = {55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }\r\n $flowerOverlap5 = {85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06}\r\n $flowerOverlap6 = {85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15}\r\n condition:\r\n all of ($flowerOverlap*)\r\n or\r\n 2 of ($cnc*)\r\n or\r\n all of ($regkey*)\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:13:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf076-9a94-4851-83c9-4ecd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:20:22.000Z",
"modified": "2019-04-09T19:20:22.000Z",
"pattern": "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Control Panel\\\\Appearance\\\\Old']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:20:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:21:53.000Z",
"modified": "2019-04-09T12:21:53.000Z",
"pattern": "[file:hashes.MD5 = '455abb43295b9a69e355e4e43457bf30' AND file:hashes.SHA1 = '1e0fe0400e04440942a4a1a5bcd3bcd3150a2eea' AND file:hashes.SHA256 = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:21:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:07:08.000Z",
"modified": "2019-04-09T12:07:08.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T09:00:19",
"category": "Other",
"uuid": "fe2cf46c-9b9f-45e4-9909-009d17c89312"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579/analysis/1554800419/",
"category": "Payload delivery",
"uuid": "4dc602d6-a883-4d96-9a6d-08d62774f5af"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/70",
"category": "Payload delivery",
"uuid": "6127da9f-dbd0-4a70-b003-f73444bdafa6"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:21:03.000Z",
"modified": "2019-04-09T12:21:03.000Z",
"pattern": "[file:hashes.MD5 = '455abb43295b9a69e355e4e43457bf30' AND file:hashes.SHA1 = '1e0fe0400e04440942a4a1a5bcd3bcd3150a2eea' AND file:hashes.SHA256 = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579' AND file:name = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579' AND file:size = '72456' AND (file:content_ref.payload_bin = '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
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:21:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:15:05.000Z",
"modified": "2019-04-09T12:15:05.000Z",
"pattern": "[domain-name:value = 'todaysfutbol.com' AND domain-name:resolves_to_refs[*].value = '211.24.237.226']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:15:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:19:13.000Z",
"modified": "2019-04-09T12:19:13.000Z",
"pattern": "[domain-name:value = 'mypremierfutbol.com' AND domain-name:resolves_to_refs[*].value = '78.111.169.146']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:19:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea17-9ba0-4939-95e7-474c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:53:11.000Z",
"modified": "2019-04-09T18:53:11.000Z",
"pattern": "[file:hashes.MD5 = '360752e2f6938ae91ac8fb212c62c0c4' AND file:hashes.SHA1 = '346de24b4081b0dbccd0f3458734b08258eed8a7' AND file:hashes.SHA256 = 'f34c85bb4fcd87225468d0e8ee4441ebc92f42b3f69500d85e28be3c553ce433' AND file:x_misp_text = 'We wondered about the deployment of these curious samples. All of the functionality pointed to\r\na command-and-control module meant to function alongside other components, and not as a\r\nstandalone piece. As we hunted, we came across an unpacked/unobfuscated sample of\r\nStuxnet presumably compiled in 2009 that contained Stuxshop in its entirety' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:53:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"pattern": "[file:hashes.MD5 = 'fa1e5eec39910a34ede1c4351ccecec8' AND file:hashes.SHA1 = 'ca3c5872080ec86a041b2b887caec9f28ba7b884' AND file:hashes.SHA256 = 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T14:27:10",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "b0d502dd-ff60-4d76-a5a3-7ffd57be3fe0"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532/analysis/1554820030/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "6094c770-b3db-4eff-9f59-3e51787a615a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/70",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "eb3ecbbe-9ed5-487c-9321-967a75105a4d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d7f8c044-89dc-411c-a777-6110c35e1185",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"pattern": "[file:hashes.MD5 = '984c7734a61f5b0c22291a4e26b224be' AND file:hashes.SHA1 = '2a1cc9c615cc2a798cf491a81e52ca050d4e828b' AND file:hashes.SHA256 = '683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--73ebef95-1302-4712-b237-7aba3002f249",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T17:37:54",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "ad8d9850-f381-49c6-b650-62a57c8bf3b6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3/analysis/1554831474/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "1a976776-aafe-414e-bcf5-acd3caf060cf"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "27/65",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "bcf66b81-63ce-495d-aee2-1dffdf10aae4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--308606ca-729c-4050-8d8e-72f00f17a981",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"pattern": "[file:hashes.MD5 = '4e0a3498438adda8c50c3e101cfa86c5' AND file:hashes.SHA1 = '0655670f1cb40e84ba12adb9711f001269712054' AND file:hashes.SHA256 = 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T14:27:24",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "7176c395-37ca-4d30-941c-0b19c00a2996"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300/analysis/1554820044/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "958ba48c-fd6d-489d-8c11-2f6bc6f79191"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/69",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "c149c768-5027-4e7e-a5d6-8ebac9b6bb3c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"pattern": "[file:hashes.MD5 = '3ba57784d7fd4302fe74beb648b28dc1' AND file:hashes.SHA1 = '648a62d74ab1076e66a7a70f0899b8093eca2b01' AND file:hashes.SHA256 = '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--67191d81-2968-4471-b804-e92b25166e28",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T14:25:43",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "0052a797-5299-43f8-bb60-fc6f0e5b8827"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a/analysis/1554819943/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "fafdb38f-5748-48f9-8873-6c6086237764"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/70",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "5d48d630-34cc-4288-aabf-4186fcaede15"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"pattern": "[file:hashes.MD5 = '300d2a3f47803c2814a45382d84d3446' AND file:hashes.SHA1 = 'ec5dd52971f550a77c3544819c56674378976509' AND file:hashes.SHA256 = '1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T17:37:53",
"category": "Other",
"comment": "Stuxshop Modules",
"uuid": "54971c2b-ffc5-4568-a9dc-9ba3ec8e95e3"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f/analysis/1554831473/",
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"uuid": "ae87b543-4eaf-4790-847a-9e81e2576099"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "43/68",
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"uuid": "e44ee586-67fa-4411-a3d4-329acf59622b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"pattern": "[file:hashes.MD5 = '7b0e7297d5157586f4075098be9efc8c' AND file:hashes.SHA1 = '421156c4858878ef8beeadf54c4549095445b682' AND file:hashes.SHA256 = '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T14:20:50",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "46da9467-63b7-4c06-9c57-d83d362007b6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb/analysis/1554819650/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "2de83530-15bd-4536-a3d9-51752d3a52fd"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/71",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "ffca2167-370b-44d8-8eb2-7bfbd7118538"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"pattern": "[file:hashes.MD5 = '79c02836b6b6939ecea43691278424e8' AND file:hashes.SHA1 = '62e021e7ce7e6c382820b5a083221732ef5649b9' AND file:hashes.SHA256 = 'a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T17:37:55",
"category": "Other",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "be7cd761-b99d-441d-8fe3-98c0fe63ff8a"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803/analysis/1554831475/",
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "9a5f1b2c-0306-4d7f-8ad9-d8d57a895f7b"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/64",
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "01cbe4d0-780b-4530-9812-d999bc1938d2"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"pattern": "[file:hashes.MD5 = '6df1c77d4aabc3e3d91fcfdba8e7986d' AND file:hashes.SHA1 = '39b106c2405c3b5d65ddbb17571fc53b26893e9a' AND file:hashes.SHA256 = '77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T17:37:55",
"category": "Other",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "ea99549b-5bd3-47dd-aa68-bda0ce2c3b42"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac/analysis/1554831475/",
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "e50ac7c2-3672-445d-92bb-bc78d3742ba2"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "53/70",
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "a6e18bf7-3d93-4c64-9b6d-021a3b2c3542"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5cacf023-7368-4a33-a5a4-4e8502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:18:59.000Z",
"modified": "2019-04-09T19:18:59.000Z",
"labels": [
"misp:name=\"malware-config\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "password",
"value": "F117FA1CE233C1D7BB7726C0E49615C4622E2D1895F0D8AD4B23BADC4FD70C",
"category": "Other",
"uuid": "5cacf023-5f50-43d4-a585-44cc02de0b81"
},
{
"type": "text",
"object_relation": "config",
"value": "not included",
"category": "Other",
"uuid": "5cacf023-fdf0-45af-9095-431502de0b81"
},
{
"type": "text",
"object_relation": "format",
"value": "other",
"category": "Other",
"uuid": "5cacf023-a61c-4c80-9eff-40e202de0b81"
}
],
"x_misp_comment": "The control server response is decoded using the same 31-byte XOR encoding, with yet another key",
"x_misp_meta_category": "file",
"x_misp_name": "malware-config"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf0d7-870c-4b90-a5bb-4c1c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:21:59.000Z",
"modified": "2019-04-09T19:21:59.000Z",
"pattern": "[windows-registry-key:key = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\MS-DOS Emulation' AND windows-registry-key:values[0].data = '19790509' AND windows-registry-key:values[0].data_type = 'REG_NONE' AND windows-registry-key:values[0].name = 'NTVDM TRACE' AND windows-registry-key:x_misp_root_keys = 'HKCC']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:21:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"registry-key\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9d2caeb2-c8c9-4122-865c-29f1dfb7569b",
"created": "2019-04-09T12:07:08.000Z",
"modified": "2019-04-09T12:07:08.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"target_ref": "x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ef0f105e-6d14-4f3d-8734-a52b8e9ec292",
"created": "2019-04-09T12:21:25.000Z",
"modified": "2019-04-09T12:21:25.000Z",
"relationship_type": "connects-to",
"source_ref": "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"target_ref": "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0664a1eb-942a-42f7-820e-a40806dee68a",
"created": "2019-04-09T12:21:53.000Z",
"modified": "2019-04-09T12:21:53.000Z",
"relationship_type": "connects-to",
"source_ref": "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"target_ref": "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4b1324ec-9ca3-4edf-8f37-1f1312c10d0f",
"created": "2019-04-09T12:20:32.000Z",
"modified": "2019-04-09T12:20:32.000Z",
"relationship_type": "connects-to",
"source_ref": "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"target_ref": "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c2e74e7f-9a1d-4abb-918b-e4fc9dc5d36f",
"created": "2019-04-09T12:21:02.000Z",
"modified": "2019-04-09T12:21:02.000Z",
"relationship_type": "connects-to",
"source_ref": "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"target_ref": "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2675ff0a-8a8c-4a29-9f1c-28bebef585d2",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633",
"target_ref": "x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1b0d0c58-9f57-47f9-8599-e5ec43bcc370",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--d7f8c044-89dc-411c-a777-6110c35e1185",
"target_ref": "x-misp-object--73ebef95-1302-4712-b237-7aba3002f249"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c5fa940f-68ec-4e55-9038-69c4e8c62360",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--308606ca-729c-4050-8d8e-72f00f17a981",
"target_ref": "x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2a4d6da7-81fe-470f-b6ab-ecb1ea227ac4",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f",
"target_ref": "x-misp-object--67191d81-2968-4471-b804-e92b25166e28"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--75862b57-771d-45ed-afd7-d84cbbbf1716",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc",
"target_ref": "x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3921f8c1-5e0b-446d-bd1a-5866378b4ad3",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb",
"target_ref": "x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--59bcf66f-d7ca-40ea-b1d4-d50f3b99a7e0",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c",
"target_ref": "x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--aaa6d270-413a-43a5-880e-177ec54fd5e5",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9",
"target_ref": "x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}