misp-circl-feed/feeds/circl/misp/5cc3fa33-2fac-4dbd-9e06-60de02de0b81.json

586 lines
159 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type": "bundle",
"id": "bundle--5cc3fa33-2fac-4dbd-9e06-60de02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cc3fa33-2fac-4dbd-9e06-60de02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
"name": "OSINT - BabyShark Malware Part Two \u00e2\u20ac\u201c Attacks Continue Using KimJongRAT and PCRat",
"published": "2019-04-27T09:02:41Z",
"object_refs": [
"x-misp-attribute--5cc3fa44-db00-4a96-9e27-607502de0b81",
"observed-data--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"indicator--5cc3fafa-8580-46cb-916a-44db02de0b81",
"indicator--5cc3fafb-5408-433e-8b31-408b02de0b81",
"indicator--5cc3fafb-c8c0-42e6-bc0b-44a502de0b81",
"indicator--5cc3fafb-7a28-4088-8973-4cc602de0b81",
"indicator--5cc3fafb-5174-4cf6-b028-4e1202de0b81",
"indicator--5cc3fafb-7744-4075-838a-49c702de0b81",
"x-misp-object--5cc4069c-ed84-47b2-8f41-43b0950d210f",
"indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae",
"x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60",
"indicator--e04af19f-c666-456b-95c9-b1b19d401d5d",
"x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a",
"indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240",
"x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e",
"indicator--41e3fdee-552a-4961-8183-635188ef931d",
"x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d",
"relationship--5fe8c54f-8aff-4a86-aed9-153a1ce7c6b4",
"relationship--d15387bc-41c2-4c48-8361-4632e88d7574",
"relationship--94b31eab-e3dd-47d1-81b1-ef9ae4f873f0",
"relationship--378ad4b8-7033-405a-af92-eae0543c5587"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"BabyShark\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cc3fa44-db00-4a96-9e27-607502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:44:20.000Z",
"modified": "2019-04-27T06:44:20.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.\r\n\r\nWhile tracking the latest activities of the threat group, Unit 42 researchers were able to collect both the BabyShark malware\u00e2\u20ac\u2122s server-side and client-side files, as well as two encoded secondary PE payload files that the malware installs on the victim hosts upon receiving an operator\u00e2\u20ac\u2122s command. By analyzing the files, we were able to further understand the overall multi-staging structure of the BabyShark malware and features, such as how it attempts to maintain operational security and supported remote administration commands. Based on our research, it appears the malware author calls the encoded secondary payload \u00e2\u20ac\u0153Cowboy\u00e2\u20ac\u009d regardless of what malware family is delivered.\r\n\r\nOur research shows the most recent malicious activities involving BabyShark malware appear to be carried out for two purposes:\r\n\r\n Espionage on nuclear security and the Korean peninsula\u00e2\u20ac\u2122s national security issues\r\n Financial gain with focus on the cryptocurrency industry based on the decoy contents used in the samples, shown in Figure 1. Xcryptocrash is an online cryptocurrency gambling game."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:45:06.000Z",
"modified": "2019-04-27T06:45:06.000Z",
"first_observed": "2019-04-27T06:45:06Z",
"last_observed": "2019-04-27T06:45:06Z",
"number_observed": 1,
"object_refs": [
"file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"name": "Fig-2.-BabyShark-flowchart.png",
"content_ref": "artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5cc3fa72-76e4-4a59-9290-bdbe02de0b81",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAA00AAAHHCAYAAABjt7O7AAAKrWlDQ1BJQ0MgUHJvZmlsZQAASImVlgdUU2kWx7/30hstIdIJNXTpVXoNIEQ6iEpIKKGEEAggdmRwBMeCiggoIzoIouCoFFERsWAbBBTBOiCDgroOFrCgsg9Yws7u2d2z/5yb73duvvd/931595wLAHmAIxSmwDIApAoyRUHeboyIyCgGbhiggSwgACNA4XAzhK5stj9ANL/+VZP3ATSz3jWe8fr33/+rZHlxGVwAIDbCsbwMbirCZ5Bo4wpFmQCgkABa2ZnCGS5FmCZCCkT4+AwnzHH7DMfO8b3ZPSFB7giPAoAncziiBABIH5A8I4ubgPiQaQibCnh8AcIeCDtxEzk8hPMRNkpNTZvhkwjrxf6TT8JfPGMlnhxOgoTnnmVWeA9+hjCFs/r/PI7/rdQU8fw9NJEgJ4p8gpCVjpxZTXKan4QFsQGB88znze6f5USxT+g8czPco+aZx/Hwm2dxcqjrPHNEC9fyM1kh8yxKC5L4C1IC/CX+cSwJx2V4Bs9zPN+LNc+5iSHh85zFDwuY54zkYL+FPe6SvEgcJKk5XuQlecbUjIXauJyFe2Umhvgs1BAhqYcX5+EpyQtCJfuFmW4ST2EKe6H+FG9JPiMrWHJtJvKCzXMSx5e94MOWnA/wAJ7AH/kwABuYA0tgBuwAUlVmXM7MOw3c04SrRfyExEyGK9I1cQyWgGtixDA3NbMDYKYH5/7i9wOzvQXR8Qs53ggAFjN9oreQS0I6+Nwk0k6NCznmEAAyBwBoZ3PFoqy5HHrmCwOIQBrQgCJQA1pADxgj9VkDB+CCVOwLAkEIiAQrARckglQgAtlgLdgECkAR2An2gjJQCQ6DGnACnALN4Dy4BK6BW6Ab9IFHYBCMgFdgHEyCKQiCcBAFokKKkDqkAxlC5pAt5AR5Qv5QEBQJxUAJkAASQ2uhzVARVAyVQYegWuhX6Cx0CboB9UAPoCFoDHoHfYFRMBmmwaqwLrwYtoVdYT84BF4BJ8DpcC6cD2+HS+Eq+DjcBF+Cb8F98CD8Cp5AARQJRUdpoIxRtih3VCAqChWPEqHWowpRJagqVD2qFdWJuosaRL1GfUZj0VQ0A22MdkD7oEPRXHQ6ej16G7oMXYNuQl9B30UPocfR3zEUjArGEGOPYWEiMAmYbEwBpgRTjWnEXMX0YUYwk1gslo5lYm2wPthIbBJ2DXYb9gC2AduO7cEOYydwOJwizhDniAvEcXCZuALcftxx3EVcL24E9wlPwqvjzfFe+Ci8AJ+HL8Efw7fhe/Ev8FMEGYIOwZ4QSOARVhN2EI4QWgl3CCOEKaIskUl0JIYQk4ibiKXEeuJV4mPiexKJpEmyIy0j8UkbSaWkk6TrpCHSZ7Ic2YDsTo4mi8nbyUfJ7eQH5PcUCkWX4kKJomRStlNqKZcpTymfpKhSJlIsKZ7UBqlyqSapXqk30gRpHWlX6ZXSudIl0qel70i/liHI6Mq4y3Bk1suUy5yV6ZeZkKXKmskGyqbKbpM9JntDdlQOJ6cr5ynHk8uXOyx3WW6YiqJqUd2pXOpm6hHqVeoIDUtj0li0JFoR7QStizYuLydvKR8mnyNfLn9BfpCOouvSWfQU+g76Kfp9+pdFqotcF8Ut2rqoflHvoo8KygouCnEKhQoNCn0KXxQZip6KyYq7FJsVnyihlQyUlillKx1Uuqr0Wpmm7KDMVS5UPqX8UAVWMVAJUlmjcljltsqEqpqqt6pQdb/qZdXXanQ1F7UktT1qbWpj6lR1J3W++h71i+ovGfIMV0YKo5RxhTGuoaLhoyHWOKTRpTGlydQM1czTbNB8okXUstWK19qj1aE1rq2uvVR7rXad9kMdgo6tTqLOPp1OnY+6TN1w3S26zbqjTAUmi5nLrGM+1qPoOeul61Xp3dPH6tvqJ+sf0O82gA2sDBINyg3uGMKG1oZ8wwOGPUYYIzsjgVGVUb8x2djVOMu4znjIhG7ib5Jn0mzyZrH24qjFuxZ3Lv5uamWaYnrE9JGZnJmvWZ5Zq9k7cwNzrnm5+T0LioWXxQaLFou3loaWcZYHLQesqFZLrbZYdVh9s7axFlnXW4/ZaNvE2FTY9NvSbNm222yv22Hs3Ow22J23+2xvbZ9pf8r+Twdjh2SHYw6jS5hL4pYcWTLsqOnIcTzkOOjEcIpx+tlp0FnDmeNc5fzMRcuF51Lt8sJV3zXJ9bjrGzdTN5Fbo9tHd3v3de7tHigPb49Cjy5POc9QzzLPp16aXgledV7j3lbea7zbfTA+fj67fPpZqiwuq5Y17mvju873ih/ZL9ivzO+Zv4G/yL91KbzUd+nupY8DdAIEAc2BIJAVuDvwCZvJTmefW4Zdxl5Wvux5kFnQ2qDOYGrwquBjwZMhbiE7Qh6F6oWKQzvCpMOiw2rDPoZ7hBeHD0YsjlgXcStSKZIf2RKFiwqLqo6aWO65fO/ykWir6ILo+yuYK3JW3FiptDJl5YVV0qs4q07HYGLCY47FfOUEcqo4E7Gs2IrYca47dx/3Fc+Ft4c3FucYVxz3It4xvjh+NMExYXfCWKJzYknia747v4z/NsknqTLpY3Jg8tHk6ZTwlIZUfGpM6lmBnCBZcCVNLS0nrUdoKCwQDqbbp+9NHxf5iaozoIwVGS2ZNGTYuS3WE/8gHspyyirP+pQdln06RzZHkHN7tcHqratf5Hrl/rIGvYa7pmOtxtpNa4fWua47tB5aH7u+Y4PWhvwNIxu9N9ZsIm5K3vRbnmlecd6HzeGbW/NV8zfmD//g/UNdgVSBqKB/i8OWyh/RP/J/7NpqsXX/1u+FvMKbRaZFJUVft3G33fzJ7KfSn6a3x2/v2mG94+BO7E7Bzvu7nHfVFMsW5xYP7166u2kPY0/hng97V+29UWJZUrmPuE+8b7DUv7Rlv/b+nfu/liWW9ZW7lTdUqFRsrfh4gHeg96DLwfpK1cqiyi8/838eOOR9qKlKt6rkMPZw1uHnR8KOdP5i+0tttVJ1UfW3o4KjgzVBNVdqbWprj6kc21EH14nrxo5HH+8+4XGipd64/lADvaHoJDgpPvny15hf75/yO9Vx2vZ0/RmdMxWN1MbCJqhpddN4c2LzYEtkS89Z37MdrQ6tjedMzh09r3G+/IL8hR1txLb8tumLuRcn2oXtry8lXBruWNXx6HLE5XtXll3puup39fo1r2uXO107L153vH7+hv2Nszdtbzbfsr7VdNvqduNvVr81dll3Nd2xudPSbdfd2rOkp63XuffSXY+71+6x7t3qC+jruR96f6A/un9wgDcw+iDlwduHWQ+nHm18jHlc+ETmSclTladVv+v/3jBoPXhhyGPo9rPgZ4+GucOv/sj44+tI/nPK85IX6i9qR81Hz495jXW/XP5y5JXw1dTrgr/J/q3ijd6bM3+6/Hl7PGJ85K3o7fS7be8V3x/9YPmhY4I98XQydXLqY+EnxU81n20/d34J//JiKvsr7mvpN/1vrd/9vj+eTp2eFnJEnNlRAIUEHB8PwLujAFAiAaB2A0CUmpuRZwXNzfWzBP4Tz83Rs7IGALECYUgEuQBQgQQTCemNALCRNcQFwBYWkviHMuItzOe8SM3IaFIyPf0emQ1x+gB865+enmqenv5WjRT7EJljJudm8xnJIPN/9wNTC1///tAh8K/6Oze9BkYKTefQAAABnWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyI+CiAgICAgICAgIDxleGlmOlBpeGV
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafa-8580-46cb-916a-44db02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:22.000Z",
"modified": "2019-04-27T06:47:22.000Z",
"pattern": "[file:hashes.SHA256 = '75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-5408-433e-8b31-408b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:23.000Z",
"modified": "2019-04-27T06:47:23.000Z",
"pattern": "[file:hashes.SHA256 = 'f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"misp-galaxy:malpedia=\"Ghost RAT\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-c8c0-42e6-bc0b-44a502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:23.000Z",
"modified": "2019-04-27T06:47:23.000Z",
"pattern": "[file:hashes.SHA256 = 'd50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-7a28-4088-8973-4cc602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:41.000Z",
"modified": "2019-04-27T06:47:41.000Z",
"description": "Malicious Word Macro Document",
"pattern": "[file:hashes.SHA256 = '4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-5174-4cf6-b028-4e1202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:23.000Z",
"modified": "2019-04-27T06:47:23.000Z",
"pattern": "[file:hashes.SHA256 = '33ce9bcaeb0733a77ff0d85263ce03502ac20873bf58a118d1810861caced254']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc3fafb-7744-4075-838a-49c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T06:47:23.000Z",
"modified": "2019-04-27T06:47:23.000Z",
"pattern": "[file:hashes.SHA256 = 'bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T06:47:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5cc4069c-ed84-47b2-8f41-43b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:37:00.000Z",
"modified": "2019-04-27T07:37:00.000Z",
"labels": [
"misp:name=\"script\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "script",
"value": "import base64\r\n\r\nwith open(\u00e2\u20ac\u02dccowboy\u00e2\u20ac\u2122, \u00e2\u20ac\u02dcr\u00e2\u20ac\u2122) as file_in, open(\u00e2\u20ac\u02dccowboy_clear.bin\u00e2\u20ac\u2122, \u00e2\u20ac\u02dcwb\u00e2\u20ac\u2122) as file_out:\r\n\r\n EncStr = file_in.read()\r\n\r\n BlkSz = 10\r\n\r\n len_EncStr = len(EncStr)\r\n\r\n NonBlk10_ptr = len_EncStr \u00e2\u20ac\u201c (BlkSz -1) * (len_EncStr // BlkSz)\r\n\r\n NonBlk10 = EncStr [:NonBlk10_ptr]\r\n\r\n result = \u00e2\u20ac\u009d\r\n\r\n EncStr = EncStr [NonBlk10_ptr::]\r\n\r\n #print EncStr\r\n\r\n x = range (-1,BlkSz-1)\r\n\r\n Blksize1 = len_EncStr // BlkSz\r\n\r\n for n in x:\r\n\r\n loop_buff1_ptr = n * (len_EncStr // BlkSz)\r\n\r\n loop_buff1 = EncStr [loop_buff1_ptr:loop_buff1_ptr+Blksize1]\r\n\r\n #print loop_buff1\r\n\r\n result = loop_buff1 + result\r\n\r\n result = result + NonBlk10\r\n\r\n clear = base64.b64decode(result)[::-1]\r\n\r\n print clear\r\n\r\nfile_out.write(clear)",
"category": "Other",
"uuid": "5cc4069d-e05c-4b0b-a27b-42ee950d210f"
},
{
"type": "text",
"object_relation": "language",
"value": "Python",
"category": "Other",
"uuid": "5cc4069d-8094-4565-8c48-4b4c950d210f"
},
{
"type": "text",
"object_relation": "comment",
"value": "Python Script for Decoding Cowboy",
"category": "Other",
"uuid": "5cc4069d-95dc-4ca0-ab95-4114950d210f"
},
{
"type": "text",
"object_relation": "state",
"value": "Trusted",
"category": "Other",
"uuid": "5cc4069d-0010-4538-93dc-4a8d950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "script"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:16.000Z",
"modified": "2019-04-27T07:43:16.000Z",
"pattern": "[file:hashes.MD5 = '03dbc1b3d79a4ff70f06fd6e67e00985' AND file:hashes.SHA1 = 'dbfdf474c76428f02fc4fbe408a8fe81a9402421' AND file:hashes.SHA256 = '75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T07:43:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-27T00:43:44",
"category": "Other",
"uuid": "1ef7752b-f188-42f5-8df8-5eb52e7c1a3e"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5/analysis/1556325824/",
"category": "Payload delivery",
"uuid": "8e8a2ce7-e747-4d32-9183-77f4d3439518"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "24/63",
"category": "Payload delivery",
"uuid": "10278f12-9615-4779-8ec1-d851b3124373"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e04af19f-c666-456b-95c9-b1b19d401d5d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"pattern": "[file:hashes.MD5 = '57ef27823865c8f7784b0d37fd2c4aa8' AND file:hashes.SHA1 = 'd953005a70bf9d6282a9792c2598218657f31e25' AND file:hashes.SHA256 = 'bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T07:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-24T20:00:44",
"category": "Other",
"uuid": "52406c92-c58c-45e1-a839-40a456d351a1"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1/analysis/1556136044/",
"category": "Payload delivery",
"uuid": "cd77c1bb-6b7e-41c2-a379-e94a091812aa"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "3/71",
"category": "Payload delivery",
"uuid": "34e8e79b-d608-4c84-91bd-d00813a4e0f8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"pattern": "[file:hashes.MD5 = '6590830061f85c0acc5259013555d079' AND file:hashes.SHA1 = 'b014e1b20499fcbab4c8e7af351ce08ac7f7832e' AND file:hashes.SHA256 = '4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T07:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-26T09:23:39",
"category": "Other",
"comment": "Malicious Word Macro Document",
"uuid": "9ed264d6-a346-4239-b5af-573ec35466d9"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7/analysis/1556270619/",
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"uuid": "b7329de0-871d-4813-84a6-ca73093ef4a7"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "5/71",
"category": "Payload delivery",
"comment": "Malicious Word Macro Document",
"uuid": "a5f82c6b-902f-4b62-8bb2-a4b00f39e40b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--41e3fdee-552a-4961-8183-635188ef931d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"pattern": "[file:hashes.MD5 = '61f42c2dc1da18b046c6b274abe6f4ca' AND file:hashes.SHA1 = 'da188539e0dddae87245bcbc6e30eeb8ea607657' AND file:hashes.SHA256 = 'd50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-27T07:43:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-27T07:43:17.000Z",
"modified": "2019-04-27T07:43:17.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-31T07:08:17",
"category": "Other",
"uuid": "74fc5c3e-b17b-4d9e-88a5-f222d2fd231e"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712/analysis/1546240097/",
"category": "Payload delivery",
"uuid": "4afc8fc9-8686-4923-8dba-43f8fcc94109"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "11/68",
"category": "Payload delivery",
"uuid": "67182b20-bb11-4fa0-b212-31ac0634bc3a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5fe8c54f-8aff-4a86-aed9-153a1ce7c6b4",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-06-14 17:31:25 +00:00
"source_ref": "indicator--c5a73ecb-7963-487b-9c12-4b0e86a495ae",
"target_ref": "x-misp-object--ec43ff24-211c-430f-84ab-5f57fa153d60"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d15387bc-41c2-4c48-8361-4632e88d7574",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-06-14 17:31:25 +00:00
"source_ref": "indicator--e04af19f-c666-456b-95c9-b1b19d401d5d",
"target_ref": "x-misp-object--af318753-2c6d-41cc-a37b-f9db1cec6b7a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--94b31eab-e3dd-47d1-81b1-ef9ae4f873f0",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-06-14 17:31:25 +00:00
"source_ref": "indicator--1ca9e3cc-11cf-4417-ae89-12d0db9e9240",
"target_ref": "x-misp-object--210c73d6-356a-4be2-ba0a-cbf5b9ed607e"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--378ad4b8-7033-405a-af92-eae0543c5587",
"created": "2019-04-27T07:43:18.000Z",
"modified": "2019-04-27T07:43:18.000Z",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-06-14 17:31:25 +00:00
"source_ref": "indicator--41e3fdee-552a-4961-8183-635188ef931d",
"target_ref": "x-misp-object--5620ac27-0a6e-466a-90ff-6e97ab1e498d"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
2023-04-21 13:25:09 +00:00
]
}