misp-circl-feed/feeds/circl/stix-2.1/57221ede-4084-4c2b-9463-4e1e950d210f.json

{
"type": "bundle",
"id": "bundle--57221ede-4084-4c2b-9463-4e1e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-01T09:26:25.000Z",
"modified": "2016-06-01T09:26:25.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57221ede-4084-4c2b-9463-4e1e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-01T09:26:25.000Z",
"modified": "2016-06-01T09:26:25.000Z",
"name": "OSINT - PLATINUM Targeted attacks in South and Southeast Asia",
"published": "2016-06-01T11:50:05Z",
"object_refs": [
"observed-data--57221f02-6b1c-4b51-b40c-462d950d210f",
"file--57221f02-6b1c-4b51-b40c-462d950d210f",
"artifact--57221f02-6b1c-4b51-b40c-462d950d210f",
"vulnerability--57222bfe-4068-4151-aa6d-40a6950d210f",
"indicator--57222c60-7300-4608-a6da-407f950d210f",
"indicator--57222c76-7a74-4696-bfef-4a72950d210f",
"indicator--57222caf-8748-4ea3-9e48-4cd8950d210f",
"indicator--57222ccd-c09c-402a-af7b-42a5950d210f",
"indicator--57222ce1-6800-4ad5-81d7-461e950d210f",
"indicator--57222d07-9af0-482f-ad9a-446d950d210f",
"indicator--57222d55-3684-4ca9-8552-4ea1950d210f",
"indicator--57222d70-8a40-438e-8d32-411f950d210f",
"indicator--57222da1-3824-4b9f-aeaa-48ee950d210f",
"indicator--57222dc9-3924-415f-b9af-411e950d210f",
"indicator--57222ddc-86f4-4857-a0b7-4d30950d210f",
"indicator--57222dee-bc1c-45cd-990c-4384950d210f",
"indicator--57222e07-30ec-4c0a-b189-494a950d210f",
"indicator--57222e22-aa2c-415e-8a7b-462d950d210f",
"indicator--57222e6b-89f4-4baa-9984-4e7b950d210f",
"indicator--57222e81-ba14-49a1-adcf-4445950d210f",
"indicator--57222ea3-46a4-48aa-a848-4a89950d210f",
"indicator--57222ec6-0e78-4173-9f07-4cb8950d210f",
"indicator--57222edf-cb54-45e0-bbcc-4210950d210f",
"x-misp-attribute--57222f0f-ca58-4844-8763-4c13950d210f",
"indicator--57222f56-1be8-471b-a27f-4ce4950d210f",
"indicator--57222f57-87fc-44ef-8b30-41c2950d210f",
"indicator--57222f57-30c0-40e6-be3f-430e950d210f",
"indicator--57222f58-f4c0-423c-9e35-4356950d210f",
"indicator--57222f58-75c4-4151-bc5d-4728950d210f",
"indicator--57222fe7-e234-4ba0-8667-45b4950d210f",
"indicator--57222fe7-82c0-41a5-b39f-4790950d210f",
"indicator--57222fe8-e138-41ca-8e0f-48b1950d210f",
"indicator--57222fe8-5f0c-45fa-a8ed-4c3b950d210f",
"indicator--57222fe9-9958-4f02-9560-4f43950d210f",
"indicator--57222fe9-9edc-43b7-bc6a-43b7950d210f",
"indicator--57222fe9-515c-4e40-8b67-40cf950d210f",
"indicator--57222fea-00b4-4c25-86b6-47b8950d210f",
"indicator--57222fea-022c-4a86-8c6e-4760950d210f",
"indicator--57222feb-9550-414b-aa37-403b950d210f",
"indicator--57223015-2b48-4137-afae-4aaf950d210f",
"indicator--57223015-7138-4387-a596-4b3d950d210f",
"indicator--57223016-2264-4e5f-8211-4468950d210f",
"indicator--57223016-b9bc-4df8-934c-4076950d210f",
"indicator--57223016-cb40-4ea5-b383-4511950d210f",
"indicator--57223017-2e54-4205-9c7b-485e950d210f",
"indicator--57223017-99cc-41de-abc6-4f39950d210f",
"indicator--57223018-d2f0-4939-b72b-46e0950d210f",
"indicator--57223018-368c-428b-a315-4482950d210f",
"indicator--57223018-bde4-46d2-b4a1-4a67950d210f",
"indicator--57223019-3f84-4531-b4db-45ed950d210f",
"indicator--57223019-2de8-4914-b9a9-4b15950d210f",
"indicator--5722301a-b6d0-4690-b82c-447a950d210f",
"indicator--5722301a-6a0c-4bd3-973c-4cf3950d210f",
"indicator--5722301a-264c-4eb4-8e87-4f0f950d210f",
"x-misp-attribute--57223037-e7e0-4004-8cfe-424d950d210f",
"indicator--572230b7-32b8-4f91-8c2a-47cd02de0b81",
"indicator--572230b8-3e68-44d6-9b51-4f7502de0b81",
"observed-data--572230b8-2b30-4d0e-b33d-487802de0b81",
"url--572230b8-2b30-4d0e-b33d-487802de0b81",
"indicator--572230b8-dbac-426b-a9ac-4cbe02de0b81",
"indicator--572230b9-c428-47ce-a5f3-42ed02de0b81",
"observed-data--572230b9-3bd4-4ae8-9fb0-443602de0b81",
"url--572230b9-3bd4-4ae8-9fb0-443602de0b81",
"indicator--572230b9-7c5c-44a4-9840-435d02de0b81",
"indicator--572230ba-e524-4a2d-8640-4af602de0b81",
"observed-data--572230ba-8100-4cb3-851a-49b602de0b81",
"url--572230ba-8100-4cb3-851a-49b602de0b81",
"indicator--572230ba-0d08-41d7-9bc8-4b4e02de0b81",
"indicator--572230bb-c9d4-44d2-a86b-467002de0b81",
"observed-data--572230bb-817c-4de6-a794-42d302de0b81",
"url--572230bb-817c-4de6-a794-42d302de0b81",
"indicator--572230bc-4f94-48a2-9906-48ca02de0b81",
"indicator--572230bc-6474-420c-aad7-466502de0b81",
"observed-data--572230bc-23f4-44b5-82af-405902de0b81",
"url--572230bc-23f4-44b5-82af-405902de0b81",
"vulnerability--572301cb-39dc-48ab-8569-4bbc950d210f",
"vulnerability--57230233-264c-4424-9865-4b32950d210f",
"observed-data--57230362-94fc-4f8a-8e59-4696950d210f",
"windows-registry-key--57230362-94fc-4f8a-8e59-4696950d210f",
"observed-data--57230368-035c-4607-af86-4634950d210f",
"windows-registry-key--57230368-035c-4607-af86-4634950d210f",
"observed-data--57230368-52dc-4e88-92c0-48cf950d210f",
"windows-registry-key--57230368-52dc-4e88-92c0-48cf950d210f",
"observed-data--57230368-4350-45bb-a5ef-4a2f950d210f",
"windows-registry-key--57230368-4350-45bb-a5ef-4a2f950d210f",
"observed-data--57230369-2ca4-487e-81c1-4f49950d210f",
"windows-registry-key--57230369-2ca4-487e-81c1-4f49950d210f",
"observed-data--57230369-3458-43b5-b0b4-474c950d210f",
"windows-registry-key--57230369-3458-43b5-b0b4-474c950d210f",
"observed-data--57228030-4c14-48c9-899f-45a202de0b81",
"url--57228030-4c14-48c9-899f-45a202de0b81",
"observed-data--57228030-5328-4860-976e-42a802de0b81",
"url--57228030-5328-4860-976e-42a802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57221f02-6b1c-4b51-b40c-462d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T14:32:34.000Z",
"modified": "2016-04-28T14:32:34.000Z",
"first_observed": "2016-04-28T14:32:34Z",
"last_observed": "2016-04-28T14:32:34Z",
"number_observed": 1,
"object_refs": [
"file--57221f02-6b1c-4b51-b40c-462d950d210f",
"artifact--57221f02-6b1c-4b51-b40c-462d950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--57221f02-6b1c-4b51-b40c-462d950d210f",
"name": "Platinum feature article - Targeted attacks in South and Southeast Asia April 2016.pdf",
"content_ref": "artifact--57221f02-6b1c-4b51-b40c-462d950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--57221f02-6b1c-4b51-b40c-462d950d210f",
"payload_bin": "JVBERi0xLjYNJeLjz9MNCjI4OTQgMCBvYmoNPDwvTGluZWFyaXplZCAxL0wgNTQyMzU4NS9PIDI4OTYvRSA0NDc0MTQ5L04gMzIvVCA1NDIyNjcxL0ggWyA0ODggNjc1XT4+DWVuZG9iag0gICAgICAgDQoyOTA2IDAgb2JqDTw8L0RlY29kZVBhcm1zPDwvQ29sdW1ucyA0L1ByZWRpY3RvciAxMj4+L0ZpbHRlci9GbGF0ZURlY29kZS9JRFs8N0Q3NkEwRjVDMTJFRTc0N0JGMjE5QTU5MDA4MkI5OUE+PEUwNjY4QzYyRUQ5RDNDNEE5MTFDMUY1N0E3QzdGNTlEPl0vSW5kZXhbMjg5NCAyNF0vSW5mbyAyODkzIDAgUi9MZW5ndGggNzQvUHJldiA1NDIyNjcyL1Jvb3QgMjg5NSAwIFIvU2l6ZSAyOTE4L1R5cGUvWFJlZi9XWzEgMiAxXT4+c3RyZWFtDQpo3mJiZBBgYGJgqQYSjPtBhBqQ4AgBEswBQIKpD0gYmIEk4oCExDSQ2Fwgwf8TSEwWYmBi5L4LZDEwMBJN/P82/TtAgAEAU9YLGw0KZW5kc3RyZWFtDWVuZG9iag1zdGFydHhyZWYNCjANCiUlRU9GDQogICAgICAgDQoyOTE3IDAgb2JqDTw8L0MgNzI5L0ZpbHRlci9GbGF0ZURlY29kZS9JIDc1My9MZW5ndGggNTczL08gNjkxL1MgNTY3L1YgNzA3Pj5zdHJlYW0NCmjetFLNaxNBFP/NZvLRpDG7apOYEJOqlAo9xMY0CRjZumlMC8UYjLZi6R5yqIdAxCqWGt1AkFUR4kEoglhUUhAPiqClVAlSDwptFQMGDx6q4E0sBUHowZmU1r/AYWZ+H+/Ng5l5AAQ2Z0AB8zhc+DdczDOxZSn3ku47O0VRko7s4AG9sERyddIWxFya+GvhJ3LHduGS1TDxgo5P4bRuc6nes9Nkrja0CtszuF9jl4qcjtWA8/e066FsfoN4CcbDED/AO4veAFRgDYKN1Q7duluuXvuTf/dzcikUCvUA/q6ZRdr9XqwpxX3LaaWSzY3GZSVmTBSDSvhC+YCmFKuJfE25LDMyKL1spZFFnhxeGGahdolGvsSTmRjxZhdGD4n1GGmjkc8SP3Us/Z3m3/JqpfOVE0myzXz/TNJXLCgDhnrMRPvSSjHlGAlVpJNOGvUfVIh97RM7Msz8qIOTU8s0HBj8VpGy90o/1InG7ovmLVKyfwQp6ey1dJCeMV3XmhSUa7cOC2BklOoQosxhEcmpb2btYdI41FSU7zTFDCT0ZoE+DkKnRiQ310In39F0NcvmNI1p//Ob2DiHdIyjla32ppNlLUMewL8ORwN7K8b1AAS5NaCRFHz9jpFZTLJLB60eFeFmfgO+KG7Owy7DLcKjSS0QW0Ae42gS5gJsKvn1lK6o7ikQFnwO66PN1tSR6bjNkACG4wyvI7N/ZUMLX7ca+AYyXTWGHuBqP3ijm65wv4rMK9NGNhn4K8AA7MvAEQ0KZW5kc3RyZWFtDWVuZG9iag0yODk1IDAgb2JqDTw8L0Fjcm9Gb3JtIDI5MDcgMCBSL0xhbmco/v8ARQBOAC0AVQBTKS9NYXJrSW5mbzw8L01hcmtlZCB0cnVlPj4vTWV0YWRhdGEgMTY0IDAgUi9PdXRsaW5lcyAzMzYgMCBSL1BhZ2VMYXlvdXQvT25lQ29sdW1uL1BhZ2VzIDI4ODYgMCBSL1N0cnVjdFRyZWVSb290IDM3MiAwIFIvVHlwZS9DYXRhbG9nPj4NZW5kb2JqDTI4OTYgMCBvYmoNPDwvQ29udGVudHMgMjg5OCAwIFIvQ3JvcEJveFswLjAgMC4wIDYxMi4wIDc5Mi4wXS9Hcm91cCAyOTE2IDAgUi9NZWRpYUJveFswLjAgMC4wIDYxMi4wIDc5Mi4wXS9QYXJlbnQgMjg4NyAwIFIvUmVzb3VyY2VzPDwv
RXh0R1N0YXRlPDwvR1MwIDI5MDggMCBSPj4vRm9udDw8L0MyXzAgMjkxMyAwIFIvVFQwIDI5MTUgMCBSPj4vUHJvY1NldFsvUERGL1RleHQvSW1hZ2VDXS9YT2JqZWN0PDwvSW0wIDI5MDUgMCBSPj4+Pi9Sb3RhdGUgMC9TdHJ1Y3RQYXJlbnRzIDAvVHlwZS9QYWdlPj4NZW5kb2JqDTI4OTcgMCBvYmoNPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0ZpcnN0IDkzL0xlbmd0aCAyMDMzL04gMTAvVHlwZS9PYmpTdG0+PnN0cmVhbQ0KaN6UWNtu3EYS/ZV+tLHwsu8XIBAgaSJbgBUbGmW9WIIPtETLgx3NCDN0EP19zqkmR1bkOA4Eqsi+Vp2qOtU9tuiktLJFZ2WM4UtRFm22GDSHwhejgmOXscr5+ubw5uXNKxdi5ltQLhuZGZV3xauffmoWxy+aN8P6N+xx9Qn/btXLZnGJjp8319ub1eYWr+8XZ4vt9dygXDIYeHl01JxtNyP6Zb6Lha3N//rFRwzRdQgHrYb1zb7tjo4w9Ph8qT716/3QnFw0v2x3d/26OT1W5t+6efd+6nn3/kKZZnmsxt2XoVle9Pv/Y+hmaK4e7ofm59/H18uxH4fmupd52/s6T9Z/t7sZdlDyxfnNsBlX48PL5nK4Xe3H3cOL45vtx+Fls/xyf78e7tCtdNVpf80Po71uTs8Xy2EkymJjc9rfvxlWt59HlbRuFkMd+spm25yt+9u98gLCycn29/aViVq64KhoZL1Oes/6u9X64cVyuN0O6v1uq5bD3eotV31Z+1frwXJPK3uy6Zf+bmjOX/96ebH8l8zDtFeHaTJkOe6G8frzjCKbPlRVXdDN+divV9fHm9v1oHSzHIe7/6joK4QcSlN2q/txu2v+O1kYdMXjpN8PHPKd/QnTwx6Lnm8+bWtMClrni6vt6/PFRX/fzA5oFh8ABcB7umuNX05afvk4UitM5hBqaB/1bD60uo0+dohlDHetdU7ZjKCOToWSVLBJZXgrabRb2yEZDMGEF1zr8RUjQt4U5UqpMmWZ5FLoLFa18mVdG3zprMfitQEjdZ1gFPbkMs63yBtVfFHRRRWQfdFqFTOmYHufkop8ClTxHK4xBu3RqxyDSlgzBagcbJUYG5CfwWRZPkJxZmlIWNvjSVoMccmJ5BiPfhu4H5I+eeWxPiXXsUhpeQ+6wxJY3cKelFvPhfCawQjoxCDXZYdPGZ5D62CV1xGmYuVgoHFkwCsPCzzIw4csGlhnD5oQgeiSIEDrZ+vQ1xkdkARatARrtdASjmFiBNEUCYKniFLG6pYaG0vP0XoHiX6sR12M061LltzVGUe3OnGQoTc8dNNVX1Ag+sGSsCVn7O91m4gckKdt1DnDK9QRNNgZvBt6Eu0mQAesGZC3lBE6JgAVzRwr2AecmkJQ2VUdGQkMRMGCoNo04YK1QYYGoHvqkUwbGXvJd4a2AXJiZ1JoqUuBzgU4IP06k7Uy2ZCxIWFrZlADg+xbrh2wLv3B6DCMEIu9CuYUzIF+ptg2ANcAnxAzKxhP65lSnUZnQXYWfGPxzm+rfa0qAMWi1Fg4j8pZlhzjpiTyLR3GcHQEBWMcHZwJRJC1HB1LA1INexYoOpwOYDhLIMGJkjI+iCFiEFICsdhZx/7qFIvgsx6OZ8Z712aNfo81MS8RfB9bJrWkBAwVQGAox1c7zXNptaTMX0roFX2VkkrEx/y9ZNpz/F9KUAIzb5aCM8nmOzJgLHUijbANVNI5Jin8xIx2GplNjNH3RCJwqiySlNzvzzKUr9qEitwzSXoiMTyTsz+fyVwJhJLMPH1L4Abzw5IUSPI5xMYUN4f4gf9JPPQnE5oJedB50kUCnwmAxKXvrWHyaElqh/mZhACmz4wdtM90Ttzq2k72o78kD+gPiZNyoPIw5Qgrj8SvqRhQ70QiEQ6OQhoyH+0RxOhdrjGAfUk4bAskNSYucof9
HnE/MXUdR98WzIN+AeTofSUhIahIv3MtzMuVxGLhmlnszcznaS/BCJJtwgOlxkw01a/UswCzgvbEMaHaRhw
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--57222bfe-4068-4151-aa6d-40a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:27:58.000Z",
"modified": "2016-04-28T15:27:58.000Z",
"name": "CVE-2015-2545",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-2545"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222c60-7300-4608-a6da-407f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T07:05:07.000Z",
"modified": "2016-04-29T07:05:07.000Z",
"pattern": "[rule Trojan_Win32_PlaSrv : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Hotpatching Injector\"\r\noriginal_sample_sha1 = \"ff7f949da665ba8ce9fb01da357b51415634eaad\"\r\nunpacked_sample_sha1 = \"dff2fee984ba9f5a8f5d97582c83fca4fa1fe131\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$Section_name = \".hotp1\"\r\n$offset_x59 = { C7 80 64 01 00 00 00 00 01 00 }\r\ncondition:\r\n$Section_name and $offset_x59\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-29T07:05:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222c76-7a74-4696-bfef-4a72950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:29:58.000Z",
"modified": "2016-04-28T15:29:58.000Z",
"pattern": "[rule Trojan_Win32_Platual : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"e0ac2ae221328313a7eee33e9be0924c46e2beb9\"\r\nunpacked_sample_sha1 = \"ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$class_name = \"AVCObfuscation\"\r\n$scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 }\r\ncondition:\r\n$class_name and $scrambled_dir\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:29:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222caf-8748-4ea3-9e48-4cd8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:30:55.000Z",
"modified": "2016-04-28T15:30:55.000Z",
"pattern": "[rule Trojan_Win32_Plaplex : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Variant of the JPin backdoor\"\r\noriginal_sample_sha1 = \"ca3bda30a3cdc15afb78e54fa1bbb9300d268d66\"\r\nunpacked_sample_sha1 = \"2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$class_name1 = \"AVCObfuscation\"\r\n$class_name2 = \"AVCSetiriControl\"\r\ncondition:\r\n$class_name1 and $class_name2\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:30:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222ccd-c09c-402a-af7b-42a5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:31:25.000Z",
"modified": "2016-04-28T15:31:25.000Z",
"pattern": "[rule Trojan_Win32_Dipsind_B : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind Family\"\r\nsample_sha1 = \"09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$frg1 = {8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3\r\nA5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 07 00 00 }\r\n$frg2 = {68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA}\r\n$frg3 = {C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63}\r\ncondition:\r\n$frg1 and $frg2 and $frg3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:31:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222ce1-6800-4ad5-81d7-461e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:31:45.000Z",
"modified": "2016-04-28T15:31:45.000Z",
"pattern": "[rule Trojan_Win32_PlaKeylog_B : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Keylogger component\"\r\noriginal_sample_sha1 = \"0096a3e0c97b85ca75164f48230ae530c94a2b77\"\r\nunpacked_sample_sha1 = \"6a1412daaa9bdc553689537df0a004d44f8a45fd\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$hook = {C6 06 FF 46 C6 06 25}\r\n$dasm_engine = {80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05}\r\ncondition:\r\n$hook and $dasm_engine\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:31:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222d07-9af0-482f-ad9a-446d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:32:23.000Z",
"modified": "2016-04-28T15:32:23.000Z",
"pattern": "[rule Trojan_Win32_Adupib : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Adupib SSL Backdoor\"\r\noriginal_sample_sha1 = \"d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd\"\r\nunpacked_sample_sha1 = \"a80051d5ae124fd9e5cc03e699dd91c2b373978b\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"POLL_RATE\"\r\n$str2 = \"OP_TIME(end hour)\"\r\n$str3 = \"%d:TCP:*:Enabled\"\r\n$str4 = \"%s[PwFF_cfg%d]\"\r\n$str5 = \"Fake_GetDlgItemTextW: ***value***=\"\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4 and $str5\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:32:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222d55-3684-4ca9-8552-4ea1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T07:05:16.000Z",
"modified": "2016-04-29T07:05:16.000Z",
"pattern": "[rule Trojan_Win32_Plagon : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"48b89f61d58b57dba6a0ca857bce97bab636af65\"\r\nunpacked_sample_sha1 = \"6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 =\"VPLRXZHTU\"\r\n$str2 ={64 6F 67 32 6A 7E 6C}\r\n$str3 =\"Dqpqftk(Wou\\\"Isztk)\"\r\n$str4 =\"StartThreadAtWinLogon\"\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-29T07:05:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222d70-8a40-438e-8d32-411f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T07:05:20.000Z",
"modified": "2016-04-29T07:05:20.000Z",
"pattern": "[rule Trojan_Win32_Plakelog : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Raw-input based keylogger\"\r\noriginal_sample_sha1 = \"3907a9e41df805f912f821a47031164b6636bd04\"\r\nunpacked_sample_sha1 = \"960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 =\"<0x02>\" wide\r\n$str2 =\"[CTR-BRK]\" wide\r\n$str3 =\"[/WIN]\" wide\r\n$str4 ={8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B}\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-29T07:05:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222da1-3824-4b9f-aeaa-48ee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T07:05:23.000Z",
"modified": "2016-04-29T07:05:23.000Z",
"pattern": "[rule Trojan_Win32_Plainst : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"99c08d31af211a0e17f92dd312ec7ca2b9469ecb\"\r\nunpacked_sample_sha1 = \"dcb6cf7cf7c8fdfc89656a042f81136bda354ba6\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04}\r\n$str2 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}\r\ncondition:\r\n$str1 and $str2\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-29T07:05:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222dc9-3924-415f-b9af-411e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:35:37.000Z",
"modified": "2016-04-28T15:35:37.000Z",
"pattern": "[rule Trojan_Win32_Plagicom : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"99dcb148b053f4cef6df5fa1ec5d33971a58bd1e\"\r\nunpacked_sample_sha1 = \"c1c950bc6a2ad67488e675da4dfc8916831239a7\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ??\r\n00}\r\n$str2 = \"OUEMM/EMM\"\r\n$str3 = {85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:35:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222ddc-86f4-4857-a0b7-4d30950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:35:56.000Z",
"modified": "2016-04-28T15:35:56.000Z",
"pattern": "[rule Trojan_Win32_Plaklog : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Hook-based keylogger\"\r\noriginal_sample_sha1 = \"831a5a29d47ab85ee3216d4e75f18d93641a9819\"\r\nunpacked_sample_sha1 = \"e18750207ddbd939975466a0e01bd84e75327dda\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"++[%s^^unknown^^%s]++\"\r\n$str2 = \"vtfs43/emm\"\r\n$str3 = {33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0\r\nC3}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:35:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222dee-bc1c-45cd-990c-4384950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:36:14.000Z",
"modified": "2016-04-28T15:36:14.000Z",
"pattern": "[rule Trojan_Win32_Plapiio : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"JPin backdoor\"\r\noriginal_sample_sha1 = \"3119de80088c52bd8097394092847cd984606c88\"\r\nunpacked_sample_sha1 = \"3acb8fe2a5eb3478b4553907a571b6614eb5455c\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"ServiceMain\"\r\n$str2 = \"Startup\"\r\n$str3 = {C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 6D}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:36:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222e07-30ec-4c0a-b189-494a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-01T09:26:25.000Z",
"modified": "2016-06-01T09:26:25.000Z",
"pattern": "[rule Trojan_Win32_Plabit : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft Installer component\"\r\nsample_sha1 = \"6d1169775a552230302131f9385135d385efd166\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}\r\n$str2 = \"GetInstanceW\"\r\n$str3 = {8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-06-01T09:26:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222e22-aa2c-415e-8a7b-462d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:37:06.000Z",
"modified": "2016-04-28T15:37:06.000Z",
"pattern": "[rule Trojan_Win32_Placisc2 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"bf944eb70a382bd77ee5b47548ea9a4969de0527\"\r\nunpacked_sample_sha1 = \"d807648ddecc4572c7b04405f496d25700e0be6e\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA\r\n}\r\n$str2 = \"VPLRXZHTU\"\r\n$str3 = \"%d) Command:%s\"\r\n$str4 = {0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A}\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:37:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222e6b-89f4-4baa-9984-4e7b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:38:19.000Z",
"modified": "2016-04-28T15:38:19.000Z",
"pattern": "[rule Trojan_Win32_Placisc3 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"1b542dd0dacfcd4200879221709f5fa9683cdcda\"\r\nunpacked_sample_sha1 = \"bbd4992ee3f3a3267732151636359cf94fb4575d\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF\r\nB9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00\r\n00}\r\n$str2 = \"VPLRXZHTU\"\r\n$str3 = {8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:38:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222e81-ba14-49a1-adcf-4445950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:38:41.000Z",
"modified": "2016-04-28T15:38:41.000Z",
"pattern": "[rule Trojan_Win32_Placisc4 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer for Dipsind variant\"\r\noriginal_sample_sha1 = \"3d17828632e8ff1560f6094703ece5433bc69586\"\r\nunpacked_sample_sha1 = \"2abb8e1e9cac24be474e4955c63108ff86d1a034\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04\r\n39 84 C0 74 0A}\r\n$str2 = {6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5}\r\n$str3 = {C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ??\r\n6A}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:38:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222ea3-46a4-48aa-a848-4a89950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:39:15.000Z",
"modified": "2016-04-28T15:39:15.000Z",
"pattern": "[rule Trojan_Win32_Plakpers : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Injector / loader component\"\r\noriginal_sample_sha1 = \"fa083d744d278c6f4865f095cfd2feabee558056\"\r\nunpacked_sample_sha1 = \"3a678b5c9c46b5b87bfcb18306ed50fadfc6372e\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"MyFileMappingObject\"\r\n$str2 = \"[%.3u] %s %s %s [%s:\" wide\r\n$str3 = \"%s\\\\{%s}\\\\%s\" wide\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222ec6-0e78-4173-9f07-4cb8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:39:50.000Z",
"modified": "2016-04-28T15:39:50.000Z",
"pattern": "[rule Trojan_Win32_Plainst2 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Zc tool\"\r\noriginal_sample_sha1 = \"3f2ce812c38ff5ac3d813394291a5867e2cddcf2\"\r\nunpacked_sample_sha1 = \"88ff852b1b8077ad5a19cc438afb2402462fbd1a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"Connected [%s:%d]...\"\r\n$str2 = \"reuse possible: %c\"\r\n$str3 = \"] => %d%%\\x0a\"\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:39:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222edf-cb54-45e0-bbcc-4210950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:40:15.000Z",
"modified": "2016-04-28T15:40:15.000Z",
"pattern": "[rule Trojan_Win32_Plakpeer : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Zc tool v2\"\r\noriginal_sample_sha1 = \"2155c20483528377b5e3fde004bb604198463d29\"\r\nunpacked_sample_sha1 = \"dc991ef598825daabd9e70bac92c79154363bab2\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"@@E0020(%d)\" wide\r\n$str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide\r\n$str3 = \"---###---\" wide\r\n$str4 = \"---@@@---\" wide\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-04-28T15:40:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57222f0f-ca58-4844-8763-4c13950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:41:03.000Z",
"modified": "2016-04-28T15:41:03.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "PLATINUM: Targeted attacks in South\r\nand Southeast Asia\r\nMicrosoft proactively monitors the threat landscape for emerging threats. Part of this job involves\r\nkeeping tabs on targeted activity groups, which are often the first ones to introduce new exploits and\r\ntechniques that are later used widely by other attackers. In the previous volume, \u201cSTRONTIUM: A\r\nprofile of a persistent and motivated adversary,\u201d on page 3 of Microsoft Security Intelligence Report,\r\nVolume 19 (January\u2013June 2015), chronicled the activities of one such group, which had attracted\r\ninterest because of its aggressive, persistent tactics and techniques as well as its repeated use of new\r\nzero-day exploits to attack its targets.\r\nThis section describes the history, behavior, and tactics of a newly discovered targeted activity group,\r\nwhich Microsoft has code-named PLATINUM. Microsoft is sharing some of the information it has\r\ngathered on this group in the hope that it will raise awareness of the group\u2019s activities and help\r\norganizations take immediate advantage of available mitigations that can significantly reduce the risks\r\nthey face from this and similar groups.\r\nAdversary profile\r\nPLATINUM has been targeting its victims since at least as early as 2009, and may have been active for\r\nseveral years prior. Its activities are distinctly different not only from those typically seen in untargeted\r\nattacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized\r\nas opportunistic: the activity group changes its target profiles and attack geographies based on\r\ngeopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM\r\nseeks to steal sensitive intellectual property related to government interests, but its range of preferred\r\ntargets is consistently limited to specific governmental organizations, defense institutes, intelligence\r\nagencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The\r\ngroup\u2019s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and\r\naccess to previously undiscovered zero-day exploits have made it a highly resilient threat."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222f56-1be8-471b-a27f-4ce4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:42:14.000Z",
"modified": "2016-04-28T15:42:14.000Z",
"description": "Gambar gambar Rumah Gay Didiet Prabowo di Sentul Bogor.doc",
"pattern": "[file:hashes.SHA1 = 'e9f900b5d01320ccd4990fd322a459d709d43e4b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:42:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222f57-87fc-44ef-8b30-41c2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:42:15.000Z",
"modified": "2016-04-28T15:42:15.000Z",
"description": "The real reason Prabowo wants to be President.doc",
"pattern": "[file:hashes.SHA1 = '9a4e82ba371cd2fedea0b889c879daee7a01e1b1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:42:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222f57-30c0-40e6-be3f-430e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:42:15.000Z",
"modified": "2016-04-28T15:42:15.000Z",
"description": "Malaysia a victim of American irregular warfare ops.doc",
"pattern": "[file:hashes.SHA1 = '92a3ece981bb5e0a3ee4277f08236c1d38b54053']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:42:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222f58-f4c0-423c-9e35-4356950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:42:16.000Z",
"modified": "2016-04-28T15:42:16.000Z",
"description": "Tu Vi Nam Tan Mao 2011.doc",
"pattern": "[file:hashes.SHA1 = '0bc08dca86bd95f43ccc78ef4b27d81f28b4b769']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:42:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222f58-75c4-4151-bc5d-4728950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:42:16.000Z",
"modified": "2016-04-28T15:42:16.000Z",
"description": "Indians having fun.doc",
"pattern": "[file:hashes.SHA1 = 'f4af574124e9020ef3d0a7be9f1e42c2261e97e6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:42:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fe7-e234-4ba0-8667-45b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:39.000Z",
"modified": "2016-04-28T15:44:39.000Z",
"description": "Gerakan Anti SBY II.doc",
"pattern": "[file:hashes.SHA1 = '1bdc1a0bc995c1beb363b11b71c14324be8577c9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fe7-82c0-41a5-b39f-4790950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:39.000Z",
"modified": "2016-04-28T15:44:39.000Z",
"description": "URL for PNG Exploit",
"pattern": "[url:value = 'mister.nofrillspace.com/users/web8_dice/4226/space.gif']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fe8-e138-41ca-8e0f-48b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:40.000Z",
"modified": "2016-04-28T15:44:40.000Z",
"description": "Tu_Vi_Nam_Tan_ Mao_2011.doc",
"pattern": "[file:hashes.SHA1 = '2a33542038a85db4911d7b846573f6b251e16b2d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fe8-5f0c-45fa-a8ed-4c3b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:40.000Z",
"modified": "2016-04-28T15:44:40.000Z",
"description": "URL for PNG Exploit",
"pattern": "[url:value = 'intent.nofrillspace.com/users/web11_focus/3807/space.gif']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fe9-9958-4f02-9560-4f43950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:41.000Z",
"modified": "2016-04-28T15:44:41.000Z",
"description": "Wikileaks Indonesia.doc",
"pattern": "[file:hashes.SHA1 = 'd6a795e839f51c1a5aeabf5c10664936ebbef8ea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fe9-9edc-43b7-bc6a-43b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:41.000Z",
"modified": "2016-04-28T15:44:41.000Z",
"description": "URL for PNG Exploit",
"pattern": "[url:value = 'mister.nofrillspace.com/users/web8_dice/3791/space.gif']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fe9-515c-4e40-8b67-40cf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:41.000Z",
"modified": "2016-04-28T15:44:41.000Z",
"description": "Top 11 Aerial Surveillance Devices.doc",
"pattern": "[file:hashes.SHA1 = 'f362feedc046899a78c4480c32dda4ea82a3e8c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fea-00b4-4c25-86b6-47b8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:42.000Z",
"modified": "2016-04-28T15:44:42.000Z",
"description": "URL for PNG Exploit",
"pattern": "[url:value = 'intent.nofrillspace.com/users/web11_focus/4307/space.gif']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222fea-022c-4a86-8c6e-4760950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:42.000Z",
"modified": "2016-04-28T15:44:42.000Z",
"description": "SEMBOYAN_1.doc",
"pattern": "[file:hashes.SHA1 = 'f751cdfaef99c6184f45a563f3d81ff1ada25565']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57222feb-9550-414b-aa37-403b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:44:43.000Z",
"modified": "2016-04-28T15:44:43.000Z",
"description": "URL for PNG Exploit",
"pattern": "[url:value = 'www.police28122011.0fees.net/pages/013/space.gif']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:44:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223015-2b48-4137-afae-4aaf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:25.000Z",
"modified": "2016-04-28T15:45:25.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'box62.a-inet.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223015-7138-4387-a596-4b3d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:25.000Z",
"modified": "2016-04-28T15:45:25.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'scienceweek.scieron.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223016-2264-4e5f-8211-4468950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:26.000Z",
"modified": "2016-04-28T15:45:26.000Z",
"description": "Imported via the freetext import.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.61.248.8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223016-b9bc-4df8-934c-4076950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:26.000Z",
"modified": "2016-04-28T15:45:26.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'eclipse.a-inet.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223016-cb40-4ea5-b383-4511950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:26.000Z",
"modified": "2016-04-28T15:45:26.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'mobileworld.darktech.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223017-2e54-4205-9c7b-485e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:27.000Z",
"modified": "2016-04-28T15:45:27.000Z",
"description": "Imported via the freetext import.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '209.45.65.163']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223017-99cc-41de-abc6-4f39950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:27.000Z",
"modified": "2016-04-28T15:45:27.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'joomlastats.a-inet.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223018-d2f0-4939-b72b-46e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:28.000Z",
"modified": "2016-04-28T15:45:28.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'geocities.efnet.at']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223018-368c-428b-a315-4482950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:28.000Z",
"modified": "2016-04-28T15:45:28.000Z",
"description": "Imported via the freetext import.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '190.96.47.9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223018-bde4-46d2-b4a1-4a67950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:28.000Z",
"modified": "2016-04-28T15:45:28.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'updates.joomlastats.co.cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223019-3f84-4531-b4db-45ed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:29.000Z",
"modified": "2016-04-28T15:45:29.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'bpl.blogsite.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57223019-2de8-4914-b9a9-4b15950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:29.000Z",
"modified": "2016-04-28T15:45:29.000Z",
"description": "Imported via the freetext import.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.192.114.1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5722301a-b6d0-4690-b82c-447a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:30.000Z",
"modified": "2016-04-28T15:45:30.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'server.joomlastats.co.cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5722301a-6a0c-4bd3-973c-4cf3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:30.000Z",
"modified": "2016-04-28T15:45:30.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'wiki.servebbs.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5722301a-264c-4eb4-8e87-4f0f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:30.000Z",
"modified": "2016-04-28T15:45:30.000Z",
"description": "Imported via the freetext import.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.31.203.98']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:45:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57223037-e7e0-4004-8cfe-424d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:45:59.000Z",
"modified": "2016-04-28T15:45:59.000Z",
"labels": [
"misp:type=\"pattern-in-memory\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pattern-in-memory",
"x_misp_value": "AOPSH03SK09POKSID7FF674PSLI91965"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230b7-32b8-4f91-8c2a-47cd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:07.000Z",
"modified": "2016-04-28T15:48:07.000Z",
"description": "SEMBOYAN_1.doc - Xchecked via VT: f751cdfaef99c6184f45a563f3d81ff1ada25565",
"pattern": "[file:hashes.SHA256 = '66a85a846c816821635337b61da6bff58cbb5d4a8dc5a87b05f08d4a9e934372']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230b8-3e68-44d6-9b51-4f7502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:08.000Z",
"modified": "2016-04-28T15:48:08.000Z",
"description": "SEMBOYAN_1.doc - Xchecked via VT: f751cdfaef99c6184f45a563f3d81ff1ada25565",
"pattern": "[file:hashes.MD5 = '28e81ca00146165385c8916bf0a61046']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572230b8-2b30-4d0e-b33d-487802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:08.000Z",
"modified": "2016-04-28T15:48:08.000Z",
"first_observed": "2016-04-28T15:48:08Z",
"last_observed": "2016-04-28T15:48:08Z",
"number_observed": 1,
"object_refs": [
"url--572230b8-2b30-4d0e-b33d-487802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572230b8-2b30-4d0e-b33d-487802de0b81",
"value": "https://www.virustotal.com/file/66a85a846c816821635337b61da6bff58cbb5d4a8dc5a87b05f08d4a9e934372/analysis/1461733388/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230b8-dbac-426b-a9ac-4cbe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:08.000Z",
"modified": "2016-04-28T15:48:08.000Z",
"description": "Top 11 Aerial Surveillance Devices.doc - Xchecked via VT: f362feedc046899a78c4480c32dda4ea82a3e8c0",
"pattern": "[file:hashes.SHA256 = '1cd003a5e089ce906e035efee222785bba679276356b8409c24b3fe5bb863d15']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230b9-c428-47ce-a5f3-42ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:09.000Z",
"modified": "2016-04-28T15:48:09.000Z",
"description": "Top 11 Aerial Surveillance Devices.doc - Xchecked via VT: f362feedc046899a78c4480c32dda4ea82a3e8c0",
"pattern": "[file:hashes.MD5 = '70511e6e75aa38a4d92cd134caba16ef']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572230b9-3bd4-4ae8-9fb0-443602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:09.000Z",
"modified": "2016-04-28T15:48:09.000Z",
"first_observed": "2016-04-28T15:48:09Z",
"last_observed": "2016-04-28T15:48:09Z",
"number_observed": 1,
"object_refs": [
"url--572230b9-3bd4-4ae8-9fb0-443602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572230b9-3bd4-4ae8-9fb0-443602de0b81",
"value": "https://www.virustotal.com/file/1cd003a5e089ce906e035efee222785bba679276356b8409c24b3fe5bb863d15/analysis/1461732971/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230b9-7c5c-44a4-9840-435d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:09.000Z",
"modified": "2016-04-28T15:48:09.000Z",
"description": "Wikileaks Indonesia.doc - Xchecked via VT: d6a795e839f51c1a5aeabf5c10664936ebbef8ea",
"pattern": "[file:hashes.SHA256 = '527ff3a10bd6af99df29f8b2e58fa9fafaf2beae9219c7a82127e5d89d36617e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230ba-e524-4a2d-8640-4af602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:10.000Z",
"modified": "2016-04-28T15:48:10.000Z",
"description": "Wikileaks Indonesia.doc - Xchecked via VT: d6a795e839f51c1a5aeabf5c10664936ebbef8ea",
"pattern": "[file:hashes.MD5 = '7eb17991ed13960d57ed75c01f6f7fd5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572230ba-8100-4cb3-851a-49b602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:10.000Z",
"modified": "2016-04-28T15:48:10.000Z",
"first_observed": "2016-04-28T15:48:10Z",
"last_observed": "2016-04-28T15:48:10Z",
"number_observed": 1,
"object_refs": [
"url--572230ba-8100-4cb3-851a-49b602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572230ba-8100-4cb3-851a-49b602de0b81",
"value": "https://www.virustotal.com/file/527ff3a10bd6af99df29f8b2e58fa9fafaf2beae9219c7a82127e5d89d36617e/analysis/1461735840/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230ba-0d08-41d7-9bc8-4b4e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:10.000Z",
"modified": "2016-04-28T15:48:10.000Z",
"description": "Tu_Vi_Nam_Tan_ Mao_2011.doc - Xchecked via VT: 2a33542038a85db4911d7b846573f6b251e16b2d",
"pattern": "[file:hashes.SHA256 = '5f7499ef0eb5cd67f04c4b4f7cd4ac5ce11abad6d7523d275a7f7f3cd70d4c4d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230bb-c9d4-44d2-a86b-467002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:11.000Z",
"modified": "2016-04-28T15:48:11.000Z",
"description": "Tu_Vi_Nam_Tan_ Mao_2011.doc - Xchecked via VT: 2a33542038a85db4911d7b846573f6b251e16b2d",
"pattern": "[file:hashes.MD5 = '2f1ab543b38a7ad61d5dbd72eb0524c4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572230bb-817c-4de6-a794-42d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:11.000Z",
"modified": "2016-04-28T15:48:11.000Z",
"first_observed": "2016-04-28T15:48:11Z",
"last_observed": "2016-04-28T15:48:11Z",
"number_observed": 1,
"object_refs": [
"url--572230bb-817c-4de6-a794-42d302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572230bb-817c-4de6-a794-42d302de0b81",
"value": "https://www.virustotal.com/file/5f7499ef0eb5cd67f04c4b4f7cd4ac5ce11abad6d7523d275a7f7f3cd70d4c4d/analysis/1461792783/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230bc-4f94-48a2-9906-48ca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:12.000Z",
"modified": "2016-04-28T15:48:12.000Z",
"description": "Gerakan Anti SBY II.doc - Xchecked via VT: 1bdc1a0bc995c1beb363b11b71c14324be8577c9",
"pattern": "[file:hashes.SHA256 = '2e71ded564eb42881e93202bbcc00fd7f9decaaa3b82643c0fbe75f0fa118040']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572230bc-6474-420c-aad7-466502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:12.000Z",
"modified": "2016-04-28T15:48:12.000Z",
"description": "Gerakan Anti SBY II.doc - Xchecked via VT: 1bdc1a0bc995c1beb363b11b71c14324be8577c9",
"pattern": "[file:hashes.MD5 = 'fde37e60cc4be73dada0fb1ad3d5f273']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-28T15:48:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572230bc-23f4-44b5-82af-405902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T15:48:12.000Z",
"modified": "2016-04-28T15:48:12.000Z",
"first_observed": "2016-04-28T15:48:12Z",
"last_observed": "2016-04-28T15:48:12Z",
"number_observed": 1,
"object_refs": [
"url--572230bc-23f4-44b5-82af-405902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572230bc-23f4-44b5-82af-405902de0b81",
"value": "https://www.virustotal.com/file/2e71ded564eb42881e93202bbcc00fd7f9decaaa3b82643c0fbe75f0fa118040/analysis/1461733063/"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--572301cb-39dc-48ab-8569-4bbc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T06:40:11.000Z",
"modified": "2016-04-29T06:40:11.000Z",
"name": "CVE-2013-7331",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2013-7331"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--57230233-264c-4424-9865-4b32950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T06:41:55.000Z",
"modified": "2016-04-29T06:41:55.000Z",
"name": "CVE-2015-2546",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-2546"
}
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57230362-94fc-4f8a-8e59-4696950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T06:46:58.000Z",
"modified": "2016-04-29T06:46:58.000Z",
"first_observed": "2016-04-29T06:46:58Z",
"last_observed": "2016-04-29T06:46:58Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--57230362-94fc-4f8a-8e59-4696950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--57230362-94fc-4f8a-8e59-4696950d210f",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Asynchronous"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57230368-035c-4607-af86-4634950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T06:47:04.000Z",
"modified": "2016-04-29T06:47:04.000Z",
"first_observed": "2016-04-29T06:47:04Z",
"last_observed": "2016-04-29T06:47:04Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--57230368-035c-4607-af86-4634950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--57230368-035c-4607-af86-4634950d210f",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\DllName"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57230368-52dc-4e88-92c0-48cf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T06:47:04.000Z",
"modified": "2016-04-29T06:47:04.000Z",
"first_observed": "2016-04-29T06:47:04Z",
"last_observed": "2016-04-29T06:47:04Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--57230368-52dc-4e88-92c0-48cf950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--57230368-52dc-4e88-92c0-48cf950d210f",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Impersonate"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57230368-4350-45bb-a5ef-4a2f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T06:47:04.000Z",
"modified": "2016-04-29T06:47:04.000Z",
"first_observed": "2016-04-29T06:47:04Z",
"last_observed": "2016-04-29T06:47:04Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--57230368-4350-45bb-a5ef-4a2f950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--57230368-4350-45bb-a5ef-4a2f950d210f",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Startup"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57230369-2ca4-487e-81c1-4f49950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T06:47:05.000Z",
"modified": "2016-04-29T06:47:05.000Z",
"first_observed": "2016-04-29T06:47:05Z",
"last_observed": "2016-04-29T06:47:05Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--57230369-2ca4-487e-81c1-4f49950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--57230369-2ca4-487e-81c1-4f49950d210f",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\shutdown"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57230369-3458-43b5-b0b4-474c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-29T06:47:05.000Z",
"modified": "2016-04-29T06:47:05.000Z",
"first_observed": "2016-04-29T06:47:05Z",
"last_observed": "2016-04-29T06:47:05Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--57230369-3458-43b5-b0b4-474c950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--57230369-3458-43b5-b0b4-474c950d210f",
"key": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\cscdll32"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57228030-4c14-48c9-899f-45a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T21:27:12.000Z",
"modified": "2016-04-28T21:27:12.000Z",
"first_observed": "2016-04-28T21:27:12Z",
"last_observed": "2016-04-28T21:27:12Z",
"number_observed": 1,
"object_refs": [
"url--57228030-4c14-48c9-899f-45a202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57228030-4c14-48c9-899f-45a202de0b81",
"value": "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57228030-5328-4860-976e-42a802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-28T21:27:12.000Z",
"modified": "2016-04-28T21:27:12.000Z",
"first_observed": "2016-04-28T21:27:12Z",
"last_observed": "2016-04-28T21:27:12Z",
"number_observed": 1,
"object_refs": [
"url--57228030-5328-4860-976e-42a802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57228030-5328-4860-976e-42a802de0b81",
"value": "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}