|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--592144d2-9100-4405-b018-4fd902de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--592144d2-9100-4405-b018-4fd902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"name": "OSINT - New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two",
|
||
|
"published": "2017-05-21T07:54:33Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--592144dc-42e8-4149-97a3-4fbb02de0b81",
|
||
|
"url--592144dc-42e8-4149-97a3-4fbb02de0b81",
|
||
|
"x-misp-attribute--592144eb-a280-449c-97ba-4d3702de0b81",
|
||
|
"observed-data--59214509-454c-474d-bacf-443802de0b81",
|
||
|
"url--59214509-454c-474d-bacf-443802de0b81",
|
||
|
"indicator--59214567-aa10-4200-a3c7-4b8502de0b81",
|
||
|
"indicator--59214568-9d58-416f-b034-474502de0b81",
|
||
|
"indicator--59214568-7a90-4544-b7e3-4e8c02de0b81",
|
||
|
"indicator--5921458c-c068-44cd-94de-499302de0b81",
|
||
|
"indicator--5921458c-5bd4-4aad-ac0d-4edd02de0b81",
|
||
|
"indicator--5921458d-69e0-4865-ae74-4be902de0b81",
|
||
|
"indicator--5921458d-6d7c-4955-bfe8-462902de0b81",
|
||
|
"indicator--5921458e-dbc4-4695-88d6-4c3002de0b81",
|
||
|
"indicator--5921458e-4f3c-48a3-906f-44b602de0b81",
|
||
|
"indicator--5921458f-f984-4709-b3c4-465c02de0b81",
|
||
|
"indicator--5921458f-4f50-4859-a4f3-4a6b02de0b81",
|
||
|
"indicator--59214590-96e4-4e1a-8211-4de102de0b81",
|
||
|
"indicator--59214590-48c0-4936-85b3-45bc02de0b81",
|
||
|
"indicator--59214591-83c8-44cd-bb90-4ccb02de0b81",
|
||
|
"indicator--59214591-bee4-4a98-ba15-46eb02de0b81",
|
||
|
"indicator--59214592-c22c-4c34-bc20-407602de0b81",
|
||
|
"indicator--592145ba-0934-4078-86f7-44cb02de0b81",
|
||
|
"indicator--592145ba-0978-4a0e-b799-461102de0b81",
|
||
|
"indicator--592145bb-e7f8-4ba7-90e6-487a02de0b81",
|
||
|
"indicator--592145de-8f1c-47bd-9d64-4b0a02de0b81",
|
||
|
"x-misp-attribute--59214605-2fa4-41ad-9301-40b502de0b81",
|
||
|
"x-misp-attribute--59214606-b5fc-4f4b-bdbf-484f02de0b81",
|
||
|
"x-misp-attribute--59214606-2d44-4445-8469-400d02de0b81",
|
||
|
"x-misp-attribute--59214606-c884-4c98-8672-4b3402de0b81",
|
||
|
"x-misp-attribute--59214607-0ae4-4de2-b171-46ce02de0b81",
|
||
|
"observed-data--5921462e-a604-4be3-85a9-472a02de0b81",
|
||
|
"url--5921462e-a604-4be3-85a9-472a02de0b81",
|
||
|
"observed-data--59214647-9828-44af-bab7-434002de0b81",
|
||
|
"url--59214647-9828-44af-bab7-434002de0b81",
|
||
|
"indicator--5921465f-ec80-4d55-862b-497a02de0b81",
|
||
|
"indicator--59214676-e704-412d-b4db-451202de0b81",
|
||
|
"x-misp-attribute--59214697-2604-4d4d-8336-406402de0b81",
|
||
|
"x-misp-attribute--59214697-11bc-4454-adf2-4c6502de0b81",
|
||
|
"indicator--59214798-f018-439b-aea9-4c7f02de0b81",
|
||
|
"indicator--59214798-7234-4525-8617-4ed202de0b81",
|
||
|
"observed-data--59214799-3164-4fc4-a193-416e02de0b81",
|
||
|
"url--59214799-3164-4fc4-a193-416e02de0b81",
|
||
|
"indicator--59214799-da18-4be2-a503-42d602de0b81",
|
||
|
"indicator--59214799-35f8-4858-a660-46ef02de0b81",
|
||
|
"observed-data--5921479a-3a84-4b4d-88c8-410d02de0b81",
|
||
|
"url--5921479a-3a84-4b4d-88c8-410d02de0b81",
|
||
|
"indicator--5921479a-9534-40ba-9010-44c602de0b81",
|
||
|
"indicator--5921479b-4544-4031-97b3-408002de0b81",
|
||
|
"observed-data--5921479b-6fd0-4131-ba06-4fd302de0b81",
|
||
|
"url--5921479b-6fd0-4131-ba06-4fd302de0b81",
|
||
|
"indicator--5921479b-3d7c-4620-878e-4f3c02de0b81",
|
||
|
"indicator--5921479c-7c70-4d05-bb56-4f9302de0b81",
|
||
|
"observed-data--5921479c-47fc-4946-a54c-410d02de0b81",
|
||
|
"url--5921479c-47fc-4946-a54c-410d02de0b81",
|
||
|
"indicator--5921479c-bac0-4c02-883f-49ee02de0b81",
|
||
|
"indicator--5921479d-c6ac-43c7-b8fe-4fa702de0b81",
|
||
|
"observed-data--5921479d-8944-410b-b861-442a02de0b81",
|
||
|
"url--5921479d-8944-410b-b861-442a02de0b81",
|
||
|
"indicator--5921479e-4180-4d80-a484-466802de0b81",
|
||
|
"indicator--5921479e-3174-407f-961b-4d9d02de0b81",
|
||
|
"observed-data--5921479e-52f8-4333-894c-441802de0b81",
|
||
|
"url--5921479e-52f8-4333-894c-441802de0b81",
|
||
|
"indicator--5921479f-b5b4-4437-83e0-449902de0b81",
|
||
|
"indicator--5921479f-0ca8-445d-a6ef-4f5902de0b81",
|
||
|
"observed-data--592147a0-e5dc-4358-b8a8-44da02de0b81",
|
||
|
"url--592147a0-e5dc-4358-b8a8-44da02de0b81",
|
||
|
"indicator--592147a0-8434-45c4-ab3a-435302de0b81",
|
||
|
"indicator--592147a1-6984-43e2-be35-430802de0b81",
|
||
|
"observed-data--592147a1-b764-420e-bcf8-4e7302de0b81",
|
||
|
"url--592147a1-b764-420e-bcf8-4e7302de0b81",
|
||
|
"indicator--592147a2-f2bc-4bcd-92cd-4f0102de0b81",
|
||
|
"indicator--592147a2-49c8-4a16-ab00-4ada02de0b81",
|
||
|
"observed-data--592147a2-9c98-4a76-9053-4c3902de0b81",
|
||
|
"url--592147a2-9c98-4a76-9053-4c3902de0b81",
|
||
|
"indicator--592147a3-1ed8-4ffb-86c9-421202de0b81",
|
||
|
"indicator--592147a3-1200-4f89-a06f-440202de0b81",
|
||
|
"observed-data--592147a3-3234-4995-99a3-4c8102de0b81",
|
||
|
"url--592147a3-3234-4995-99a3-4c8102de0b81",
|
||
|
"indicator--592147a4-34e0-45f3-90a5-411e02de0b81",
|
||
|
"indicator--592147a4-c318-4643-ba8e-4ab902de0b81",
|
||
|
"observed-data--592147a5-40c0-451d-b787-42d202de0b81",
|
||
|
"url--592147a5-40c0-451d-b787-42d202de0b81",
|
||
|
"indicator--592147a5-3c38-445e-a467-414302de0b81",
|
||
|
"indicator--592147a5-9bf4-484a-8562-442f02de0b81",
|
||
|
"observed-data--592147a6-3a08-4eb8-b971-475b02de0b81",
|
||
|
"url--592147a6-3a08-4eb8-b971-475b02de0b81",
|
||
|
"indicator--592147a6-09b4-45c5-9ef5-4c6802de0b81",
|
||
|
"indicator--592147a7-e34c-4d74-ae52-4f5202de0b81",
|
||
|
"observed-data--592147a7-7f0c-4001-aec3-4e5902de0b81",
|
||
|
"url--592147a7-7f0c-4001-aec3-4e5902de0b81",
|
||
|
"indicator--592147a7-07ac-445c-897e-44e502de0b81",
|
||
|
"indicator--592147a8-5e20-497b-91f0-4e2302de0b81",
|
||
|
"observed-data--592147a8-c034-4647-aaa5-486e02de0b81",
|
||
|
"url--592147a8-c034-4647-aaa5-486e02de0b81",
|
||
|
"indicator--592147a9-7998-4c9d-92b2-4d3102de0b81",
|
||
|
"indicator--592147a9-5074-491b-945a-479b02de0b81",
|
||
|
"observed-data--592147a9-e100-4719-b4d7-4f2e02de0b81",
|
||
|
"url--592147a9-e100-4719-b4d7-4f2e02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"ms-caro-malware:malware-platform=\"Win64\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--592144dc-42e8-4149-97a3-4fbb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"first_observed": "2017-05-21T07:53:45Z",
|
||
|
"last_observed": "2017-05-21T07:53:45Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--592144dc-42e8-4149-97a3-4fbb02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--592144dc-42e8-4149-97a3-4fbb02de0b81",
|
||
|
"value": "https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--592144eb-a280-449c-97ba-4d3702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.\r\n\r\nThe worm's existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.\r\n\r\nEternalRocks uses seven NSA tools\r\nThe worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.\r\n\r\nOnce the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59214509-454c-474d-bacf-443802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"first_observed": "2017-05-21T07:53:45Z",
|
||
|
"last_observed": "2017-05-21T07:53:45Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59214509-454c-474d-bacf-443802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59214509-454c-474d-bacf-443802de0b81",
|
||
|
"value": "https://github.com/stamparm/EternalRocks/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59214567-aa10-4200-a3c7-4b8502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"pattern": "[mutex:name = '{8F6F00C4-B901-45fd-08CF-72FDEFF}']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59214568-9d58-416f-b034-474502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"pattern": "[mutex:name = '{8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59214568-7a90-4544-b7e3-4e8c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"pattern": "[mutex:name = '20b70e57-1c2e-4de9-99e5-69f369006912']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5921458c-c068-44cd-94de-499302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (captured)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5921458c-5bd4-4aad-ac0d-4edd02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:name = 'UpdateInstaller.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5921458d-69e0-4865-ae74-4be902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = '1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5921458d-6d7c-4955-bfe8-462902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = '64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5921458e-dbc4-4695-88d6-4c3002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = '94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5921458e-4f3c-48a3-906f-44b602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = '9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5921458f-f984-4709-b3c4-465c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5921458f-4f50-4859-a4f3-4a6b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59214590-96e4-4e1a-8211-4de102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59214590-48c0-4936-85b3-45bc02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59214591-83c8-44cd-bb90-4ccb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59214591-bee4-4a98-ba15-46eb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59214592-c22c-4c34-bc20-407602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "UpdateInstaller.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--592145ba-0934-4078-86f7-44cb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "# taskhost.exe (captured)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--592145ba-0978-4a0e-b799-461102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "# taskhost.exe (variant)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--592145bb-e7f8-4ba7-90e6-487a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"description": "# shadowbrokers.zip (exploits)",
|
||
|
"pattern": "[file:hashes.SHA256 = '70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--592145de-8f1c-47bd-9d64-4b0a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"pattern": "[domain-name:value = 'ubgdgno5eswkhmpy.onion']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-05-21T07:53:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59214605-2fa4-41ad-9301-40b502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pattern-in-file\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_comment": "Debug strings",
|
||
|
"x_misp_type": "pattern-in-file",
|
||
|
"x_misp_value": "%PROGRAMFILES%\\(x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59214606-b5fc-4f4b-bdbf-484f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pattern-in-file\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_comment": "Debug strings",
|
||
|
"x_misp_type": "pattern-in-file",
|
||
|
"x_misp_value": "%USERPROFILE%\\Documents\\DownLoader\\Project1.vbp"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59214606-2d44-4445-8469-400d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pattern-in-file\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_comment": "Debug strings",
|
||
|
"x_misp_type": "pattern-in-file",
|
||
|
"x_misp_value": "%USERPROFILE%\\Documents\\TorUnzip\\Project1.vbp"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59214606-c884-4c98-8672-4b3402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pattern-in-file\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_comment": "Debug strings",
|
||
|
"x_misp_type": "pattern-in-file",
|
||
|
"x_misp_value": "%USERPROFILE%\\Documents\\Visual Studio 2015\\Projects\\MicroBotMassiveNet\\taskhost\\obj\\x86\\Debug\\taskhost.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59214607-0ae4-4de2-b171-46ce02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pattern-in-file\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_comment": "Debug strings",
|
||
|
"x_misp_type": "pattern-in-file",
|
||
|
"x_misp_value": "%USERPROFILE%\\Documents\\Visual Studio 2015\\Projects\\WindowsServices\\svchost\\bin\\svchost.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5921462e-a604-4be3-85a9-472a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"first_observed": "2017-05-21T07:53:45Z",
|
||
|
"last_observed": "2017-05-21T07:53:45Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5921462e-a604-4be3-85a9-472a02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5921462e-a604-4be3-85a9-472a02de0b81",
|
||
|
"value": "https://raw.githubusercontent.com/stamparm/EternalRocks/master/misc/exploitation.pcap"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59214647-9828-44af-bab7-434002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-05-21T07:53:45.000Z",
|
||
|
"modified": "2017-05-21T07:53:45.000Z",
|
||
|
"first_observed": "2017-05-21T07:53:45Z",
|
||
|
"last_observed": "2017-05-21T07:53:45Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59214647-9828-44af-bab7-434002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59214647-9828-44af-bab7-434002de0b81",
"value": "https://raw.githubusercontent.com/stamparm/EternalRocks/master/misc/svchost.7z"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921465f-ec80-4d55-862b-497a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:53:45.000Z",
"modified": "2017-05-21T07:53:45.000Z",
"description": "# older (VB6) variants of UpdateInstaller.exe",
"pattern": "[file:hashes.IMPHASH = '8ef751c540fdc6962ddc6799f35a907c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:53:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"imphash\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59214676-e704-412d-b4db-451202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:53:45.000Z",
"modified": "2017-05-21T07:53:45.000Z",
"pattern": "[file:name = '\\\\%PROGRAMFILES\\\\%\\\\Microsoft Updates\\\\']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:53:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59214697-2604-4d4d-8336-406402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:53:45.000Z",
"modified": "2017-05-21T07:53:45.000Z",
"labels": [
"misp:type=\"windows-scheduled-task\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "windows-scheduled-task",
"x_misp_value": "ServiceHost"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59214697-11bc-4454-adf2-4c6502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:53:45.000Z",
"modified": "2017-05-21T07:53:45.000Z",
"labels": [
"misp:type=\"windows-scheduled-task\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "windows-scheduled-task",
"x_misp_value": "TaskHost"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59214798-f018-439b-aea9-4c7f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:00.000Z",
"modified": "2017-05-21T07:54:00.000Z",
"description": "# shadowbrokers.zip (exploits) - Xchecked via VT: 70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d",
"pattern": "[file:hashes.SHA1 = 'd553d55d3a9d99453550c9493468db663e0af4ec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59214798-7234-4525-8617-4ed202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:00.000Z",
"modified": "2017-05-21T07:54:00.000Z",
"description": "# shadowbrokers.zip (exploits) - Xchecked via VT: 70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d",
"pattern": "[file:hashes.MD5 = '6fdbee99dc99a63ac6a5809450d55ad5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59214799-3164-4fc4-a193-416e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:01.000Z",
"modified": "2017-05-21T07:54:01.000Z",
"first_observed": "2017-05-21T07:54:01Z",
"last_observed": "2017-05-21T07:54:01Z",
"number_observed": 1,
"object_refs": [
"url--59214799-3164-4fc4-a193-416e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59214799-3164-4fc4-a193-416e02de0b81",
"value": "https://www.virustotal.com/file/70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d/analysis/1495120618/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59214799-da18-4be2-a503-42d602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:01.000Z",
"modified": "2017-05-21T07:54:01.000Z",
"description": "# taskhost.exe (variant) - Xchecked via VT: a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0",
"pattern": "[file:hashes.SHA1 = 'e8b40f35af4d5bb24d73faa5a4babb86191b5310']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59214799-35f8-4858-a660-46ef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:01.000Z",
"modified": "2017-05-21T07:54:01.000Z",
"description": "# taskhost.exe (variant) - Xchecked via VT: a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0",
"pattern": "[file:hashes.MD5 = '198f27f5ab972bfd99e89802e40d6ba7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5921479a-3a84-4b4d-88c8-410d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:02.000Z",
"modified": "2017-05-21T07:54:02.000Z",
"first_observed": "2017-05-21T07:54:02Z",
"last_observed": "2017-05-21T07:54:02Z",
"number_observed": 1,
"object_refs": [
"url--5921479a-3a84-4b4d-88c8-410d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5921479a-3a84-4b4d-88c8-410d02de0b81",
"value": "https://www.virustotal.com/file/a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0/analysis/1495206561/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479a-9534-40ba-9010-44c602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:02.000Z",
"modified": "2017-05-21T07:54:02.000Z",
"description": "# taskhost.exe (captured) - Xchecked via VT: cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30",
"pattern": "[file:hashes.SHA1 = '8a2cfe220eebde096c17266f1ba597a1065211ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479b-4544-4031-97b3-408002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:03.000Z",
"modified": "2017-05-21T07:54:03.000Z",
"description": "# taskhost.exe (captured) - Xchecked via VT: cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30",
"pattern": "[file:hashes.MD5 = 'c52f20a854efb013a0a1248fd84aaa95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5921479b-6fd0-4131-ba06-4fd302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:03.000Z",
"modified": "2017-05-21T07:54:03.000Z",
"first_observed": "2017-05-21T07:54:03Z",
"last_observed": "2017-05-21T07:54:03Z",
"number_observed": 1,
"object_refs": [
"url--5921479b-6fd0-4131-ba06-4fd302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5921479b-6fd0-4131-ba06-4fd302de0b81",
"value": "https://www.virustotal.com/file/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30/analysis/1495334571/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479b-3d7c-4620-878e-4f3c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:03.000Z",
"modified": "2017-05-21T07:54:03.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd",
"pattern": "[file:hashes.SHA1 = '7ffc0e123e6111e558fb99844d3b317694e419b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479c-7c70-4d05-bb56-4f9302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:04.000Z",
"modified": "2017-05-21T07:54:04.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd",
"pattern": "[file:hashes.MD5 = '5e8e046cb09f73b1e02aa4ac69c5765e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5921479c-47fc-4946-a54c-410d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:04.000Z",
"modified": "2017-05-21T07:54:04.000Z",
"first_observed": "2017-05-21T07:54:04Z",
"last_observed": "2017-05-21T07:54:04Z",
"number_observed": 1,
"object_refs": [
"url--5921479c-47fc-4946-a54c-410d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5921479c-47fc-4946-a54c-410d02de0b81",
"value": "https://www.virustotal.com/file/fc75410aa8f76154f5ae8fe035b9a13c76f6e132077346101a0d673ed9f3a0dd/analysis/1495312487/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479c-bac0-4c02-883f-49ee02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:04.000Z",
"modified": "2017-05-21T07:54:04.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5",
"pattern": "[file:hashes.SHA1 = '0d1535b51fd21a976a9c1184a56fbde4592a0f8f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479d-c6ac-43c7-b8fe-4fa702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:05.000Z",
"modified": "2017-05-21T07:54:05.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5",
"pattern": "[file:hashes.MD5 = 'c0321a1a0d33cd88bb04ec0250f8e924']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5921479d-8944-410b-b861-442a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:05.000Z",
"modified": "2017-05-21T07:54:05.000Z",
"first_observed": "2017-05-21T07:54:05Z",
"last_observed": "2017-05-21T07:54:05Z",
"number_observed": 1,
"object_refs": [
"url--5921479d-8944-410b-b861-442a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5921479d-8944-410b-b861-442a02de0b81",
"value": "https://www.virustotal.com/file/d86af736644e20e62807f03c49f4d0ad7de9cbd0723049f34ec79f8c7308fdd5/analysis/1495132402/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479e-4180-4d80-a484-466802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:06.000Z",
"modified": "2017-05-21T07:54:06.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c",
"pattern": "[file:hashes.SHA1 = 'ae461ac186c4e42f935ff9e49408bbae47899706']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479e-3174-407f-961b-4d9d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:06.000Z",
"modified": "2017-05-21T07:54:06.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c",
"pattern": "[file:hashes.MD5 = 'b61068f85f030ee23d5b33b5b0c03930']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5921479e-52f8-4333-894c-441802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:06.000Z",
"modified": "2017-05-21T07:54:06.000Z",
"first_observed": "2017-05-21T07:54:06Z",
"last_observed": "2017-05-21T07:54:06Z",
"number_observed": 1,
"object_refs": [
"url--5921479e-52f8-4333-894c-441802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5921479e-52f8-4333-894c-441802de0b81",
"value": "https://www.virustotal.com/file/d43c10a2c983049d4a32487ab1e8fe7727646052228554e0112f6651f4833d2c/analysis/1495133936/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479f-b5b4-4437-83e0-449902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:07.000Z",
"modified": "2017-05-21T07:54:07.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491",
"pattern": "[file:hashes.SHA1 = '64cb5c3f2cbd238f7f1d707f99dd98713c539f11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5921479f-0ca8-445d-a6ef-4f5902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:07.000Z",
"modified": "2017-05-21T07:54:07.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491",
"pattern": "[file:hashes.MD5 = '35c29de908e04eca97b39b96b3cadc2d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a0-e5dc-4358-b8a8-44da02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:08.000Z",
"modified": "2017-05-21T07:54:08.000Z",
"first_observed": "2017-05-21T07:54:08Z",
"last_observed": "2017-05-21T07:54:08Z",
"number_observed": 1,
"object_refs": [
"url--592147a0-e5dc-4358-b8a8-44da02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a0-e5dc-4358-b8a8-44da02de0b81",
"value": "https://www.virustotal.com/file/c999bf5da5ea3960408d3cba154f965d3436b497ac9d4959b412bfcd956c8491/analysis/1495319617/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a0-8434-45c4-ab3a-435302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:08.000Z",
"modified": "2017-05-21T07:54:08.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867",
"pattern": "[file:hashes.SHA1 = '0cc1d20c48a0ec73329fac801ef5bf212a5a8dd6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a1-6984-43e2-be35-430802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:09.000Z",
"modified": "2017-05-21T07:54:09.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867",
"pattern": "[file:hashes.MD5 = '344d431a88391fc89f97f3ccf87a603e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a1-b764-420e-bcf8-4e7302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:09.000Z",
"modified": "2017-05-21T07:54:09.000Z",
"first_observed": "2017-05-21T07:54:09Z",
"last_observed": "2017-05-21T07:54:09Z",
"number_observed": 1,
"object_refs": [
"url--592147a1-b764-420e-bcf8-4e7302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a1-b764-420e-bcf8-4e7302de0b81",
"value": "https://www.virustotal.com/file/b2ca4093b2e0271cb7a3230118843fccc094e0160a0968994ed9f10c8702d867/analysis/1495133695/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a2-f2bc-4bcd-92cd-4f0102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:10.000Z",
"modified": "2017-05-21T07:54:10.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa",
"pattern": "[file:hashes.SHA1 = '822db2fd78b39b49547cce2f7fb92b276c74bcef']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a2-49c8-4a16-ab00-4ada02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:10.000Z",
"modified": "2017-05-21T07:54:10.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa",
"pattern": "[file:hashes.MD5 = '2d540860d91cd25cc8d61555523c76ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a2-9c98-4a76-9053-4c3902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:10.000Z",
"modified": "2017-05-21T07:54:10.000Z",
"first_observed": "2017-05-21T07:54:10Z",
"last_observed": "2017-05-21T07:54:10Z",
"number_observed": 1,
"object_refs": [
"url--592147a2-9c98-4a76-9053-4c3902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a2-9c98-4a76-9053-4c3902de0b81",
"value": "https://www.virustotal.com/file/ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa/analysis/1495132708/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a3-1ed8-4ffb-86c9-421202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:11.000Z",
"modified": "2017-05-21T07:54:11.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392",
"pattern": "[file:hashes.SHA1 = '7d0a8cef28518f9be8ad083dcbd719ac4c85d89c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a3-1200-4f89-a06f-440202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:11.000Z",
"modified": "2017-05-21T07:54:11.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392",
"pattern": "[file:hashes.MD5 = '67ef79ee308b8625d5f20ea3e5379436']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a3-3234-4995-99a3-4c8102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:11.000Z",
"modified": "2017-05-21T07:54:11.000Z",
"first_observed": "2017-05-21T07:54:11Z",
"last_observed": "2017-05-21T07:54:11Z",
"number_observed": 1,
"object_refs": [
"url--592147a3-3234-4995-99a3-4c8102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a3-3234-4995-99a3-4c8102de0b81",
"value": "https://www.virustotal.com/file/a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392/analysis/1495116317/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a4-34e0-45f3-90a5-411e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:12.000Z",
"modified": "2017-05-21T07:54:12.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: 9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b",
"pattern": "[file:hashes.SHA1 = '1cbc9d531ba0e5e67a1ada95cff19bf0020f88f8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a4-c318-4643-ba8e-4ab902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:12.000Z",
"modified": "2017-05-21T07:54:12.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: 9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b",
"pattern": "[file:hashes.MD5 = 'b7cf3852a0168777f8856e6565d8fe2e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a5-40c0-451d-b787-42d202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:13.000Z",
"modified": "2017-05-21T07:54:13.000Z",
"first_observed": "2017-05-21T07:54:13Z",
"last_observed": "2017-05-21T07:54:13Z",
"number_observed": 1,
"object_refs": [
"url--592147a5-40c0-451d-b787-42d202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a5-40c0-451d-b787-42d202de0b81",
"value": "https://www.virustotal.com/file/9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b/analysis/1495206518/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a5-3c38-445e-a467-414302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:13.000Z",
"modified": "2017-05-21T07:54:13.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97",
"pattern": "[file:hashes.SHA1 = 'f1c027679d5009da067b12af258adc8afaade178']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a5-9bf4-484a-8562-442f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:13.000Z",
"modified": "2017-05-21T07:54:13.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97",
"pattern": "[file:hashes.MD5 = '496131b90f83e8278462d2dd21213646']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a6-3a08-4eb8-b971-475b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:14.000Z",
"modified": "2017-05-21T07:54:14.000Z",
"first_observed": "2017-05-21T07:54:14Z",
"last_observed": "2017-05-21T07:54:14Z",
"number_observed": 1,
"object_refs": [
"url--592147a6-3a08-4eb8-b971-475b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a6-3a08-4eb8-b971-475b02de0b81",
"value": "https://www.virustotal.com/file/94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97/analysis/1495116293/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a6-09b4-45c5-9ef5-4c6802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:14.000Z",
"modified": "2017-05-21T07:54:14.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15",
"pattern": "[file:hashes.SHA1 = 'f57f71ae1e52f25ec9f643760551e1b6cfb9c7ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a7-e34c-4d74-ae52-4f5202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:15.000Z",
"modified": "2017-05-21T07:54:15.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15",
"pattern": "[file:hashes.MD5 = '3771b97552810a0ed107730b718f6fe1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a7-7f0c-4001-aec3-4e5902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:15.000Z",
"modified": "2017-05-21T07:54:15.000Z",
"first_observed": "2017-05-21T07:54:15Z",
"last_observed": "2017-05-21T07:54:15Z",
"number_observed": 1,
"object_refs": [
"url--592147a7-7f0c-4001-aec3-4e5902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a7-7f0c-4001-aec3-4e5902de0b81",
"value": "https://www.virustotal.com/file/64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15/analysis/1495260898/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a7-07ac-445c-897e-44e502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:15.000Z",
"modified": "2017-05-21T07:54:15.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d",
"pattern": "[file:hashes.SHA1 = '70181383eedd8e93e3ecf1c05238c928e267163d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a8-5e20-497b-91f0-4e2302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:16.000Z",
"modified": "2017-05-21T07:54:16.000Z",
"description": "UpdateInstaller.exe (variant) - Xchecked via VT: 1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d",
"pattern": "[file:hashes.MD5 = '76e94e525a2d1a350ff989d532239976']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a8-c034-4647-aaa5-486e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:16.000Z",
"modified": "2017-05-21T07:54:16.000Z",
"first_observed": "2017-05-21T07:54:16Z",
"last_observed": "2017-05-21T07:54:16Z",
"number_observed": 1,
"object_refs": [
"url--592147a8-c034-4647-aaa5-486e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a8-c034-4647-aaa5-486e02de0b81",
"value": "https://www.virustotal.com/file/1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d/analysis/1495312044/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a9-7998-4c9d-92b2-4d3102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:17.000Z",
"modified": "2017-05-21T07:54:17.000Z",
"description": "UpdateInstaller.exe (captured) - Xchecked via VT: e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc",
"pattern": "[file:hashes.SHA1 = 'b05f2d07d0af1184066f766bc78d1b680236c1b3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--592147a9-5074-491b-945a-479b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:17.000Z",
"modified": "2017-05-21T07:54:17.000Z",
"description": "UpdateInstaller.exe (captured) - Xchecked via VT: e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc",
"pattern": "[file:hashes.MD5 = '994bd0b23cce98b86e58218b9032ffab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-21T07:54:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--592147a9-e100-4719-b4d7-4f2e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-21T07:54:17.000Z",
"modified": "2017-05-21T07:54:17.000Z",
"first_observed": "2017-05-21T07:54:17Z",
"last_observed": "2017-05-21T07:54:17Z",
"number_observed": 1,
"object_refs": [
"url--592147a9-e100-4719-b4d7-4f2e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--592147a9-e100-4719-b4d7-4f2e02de0b81",
"value": "https://www.virustotal.com/file/e049d8f69ddee0c2d360c27b98fa9e61b7202bb0d3884dd3ca63f8aa288422dc/analysis/1495348433/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}