{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5a1e6e1d-4cc0-4ce6-aeba-7e44950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-30T03:00:40.000Z",
|
||
|
"modified": "2017-11-30T03:00:40.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5a1e6e1d-4cc0-4ce6-aeba-7e44950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-30T03:00:40.000Z",
|
||
|
"modified": "2017-11-30T03:00:40.000Z",
|
||
|
"name": "OSINT - UBoatRAT Navigates East Asia",
|
||
|
"published": "2017-12-28T13:25:39Z",
|
||
|
"object_refs": [
|
||
|
"indicator--5a1e6e92-b21c-4355-83bc-7e3d950d210f",
|
||
|
"indicator--5a1e6e93-357c-4320-a5df-7e3d950d210f",
|
||
|
"indicator--5a1e6e93-1ed4-40d6-837d-7e3d950d210f",
|
||
|
"indicator--5a1e6e93-feb4-4918-b303-7e3d950d210f",
|
||
|
"indicator--5a1e6fb8-21e0-46a4-9a14-42bb950d210f",
|
||
|
"indicator--5a1e6fb8-0dc0-42a7-ab67-44a0950d210f",
|
||
|
"indicator--5a1e7047-f180-48e6-abe3-ad09950d210f",
|
||
|
"indicator--5a1e7201-b744-4bba-b544-acff950d210f",
|
||
|
"indicator--5a1e7201-c980-4731-bca2-acff950d210f",
|
||
|
"indicator--5a1e7201-68a8-43af-8d79-acff950d210f",
|
||
|
"indicator--5a1e7201-3560-4100-a6a3-acff950d210f",
|
||
|
"indicator--5a1e7201-f338-4937-a779-acff950d210f",
|
||
|
"indicator--5a1e7201-befc-4df5-be4e-acff950d210f",
|
||
|
"indicator--5a1e7201-4538-462c-adf7-acff950d210f",
|
||
|
"indicator--5a1e7201-4d24-49e4-bc30-acff950d210f",
|
||
|
"indicator--5a1e7201-433c-43fd-83cf-acff950d210f",
|
||
|
"indicator--5a1e7201-0db0-42d3-b8a7-acff950d210f",
|
||
|
"indicator--5a1e7201-61ec-43e5-8249-acff950d210f",
|
||
|
"indicator--5a1e7202-7cbc-4824-b342-acff950d210f",
|
||
|
"indicator--5a1e7202-cb70-43c3-a458-acff950d210f",
|
||
|
"indicator--5a1e7202-df9c-48d3-9105-acff950d210f",
|
||
|
"indicator--5a1e7366-3338-4056-a20a-acff950d210f",
|
||
|
"indicator--5a1e7383-fef4-40da-bb60-7e41950d210f",
|
||
|
"indicator--5a1e7383-4c5c-45d4-9e1d-7e41950d210f",
|
||
|
"indicator--5a1e7383-0664-463e-80d9-7e41950d210f",
|
||
|
"indicator--5a1e8049-b69c-43a4-96a5-494b02de0b81",
|
||
|
"indicator--5a1e8049-979c-4d90-897b-4b7302de0b81",
|
||
|
"observed-data--5a1e8049-e1b0-4576-b543-4a8d02de0b81",
|
||
|
"url--5a1e8049-e1b0-4576-b543-4a8d02de0b81",
|
||
|
"indicator--5a1e8049-dcb8-4f36-a9b0-4d9b02de0b81",
|
||
|
"indicator--5a1e8049-0fc0-4609-ba7e-44db02de0b81",
|
||
|
"observed-data--5a1e8049-1298-425d-a5cd-4e7302de0b81",
|
||
|
"url--5a1e8049-1298-425d-a5cd-4e7302de0b81",
|
||
|
"indicator--5a1e8049-ce98-4b73-9cf0-4fe902de0b81",
|
||
|
"indicator--5a1e8049-9988-45e7-bdc0-47f102de0b81",
|
||
|
"observed-data--5a1e8049-47e4-4922-9b3b-4ec802de0b81",
|
||
|
"url--5a1e8049-47e4-4922-9b3b-4ec802de0b81",
|
||
|
"indicator--5a1e8049-1f4c-4a0e-9058-4d9502de0b81",
|
||
|
"indicator--5a1e8049-dc30-4b6f-b0b5-4df202de0b81",
|
||
|
"observed-data--5a1e8049-fbcc-40ac-b6a0-4d1902de0b81",
|
||
|
"url--5a1e8049-fbcc-40ac-b6a0-4d1902de0b81",
|
||
|
"indicator--5a1e8049-2574-4b8b-b0f9-4f5d02de0b81",
|
||
|
"indicator--5a1e8049-b830-4eed-be4c-470002de0b81",
|
||
|
"observed-data--5a1e8049-8b3c-4179-95b1-4d9202de0b81",
|
||
|
"url--5a1e8049-8b3c-4179-95b1-4d9202de0b81",
|
||
|
"indicator--5a1e8049-2220-4788-8461-433702de0b81",
|
||
|
"indicator--5a1e8049-08fc-4965-9237-4d8a02de0b81",
|
||
|
"observed-data--5a1e8049-05d4-42a7-8f65-4b9302de0b81",
|
||
|
"url--5a1e8049-05d4-42a7-8f65-4b9302de0b81",
|
||
|
"indicator--5a1e8049-ace0-42c5-bb84-4cc102de0b81",
|
||
|
"indicator--5a1e8049-5b58-4001-81a2-45a602de0b81",
|
||
|
"observed-data--5a1e8049-da68-4a49-8bed-4a7802de0b81",
|
||
|
"url--5a1e8049-da68-4a49-8bed-4a7802de0b81",
|
||
|
"indicator--5a1e8049-3cec-4105-9987-498d02de0b81",
|
||
|
"indicator--5a1e8049-e118-4099-b7fb-47d102de0b81",
|
||
|
"observed-data--5a1e8049-28b0-456e-a8ce-4b7402de0b81",
|
||
|
"url--5a1e8049-28b0-456e-a8ce-4b7402de0b81",
|
||
|
"indicator--5a1e8049-9618-4c87-974c-40f102de0b81",
|
||
|
"indicator--5a1e8049-89d8-4cb8-a0fc-493302de0b81",
|
||
|
"observed-data--5a1e8049-33c4-40de-b45c-454302de0b81",
|
||
|
"url--5a1e8049-33c4-40de-b45c-454302de0b81",
|
||
|
"indicator--5a1e8049-aba8-4247-83fb-4be402de0b81",
|
||
|
"indicator--5a1e8049-3888-4811-8660-444802de0b81",
|
||
|
"observed-data--5a1e8049-a068-49ac-8650-4bb602de0b81",
|
||
|
"url--5a1e8049-a068-49ac-8650-4bb602de0b81",
|
||
|
"indicator--5a1e8049-cd94-4382-92cf-410202de0b81",
|
||
|
"indicator--5a1e8049-db38-4b22-a47c-499f02de0b81",
|
||
|
"observed-data--5a1e8049-2a3c-4635-b8dc-492c02de0b81",
|
||
|
"url--5a1e8049-2a3c-4635-b8dc-492c02de0b81",
|
||
|
"indicator--5a1e8049-72d8-44da-8e6e-4b5f02de0b81",
|
||
|
"indicator--5a1e8049-e7bc-4a42-8956-4b6d02de0b81",
|
||
|
"observed-data--5a1e8049-a034-436b-9d4d-442302de0b81",
|
||
|
"url--5a1e8049-a034-436b-9d4d-442302de0b81",
|
||
|
"indicator--5a1e8049-043c-43d5-bad4-428002de0b81",
|
||
|
"indicator--5a1e8049-8134-4d5d-853b-4a5a02de0b81",
|
||
|
"observed-data--5a1e8049-7768-4dd7-9831-466002de0b81",
|
||
|
"url--5a1e8049-7768-4dd7-9831-466002de0b81",
|
||
|
"indicator--5a1e8049-2340-4ea4-9040-4be202de0b81",
|
||
|
"indicator--5a1e8049-df00-4dce-b580-4c1f02de0b81",
|
||
|
"observed-data--5a1e8049-6e54-4386-a4da-433902de0b81",
|
||
|
"url--5a1e8049-6e54-4386-a4da-433902de0b81",
|
||
|
"indicator--5a1e8049-4de0-4df9-b443-4a0502de0b81",
|
||
|
"indicator--5a1e8049-03c4-4862-8761-4df902de0b81",
|
||
|
"observed-data--5a1e804a-b920-4d71-85dc-478602de0b81",
|
||
|
"url--5a1e804a-b920-4d71-85dc-478602de0b81",
|
||
|
"indicator--5a1e75a8-4948-48c0-badd-acff950d210f",
|
||
|
"indicator--5a1e75bb-62c4-482b-ac3d-7e3d950d210f",
|
||
|
"indicator--5a1e75e2-d86c-4630-ae37-48b2950d210f",
|
||
|
"indicator--5a1e75f5-b104-487d-a256-4731950d210f",
|
||
|
"indicator--5a1e783a-aef0-4a28-ad00-453d950d210f",
|
||
|
"indicator--5a1e784f-971c-40c2-bca6-aa74950d210f",
|
||
|
"indicator--5a1e785d-404c-45f8-8d98-aa74950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e6e92-b21c-4355-83bc-7e3d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "2017 annual salary raise inquiry related feedback survey",
|
||
|
"pattern": "[file:name = '2017\u00eb\u2026\u201e \u00ec\u2014\u00b0\u00eb\u00b4\u2030\u00ec\u009d\u00b8\u00ec\u0192\u0081 \u00eb\u00ac\u00b8\u00ec\u009d\u02dc \u00ec\u201a\u00ac\u00ed\u2022\u00ad\u00ea\u00b4\u20ac\u00eb\u00a0\u00a8 \u00ed\u201d\u00bc\u00eb\u201c\u0153\u00eb\u00b0\u00b1 \u00ec\u00a1\u00b0\u00ec\u201a\u00ac.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e6e93-357c-4320-a5df-7e3d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "2017 annual salary raise feedback",
|
||
|
"pattern": "[file:name = '2017\u00eb\u2026\u201e \u00ec\u2014\u00b0\u00eb\u00b4\u2030\u00ec\u009d\u00b8\u00ec\u0192\u0081 \u00eb\u00ac\u00b8\u00ec\u009d\u02dc \u00ec\u201a\u00ac\u00ed\u2022\u00ad\u00ea\u00b4\u20ac\u00eb\u00a0\u00a8 \u00ed\u201d\u00bc\u00eb\u201c\u0153\u00eb\u00b0\u00b1 \u00ec\u00a0\u201e\u00eb\u2039\u00ac.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e6e93-1ed4-40d6-837d-7e3d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"pattern": "[file:name = '[Business]RyoKim\u00e2\u20ac\u2122s__resume__20170629.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e6e93-feb4-4918-b303-7e3d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"pattern": "[file:name = '[Project W]Gravity business cooperation.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e6fb8-21e0-46a4-9a14-42bb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\svchost.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e6fb8-0dc0-42a7-ab67-44a0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\init.bat']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7047-f180-48e6-abe3-ad09950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "Web Access",
|
||
|
"pattern": "[url:value = 'https://raw.githubusercontent.com/r1ng/news/master/README.md']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-b744-4bba-b544-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = 'bf7c6e911f14a1f8679c9b0c2b183d74d5accd559e17297adcd173d76755e271']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-c980-4731-bca2-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '6bea49e4260f083ed6b73e100550ecd22300806071f4a6326e0544272a84526c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-68a8-43af-8d79-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cf832f32b8d27cf9911031910621c21bd3c20e71cc062716923304dacf4dadb7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-3560-4100-a6a3-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '7b32f401e2ad577e8398b2975ecb5c5ce68c5b07717b1e0d762f90a6fbd8add1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-f338-4937-a779-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '04873dbd63279228a0a4bb1184933b64adb880e874bd3d14078161d06e232c9b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-befc-4df5-be4e-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '42d8a84cd49ff3afacf3d549fbab1fa80d5eda0c8625938b6d32e18004b0edac']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-4538-462c-adf7-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '7be6eaa3f9eb288de5606d02bc79e6c8e7fc63935894cd793bc1fab08c7f86c7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-4d24-49e4-bc30-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '460328fe57110fc01837d80c0519fb99ea4a35ea5b890785d1e88c91bea9ade5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-433c-43fd-83cf-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '55dd22448e9340d13b439272a177565ace9f5cf69586f8be0443b6f9c81aa6e7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-0db0-42d3-b8a7-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:20.000Z",
|
||
|
"modified": "2017-11-29T09:39:20.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '9db387138a1fdfa04127a4841cf024192e41e47491388e133c00325122b3ea82']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7201-61ec-43e5-8249-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e52d866e5b77e885e36398249f242f8ff1a224ecce065892dc200c57595bb494']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7202-7cbc-4824-b342-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = 'eb92456bf3ab86bd71d74942bb955062550fa10248d67faeeeedd9ff4785f41e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7202-cb70-43c3-a458-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '452b1675437ef943988c48932787e2e4decfe8e4c3bed728f490d55b3d496875']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7202-df9c-48d3-9105-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = '66c2baa370125448ddf3053d59085b3d6ab78659efee9f152b310e61d2e7edb5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7366-3338-4056-a20a-acff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "Downloader SHA256",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f4c659238ffab95e87894d2c556f887774dce2431e8cb87f881df4e4d26253a3']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7383-fef4-40da-bb60-7e41950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "Web Access",
|
||
|
"pattern": "[url:value = 'https://raw.githubusercontent.com/elsa999/uuu/master/README.md']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7383-4c5c-45d4-9e1d-7e41950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "Web Access",
|
||
|
"pattern": "[url:value = 'http://www.ak(masked).jp/images/']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e7383-0664-463e-80d9-7e41950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "Web Access",
|
||
|
"pattern": "[url:value = 'http://elsakrblog.blogspot.hk/2017/03/test.html']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-b69c-43a4-96a5-494b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "Downloader SHA256 - Xchecked via VT: f4c659238ffab95e87894d2c556f887774dce2431e8cb87f881df4e4d26253a3",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ea26c32d2a31d2bc5575ef9ff4d32458e1c7ff58']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-979c-4d90-897b-4b7302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "Downloader SHA256 - Xchecked via VT: f4c659238ffab95e87894d2c556f887774dce2431e8cb87f881df4e4d26253a3",
|
||
|
"pattern": "[file:hashes.MD5 = 'fe4be1bd2c058d8aa53c38eb02dd0255']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-e1b0-4576-b543-4a8d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-e1b0-4576-b543-4a8d02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-e1b0-4576-b543-4a8d02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f4c659238ffab95e87894d2c556f887774dce2431e8cb87f881df4e4d26253a3/analysis/1498777151/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-dcb8-4f36-a9b0-4d9b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 66c2baa370125448ddf3053d59085b3d6ab78659efee9f152b310e61d2e7edb5",
|
||
|
"pattern": "[file:hashes.SHA1 = '35ed718e257b6b1fc3eb30059d0233c0fa4eb4c4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-0fc0-4609-ba7e-44db02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 66c2baa370125448ddf3053d59085b3d6ab78659efee9f152b310e61d2e7edb5",
|
||
|
"pattern": "[file:hashes.MD5 = '46665b820a922b61816aa2aa6e022304']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-1298-425d-a5cd-4e7302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-1298-425d-a5cd-4e7302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-1298-425d-a5cd-4e7302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/66c2baa370125448ddf3053d59085b3d6ab78659efee9f152b310e61d2e7edb5/analysis/1496917903/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-ce98-4b73-9cf0-4fe902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 452b1675437ef943988c48932787e2e4decfe8e4c3bed728f490d55b3d496875",
|
||
|
"pattern": "[file:hashes.SHA1 = '95887abfea573a0e21ded335068a897893665033']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-9988-45e7-bdc0-47f102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 452b1675437ef943988c48932787e2e4decfe8e4c3bed728f490d55b3d496875",
|
||
|
"pattern": "[file:hashes.MD5 = 'b46e9f052ed043ecc89641390c20884b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-47e4-4922-9b3b-4ec802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-47e4-4922-9b3b-4ec802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-47e4-4922-9b3b-4ec802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/452b1675437ef943988c48932787e2e4decfe8e4c3bed728f490d55b3d496875/analysis/1511928794/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-1f4c-4a0e-9058-4d9502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: eb92456bf3ab86bd71d74942bb955062550fa10248d67faeeeedd9ff4785f41e",
|
||
|
"pattern": "[file:hashes.SHA1 = '6310a51b921ffed41f01ced009e90b774f41f3bf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-dc30-4b6f-b0b5-4df202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: eb92456bf3ab86bd71d74942bb955062550fa10248d67faeeeedd9ff4785f41e",
|
||
|
"pattern": "[file:hashes.MD5 = 'b1c97373575f0be0a1391959c4aed24b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-fbcc-40ac-b6a0-4d1902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-fbcc-40ac-b6a0-4d1902de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-fbcc-40ac-b6a0-4d1902de0b81",
|
||
|
"value": "https://www.virustotal.com/file/eb92456bf3ab86bd71d74942bb955062550fa10248d67faeeeedd9ff4785f41e/analysis/1511928784/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-2574-4b8b-b0f9-4f5d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: e52d866e5b77e885e36398249f242f8ff1a224ecce065892dc200c57595bb494",
|
||
|
"pattern": "[file:hashes.SHA1 = 'd1795a10bbd8883e442547634e9a89cf67b8ebd8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-b830-4eed-be4c-470002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: e52d866e5b77e885e36398249f242f8ff1a224ecce065892dc200c57595bb494",
|
||
|
"pattern": "[file:hashes.MD5 = '02a7993fcd5fea4442271e91e12d2df7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-8b3c-4179-95b1-4d9202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-8b3c-4179-95b1-4d9202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-8b3c-4179-95b1-4d9202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e52d866e5b77e885e36398249f242f8ff1a224ecce065892dc200c57595bb494/analysis/1511928640/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-2220-4788-8461-433702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 9db387138a1fdfa04127a4841cf024192e41e47491388e133c00325122b3ea82",
|
||
|
"pattern": "[file:hashes.SHA1 = '6d729ff088d06fa5a24c474b97bd6de368da281b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-08fc-4965-9237-4d8a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 9db387138a1fdfa04127a4841cf024192e41e47491388e133c00325122b3ea82",
|
||
|
"pattern": "[file:hashes.MD5 = '447b4aae6a8b286b846367e59a6960c8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-05d4-42a7-8f65-4b9302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-05d4-42a7-8f65-4b9302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-05d4-42a7-8f65-4b9302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/9db387138a1fdfa04127a4841cf024192e41e47491388e133c00325122b3ea82/analysis/1511941637/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-ace0-42c5-bb84-4cc102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 55dd22448e9340d13b439272a177565ace9f5cf69586f8be0443b6f9c81aa6e7",
|
||
|
"pattern": "[file:hashes.SHA1 = 'd959f60eef45678e1885c5ce128380faf6c24298']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-5b58-4001-81a2-45a602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 55dd22448e9340d13b439272a177565ace9f5cf69586f8be0443b6f9c81aa6e7",
|
||
|
"pattern": "[file:hashes.MD5 = '61e89917c5efa241d5130afe53b2bbfd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-da68-4a49-8bed-4a7802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-da68-4a49-8bed-4a7802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-da68-4a49-8bed-4a7802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/55dd22448e9340d13b439272a177565ace9f5cf69586f8be0443b6f9c81aa6e7/analysis/1511912899/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-3cec-4105-9987-498d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 460328fe57110fc01837d80c0519fb99ea4a35ea5b890785d1e88c91bea9ade5",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ad1d8d3b27cc3a269bcf2b7b0c52228c2e5ab18c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-e118-4099-b7fb-47d102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 460328fe57110fc01837d80c0519fb99ea4a35ea5b890785d1e88c91bea9ade5",
|
||
|
"pattern": "[file:hashes.MD5 = '6cdd41daf6f36231b608b11cbe3c159b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-28b0-456e-a8ce-4b7402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-28b0-456e-a8ce-4b7402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-28b0-456e-a8ce-4b7402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/460328fe57110fc01837d80c0519fb99ea4a35ea5b890785d1e88c91bea9ade5/analysis/1507085530/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-9618-4c87-974c-40f102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 7be6eaa3f9eb288de5606d02bc79e6c8e7fc63935894cd793bc1fab08c7f86c7",
|
||
|
"pattern": "[file:hashes.SHA1 = '3a2c1f4a013da2f79f40f227e14d5cfc0de05afc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-89d8-4cb8-a0fc-493302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 7be6eaa3f9eb288de5606d02bc79e6c8e7fc63935894cd793bc1fab08c7f86c7",
|
||
|
"pattern": "[file:hashes.MD5 = '80501fa0d1880fd84f49a84eb8b8cb8e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-33c4-40de-b45c-454302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-33c4-40de-b45c-454302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-33c4-40de-b45c-454302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/7be6eaa3f9eb288de5606d02bc79e6c8e7fc63935894cd793bc1fab08c7f86c7/analysis/1507104251/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-aba8-4247-83fb-4be402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 42d8a84cd49ff3afacf3d549fbab1fa80d5eda0c8625938b6d32e18004b0edac",
|
||
|
"pattern": "[file:hashes.SHA1 = '8ea67fb6bb931d17ef0c889385684586404900f0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-3888-4811-8660-444802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 42d8a84cd49ff3afacf3d549fbab1fa80d5eda0c8625938b6d32e18004b0edac",
|
||
|
"pattern": "[file:hashes.MD5 = '3bc02082ff458cd0134460b7a5c0c0cf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-a068-49ac-8650-4bb602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-a068-49ac-8650-4bb602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-a068-49ac-8650-4bb602de0b81",
|
||
|
"value": "https://www.virustotal.com/file/42d8a84cd49ff3afacf3d549fbab1fa80d5eda0c8625938b6d32e18004b0edac/analysis/1506053846/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-cd94-4382-92cf-410202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 04873dbd63279228a0a4bb1184933b64adb880e874bd3d14078161d06e232c9b",
|
||
|
"pattern": "[file:hashes.SHA1 = '51cb7116a6710cebbc3c63f8a28ab6a873f6d9aa']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-db38-4b22-a47c-499f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 04873dbd63279228a0a4bb1184933b64adb880e874bd3d14078161d06e232c9b",
|
||
|
"pattern": "[file:hashes.MD5 = 'c06ed2a7fa9f6d2364912942d2dc0312']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-2a3c-4635-b8dc-492c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-2a3c-4635-b8dc-492c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-2a3c-4635-b8dc-492c02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/04873dbd63279228a0a4bb1184933b64adb880e874bd3d14078161d06e232c9b/analysis/1507120388/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-72d8-44da-8e6e-4b5f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 7b32f401e2ad577e8398b2975ecb5c5ce68c5b07717b1e0d762f90a6fbd8add1",
|
||
|
"pattern": "[file:hashes.SHA1 = '850b53088e71b5445a5aba5a6c1f9e8a9570165a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-e7bc-4a42-8956-4b6d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 7b32f401e2ad577e8398b2975ecb5c5ce68c5b07717b1e0d762f90a6fbd8add1",
|
||
|
"pattern": "[file:hashes.MD5 = '8c46853cce03a402d1f62403fd064f68']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-a034-436b-9d4d-442302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-a034-436b-9d4d-442302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-a034-436b-9d4d-442302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/7b32f401e2ad577e8398b2975ecb5c5ce68c5b07717b1e0d762f90a6fbd8add1/analysis/1507671973/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-043c-43d5-bad4-428002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: cf832f32b8d27cf9911031910621c21bd3c20e71cc062716923304dacf4dadb7",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ba2006c89c2de8735135ca73e6de4990432d8043']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-8134-4d5d-853b-4a5a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: cf832f32b8d27cf9911031910621c21bd3c20e71cc062716923304dacf4dadb7",
|
||
|
"pattern": "[file:hashes.MD5 = 'ea3209b83b3493419c61a2c30602a06d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a1e8049-7768-4dd7-9831-466002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"first_observed": "2017-11-29T09:39:21Z",
|
||
|
"last_observed": "2017-11-29T09:39:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5a1e8049-7768-4dd7-9831-466002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5a1e8049-7768-4dd7-9831-466002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cf832f32b8d27cf9911031910621c21bd3c20e71cc062716923304dacf4dadb7/analysis/1511913145/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-2340-4ea4-9040-4be202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 6bea49e4260f083ed6b73e100550ecd22300806071f4a6326e0544272a84526c",
|
||
|
"pattern": "[file:hashes.SHA1 = 'eb23b1962cf1a9492aa864d93583a10afec02b48']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-29T09:39:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a1e8049-df00-4dce-b580-4c1f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-29T09:39:21.000Z",
|
||
|
"modified": "2017-11-29T09:39:21.000Z",
|
||
|
"description": "UBoatRAT SHA256 - Xchecked via VT: 6bea49e4260f083ed6b73e100550ecd22300806071f4a6326e0544272a84526c",
|
||
|
"pattern": "[file:hashes.MD5 = 'e3c63cfcd9fa3fbff4215b1a812c6b77']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T09:39:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e8049-6e54-4386-a4da-433902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T09:39:21.000Z",
"modified": "2017-11-29T09:39:21.000Z",
"first_observed": "2017-11-29T09:39:21Z",
"last_observed": "2017-11-29T09:39:21Z",
"number_observed": 1,
"object_refs": [
"url--5a1e8049-6e54-4386-a4da-433902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a1e8049-6e54-4386-a4da-433902de0b81",
"value": "https://www.virustotal.com/file/6bea49e4260f083ed6b73e100550ecd22300806071f4a6326e0544272a84526c/analysis/1511947376/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e8049-4de0-4df9-b443-4a0502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T09:39:21.000Z",
"modified": "2017-11-29T09:39:21.000Z",
"description": "UBoatRAT SHA256 - Xchecked via VT: bf7c6e911f14a1f8679c9b0c2b183d74d5accd559e17297adcd173d76755e271",
"pattern": "[file:hashes.SHA1 = 'd3b74adb11e1267d46f434c34fdfb45b295019cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T09:39:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e8049-03c4-4862-8761-4df902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T09:39:21.000Z",
"modified": "2017-11-29T09:39:21.000Z",
"description": "UBoatRAT SHA256 - Xchecked via VT: bf7c6e911f14a1f8679c9b0c2b183d74d5accd559e17297adcd173d76755e271",
"pattern": "[file:hashes.MD5 = '6fc94b35c3ae2c824becbe3619ef5634']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T09:39:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a1e804a-b920-4d71-85dc-478602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T09:39:21.000Z",
"modified": "2017-11-29T09:39:21.000Z",
"first_observed": "2017-11-29T09:39:21Z",
"last_observed": "2017-11-29T09:39:21Z",
"number_observed": 1,
"object_refs": [
"url--5a1e804a-b920-4d71-85dc-478602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a1e804a-b920-4d71-85dc-478602de0b81",
"value": "https://www.virustotal.com/file/bf7c6e911f14a1f8679c9b0c2b183d74d5accd559e17297adcd173d76755e271/analysis/1511913412/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e75a8-4948-48c0-badd-acff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T08:54:00.000Z",
"modified": "2017-11-29T08:54:00.000Z",
"description": "C2",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.68.49.179') AND network-traffic:dst_port = '80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T08:54:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e75bb-62c4-482b-ac3d-7e3d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T08:54:19.000Z",
"modified": "2017-11-29T08:54:19.000Z",
"description": "C2",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.68.49.179') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T08:54:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e75e2-d86c-4630-ae37-48b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T08:54:58.000Z",
"modified": "2017-11-29T08:54:58.000Z",
"description": "C2",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '60.248.190.36') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T08:54:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e75f5-b104-487d-a256-4731950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T08:55:17.000Z",
"modified": "2017-11-29T08:55:17.000Z",
"description": "C2",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.68.52.66') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T08:55:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e783a-aef0-4a28-ad00-453d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T09:04:58.000Z",
"modified": "2017-11-29T09:04:58.000Z",
"description": "C2",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.68.49.180') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T09:04:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e784f-971c-40c2-bca6-aa74950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T09:05:19.000Z",
"modified": "2017-11-29T09:05:19.000Z",
"description": "C2",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.147.187.173') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T09:05:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a1e785d-404c-45f8-8d98-aa74950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-29T09:05:33.000Z",
"modified": "2017-11-29T09:05:33.000Z",
"description": "C2",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '124.150.140.131') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-29T09:05:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}