{
"type" : "bundle" ,
"id" : "bundle--5a3cc84d-2434-4ae6-8d76-c328950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-16T03:00:22.000Z" ,
"modified" : "2018-01-16T03:00:22.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5a3cc84d-2434-4ae6-8d76-c328950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-16T03:00:22.000Z" ,
"modified" : "2018-01-16T03:00:22.000Z" ,
"name" : "OSINT - Sednit espionage group now using custom exploit kit" ,
"published" : "2018-02-16T08:50:00Z" ,
"object_refs" : [
"observed-data--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f" ,
"url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f" ,
"indicator--5a5c62c4-5fa8-47a1-ac11-42d1950d210f" ,
"indicator--5a5c62c4-d124-4726-be84-4da3950d210f" ,
"x-misp-attribute--5a5c62d9-9f74-422c-8f34-4b01950d210f" ,
"indicator--5a5c638d-0124-4863-9ec0-4887950d210f" ,
"indicator--5a5c638e-8a7c-43e1-937f-4b3b950d210f" ,
"indicator--5a5c638e-bf5c-4a8b-95a1-46b8950d210f" ,
"indicator--5a5c638f-4cec-4f74-827a-4e65950d210f" ,
"indicator--5a5c638f-4558-4ffb-84e6-4e5c950d210f" ,
"indicator--5a5c638f-aad4-4cda-b677-420f950d210f" ,
"indicator--5a5c6390-a4a4-408c-ad20-45a1950d210f" ,
"indicator--5a5c6390-ffd0-4f5b-a8e9-4b66950d210f" ,
"indicator--5a5c6391-5ec8-4f4d-9dd1-4195950d210f" ,
"observed-data--5a5c64c3-16fc-4549-ba11-46fb950d210f" ,
"mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f" ,
"indicator--5a5c658d-553c-4781-b2b4-42e0950d210f" ,
"indicator--5a5c658d-692c-41e7-bff7-4273950d210f" ,
"indicator--5a5c658e-b0c0-4b6c-95b3-4a10950d210f" ,
"indicator--5a5c65a4-a200-44f5-8df6-416f950d210f" ,
"indicator--5a5c65a4-acbc-44bd-84eb-4716950d210f" ,
"indicator--5a5c65ee-e860-4444-911d-4da6950d210f" ,
"indicator--5a5c65ef-8130-414c-95a8-4513950d210f" ,
"indicator--5a5c65ef-25c8-40c4-bcca-4adc950d210f" ,
"indicator--5a5c65ef-9280-45a6-8a0d-40df950d210f" ,
"indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e" ,
"x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece" ,
"indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7" ,
"x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184" ,
"relationship--c937e21c-55ff-4ea6-8fd7-9a0260bf14e3" ,
"relationship--c3a55e8a-ded1-4b84-a189-5cdcbf1968a5"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:exploit-kit=\"Sednit EK\"" ,
"veris:actor:motive=\"Espionage\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:18.000Z" ,
"modified" : "2018-01-15T09:33:18.000Z" ,
"first_observed" : "2018-01-15T09:33:18Z" ,
"last_observed" : "2018-01-15T09:33:18Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f" ,
"value" : "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c62c4-5fa8-47a1-ac11-42d1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:19.000Z" ,
"modified" : "2018-01-15T09:33:19.000Z" ,
"pattern" : "[url:value = 'http://defenceiq.us/2rfKZL_BGwEQ']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c62c4-d124-4726-be84-4da3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:19.000Z" ,
"modified" : "2018-01-15T09:33:19.000Z" ,
"pattern" : "[url:value = 'http://cntt.akcdndata.com/gpw?file=stat.js']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5a5c62d9-9f74-422c-8f34-4b01950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:20.000Z" ,
"modified" : "2018-01-15T09:33:20.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "For at least five years the Sednit group has been relentlessly attacking various institutions, most notably in Eastern Europe. The group used several advanced pieces of malware for these targeted attacks, in particular the one we named Win32/Sednit, also known as Sofacy.\r\n\r\nWe recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group, which has relied mostly on spear-phishing emails up until now.\r\n\r\nIn this blog, we will first examine recent cases of spear-phishing emails using the CVE-2014-1761 Microsoft Word exploit. We will then focus on the exploit kit, which appears to still be in the development and testing phase, and briefly describe the actual payload."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c638d-0124-4863-9ec0-4887950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:20.000Z" ,
"modified" : "2018-01-15T09:33:20.000Z" ,
"description" : "Military news" ,
"pattern" : "[domain-name:value = 'defenceiq.us']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c638e-8a7c-43e1-937f-4b3b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:20.000Z" ,
"modified" : "2018-01-15T09:33:20.000Z" ,
"description" : "Military news" ,
"pattern" : "[domain-name:value = 'defenceiq.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c638e-bf5c-4a8b-95a1-46b8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:20.000Z" ,
"modified" : "2018-01-15T09:33:20.000Z" ,
"description" : "Military news" ,
"pattern" : "[domain-name:value = 'armypress.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c638f-4cec-4f74-827a-4e65950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:21.000Z" ,
"modified" : "2018-01-15T09:33:21.000Z" ,
"description" : "Military news" ,
"pattern" : "[domain-name:value = 'armytime.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c638f-4558-4ffb-84e6-4e5c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:21.000Z" ,
"modified" : "2018-01-15T09:33:21.000Z" ,
"description" : "Foreign Affairs magazine" ,
"pattern" : "[domain-name:value = 'mfapress.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c638f-aad4-4cda-b677-420f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:22.000Z" ,
"modified" : "2018-01-15T09:33:22.000Z" ,
"description" : "Foreign Affairs magazine" ,
"pattern" : "[domain-name:value = 'foreignaffairs.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c6390-a4a4-408c-ad20-45a1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:22.000Z" ,
"modified" : "2018-01-15T09:33:22.000Z" ,
"description" : "Foreign Affairs magazine" ,
"pattern" : "[domain-name:value = 'mfapress.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c6390-ffd0-4f5b-a8e9-4b66950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:22.000Z" ,
"modified" : "2018-01-15T09:33:22.000Z" ,
"description" : "CACI International, defense & cyber security contractor" ,
"pattern" : "[domain-name:value = 'caciltd.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c6391-5ec8-4f4d-9dd1-4195950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:23.000Z" ,
"modified" : "2018-01-15T09:33:23.000Z" ,
"description" : "CACI International, defense & cyber security contractor" ,
"pattern" : "[domain-name:value = 'caci.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a5c64c3-16fc-4549-ba11-46fb950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:23.000Z" ,
"modified" : "2018-01-15T09:33:23.000Z" ,
"first_observed" : "2018-01-15T09:33:23Z" ,
"last_observed" : "2018-01-15T09:33:23Z" ,
"number_observed" : 1 ,
"object_refs" : [
"mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f"
] ,
"labels" : [
"misp:type=\"mutex\"" ,
"misp:category=\"Artifacts dropped\""
]
} ,
{
"type" : "mutex" ,
"spec_version" : "2.1" ,
"id" : "mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f" ,
"name" : "XSQWERSystemCriticalSection_for_1232321"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c658d-553c-4781-b2b4-42e0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:23.000Z" ,
"modified" : "2018-01-15T09:33:23.000Z" ,
"pattern" : "[domain-name:value = 'msonlinelive.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c658d-692c-41e7-bff7-4273950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:24.000Z" ,
"modified" : "2018-01-15T09:33:24.000Z" ,
"pattern" : "[domain-name:value = 'windows-updater.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c658e-b0c0-4b6c-95b3-4a10950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:24.000Z" ,
"modified" : "2018-01-15T09:33:24.000Z" ,
"pattern" : "[domain-name:value = 'azureon-line.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c65a4-a200-44f5-8df6-416f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:25.000Z" ,
"modified" : "2018-01-15T09:33:25.000Z" ,
"pattern" : "[file:name = 'edg6EF885E2.tmp']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c65a4-acbc-44bd-84eb-4716950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:26.000Z" ,
"modified" : "2018-01-15T09:33:26.000Z" ,
"pattern" : "[file:name = 'edg6E85F98675.tmp']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c65ee-e860-4444-911d-4da6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T08:27:26.000Z" ,
"modified" : "2018-01-15T08:27:26.000Z" ,
"description" : "Word exploit" ,
"pattern" : "[file:hashes.SHA1 = '86092636e7ffa22481ca89ac1b023c32c56b24cf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T08:27:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c65ef-8130-414c-95a8-4513950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T08:27:27.000Z" ,
"modified" : "2018-01-15T08:27:27.000Z" ,
"description" : "Word exploit" ,
"pattern" : "[file:hashes.SHA1 = '12223f098ba3088379ec1dc59440c662752ddabd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T08:27:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c65ef-25c8-40c4-bcca-4adc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T08:27:27.000Z" ,
"modified" : "2018-01-15T08:27:27.000Z" ,
"description" : "Dropper" ,
"pattern" : "[file:hashes.SHA1 = 'd61ee0b0d4ed95f3300735c81740a21b8beef337']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T08:27:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a5c65ef-9280-45a6-8a0d-40df950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T08:27:27.000Z" ,
"modified" : "2018-01-15T08:27:27.000Z" ,
"description" : "Payload" ,
"pattern" : "[file:hashes.SHA1 = 'd0db619a7a160949528d46d20fc0151bf9775c32']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T08:27:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:29.000Z" ,
"modified" : "2018-01-15T09:33:29.000Z" ,
"pattern" : "[file:hashes.MD5 = 'df895e6479abf85c4c65d7d3a2451ddb' AND file:hashes.SHA1 = 'd61ee0b0d4ed95f3300735c81740a21b8beef337' AND file:hashes.SHA256 = '6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:28.000Z" ,
"modified" : "2018-01-15T09:33:28.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e/analysis/1515795459/" ,
"category" : "External analysis" ,
"comment" : "Dropper" ,
"uuid" : "5a5c7568-9fa0-46fb-b5e0-482d02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "51/68" ,
"category" : "Other" ,
"comment" : "Dropper" ,
"uuid" : "5a5c7568-b834-46be-af37-4b5f02de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-01-12T22:17:39" ,
"category" : "Other" ,
"comment" : "Dropper" ,
"uuid" : "5a5c7568-8aec-4806-9c81-425c02de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:32.000Z" ,
"modified" : "2018-01-15T09:33:32.000Z" ,
"pattern" : "[file:hashes.MD5 = 'ee64d3273f9b4d80020c24edcbbf961e' AND file:hashes.SHA1 = 'd0db619a7a160949528d46d20fc0151bf9775c32' AND file:hashes.SHA256 = 'e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-01-15T09:33:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-01-15T09:33:30.000Z" ,
"modified" : "2018-01-15T09:33:30.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81/analysis/1490591462/" ,
"category" : "External analysis" ,
"comment" : "Payload" ,
"uuid" : "5a5c756a-6948-4c29-89dc-443c02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "44/61" ,
"category" : "Other" ,
"comment" : "Payload" ,
"uuid" : "5a5c756a-63e8-4ebb-af6b-49f602de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2017-03-27T05:11:02" ,
"category" : "Other" ,
"comment" : "Payload" ,
"uuid" : "5a5c756b-c6a8-4d3b-9ab5-426302de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--c937e21c-55ff-4ea6-8fd7-9a0260bf14e3" ,
"created" : "2018-02-16T08:50:00.000Z" ,
"modified" : "2018-02-16T08:50:00.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e" ,
"target_ref" : "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--c3a55e8a-ded1-4b84-a189-5cdcbf1968a5" ,
"created" : "2018-02-16T08:50:00.000Z" ,
"modified" : "2018-02-16T08:50:00.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7" ,
"target_ref" : "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}