misp-circl-feed/feeds/circl/stix-2.1/571a87f2-13e0-4396-83e5-4780950d210f.json

783 lines
33 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--571a87f2-13e0-4396-83e5-4780950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:49.000Z",
"modified": "2016-04-22T20:25:49.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--571a87f2-13e0-4396-83e5-4780950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:49.000Z",
"modified": "2016-04-22T20:25:49.000Z",
"name": "OSINT - New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists",
"published": "2016-04-22T20:26:23Z",
"object_refs": [
"observed-data--571a8816-0ed8-4575-a709-4c0a950d210f",
"url--571a8816-0ed8-4575-a709-4c0a950d210f",
"x-misp-attribute--571a8824-8a5c-44b9-9f31-4530950d210f",
"vulnerability--571a883e-bcdc-4fee-9ea8-4c53950d210f",
"indicator--571a8856-6624-497d-a423-4aa2950d210f",
"indicator--571a8857-814c-4806-973b-4cad950d210f",
"indicator--571a8857-2c0c-4800-b4db-4a24950d210f",
"indicator--571a886d-05c8-4a7a-aa10-4157950d210f",
"indicator--571a886e-0314-4f2b-aca3-4845950d210f",
"indicator--571a887c-6cb8-4016-9961-48e2950d210f",
"indicator--571a887d-f61c-48c1-becf-47f8950d210f",
"observed-data--571a88af-94b4-434b-b71a-4d46950d210f",
"file--571a88af-94b4-434b-b71a-4d46950d210f",
"observed-data--571a88af-3544-4294-928e-40c3950d210f",
"file--571a88af-3544-4294-928e-40c3950d210f",
"observed-data--571a88b0-719c-412f-9467-4cb0950d210f",
"file--571a88b0-719c-412f-9467-4cb0950d210f",
"observed-data--571a88b0-fc5c-4f6c-a9a9-490a950d210f",
"file--571a88b0-fc5c-4f6c-a9a9-490a950d210f",
"observed-data--571a88cd-6d50-45e8-8ce0-4af802de0b81",
"file--571a88cd-6d50-45e8-8ce0-4af802de0b81",
"observed-data--571a88cd-d5e8-47cd-babc-464402de0b81",
"file--571a88cd-d5e8-47cd-babc-464402de0b81",
"observed-data--571a88ce-cec0-41e5-8deb-458d02de0b81",
"url--571a88ce-cec0-41e5-8deb-458d02de0b81",
"observed-data--571a88ce-d5fc-4cb3-84d2-446b02de0b81",
"file--571a88ce-d5fc-4cb3-84d2-446b02de0b81",
"observed-data--571a88ce-3634-407f-b0f9-432302de0b81",
"file--571a88ce-3634-407f-b0f9-432302de0b81",
"observed-data--571a88ce-274c-4e90-a2e7-490602de0b81",
"url--571a88ce-274c-4e90-a2e7-490602de0b81",
"indicator--571a88cf-6db4-4145-9579-47ba02de0b81",
"indicator--571a88cf-9f4c-4a9b-bb6d-4c1202de0b81",
"observed-data--571a88cf-2694-462c-a1fd-497802de0b81",
"url--571a88cf-2694-462c-a1fd-497802de0b81",
"indicator--571a88d0-28b4-486e-a523-421502de0b81",
"indicator--571a88d0-71cc-4ed6-90e6-4dc802de0b81",
"observed-data--571a88d1-5970-43ee-a4fd-4a2e02de0b81",
"url--571a88d1-5970-43ee-a4fd-4a2e02de0b81",
"indicator--571a88d1-0264-4cec-a6ae-465a02de0b81",
"indicator--571a88d1-9650-43b7-976c-4cd502de0b81",
"observed-data--571a88d2-28a0-4dda-93fb-449802de0b81",
"url--571a88d2-28a0-4dda-93fb-449802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a8816-0ed8-4575-a709-4c0a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:22:46.000Z",
"modified": "2016-04-22T20:22:46.000Z",
"first_observed": "2016-04-22T20:22:46Z",
"last_observed": "2016-04-22T20:22:46Z",
"number_observed": 1,
"object_refs": [
"url--571a8816-0ed8-4575-a709-4c0a950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a8816-0ed8-4575-a709-4c0a950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--571a8824-8a5c-44b9-9f31-4530950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:23:00.000Z",
"modified": "2016-04-22T20:23:00.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Malware writers have always sought to develop feature-rich, easy to use tools that are also somewhat hard to detect via both host- and network-based detection systems. For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy (aka PIVY) RAT. Poison Ivy has a convenient graphical user interface (GUI) for managing compromised hosts and provides easy access to a rich suite of post-compromise tools. It is no surprise it\u00e2\u20ac\u2122s now being used against pro-democracy organizations and supporters in Hong Kong that have long been a target of advanced attack campaigns."
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--571a883e-bcdc-4fee-9ea8-4c53950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:23:26.000Z",
"modified": "2016-04-22T20:23:26.000Z",
"name": "CVE-2015-2545",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-2545"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a8856-6624-497d-a423-4aa2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:23:50.000Z",
"modified": "2016-04-22T20:23:50.000Z",
"description": "Weaponized EPS Docs",
"pattern": "[file:hashes.SHA256 = '13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:23:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a8857-814c-4806-973b-4cad950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:23:51.000Z",
"modified": "2016-04-22T20:23:51.000Z",
"description": "Weaponized EPS Docs",
"pattern": "[file:hashes.SHA256 = '4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a8857-2c0c-4800-b4db-4a24950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:23:51.000Z",
"modified": "2016-04-22T20:23:51.000Z",
"description": "Weaponized EPS Docs",
"pattern": "[file:hashes.SHA256 = '9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a886d-05c8-4a7a-aa10-4157950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:24:13.000Z",
"modified": "2016-04-22T20:24:13.000Z",
"description": "Poison Ivy shellcode files",
"pattern": "[file:hashes.SHA256 = 'c707716afde80a41ce6eb7d6d93da2ea5ce00aa9e36944c20657d062330e13d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:24:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a886e-0314-4f2b-aca3-4845950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:24:14.000Z",
"modified": "2016-04-22T20:24:14.000Z",
"description": "Poison Ivy shellcode files",
"pattern": "[file:hashes.SHA256 = '0414bd2186d9748d129f66ff16e2c15df41bf173dc8e3c9cbd450571c99b3403']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:24:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a887c-6cb8-4016-9961-48e2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:24:28.000Z",
"modified": "2016-04-22T20:24:28.000Z",
"description": "C2 Domains",
"pattern": "[domain-name:value = 'sent.leeh0m.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:24:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a887d-f61c-48c1-becf-47f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:24:29.000Z",
"modified": "2016-04-22T20:24:29.000Z",
"description": "C2 Domains",
"pattern": "[domain-name:value = 'found.leeh0m.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:24:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88af-94b4-434b-b71a-4d46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:19.000Z",
"modified": "2016-04-22T20:25:19.000Z",
"first_observed": "2016-04-22T20:25:19Z",
"last_observed": "2016-04-22T20:25:19Z",
"number_observed": 1,
"object_refs": [
"file--571a88af-94b4-434b-b71a-4d46950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--571a88af-94b4-434b-b71a-4d46950d210f",
"name": "RasTls.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88af-3544-4294-928e-40c3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:19.000Z",
"modified": "2016-04-22T20:25:19.000Z",
"first_observed": "2016-04-22T20:25:19Z",
"last_observed": "2016-04-22T20:25:19Z",
"number_observed": 1,
"object_refs": [
"file--571a88af-3544-4294-928e-40c3950d210f"
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--571a88af-3544-4294-928e-40c3950d210f",
"hashes": {
"SHA-256": "0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88b0-719c-412f-9467-4cb0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:20.000Z",
"modified": "2016-04-22T20:25:20.000Z",
"first_observed": "2016-04-22T20:25:20Z",
"last_observed": "2016-04-22T20:25:20Z",
"number_observed": 1,
"object_refs": [
"file--571a88b0-719c-412f-9467-4cb0950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--571a88b0-719c-412f-9467-4cb0950d210f",
"name": "ssMUIDLL.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88b0-fc5c-4f6c-a9a9-490a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:20.000Z",
"modified": "2016-04-22T20:25:20.000Z",
"first_observed": "2016-04-22T20:25:20Z",
"last_observed": "2016-04-22T20:25:20Z",
"number_observed": 1,
"object_refs": [
"file--571a88b0-fc5c-4f6c-a9a9-490a950d210f"
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--571a88b0-fc5c-4f6c-a9a9-490a950d210f",
"hashes": {
"SHA-256": "7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88cd-6d50-45e8-8ce0-4af802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:49.000Z",
"modified": "2016-04-22T20:25:49.000Z",
"first_observed": "2016-04-22T20:25:49Z",
"last_observed": "2016-04-22T20:25:49Z",
"number_observed": 1,
"object_refs": [
"file--571a88cd-6d50-45e8-8ce0-4af802de0b81"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--571a88cd-6d50-45e8-8ce0-4af802de0b81",
"hashes": {
"SHA-1": "e9ccf4e139bbbd114b67cc3cee260d1cb638c9d0"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88cd-d5e8-47cd-babc-464402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:49.000Z",
"modified": "2016-04-22T20:25:49.000Z",
"first_observed": "2016-04-22T20:25:49Z",
"last_observed": "2016-04-22T20:25:49Z",
"number_observed": 1,
"object_refs": [
"file--571a88cd-d5e8-47cd-babc-464402de0b81"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--571a88cd-d5e8-47cd-babc-464402de0b81",
"hashes": {
"MD5": "2fecb7d30ac753db36973a72048b4173"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88ce-cec0-41e5-8deb-458d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:49.000Z",
"modified": "2016-04-22T20:25:49.000Z",
"first_observed": "2016-04-22T20:25:49Z",
"last_observed": "2016-04-22T20:25:49Z",
"number_observed": 1,
"object_refs": [
"url--571a88ce-cec0-41e5-8deb-458d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a88ce-cec0-41e5-8deb-458d02de0b81",
"value": "https://www.virustotal.com/file/7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4/analysis/1459770131/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88ce-d5fc-4cb3-84d2-446b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:50.000Z",
"modified": "2016-04-22T20:25:50.000Z",
"first_observed": "2016-04-22T20:25:50Z",
"last_observed": "2016-04-22T20:25:50Z",
"number_observed": 1,
"object_refs": [
"file--571a88ce-d5fc-4cb3-84d2-446b02de0b81"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--571a88ce-d5fc-4cb3-84d2-446b02de0b81",
"hashes": {
"SHA-1": "11d8bbd1a76e2e9ad43539480fed29bb07ef0a4d"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88ce-3634-407f-b0f9-432302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:50.000Z",
"modified": "2016-04-22T20:25:50.000Z",
"first_observed": "2016-04-22T20:25:50Z",
"last_observed": "2016-04-22T20:25:50Z",
"number_observed": 1,
"object_refs": [
"file--571a88ce-3634-407f-b0f9-432302de0b81"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--571a88ce-3634-407f-b0f9-432302de0b81",
"hashes": {
"MD5": "8ddc664747b4c424c4ed576362134f3c"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88ce-274c-4e90-a2e7-490602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:50.000Z",
"modified": "2016-04-22T20:25:50.000Z",
"first_observed": "2016-04-22T20:25:50Z",
"last_observed": "2016-04-22T20:25:50Z",
"number_observed": 1,
"object_refs": [
"url--571a88ce-274c-4e90-a2e7-490602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a88ce-274c-4e90-a2e7-490602de0b81",
"value": "https://www.virustotal.com/file/0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead/analysis/1461310950/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a88cf-6db4-4145-9579-47ba02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:51.000Z",
"modified": "2016-04-22T20:25:51.000Z",
"description": "Weaponized EPS Docs - Xchecked via VT: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e",
"pattern": "[file:hashes.SHA1 = '0e06e99c8f1c8882fd1f35793c50213f1905494f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:25:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a88cf-9f4c-4a9b-bb6d-4c1202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:51.000Z",
"modified": "2016-04-22T20:25:51.000Z",
"description": "Weaponized EPS Docs - Xchecked via VT: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e",
"pattern": "[file:hashes.MD5 = '50064d33625970a8145add7e3e242fe3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:25:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88cf-2694-462c-a1fd-497802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:51.000Z",
"modified": "2016-04-22T20:25:51.000Z",
"first_observed": "2016-04-22T20:25:51Z",
"last_observed": "2016-04-22T20:25:51Z",
"number_observed": 1,
"object_refs": [
"url--571a88cf-2694-462c-a1fd-497802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a88cf-2694-462c-a1fd-497802de0b81",
"value": "https://www.virustotal.com/file/9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e/analysis/1461331258/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a88d0-28b4-486e-a523-421502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:52.000Z",
"modified": "2016-04-22T20:25:52.000Z",
"description": "Weaponized EPS Docs - Xchecked via VT: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2",
"pattern": "[file:hashes.SHA1 = 'c3ed7bd750192bd43e7fb30d515a109850fb6342']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:25:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a88d0-71cc-4ed6-90e6-4dc802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:52.000Z",
"modified": "2016-04-22T20:25:52.000Z",
"description": "Weaponized EPS Docs - Xchecked via VT: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2",
"pattern": "[file:hashes.MD5 = 'e1b4a5a565fdfcec52346d3b6063c587']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:25:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88d1-5970-43ee-a4fd-4a2e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:53.000Z",
"modified": "2016-04-22T20:25:53.000Z",
"first_observed": "2016-04-22T20:25:53Z",
"last_observed": "2016-04-22T20:25:53Z",
"number_observed": 1,
"object_refs": [
"url--571a88d1-5970-43ee-a4fd-4a2e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a88d1-5970-43ee-a4fd-4a2e02de0b81",
"value": "https://www.virustotal.com/file/4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2/analysis/1461331255/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a88d1-0264-4cec-a6ae-465a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:53.000Z",
"modified": "2016-04-22T20:25:53.000Z",
"description": "Weaponized EPS Docs - Xchecked via VT: 13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0",
"pattern": "[file:hashes.SHA1 = '12627ba5fea1f00d6ac0704d053c519db93f9122']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:25:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a88d1-9650-43b7-976c-4cd502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:53.000Z",
"modified": "2016-04-22T20:25:53.000Z",
"description": "Weaponized EPS Docs - Xchecked via VT: 13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0",
"pattern": "[file:hashes.MD5 = '3fe0cbedec6969803a72b8c76a4a0a03']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T20:25:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a88d2-28a0-4dda-93fb-449802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T20:25:54.000Z",
"modified": "2016-04-22T20:25:54.000Z",
"first_observed": "2016-04-22T20:25:54Z",
"last_observed": "2016-04-22T20:25:54Z",
"number_observed": 1,
"object_refs": [
"url--571a88d2-28a0-4dda-93fb-449802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a88d2-28a0-4dda-93fb-449802de0b81",
"value": "https://www.virustotal.com/file/13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0/analysis/1461331255/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}