misp-circl-feed/feeds/circl/stix-2.1/5cac8884-5a80-4a5b-b3f9-ada3950d210f.json


2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5cac8884-5a80-4a5b-b3f9-ada3950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:21:59.000Z",
"modified": "2019-04-09T19:21:59.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cac8884-5a80-4a5b-b3f9-ada3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:21:59.000Z",
"modified": "2019-04-09T19:21:59.000Z",
"name": "OSINT - STUXSHOP The Oldest Stuxnet Component Dials Up",
"published": "2019-04-09T19:26:39Z",
"object_refs": [
"x-misp-attribute--5cac88a1-c61c-43b2-81cb-2bc9950d210f",
"observed-data--5cac88b4-82f0-40c1-bf5c-3009950d210f",
"url--5cac88b4-82f0-40c1-bf5c-3009950d210f",
"indicator--5cac8f36-c224-4ca1-b482-c1da950d210f",
"indicator--5cac8f36-bee8-41f2-97ba-c1da950d210f",
"indicator--5cac8f36-a064-4c8f-9b64-c1da950d210f",
"indicator--5cac8f36-3c18-4fec-8be3-c1da950d210f",
"indicator--5cacea3f-924c-4319-8993-43a302de0b81",
"indicator--5cacea3f-0ee0-4dd4-a623-418202de0b81",
"indicator--5cacea53-f988-4e9c-8d3a-467302de0b81",
"indicator--5cacea6e-5a00-489d-aab9-46c502de0b81",
"indicator--5cacea6e-74d8-45d6-905e-45ad02de0b81",
"indicator--5cacea82-abf4-4c0d-907c-4bb402de0b81",
"indicator--5caceaaa-e558-4992-99be-4a1b02de0b81",
"indicator--5caceaaa-2ebc-4fbc-bdbe-411802de0b81",
"indicator--5caceaaa-4660-45bc-92c7-4c9702de0b81",
"indicator--5caceaaa-78dc-4a6d-83e6-4ff002de0b81",
"indicator--5caceaaa-f400-4670-8acd-4c5b02de0b81",
"indicator--5caceae8-f6cc-4959-97cf-a79102de0b81",
"indicator--5caceed5-75f0-4a37-adbf-4c8702de0b81",
"indicator--5cacf076-9a94-4851-83c9-4ecd02de0b81",
"indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1",
"indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f",
"indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f",
"indicator--5cacea17-9ba0-4939-95e7-474c02de0b81",
"indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633",
"x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540",
"indicator--d7f8c044-89dc-411c-a777-6110c35e1185",
"x-misp-object--73ebef95-1302-4712-b237-7aba3002f249",
"indicator--308606ca-729c-4050-8d8e-72f00f17a981",
"x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee",
"indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f",
"x-misp-object--67191d81-2968-4471-b804-e92b25166e28",
"indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc",
"x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c",
"indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb",
"x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46",
"indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c",
"x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d",
"indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9",
"x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0",
"x-misp-object--5cacf023-7368-4a33-a5a4-4e8502de0b81",
"indicator--5cacf0d7-870c-4b90-a5bb-4c1c02de0b81",
"relationship--5bd2a529-686f-48a3-8b7f-28246db6bba2",
"relationship--8d427229-e2a1-4c54-b1ba-17e87d468700",
"relationship--8a573012-4f60-47cb-880a-e708100f06d2",
"relationship--c6583e5d-e4a6-403b-ade0-51d8ba89f2bd",
"relationship--78fab0fb-a395-4769-acb9-2f2c3b05b478",
"relationship--d748fbc5-d4d9-46ab-b262-b5d970955b98",
"relationship--7fd7b8e9-f42d-47a0-a7cb-c23976c2d191",
"relationship--8c28c7df-495d-491d-93ad-45aff328446a",
"relationship--45541b1a-8e80-48d5-8d58-21e064431965",
"relationship--ec6616ea-0d55-4616-a8d7-0e662e68bbcb",
"relationship--435520b6-e4e0-41b9-97af-39bd8592dde0",
"relationship--951c32c0-473c-47a2-a7bb-6a3d19fdb121",
"relationship--4f67aa15-235e-4298-aa09-ee408c762566"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:malpedia=\"Stuxnet\"",
"misp-galaxy:tool=\"Stuxnet\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cac88a1-c61c-43b2-81cb-2bc9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T11:57:21.000Z",
"modified": "2019-04-09T11:57:21.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "During our research into the GossipGirl Supra Threat Actor (STA) cluster, we discovered a previously unknown relationship exemplified in an early Stuxnet component \u2013 built in part on the Flowershop malware framework. While other known versions of Stuxnet were partially linked to the Flame platform (a.k.a. Flamer, SkyWiper) or the \u2018Tilded Platform\u2019 (a.k.a. DuQu), this older component shares code with Flowershop \u2013 an even older malware framework active as early as 2002. In an interesting show of longevity, this Stuxnet component \u2013 which we\u2019ve dubbed Stuxshop \u2013 is configured to communicate with known Stuxnet command-and-control (C&C) servers and even includes logic to suppress dial-up prompts for disconnected (or possibly airgapped) machines. The value of this recent finding is twofold: First, it suggests that yet another team with its own malware platform was involved in the early development of Stuxnet. And secondly, it supports the view that Stuxnet is in fact the product of a modular development framework meant to enable collaboration among diverse, independent threat actors. Our recent findings, alongside the outstanding body of previously reported technical analysis on this threat, would place the \u2018Flowershop team\u2019 alongside Equation, Flame, and Duqu as those involved in tooling the different phases of Stuxnet as an operation active perhaps as early as 2006. Perhaps the most apt metaphor for Stuxnet is that of a \u2018plane built as its being flown\u2019."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cac88b4-82f0-40c1-bf5c-3009950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T11:57:40.000Z",
"modified": "2019-04-09T11:57:40.000Z",
"first_observed": "2019-04-09T11:57:40Z",
"last_observed": "2019-04-09T11:57:40Z",
"number_observed": 1,
"object_refs": [
"url--5cac88b4-82f0-40c1-bf5c-3009950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cac88b4-82f0-40c1-bf5c-3009950d210f",
"value": "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8f36-c224-4ca1-b482-c1da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:25:26.000Z",
"modified": "2019-04-09T12:25:26.000Z",
"description": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"pattern": "[url:value = 'http://211.24.237.226/index.php?data=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:25:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8f36-bee8-41f2-97ba-c1da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:25:26.000Z",
"modified": "2019-04-09T12:25:26.000Z",
"description": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"pattern": "[url:value = 'http://todaysfutbol.com/index.php?data=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:25:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8f36-a064-4c8f-9b64-c1da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:25:26.000Z",
"modified": "2019-04-09T12:25:26.000Z",
"description": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"pattern": "[url:value = 'http://78.111.169.146/index.php?data=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:25:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8f36-3c18-4fec-8be3-c1da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:25:26.000Z",
"modified": "2019-04-09T12:25:26.000Z",
"description": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"pattern": "[url:value = 'http://mypremierfutbol.com/index.php?data=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:25:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea3f-924c-4319-8993-43a302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:53:51.000Z",
"modified": "2019-04-09T18:53:51.000Z",
"description": "Stuxshop Modules",
"pattern": "[file:hashes.SHA256 = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea3f-0ee0-4dd4-a623-418202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:53:51.000Z",
"modified": "2019-04-09T18:53:51.000Z",
"description": "Stuxshop Modules",
"pattern": "[file:hashes.SHA256 = '1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea53-f988-4e9c-8d3a-467302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:54:11.000Z",
"modified": "2019-04-09T18:54:11.000Z",
"description": "Stuxnet Installer with Embedded Stuxshop",
"pattern": "[file:hashes.SHA256 = 'f34c85bb4fcd87225468d0e8ee4441ebc92f42b3f69500d85e28be3c553ce433']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:54:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea6e-5a00-489d-aab9-46c502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:54:38.000Z",
"modified": "2019-04-09T18:54:38.000Z",
"description": "Stuxnet Installers with Resource 231",
"pattern": "[file:hashes.SHA256 = '77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:54:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea6e-74d8-45d6-905e-45ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:54:38.000Z",
"modified": "2019-04-09T18:54:38.000Z",
"description": "Stuxnet Installers with Resource 231",
"pattern": "[file:hashes.SHA256 = 'a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:54:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea82-abf4-4c0d-907c-4bb402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:54:58.000Z",
"modified": "2019-04-09T18:54:58.000Z",
"description": "Deobfuscated Resource 231/Stuxshop modules",
"pattern": "[file:hashes.SHA256 = 'a248c9eeb8e53bbebce42f55e2bfa71bfc70ffcd9dff3271bfd338e1578f37a1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:54:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-e558-4992-99be-4a1b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-2ebc-4fbc-bdbe-411802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-4660-45bc-92c7-4c9702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = '683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-78dc-4a6d-83e6-4ff002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceaaa-f400-4670-8acd-4c5b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:55:38.000Z",
"modified": "2019-04-09T18:55:38.000Z",
"description": "Flowershop samples with relevant code overlap",
"pattern": "[file:hashes.SHA256 = 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceae8-f6cc-4959-97cf-a79102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:56:40.000Z",
"modified": "2019-04-09T18:56:40.000Z",
"pattern": "[rule STUXSHOP_OSCheck\r\n{\r\nmeta:\r\nauthor = \"\u00e2\u20ac\u2039 Silas Cutler (havex@Chronicle.Security)\u00e2\u20ac\u2039 \"\r\ndesc = \"\u00e2\u20ac\u2039 Identifies the OS Check function in STUXSHOP and CheshireCat\u00e2\u20ac\u2039 \"\r\nhash = \"\u00e2\u20ac\u2039 c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579\u00e2\u20ac\u2039 \"\r\nstrings:\r\n$ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00\r\n00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05\r\n5E }\r\n$ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80\r\n68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6\r\n}\r\ncondition:\r\nany of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2019-04-09T18:56:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5caceed5-75f0-4a37-adbf-4c8702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:13:25.000Z",
"modified": "2019-04-09T19:13:25.000Z",
"pattern": "[rule STUXSHOP_config\r\n{\r\n\tmeta:\r\n desc \u00e2\u20ac\u2039 = \u00e2\u20ac\u2039 \"Stuxshop standalone sample configuration\"\r\n author = \"JAG-S (turla@chronicle.security)\"\r\n hash \u00e2\u20ac\u2039 = \u00e2\u20ac\u2039 \"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579\"\r\n strings:\r\n $cnc1 = \"http://211.24.237.226/index.php?data=\"\u00e2\u20ac\u2039 ascii wide\r\n $cnc2 = \"http://todaysfutbol.com/index.php?data=\"\u00e2\u20ac\u2039 ascii wide\r\n $cnc3 = \"http://78.111.169.146/index.php?data=\"\u00e2\u20ac\u2039 ascii wide\"\r\n $cnc4 = \"http://mypremierfutbol.com/index.php?data=\"\u00e2\u20ac\u2039 ascii wide\r\n\r\n\t $regkey1 \u00e2\u20ac\u2039 = \u00e2\u20ac\u2039\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\MS-DOS Emulation\" ascii wide\r\n $regkey2 = \"NTVDMParams\"\u00e2\u20ac\u2039 ascii wide\r\n $flowerOverlap1 = {85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15\u00e2\u20ac\u2039}\r\n $flowerOverlap2 = {85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15\u00e2\u20ac\u2039}\r\n $flowerOverlap3 = {55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 50 68 19 00 02 00 6A 00 FF 75 0C FF 75 08\u00e2\u20ac\u2039}\r\n $flowerOverlap4 = {55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }\r\n $flowerOverlap5 \u00e2\u20ac\u2039= {85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06\u00e2\u20ac\u2039}\r\n $flowerOverlap6 = {85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15\u00e2\u20ac\u2039}\r\n condition:\r\n all of \u00e2\u20ac\u2039 ( \u00e2\u20ac\u2039 $flowerOverlap\u00e2\u20ac\u2039 *)\r\n or\r\n 2\u00e2\u20ac\u2039 of \u00e2\u20ac\u2039 ( \u00e2\u20ac\u2039 $cnc\u00e2\u20ac\u2039 *)\r\n or\r\n all of \u00e2\u20ac\u2039 ( \u00e2\u20ac\u2039 $regkey\u00e2\u20ac\u2039 *)\r\n}]",
"pattern_type": "yara",
"valid_from": "2019-04-09T19:13:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf076-9a94-4851-83c9-4ecd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:20:22.000Z",
"modified": "2019-04-09T19:20:22.000Z",
"pattern": "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Control Panel\\\\Appearance\\\\Old']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:20:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:21:53.000Z",
"modified": "2019-04-09T12:21:53.000Z",
"pattern": "[file:hashes.MD5 = '455abb43295b9a69e355e4e43457bf30' AND file:hashes.SHA1 = '1e0fe0400e04440942a4a1a5bcd3bcd3150a2eea' AND file:hashes.SHA256 = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:21:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:07:08.000Z",
"modified": "2019-04-09T12:07:08.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T09:00:19",
"category": "Other",
"uuid": "fe2cf46c-9b9f-45e4-9909-009d17c89312"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579/analysis/1554800419/",
"category": "Payload delivery",
"uuid": "4dc602d6-a883-4d96-9a6d-08d62774f5af"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/70",
"category": "Payload delivery",
"uuid": "6127da9f-dbd0-4a70-b003-f73444bdafa6"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:21:03.000Z",
"modified": "2019-04-09T12:21:03.000Z",
"pattern": "[file:hashes.MD5 = '455abb43295b9a69e355e4e43457bf30' AND file:hashes.SHA1 = '1e0fe0400e04440942a4a1a5bcd3bcd3150a2eea' AND file:hashes.SHA256 = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579' AND file:name = 'c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579' AND file:size = '72456' AND (file:content_ref.payload_bin = 'UEsDBBQACQAIAAhhiU6Cbwf/0UoAAAgbAQAgABwANDU1YWJiNDMyOTViOWE2OWUzNTVlNGU0MzQ1N2JmMzBVVAkAAy+LrFwvi6xcdXgLAAEEIQAAAAQhAAAAXWx30pzG0qXDihDntIGFcB3uLBJt8j5oo/CZ15N7nYm4UomLesE9trJgBKvo1hLoz6nVvw7+uWaRJIF9akwxNcmO5J0kZJpLFJ52CRLnQSyZMCi+5x5ntEjZ+ELbAVQLzZuGYIUp2tnIkrNW6zq6Bjyh+meeaYQcFOOO+W7ODf1zCvembSyd6KbCjGRtmUosbFHDRGRNY0QPnGv88X3YTBSq4l5KylxKRfV6mbqFFd9r0p9m5d5aTUeG3/mdjqZF5ydDMj+fw8jLe5Ebnghy5yA855hgedP7fNyohVRQH5m47prWus9WFOspnyC9tQHaTTPwI4edeCwPZV0CmcIlJfL/+VSgY0XVfGFu7hyj/uOqOvnA3LilY6lGOmEY174vu55150aOgGVkaKY8a8DWilcN8jhAYb1neqaVuvUDY5JPkDbiNrkwqs8Wf5ThHIm65jfa64Ki/rx8mVUDs315ir0I+oJuoqxnEJdTI97lKZA4YBn5QKDEhW5CJg3OF10yIYPARfCy65Gzp9y6VKbYxOTjhZBN3OxuyK4HAUYQi78Av9wKjAV3zV07ngNBlwIOwqIXejZiZlsJBhfdpx66pgGFVWJyzeXDzSBioKHwwnuXK8GvKTj3+yvUOnRlWi9x3jATLZtU3kim/vL4vx4XB8+cgbVFdyb/hiL0lpeRFHX0U13YDv0VlOzsgw8Tc0fcp0Gz1nG07yJP9BzXtXZH9lX1KhyKch4bq9r42Jxmn6SAVElW2TQB6P5MSuz6jR7K0RU8QXpkQJ9ahph/3cUdLDspmvGvkY/Yil57NsIRLKZ3qJczq7b3uxFW4f+otad+9eNzUY5cgcLXazs9UhEEHVxp8qAFuZGhgmQgFERLj3IayEzade/SAur19O/1B3SDltJu22j4osvRCFM8OtuCsfaXfJdFjKFQiOYqAvco9COwzvOtYYtTtcQCFgtRX6xqukvjj20qTvNQPRTq4/6ukwvEOvgRrU6y1AVcy5rtduE3giUn1dw90Ca4FN3th5IjWUCB1MICjB1fq3YwQm9AAWahLDW5EVGWPGsehZjffaKby9VHLb5+2NEj+Gq1qTjjiUhSVdkg3mzvkAW17d48y+RzZEJ6YuuiEdB67HAhNT7WNmDGZZYNAzgemviXWc0pdk3w9egm0Vt99H8E+2GkJt8Z9n9gnv0bpIbb6CirR6tJm6VbN/rOTg9QhQW8ZoSfY/FaXDf4Cz7oQ6venuZAr68bd/ssaJPacWwrY0FY+UbN4l1cHgWbsfXih6fGzk20jyStm8TjvYj+rIoq1KidH9oegcj6DKaZNPKrn9YHtJ9RtOztQeOizsGTwPCBh7UxN21a1Sz/wxdtImKg0ogXYooWx4wvbvFmcTtlBEpLJr/R9GwaxxtOktAbl88EEl9rsPB8+6heNhYkXk4t5DxjsABz0trnIg69yXVoh/FHd7QZMBbDkROFoNLcvaQTwLtwHLH4AXsICG0JL4MITG+jr0UngTRnwbeWfhUtR1aK
y9dTM2EDs9X0lCP+nr8IByUyzJewj3UzSpGdfPyErQeAO2cpuW9O3tfvF5GgsY6SmlT+5W3jizn3kMPEB13XkpzQyKx3DdU0MqR6zzmxFz+BoLocu04n7b+2RqqTvruNf7kadnh8WcN//C1v6TBnJ57GGFxzsPqjm0940LqszT252bjCOHgfUauE0RNWJolklFHfZ47dZACsYyshYIYsN2+lkrSkI/foYHCSFGMiZbInROpdzu2aUmkqxOfqyCAgp1lDG+qg94jpqVdzZsTUINvDxVbTk+fnvHxjM/kMVazoDBdK2z30Pc09ZigwQ3+4w5vKSH6w5D3ap3TnqubKIaWksaTPiTYxVTZRoju1jYBOdmiQNoPfCN/dOCPoOj4rWZr1Xw0650g5ZHw0KkXRIKosS5zgY/RUUyeO3qYbw7ksKHcQI3+PsdSqmlsuKqR6wWumn2wlB4EiJWo72k2hZGgxYS53QgqMXARf7CQ+aN65iES9m0i45zqalyi3NyDfqqHrbTL+Wcln29fyfnjS9unQYFupnbbGYMdKjaT1dhN95K0W/t6A+kdrTXE77bc0+B29UzY2fh4WRrxyUvPpxPJ6f4POJ+9FHeI7p4SlikWHn3nfxWzmW1LwHLIugwUQmFN0u9gkEG2qWH/4gYEjTwi8iyfVxjUe+YotocfjNJTR2rXuiPeX9D6z4YCFi5cNMYcJBvwa0XNu1jN6a+ZcrFyD78+Qgy+bZASsD2hVsK2i1sQ4xx3aFxK0bFfrR4TX2vdulocaYjOZsu4Q9Xmu51eHVm/VZBC8IBKDkwT6+0wBhoCrfYhnsVKuaMRmh7k+YCfWXkB8QROmAtcS5FX3ZlRl/+v1fLzGG+DsLe0NZXss+DrLVikXu5GzK2WMkutuWj2VJzdyKSyIV+wnXEZk5H72imoChGAbd2Gug2t2uIAH3kwibgVOMorUavXFYsBPC85CQRjRP/Yx3dWnbx4YtX6ik+RG81XGDdr1auOrP4jvh8ihjx683kOufdZ7B/w6v2kk01Dmx0XAdqjardedU0tXWZOFrxer9CFxljLOxQvMj5z6CO9OjFbZt9zXMGjx+QztjRfAO8Sg+CsucxKZ7IvgewbGtb9Ngcs0vCeNNPN6FSTKE07SnrasWivIszEmKfd4sX9+l1pBTTD1GpvUPsSwrVo1EWk5e4spnh3uNAWXuj1RF8GmoDR6CQIeYpE9HxkiCdMHbjRalPyxAZi4ra21G5rh8cVi6ZEPIS7rfKNvrZGacq6tMZJA35/EaxOZtQrCO6a3YFI9VbuoWAj/CUl8dGBYXUF9re9QS175hW+/ZY4UrJTX/a+HvO/5RUSsXnyR7Q/hInugDt7WeBblRF2Kj63ntBRKp0c1iEjLUIBbkoEdcGJ0Pw+fEZZxD735NtMBVDntDLRbHwSPcHhLY+RAi4yEqz3orJgVuJjUfyKxLZaRm8Jb3dM/cQUq5TZ1fuOFm1y15f7RDCXAECIp9xkxX/C/B6QPDkfHXWUYJb6O7kgvONoreG6NiRf2Dh6LA3X2cNDuibwQy0cy94d77vwr3gGnW0vmOPxSQQQ3wmlkm5eLq3brm0ZNlr5JZOUur3FB4Lcu+y/5W8ihsOexgSbjrKyS20Vxt1dxyj2adJGl4XmLU2NvbdcBTdo0Tr7T/HVxa6MPORBCAefwlX4xPzWiLH1Ls6OWvpkC6vyhnDYq2408iuzMQUAV/y2Tolif3jIIjFAJ4xCXBfT4WOT0umag3YV0rMZYab5Cz558e7a30XKoMRHahC3Df8b9t9hKAU4X1Ljk/nYa8bZp0Ew9UYyAP9ZiTgwoCM+xRfHQezPm6lC8pHqieLLpQV5X5HaIyMmCGEFMCxkESunnWQqQsae+7oiV3w+5Dz8pVCLSh0y6FAnlnGZ6dYIuo+MTwv6VJSw9OaI1nJHNMe9guGM9wYMxX25HDH9JUItQIhtyyFIkFkiK/BrleAaEmqOrQvovkzmttGJ96TcvK5hG
adJOq4lIq4ZYyyaEt5YQ6AxUOFVOggjyekGQgvINoFrE+z4o5odPHVv9NoBmLhiI8kATeCBAcG15RTn97v6
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:21:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:15:05.000Z",
"modified": "2019-04-09T12:15:05.000Z",
"pattern": "[domain-name:value = 'todaysfutbol.com' AND domain-name:resolves_to_refs[*].value = '211.24.237.226']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:15:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T12:19:13.000Z",
"modified": "2019-04-09T12:19:13.000Z",
"pattern": "[domain-name:value = 'mypremierfutbol.com' AND domain-name:resolves_to_refs[*].value = '78.111.169.146']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T12:19:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacea17-9ba0-4939-95e7-474c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T18:53:11.000Z",
"modified": "2019-04-09T18:53:11.000Z",
"pattern": "[file:hashes.MD5 = '360752e2f6938ae91ac8fb212c62c0c4' AND file:hashes.SHA1 = '346de24b4081b0dbccd0f3458734b08258eed8a7' AND file:hashes.SHA256 = 'f34c85bb4fcd87225468d0e8ee4441ebc92f42b3f69500d85e28be3c553ce433' AND file:x_misp_text = 'We wondered about the deployment of these curious samples. All of the functionality pointed to\r\na command-and-control module meant to function alongside other components, and not as a\r\nstandalone piece. As we hunted, we came across an unpacked/unobfuscated sample of\r\nStuxnet presumably compiled in 2009 that contained Stuxshop in its entirety' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T18:53:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"pattern": "[file:hashes.MD5 = 'fa1e5eec39910a34ede1c4351ccecec8' AND file:hashes.SHA1 = 'ca3c5872080ec86a041b2b887caec9f28ba7b884' AND file:hashes.SHA256 = 'c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T14:27:10",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "b0d502dd-ff60-4d76-a5a3-7ffd57be3fe0"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532/analysis/1554820030/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "6094c770-b3db-4eff-9f59-3e51787a615a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/70",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "eb3ecbbe-9ed5-487c-9321-967a75105a4d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d7f8c044-89dc-411c-a777-6110c35e1185",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"pattern": "[file:hashes.MD5 = '984c7734a61f5b0c22291a4e26b224be' AND file:hashes.SHA1 = '2a1cc9c615cc2a798cf491a81e52ca050d4e828b' AND file:hashes.SHA256 = '683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--73ebef95-1302-4712-b237-7aba3002f249",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T17:37:54",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "ad8d9850-f381-49c6-b650-62a57c8bf3b6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3/analysis/1554831474/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "1a976776-aafe-414e-bcf5-acd3caf060cf"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "27/65",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "bcf66b81-63ce-495d-aee2-1dffdf10aae4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--308606ca-729c-4050-8d8e-72f00f17a981",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"pattern": "[file:hashes.MD5 = '4e0a3498438adda8c50c3e101cfa86c5' AND file:hashes.SHA1 = '0655670f1cb40e84ba12adb9711f001269712054' AND file:hashes.SHA256 = 'ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T14:27:24",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "7176c395-37ca-4d30-941c-0b19c00a2996"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300/analysis/1554820044/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "958ba48c-fd6d-489d-8c11-2f6bc6f79191"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/69",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "c149c768-5027-4e7e-a5d6-8ebac9b6bb3c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"pattern": "[file:hashes.MD5 = '3ba57784d7fd4302fe74beb648b28dc1' AND file:hashes.SHA1 = '648a62d74ab1076e66a7a70f0899b8093eca2b01' AND file:hashes.SHA256 = '32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--67191d81-2968-4471-b804-e92b25166e28",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:10.000Z",
"modified": "2019-04-09T19:14:10.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T14:25:43",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "0052a797-5299-43f8-bb60-fc6f0e5b8827"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a/analysis/1554819943/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "fafdb38f-5748-48f9-8873-6c6086237764"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/70",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "5d48d630-34cc-4288-aabf-4186fcaede15"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"pattern": "[file:hashes.MD5 = '300d2a3f47803c2814a45382d84d3446' AND file:hashes.SHA1 = 'ec5dd52971f550a77c3544819c56674378976509' AND file:hashes.SHA256 = '1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T17:37:53",
"category": "Other",
"comment": "Stuxshop Modules",
"uuid": "54971c2b-ffc5-4568-a9dc-9ba3ec8e95e3"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f/analysis/1554831473/",
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"uuid": "ae87b543-4eaf-4790-847a-9e81e2576099"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "43/68",
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"uuid": "e44ee586-67fa-4411-a3d4-329acf59622b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"pattern": "[file:hashes.MD5 = '7b0e7297d5157586f4075098be9efc8c' AND file:hashes.SHA1 = '421156c4858878ef8beeadf54c4549095445b682' AND file:hashes.SHA256 = '63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T14:20:50",
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "46da9467-63b7-4c06-9c57-d83d362007b6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb/analysis/1554819650/",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "2de83530-15bd-4536-a3d9-51752d3a52fd"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/71",
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"uuid": "ffca2167-370b-44d8-8eb2-7bfbd7118538"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"pattern": "[file:hashes.MD5 = '79c02836b6b6939ecea43691278424e8' AND file:hashes.SHA1 = '62e021e7ce7e6c382820b5a083221732ef5649b9' AND file:hashes.SHA256 = 'a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T17:37:55",
"category": "Other",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "be7cd761-b99d-441d-8fe3-98c0fe63ff8a"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803/analysis/1554831475/",
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "9a5f1b2c-0306-4d7f-8ad9-d8d57a895f7b"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/64",
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "01cbe4d0-780b-4530-9812-d999bc1938d2"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"pattern": "[file:hashes.MD5 = '6df1c77d4aabc3e3d91fcfdba8e7986d' AND file:hashes.SHA1 = '39b106c2405c3b5d65ddbb17571fc53b26893e9a' AND file:hashes.SHA256 = '77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:14:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09T17:37:55",
"category": "Other",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "ea99549b-5bd3-47dd-aa68-bda0ce2c3b42"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac/analysis/1554831475/",
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "e50ac7c2-3672-445d-92bb-bc78d3742ba2"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "53/70",
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"uuid": "a6e18bf7-3d93-4c64-9b6d-021a3b2c3542"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5cacf023-7368-4a33-a5a4-4e8502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:18:59.000Z",
"modified": "2019-04-09T19:18:59.000Z",
"labels": [
"misp:name=\"malware-config\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "password",
"value": "F117FA1CE233C1D7BB7726C0E49615C4622E2D1895F0D8AD4B23BADC4FD70C",
"category": "Other",
"uuid": "5cacf023-5f50-43d4-a585-44cc02de0b81"
},
{
"type": "text",
"object_relation": "config",
"value": "not included",
"category": "Other",
"uuid": "5cacf023-fdf0-45af-9095-431502de0b81"
},
{
"type": "text",
"object_relation": "format",
"value": "other",
"category": "Other",
"uuid": "5cacf023-a61c-4c80-9eff-40e202de0b81"
}
],
"x_misp_comment": "The control server response is decoded using the same 31-byte XOR encoding, with yet another\r\nkey",
"x_misp_meta_category": "file",
"x_misp_name": "malware-config"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf0d7-870c-4b90-a5bb-4c1c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:21:59.000Z",
"modified": "2019-04-09T19:21:59.000Z",
"pattern": "[windows-registry-key:key = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\MS-DOS Emulation' AND windows-registry-key:values[0].data = '19790509' AND windows-registry-key:values[0].data_type = 'REG_NONE' AND windows-registry-key:values[0].name = 'NTVDM TRACE' AND windows-registry-key:x_misp_root_keys = 'HKCC']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:21:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"registry-key\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5bd2a529-686f-48a3-8b7f-28246db6bba2",
"created": "2019-04-09T12:07:08.000Z",
"modified": "2019-04-09T12:07:08.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"target_ref": "x-misp-object--d66ade80-17a6-47a9-9efe-7b5a922dfaa1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8d427229-e2a1-4c54-b1ba-17e87d468700",
"created": "2019-04-09T12:21:25.000Z",
"modified": "2019-04-09T12:21:25.000Z",
"relationship_type": "connects-to",
"source_ref": "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"target_ref": "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8a573012-4f60-47cb-880a-e708100f06d2",
"created": "2019-04-09T12:21:53.000Z",
"modified": "2019-04-09T12:21:53.000Z",
"relationship_type": "connects-to",
"source_ref": "indicator--5cac89aa-7884-4eb1-95fd-4a27950d210f",
"target_ref": "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c6583e5d-e4a6-403b-ade0-51d8ba89f2bd",
"created": "2019-04-09T12:20:32.000Z",
"modified": "2019-04-09T12:20:32.000Z",
"relationship_type": "connects-to",
"source_ref": "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"target_ref": "indicator--5cac8cc9-7984-4dfa-85f8-49af950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--78fab0fb-a395-4769-acb9-2f2c3b05b478",
"created": "2019-04-09T12:21:02.000Z",
"modified": "2019-04-09T12:21:02.000Z",
"relationship_type": "connects-to",
"source_ref": "indicator--5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"target_ref": "indicator--5cac8dc1-95dc-466e-85ce-4b0c950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d748fbc5-d4d9-46ab-b262-b5d970955b98",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--2868aeaa-a19a-4b36-b693-e55b1a32d633",
"target_ref": "x-misp-object--95f4e9d8-aec9-4e52-b133-8688a3857540"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7fd7b8e9-f42d-47a0-a7cb-c23976c2d191",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--d7f8c044-89dc-411c-a777-6110c35e1185",
"target_ref": "x-misp-object--73ebef95-1302-4712-b237-7aba3002f249"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8c28c7df-495d-491d-93ad-45aff328446a",
"created": "2019-04-09T19:14:11.000Z",
"modified": "2019-04-09T19:14:11.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--308606ca-729c-4050-8d8e-72f00f17a981",
"target_ref": "x-misp-object--7403084a-f132-4ff9-a53b-6342ed8032ee"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--45541b1a-8e80-48d5-8d58-21e064431965",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--dbbdfe4d-13dc-4fc2-b189-0582aec45f8f",
"target_ref": "x-misp-object--67191d81-2968-4471-b804-e92b25166e28"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ec6616ea-0d55-4616-a8d7-0e662e68bbcb",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--de4d97dc-5512-4f11-b590-7f56e1877cdc",
"target_ref": "x-misp-object--555db026-ee1b-4775-91f4-a1b52245a78c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--435520b6-e4e0-41b9-97af-39bd8592dde0",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb",
"target_ref": "x-misp-object--ddaf5a99-1963-4a4a-93eb-0b69396bbb46"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--951c32c0-473c-47a2-a7bb-6a3d19fdb121",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--6edd0812-8c25-4923-8e60-1872a7a81a1c",
"target_ref": "x-misp-object--b7b2cc69-43cb-4213-9dfd-d7b5043a819d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4f67aa15-235e-4298-aa09-ee408c762566",
"created": "2019-04-09T19:14:12.000Z",
"modified": "2019-04-09T19:14:12.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--421a889c-305d-4fee-a7c9-6b0114a2beb9",
"target_ref": "x-misp-object--596ec4c3-ec57-4be1-8edf-777fb2b48aa0"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}