{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5cc209b3-82e0-4d0e-980d-4a6002de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:32:04.000Z",
|
||
|
"modified": "2019-04-25T19:32:04.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5cc209b3-82e0-4d0e-980d-4a6002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:32:04.000Z",
|
||
|
"modified": "2019-04-25T19:32:04.000Z",
|
||
|
"name": "OSINT - Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware",
|
||
|
"published": "2019-04-25T19:34:52Z",
|
||
|
"object_refs": [
|
||
|
"indicator--5cc20a1e-8ef4-4468-bd53-48ca02de0b81",
|
||
|
"indicator--5cc20a1e-20b0-4f51-a8f5-45cc02de0b81",
|
||
|
"indicator--5cc20a1e-1184-4ed9-9d66-409a02de0b81",
|
||
|
"indicator--5cc20a1e-0bb8-401f-9cbd-45a002de0b81",
|
||
|
"indicator--5cc20a1e-35f8-49e0-b7d2-49a302de0b81",
|
||
|
"indicator--5cc20a1e-7e0c-40f1-b9dd-429c02de0b81",
|
||
|
"indicator--5cc20a1e-cfe4-459a-8837-4ce702de0b81",
|
||
|
"indicator--5cc20a1e-0e98-4860-acf2-48e602de0b81",
|
||
|
"observed-data--5cc20a2e-6408-4271-a41f-41da02de0b81",
|
||
|
"url--5cc20a2e-6408-4271-a41f-41da02de0b81",
|
||
|
"x-misp-attribute--5cc20a3f-8e84-4d6c-b3b0-47d702de0b81",
|
||
|
"observed-data--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
|
||
|
"network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
|
||
|
"ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
|
||
|
"indicator--2f52d11d-5df6-44ca-8934-12cce8d33395",
|
||
|
"x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a",
|
||
|
"indicator--60c23628-c767-4b08-9cb4-0d55c6432479",
|
||
|
"x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072",
|
||
|
"indicator--b278e19f-e981-47bc-be90-072138554a61",
|
||
|
"x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c",
|
||
|
"indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87",
|
||
|
"x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd",
|
||
|
"relationship--ca6819fb-5e5a-4789-ab4c-6972b2794581",
|
||
|
"relationship--94bd6358-df7b-4581-9b34-b4ba751d9c67",
|
||
|
"relationship--b246fe92-0e38-4298-8ae9-38b933a07373",
|
||
|
"relationship--9b1a1df4-ea01-49ec-897e-0796fbb207a7"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:threat-actor=\"TA505\"",
|
||
|
"type:OSINT",
|
||
|
"osint:lifetime=\"perpetual\"",
|
||
|
"osint:certainty=\"50\"",
|
||
|
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"",
|
||
|
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc20a1e-8ef4-4468-bd53-48ca02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:26.000Z",
|
||
|
"modified": "2019-04-25T19:27:26.000Z",
|
||
|
"description": "011042019.xls",
|
||
|
"pattern": "[file:hashes.SHA1 = '880b383532534e32f3fa49692d676d9488aabac1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:27:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc20a1e-20b0-4f51-a8f5-45cc02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:26.000Z",
|
||
|
"modified": "2019-04-25T19:27:26.000Z",
|
||
|
"pattern": "[file:hashes.SHA1 = '63aeb16b5d001cbd94b636e9f557fe97b8467c8d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:27:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc20a1e-1184-4ed9-9d66-409a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:26.000Z",
|
||
|
"modified": "2019-04-25T19:27:26.000Z",
|
||
|
"description": "msie988.tmp",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ad35fa0b3799562931b4bfa3abd057214b8721ff']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:27:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc20a1e-0bb8-401f-9cbd-45a002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:26.000Z",
|
||
|
"modified": "2019-04-25T19:27:26.000Z",
|
||
|
"description": "pegas.dll",
|
||
|
"pattern": "[file:hashes.SHA1 = '06f232210e507f09f01155e7d0cb5389b8a31042']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:27:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc20a1e-35f8-49e0-b7d2-49a302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:26.000Z",
|
||
|
"modified": "2019-04-25T19:27:26.000Z",
|
||
|
"description": "First C2",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '79.141.171.160']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:27:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc20a1e-7e0c-40f1-b9dd-429c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:26.000Z",
|
||
|
"modified": "2019-04-25T19:27:26.000Z",
|
||
|
"description": "Second C2",
|
||
|
"pattern": "[domain-name:value = 'aasdkkkdsa3442.icu']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:27:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc20a1e-cfe4-459a-8837-4ce702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:26.000Z",
|
||
|
"modified": "2019-04-25T19:27:26.000Z",
|
||
|
"description": "Second C2",
|
||
|
"pattern": "[domain-name:value = 'joisf333.icu']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:27:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5cc20a1e-0e98-4860-acf2-48e602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:26.000Z",
|
||
|
"modified": "2019-04-25T19:27:26.000Z",
|
||
|
"description": "Second C2",
|
||
|
"pattern": "[domain-name:value = 'zxskjkkjsk3232.pw']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:27:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5cc20a2e-6408-4271-a41f-41da02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:42.000Z",
|
||
|
"modified": "2019-04-25T19:27:42.000Z",
|
||
|
"first_observed": "2019-04-25T19:27:42Z",
|
||
|
"last_observed": "2019-04-25T19:27:42Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5cc20a2e-6408-4271-a41f-41da02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5cc20a2e-6408-4271-a41f-41da02de0b81",
|
||
|
"value": "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5cc20a3f-8e84-4d6c-b3b0-47d702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:27:59.000Z",
|
||
|
"modified": "2019-04-25T19:27:59.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "The cybersecurity community has long known that any information technology tool that is used for legitimate purposes can also be manipulated by attackers to enhance their malware. Recently, however, many native Windows OS processes are being used for malicious purposes as well. \r\n\r\nIn this research, we introduce a meticulously planned, malicious operation against a financial institution in April of 2019. This advanced operation combines a targeted phishing attack with advanced tools that gather intel on the environment. The operation chooses whether or not to create persistence and installs a sophisticated backdoor called ServHelper used to take over the network.\r\nKey Aspects of TA505's Operation\r\n\r\n Highly targeted phishing campaign to a small number of specific accounts within the company.\r\n Signed and verified malicious code. This is an extra precaution taken to avoid detection.\r\n A deliberate timeline, indicated by the timing of the phishing attack and signing of the malicious code.\r\n A selective persistence mechanism and self-destruct commands based on autonomous reconnaissance.\r\n Large emphasis on removal of evidence using self-destruct commands and deleting scripts.\r\n Multiple C2 domains, in the event of blacklisting or inability to connect for another reason.\r\n The operation integrates four different LOLBins, which indicates the attackers' continued, advanced attempts to avoid detection."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:34:31.000Z",
|
||
|
"modified": "2019-04-25T19:34:31.000Z",
|
||
|
"first_observed": "2019-04-25T19:34:31Z",
|
||
|
"last_observed": "2019-04-25T19:34:31Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
|
||
|
"ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-src\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
|
||
|
"src_ref": "ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9",
|
||
|
"value": "195.123.227.79"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--2f52d11d-5df6-44ca-8934-12cce8d33395",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:28:25.000Z",
|
||
|
"modified": "2019-04-25T19:28:25.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '4ca90e372982c864b8eae6d95161a213' AND file:hashes.SHA1 = 'ad35fa0b3799562931b4bfa3abd057214b8721ff' AND file:hashes.SHA256 = '843578299d9e60e52f781ca487aa83f5df4c5f4ca71d3a941a8ea249476c5c3c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:28:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:28:25.000Z",
|
||
|
"modified": "2019-04-25T19:28:25.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-22T09:26:21",
|
||
|
"category": "Other",
|
||
|
"comment": "msie988.tmp",
|
||
|
"uuid": "39e083d0-2e54-439d-92e0-bd5ceb8a6603"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/843578299d9e60e52f781ca487aa83f5df4c5f4ca71d3a941a8ea249476c5c3c/analysis/1555925181/",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "msie988.tmp",
|
||
|
"uuid": "a83aa4df-1f72-4b3a-bdb2-cef656e4a0dc"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "48/70",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "msie988.tmp",
|
||
|
"uuid": "cebb4a53-f987-4755-b609-f65fc6721b4f"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--60c23628-c767-4b08-9cb4-0d55c6432479",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:28:25.000Z",
|
||
|
"modified": "2019-04-25T19:28:25.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '4acd155b901884134f01b383eb035c23' AND file:hashes.SHA1 = '63aeb16b5d001cbd94b636e9f557fe97b8467c8d' AND file:hashes.SHA256 = 'cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:28:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:28:25.000Z",
|
||
|
"modified": "2019-04-25T19:28:25.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-25T13:10:17",
|
||
|
"category": "Other",
|
||
|
"uuid": "e018eb15-af9b-422d-8d19-cfb07e16b0c6"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40/analysis/1556197817/",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "0097e14c-21ec-49da-b18d-d24ad3cb346c"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "37/60",
|
||
|
"category": "Payload delivery",
|
||
|
"uuid": "3087c659-8379-415a-9da4-23b7eb460be2"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--b278e19f-e981-47bc-be90-072138554a61",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:28:25.000Z",
|
||
|
"modified": "2019-04-25T19:28:25.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '2d3238185537429ea693a81a1c6ca4c0' AND file:hashes.SHA1 = '880b383532534e32f3fa49692d676d9488aabac1' AND file:hashes.SHA256 = 'c0bcd76c486a8c8994fc005d83d64716ed3604c8559463867412c446e5364169']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:28:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:28:25.000Z",
|
||
|
"modified": "2019-04-25T19:28:25.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-25T16:23:40",
|
||
|
"category": "Other",
|
||
|
"comment": "011042019.xls",
|
||
|
"uuid": "6cdfbbe1-b251-4207-84c5-870c9d1369ca"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/c0bcd76c486a8c8994fc005d83d64716ed3604c8559463867412c446e5364169/analysis/1556209420/",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "011042019.xls",
|
||
|
"uuid": "202d31f1-719e-4245-a692-bdab4419e08e"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "28/59",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "011042019.xls",
|
||
|
"uuid": "4c3e9b5e-41d5-4fa6-8ed3-38a17934b789"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:28:25.000Z",
|
||
|
"modified": "2019-04-25T19:28:25.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '4a8198fca604a78dd210803aebd5cbba' AND file:hashes.SHA1 = '06f232210e507f09f01155e7d0cb5389b8a31042' AND file:hashes.SHA256 = '9dc1381816b8b18aead256bdc05486171968abbc6ff01766088fbfe7badd194e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2019-04-25T19:28:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2019-04-25T19:28:25.000Z",
|
||
|
"modified": "2019-04-25T19:28:25.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2019-04-22T13:10:47",
|
||
|
"category": "Other",
|
||
|
"comment": "pegas.dll",
|
||
|
"uuid": "f0b9cbb0-ecd0-4c07-8d12-8d57a3086e89"
|
||
|
},
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/9dc1381816b8b18aead256bdc05486171968abbc6ff01766088fbfe7badd194e/analysis/1555938647/",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "pegas.dll",
|
||
|
"uuid": "ebbf25ae-2093-4f10-a4fe-742ed2f9c82f"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "39/66",
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "pegas.dll",
|
||
|
"uuid": "30c4a904-f9c8-489f-ac44-b89617fd734b"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--ca6819fb-5e5a-4789-ab4c-6972b2794581",
|
||
|
"created": "2019-04-25T19:28:26.000Z",
|
||
|
"modified": "2019-04-25T19:28:26.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--2f52d11d-5df6-44ca-8934-12cce8d33395",
|
||
|
"target_ref": "x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--94bd6358-df7b-4581-9b34-b4ba751d9c67",
|
||
|
"created": "2019-04-25T19:28:26.000Z",
|
||
|
"modified": "2019-04-25T19:28:26.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--60c23628-c767-4b08-9cb4-0d55c6432479",
|
||
|
"target_ref": "x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--b246fe92-0e38-4298-8ae9-38b933a07373",
|
||
|
"created": "2019-04-25T19:28:26.000Z",
|
||
|
"modified": "2019-04-25T19:28:26.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--b278e19f-e981-47bc-be90-072138554a61",
|
||
|
"target_ref": "x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--9b1a1df4-ea01-49ec-897e-0796fbb207a7",
|
||
|
"created": "2019-04-25T19:28:26.000Z",
|
||
|
"modified": "2019-04-25T19:28:26.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87",
|
||
|
"target_ref": "x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|