{
"type" : "bundle" ,
"id" : "bundle--59d34428-803c-4eab-bac7-49c0950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:51:18.000Z" ,
"modified" : "2017-10-04T08:51:18.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--59d34428-803c-4eab-bac7-49c0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:51:18.000Z" ,
"modified" : "2017-10-04T08:51:18.000Z" ,
"name" : "OSINT - Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers" ,
"published" : "2017-10-04T08:51:30Z" ,
"object_refs" : [
"observed-data--59d34439-4454-45a8-94dc-3e8a950d210f" ,
"url--59d34439-4454-45a8-94dc-3e8a950d210f" ,
"x-misp-attribute--59d344c1-426c-49c5-9ff5-4eed950d210f" ,
"indicator--59d34505-26c0-45b8-ad15-3e8b950d210f" ,
"indicator--59d34505-22e0-4906-90c3-3e8b950d210f" ,
"indicator--59d34505-2e78-4dc1-a67b-3e8b950d210f" ,
"indicator--59d34505-3db8-4638-9c56-3e8b950d210f" ,
"indicator--59d34505-f7d0-4def-8e96-3e8b950d210f" ,
"indicator--59d34544-1b60-4b87-8b28-42df950d210f" ,
"indicator--59d345d3-66fc-41a9-a259-4762950d210f" ,
"indicator--59d345d3-b880-404c-8dfa-43d3950d210f" ,
"indicator--59d34660-03b0-4649-93dc-4236950d210f" ,
"indicator--59d34915-eb94-48f5-8e04-3e86950d210f" ,
"observed-data--59d34b35-0d00-462b-903a-43a4950d210f" ,
"windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f" ,
"observed-data--59d34b35-12cc-4033-9114-400e950d210f" ,
"windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f" ,
"observed-data--59d34b35-3b98-432e-b9f2-40d1950d210f" ,
"windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f" ,
"observed-data--59d34b35-7ebc-4b87-b031-45fc950d210f" ,
"windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f" ,
"observed-data--59d34b35-f05c-4193-b489-4d53950d210f" ,
"windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f" ,
"indicator--59d4a0da-b11c-4106-bb81-424502de0b81" ,
"indicator--59d4a0da-0ce0-47c9-a313-48fc02de0b81" ,
"observed-data--59d4a0da-d74c-4b70-870f-48ab02de0b81" ,
"url--59d4a0da-d74c-4b70-870f-48ab02de0b81" ,
"indicator--59d4a0da-9b60-478f-b63b-4e1802de0b81" ,
"indicator--59d4a0da-edd8-4715-a50d-43ec02de0b81" ,
"observed-data--59d4a0da-c5f8-42d4-8dfd-450402de0b81" ,
"url--59d4a0da-c5f8-42d4-8dfd-450402de0b81" ,
"indicator--59d4a0da-52f0-421f-93cf-46b902de0b81" ,
"indicator--59d4a0da-e200-4df3-9afe-44d302de0b81" ,
"observed-data--59d4a0da-8964-4305-9aac-4cc602de0b81" ,
"url--59d4a0da-8964-4305-9aac-4cc602de0b81" ,
"indicator--59d4a0da-4c70-4d6c-858b-43ff02de0b81" ,
"indicator--59d4a0da-f260-4592-a320-451a02de0b81" ,
"observed-data--59d4a0da-b5c0-4500-923c-458d02de0b81" ,
"url--59d4a0da-b5c0-4500-923c-458d02de0b81" ,
"indicator--59d4a0da-2b88-4315-af2a-4dee02de0b81" ,
"indicator--59d4a0da-54ec-44d7-a611-45f502de0b81" ,
"observed-data--59d4a0da-55f0-4dd3-853e-452302de0b81" ,
"url--59d4a0da-55f0-4dd3-853e-452302de0b81" ,
"indicator--59d4a0da-24ac-4c9a-9ed0-46d202de0b81" ,
"indicator--59d4a0da-b468-4875-a528-4f0902de0b81" ,
"observed-data--59d4a0da-55b8-4813-a62a-42aa02de0b81" ,
"url--59d4a0da-55b8-4813-a62a-42aa02de0b81" ,
"indicator--59d4a0da-3e44-4d72-a76f-46b802de0b81" ,
"indicator--59d4a0da-dc90-4b07-9a85-47ac02de0b81" ,
"observed-data--59d4a0da-a858-4517-8dfe-4f5502de0b81" ,
"url--59d4a0da-a858-4517-8dfe-4f5502de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:source-type=\"blog-post\"" ,
"misp-galaxy:threat-actor=\"Aurora Panda\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d34439-4454-45a8-94dc-3e8a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59d34439-4454-45a8-94dc-3e8a950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59d34439-4454-45a8-94dc-3e8a950d210f" ,
"value" : "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59d344c1-426c-49c5-9ff5-4eed950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide a stronger link between this attack and the Axiom group.\r\n\r\nFirst of all, our researchers would like to thank the entire team at Cisco Talos for their excellent work on this attack (their post regarding stage 2 can be found here) as well as their cooperation by allowing us access to the stage 2 payload. Also, we would like to give a special thanks to Kaspersky Labs for their collaboration."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d34505-26c0-45b8-ad15-3e8b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "x86 Registry Payload" ,
"pattern" : "[file:hashes.SHA256 = 'f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d34505-22e0-4906-90c3-3e8b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"pattern" : "[file:hashes.SHA256 = '07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d34505-2e78-4dc1-a67b-3e8b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"pattern" : "[file:hashes.SHA256 = '0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d34505-3db8-4638-9c56-3e8b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"pattern" : "[file:hashes.SHA256 = '20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d34505-f7d0-4def-8e96-3e8b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d34544-1b60-4b87-8b28-42df950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "Stage 2 Payload" ,
"pattern" : "[file:hashes.SHA256 = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d345d3-66fc-41a9-a259-4762950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "x86 Trojanized Binary" ,
"pattern" : "[file:hashes.SHA256 = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d345d3-b880-404c-8dfa-43d3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "x64 Trojanized Binary" ,
"pattern" : "[file:hashes.SHA256 = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d34660-03b0-4649-93dc-4236950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '13.59.9.90']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d34915-eb94-48f5-8e04-3e86950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "x64 Registry Payload" ,
"pattern" : "[file:hashes.SHA256 = '75eaa1889dbc93f11544cf3e40e3b9342b81b1678af5d83026496ee6a1b2ef79']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d34b35-0d00-462b-903a-43a4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f" ,
"key" : "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\001"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d34b35-12cc-4033-9114-400e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f" ,
"key" : "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\002"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d34b35-3b98-432e-b9f2-40d1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f" ,
"key" : "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\003"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d34b35-7ebc-4b87-b031-45fc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f" ,
"key" : "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\004"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d34b35-f05c-4193-b489-4d53950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f" ,
"key" : "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\HBP"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-b11c-4106-bb81-424502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f" ,
"pattern" : "[file:hashes.SHA1 = '82691bf5d8ca1c760e0dbc67c99f89ecd890de08']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-0ce0-47c9-a313-48fc02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f" ,
"pattern" : "[file:hashes.MD5 = '52dda1e6ac12c24f2997cf05e0ea42c9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d4a0da-d74c-4b70-870f-48ab02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59d4a0da-d74c-4b70-870f-48ab02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59d4a0da-d74c-4b70-870f-48ab02de0b81" ,
"value" : "https://www.virustotal.com/file/128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f/analysis/1507088207/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-9b60-478f-b63b-4e1802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902" ,
"pattern" : "[file:hashes.SHA1 = '53c9ea5ac9b2efc5e8e0b4e3a051fa1615cc09a9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-edd8-4715-a50d-43ec02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902" ,
"pattern" : "[file:hashes.MD5 = 'd6fd2df91432ca21c79ece2c6637d1c6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d4a0da-c5f8-42d4-8dfd-450402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59d4a0da-c5f8-42d4-8dfd-450402de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59d4a0da-c5f8-42d4-8dfd-450402de0b81" ,
"value" : "https://www.virustotal.com/file/07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902/analysis/1507103949/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-52f0-421f-93cf-46b902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83" ,
"pattern" : "[file:hashes.SHA1 = 'e7cca2da5161a313161a81a38a8b5773310a6801']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-e200-4df3-9afe-44d302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83" ,
"pattern" : "[file:hashes.MD5 = '748aa5fcfa2af451c76039faf6a8684d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d4a0da-8964-4305-9aac-4cc602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59d4a0da-8964-4305-9aac-4cc602de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59d4a0da-8964-4305-9aac-4cc602de0b81" ,
"value" : "https://www.virustotal.com/file/dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83/analysis/1507084318/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-4c70-4d6c-858b-43ff02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550" ,
"pattern" : "[file:hashes.SHA1 = '7dd556415487cc192b647c9a7fde70896eeee7a2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-f260-4592-a320-451a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550" ,
"pattern" : "[file:hashes.MD5 = 'e77e708924168afd17dbe26bba8621af']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d4a0da-b5c0-4500-923c-458d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59d4a0da-b5c0-4500-923c-458d02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59d4a0da-b5c0-4500-923c-458d02de0b81" ,
"value" : "https://www.virustotal.com/file/ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550/analysis/1506960621/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-2b88-4315-af2a-4dee02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27" ,
"pattern" : "[file:hashes.SHA1 = '590ddc140152c2c5ce2f0dc7b21a297fd4102ba3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-54ec-44d7-a611-45f502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27" ,
"pattern" : "[file:hashes.MD5 = '8ad22f3e9e603ff89228f3c66d9949d9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d4a0da-55f0-4dd3-853e-452302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59d4a0da-55f0-4dd3-853e-452302de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59d4a0da-55f0-4dd3-853e-452302de0b81" ,
"value" : "https://www.virustotal.com/file/20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27/analysis/1446757665/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-24ac-4c9a-9ed0-46d202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2" ,
"pattern" : "[file:hashes.SHA1 = '40f9cde4ccd1b1b17a647c6fc72c5c5cd40d2b08']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-b468-4875-a528-4f0902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2" ,
"pattern" : "[file:hashes.MD5 = 'ba86c0c1d9a08284c61c4251762ad0df']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d4a0da-55b8-4813-a62a-42aa02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59d4a0da-55b8-4813-a62a-42aa02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59d4a0da-55b8-4813-a62a-42aa02de0b81" ,
"value" : "https://www.virustotal.com/file/0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2/analysis/1506960528/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-3e44-4d72-a76f-46b802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d" ,
"pattern" : "[file:hashes.SHA1 = '60415999bc82dc9c8f4425f90e41a98d514f76a2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59d4a0da-dc90-4b07-9a85-47ac02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"description" : "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d" ,
"pattern" : "[file:hashes.MD5 = '35a4783a1db27f159d7506a78ca89101']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-04T08:50:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59d4a0da-a858-4517-8dfe-4f5502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-04T08:50:34.000Z" ,
"modified" : "2017-10-04T08:50:34.000Z" ,
"first_observed" : "2017-10-04T08:50:34Z" ,
"last_observed" : "2017-10-04T08:50:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59d4a0da-a858-4517-8dfe-4f5502de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59d4a0da-a858-4517-8dfe-4f5502de0b81" ,
"value" : "https://www.virustotal.com/file/07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d/analysis/1507055418/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}