{
"type": "bundle",
|
|
|
|
"id": "bundle--5c066053-0e94-46eb-9746-4b7d950d210f",
|
|
|
|
"objects": [
|
|
|
|
{
|
|
|
|
"type": "identity",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-05T10:18:49.000Z",
|
|
|
|
"modified": "2018-12-05T10:18:49.000Z",
|
|
|
|
"name": "CIRCL",
|
|
|
|
"identity_class": "organization"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "report",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "report--5c066053-0e94-46eb-9746-4b7d950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-05T10:18:49.000Z",
|
|
|
|
"modified": "2018-12-05T10:18:49.000Z",
|
|
|
|
"name": "MAR-10164494.r1.v1 (SamSam ransomware)",
|
|
|
|
"published": "2018-12-05T10:18:56Z",
|
|
|
|
"object_refs": [
|
|
|
|
"x-misp-object--9b90b222-5a6e-4a68-8980-c85eb5e4e079",
|
|
|
|
"indicator--7f58ce95-cc60-466d-b405-d47226c5f0bf",
|
|
|
|
"indicator--bd1dbb31-d316-4911-b2cb-4e71d16d1dbb",
|
|
|
|
"indicator--a7364364-e48d-4a7c-b3bd-ece622f7f31e",
|
|
|
|
"observed-data--eaf7e1bc-5f82-425b-91b0-c16bb3cf7913",
|
|
|
|
"file--eaf7e1bc-5f82-425b-91b0-c16bb3cf7913",
|
|
|
|
"observed-data--2d2d53cf-43da-42fa-81c2-e10aec13b33a",
|
|
|
|
"file--2d2d53cf-43da-42fa-81c2-e10aec13b33a",
|
|
|
|
"observed-data--a4420cf2-b1ec-4dde-9895-0935df731c95",
|
|
|
|
"file--a4420cf2-b1ec-4dde-9895-0935df731c95",
|
|
|
|
"indicator--5afacb97-2453-4507-84cf-2e4c5d9c3fa4",
|
|
|
|
"indicator--5dd2cbdd-b576-4e07-970f-dc3c40164068",
|
|
|
|
"x-misp-object--855cd93b-6e6c-4827-9cfa-479873ce217a",
|
|
|
|
"x-misp-object--b1432908-95e3-47e7-8ae3-ee66ea5ff4f8",
|
|
|
|
"x-misp-object--d0951bc8-2196-4ad1-94bf-191486da007a",
|
|
|
|
"x-misp-object--46929908-aa81-4a2e-922d-0888eef9c399",
|
|
|
|
"x-misp-object--65e8a61f-cd5e-46b3-8e43-f6ee835fb3ec",
|
|
|
|
"x-misp-object--39cb5a66-0f5f-4e01-a711-6cd8e9f09843",
|
|
|
|
"x-misp-object--1f222148-e8da-40d6-9f6c-6972afbaf41d",
|
|
|
|
"x-misp-object--8b5d0a9d-268b-42fa-8d68-a4df4450d56e"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"Threat-Report",
|
|
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
|
|
"misp-galaxy:malpedia=\"SamSam\"",
|
|
|
|
"misp-galaxy:ransomware=\"Samas-Samsam\""
|
|
|
|
],
|
|
|
|
"object_marking_refs": [
|
|
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--9b90b222-5a6e-4a68-8980-c85eb5e4e079",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:07.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:07.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"original-imported-file\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "attachment",
|
|
|
|
"object_relation": "imported-sample",
|
|
|
|
"value": "MAR-10164494.r1.v1.stix.xml",
|
|
|
|
"category": "External analysis",
|
|
|
|
"uuid": "dc91e612-5d87-475c-aa4d-7e1f490cb62d",
|
|
|
|
"data": "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
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "text",
|
|
|
|
"object_relation": "format",
|
|
|
|
"value": "STIX 1.1.1",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "82d92392-8ee1-4db9-857c-89cb1cf93a54"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "original-imported-file"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--7f58ce95-cc60-466d-b405-d47226c5f0bf",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:08.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:08.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '76bd79f774ae892fd6a30b6463050a91' AND file:hashes.SHA1 = '4d7a60bd1fb3677a553f26d95430c107c8485129' AND file:hashes.SHA256 = '9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2018-12-04T11:09:08Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "file"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"file\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--bd1dbb31-d316-4911-b2cb-4e71d16d1dbb",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:10.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:10.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'b96620d8a08fa436ea22ef480dd883ce' AND file:hashes.SHA1 = 'a1ab74d2f06a542e77ea2c6d641aae4ed163a2da' AND file:hashes.SHA256 = '738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2018-12-04T11:09:10Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "file"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"file\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--a7364364-e48d-4a7c-b3bd-ece622f7f31e",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:11.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:11.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '02c19bbf8e19bb69fc7870ec872d355e' AND file:hashes.SHA1 = 'cc76586ef94122329e825c78aad2ecb9ac064343' AND file:hashes.SHA256 = 'bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2018-12-04T11:09:11Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "file"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"file\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--eaf7e1bc-5f82-425b-91b0-c16bb3cf7913",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:15.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:15.000Z",
|
|
|
|
"first_observed": "2018-12-04T11:09:15Z",
|
|
|
|
"last_observed": "2018-12-04T11:09:15Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"file--eaf7e1bc-5f82-425b-91b0-c16bb3cf7913"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"file\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"False\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "file",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "file--eaf7e1bc-5f82-425b-91b0-c16bb3cf7913",
|
|
|
|
"hashes": {
|
|
|
|
"MD5": "76bd79f774ae892fd6a30b6463050a91",
|
|
|
|
"SHA-1": "4d7a60bd1fb3677a553f26d95430c107c8485129",
|
|
|
|
"SHA-256": "9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12",
|
|
|
|
"SHA-512": "67e0046db0b565a1ac1862bbd536016c3ea984f8fceadaa31b4c99e7a8b434b170d5badbb10c2c25e264b17bbf2f97576f252e7ef74279b3b845b1553cef9829",
|
|
|
|
"SSDEEP": "48:6DhamfhRd4tvDo4Xbgj/aarU3LT88VMM8UX8i02+KfANbU7gjBRd1trWO8lGO+3L:m+5DoAbgfU88Spi0oANbsgjMPYp3XII"
|
|
|
|
},
|
|
|
|
"size": 5120,
|
|
|
|
"name": "ClassLibrary1.dll",
|
|
|
|
"x_misp_entropy": "4.004964",
|
|
|
|
"x_misp_mimetype": "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--2d2d53cf-43da-42fa-81c2-e10aec13b33a",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:19.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:19.000Z",
|
|
|
|
"first_observed": "2018-12-04T11:09:19Z",
|
|
|
|
"last_observed": "2018-12-04T11:09:19Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"file--2d2d53cf-43da-42fa-81c2-e10aec13b33a"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"file\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"False\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "file",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "file--2d2d53cf-43da-42fa-81c2-e10aec13b33a",
|
|
|
|
"hashes": {
|
|
|
|
"MD5": "b96620d8a08fa436ea22ef480dd883ce",
|
|
|
|
"SHA-1": "a1ab74d2f06a542e77ea2c6d641aae4ed163a2da",
|
|
|
|
"SHA-256": "738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86",
|
|
|
|
"SHA-512": "2a9f4ebb025c8e7b4e074d301477656ffad66318da5ea35ddc8363c17f4bdbf501778539133261adbb9f441066a1e2b79240306ad1877f5ef17009c8f05ff4a6",
|
|
|
|
"SSDEEP": "48:6ZMMEikGAgS7zfMFmZUX7OLbqMMou6ZVqsPIUlf41cjGPRMfNFrbvZiJY527qnfF:/ikGAgS7b0807M+And6c6mBiJYPezNt"
|
|
|
|
},
|
|
|
|
"size": 6144,
|
|
|
|
"name": "mswinupdate.exe",
|
|
|
|
"x_misp_entropy": "4.238961",
|
|
|
|
"x_misp_mimetype": "PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--a4420cf2-b1ec-4dde-9895-0935df731c95",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:22.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:22.000Z",
|
|
|
|
"first_observed": "2018-12-04T11:09:22Z",
|
|
|
|
"last_observed": "2018-12-04T11:09:22Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"file--a4420cf2-b1ec-4dde-9895-0935df731c95"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"file\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"False\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "file",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "file--a4420cf2-b1ec-4dde-9895-0935df731c95",
|
|
|
|
"hashes": {
|
|
|
|
"MD5": "02c19bbf8e19bb69fc7870ec872d355e",
|
|
|
|
"SHA-1": "cc76586ef94122329e825c78aad2ecb9ac064343",
|
|
|
|
"SHA-256": "bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58",
|
|
|
|
"SHA-512": "283681b5b8e78440bf474c8e50504e6e82f25bd3f6240d5e70600e43fc9fd609a78ee7b837c9b68aa25ed13f2ee735f360a18e614ded15e11bb62043cd028c99",
|
|
|
|
"SSDEEP": "6:JF1ZzA+QragXsoNLYjClAVyXHI+CIwZALICLA9XEUXR/JgW:L1J4aSJF+dyXo+Bb0LEUhyW"
|
|
|
|
},
|
|
|
|
"size": 276,
|
|
|
|
"name": "g04inst.bat",
|
|
|
|
"x_misp_entropy": "4.962735",
|
|
|
|
"x_misp_mimetype": "ASCII text, with CRLF line terminators"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5afacb97-2453-4507-84cf-2e4c5d9c3fa4",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:15.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:15.000Z",
|
|
|
|
"pattern": "[file:extensions.'windows-pebinary-ext'.number_of_sections = '4' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'ClassLibrary1.dll' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'ClassLibrary1.dll']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2018-12-04T11:09:15Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "file"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5dd2cbdd-b576-4e07-970f-dc3c40164068",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:19.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:19.000Z",
|
|
|
|
"pattern": "[file:extensions.'windows-pebinary-ext'.number_of_sections = '4' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'mswinupdate.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'mswinupdate.exe']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2018-12-04T11:09:19Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "file"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe\"",
|
|
|
|
"misp:meta-category=\"file\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--855cd93b-6e6c-4827-9cfa-479873ce217a",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:13.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:13.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe-section\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "float",
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"value": "2.54792",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "faaecaa5-c3d4-4437-b4d0-77a0f471c147"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "md5",
|
|
|
|
"object_relation": "md5",
|
|
|
|
"value": "34943f18fd2a99cc3f5cabe43b4765f8",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"to_ids": true,
|
|
|
|
"uuid": "975863e8-6eac-4f53-9857-30ce88281312"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"value": "512",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "fbd9f037-6344-455d-aa3a-a1c827c2cb91"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "pe-section"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--b1432908-95e3-47e7-8ae3-ee66ea5ff4f8",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:13.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:13.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe-section\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "md5",
|
|
|
|
"object_relation": "md5",
|
|
|
|
"value": "06219fe6e30e15dce12688ca2b434890",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"to_ids": true,
|
|
|
|
"uuid": "2534ce8b-44fc-4021-a4f7-36bce8a11484"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "float",
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"value": "4.85667",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "814011e2-3808-4228-a2d2-49db8e211c59"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "text",
|
|
|
|
"object_relation": "name",
|
|
|
|
"value": ".text",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "e574c16b-d9a0-442a-b61b-67631517cc75"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"value": "3072",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "b996c7bf-9c1f-47d9-9798-cee99cd331a3"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "pe-section"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--d0951bc8-2196-4ad1-94bf-191486da007a",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:14.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:14.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe-section\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "md5",
|
|
|
|
"object_relation": "md5",
|
|
|
|
"value": "11b58fc9ac45168b871cc50399b7c86c",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"to_ids": true,
|
|
|
|
"uuid": "81809d10-f2c2-4db2-9434-f02ee1062389"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "float",
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"value": "2.888335",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "6410600b-0dc3-48de-a5de-3894cb33d76b"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "text",
|
|
|
|
"object_relation": "name",
|
|
|
|
"value": ".rsrc",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "6de6fcae-866a-42ec-a084-e824075d8f31"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"value": "1024",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "d606f2f8-d8e4-4591-9681-237e5324c42a"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "pe-section"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--46929908-aa81-4a2e-922d-0888eef9c399",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:14.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:14.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe-section\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "md5",
|
|
|
|
"object_relation": "md5",
|
|
|
|
"value": "ec45a535f38fb6dc4ac4ed7cbf63b754",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"to_ids": true,
|
|
|
|
"uuid": "4bbd64ab-476e-47a1-9e48-70c23aa90b39"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "float",
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"value": "0.081539",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "1fa3c44f-75b9-4330-9d55-5eeac9047851"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "text",
|
|
|
|
"object_relation": "name",
|
|
|
|
"value": ".reloc",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "b8aac6e6-7e01-4af7-9063-a93ff88b2f5b"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"value": "512",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "d1b2d7c2-d9c0-4d80-b591-e71de543928f"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "pe-section"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--65e8a61f-cd5e-46b3-8e43-f6ee835fb3ec",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:17.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:17.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe-section\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "float",
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"value": "2.538579",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "c5911227-4c80-4705-bd3b-67f3d1aaa83f"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "md5",
|
|
|
|
"object_relation": "md5",
|
|
|
|
"value": "7f1dc4bd716bc037dea251c4dff12cdd",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"to_ids": true,
|
|
|
|
"uuid": "ad11b1f4-d965-4ef2-b1bc-96c42475805f"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"value": "512",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "e0326762-3601-4967-8d7f-f2365dc3f7a2"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "pe-section"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--39cb5a66-0f5f-4e01-a711-6cd8e9f09843",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:18.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:18.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe-section\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "md5",
|
|
|
|
"object_relation": "md5",
|
|
|
|
"value": "c8076584486a2745281e4945da9b8b13",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"to_ids": true,
|
|
|
|
"uuid": "406d93ff-2c26-426f-870b-d3d8992ea4d1"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "float",
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"value": "4.946272",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "ae1e0206-92ae-4dc1-93a6-9d51d9472ccd"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "text",
|
|
|
|
"object_relation": "name",
|
|
|
|
"value": ".text",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "01404fa1-ba6f-4563-bc08-14152d211892"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"value": "3072",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "05362ad8-db47-410a-9224-ede9e9f8848c"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "pe-section"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--1f222148-e8da-40d6-9f6c-6972afbaf41d",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:18.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:18.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe-section\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "md5",
|
|
|
|
"object_relation": "md5",
|
|
|
|
"value": "1efe88aa4756d059ec1d3b49e342de5d",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"to_ids": true,
|
|
|
|
"uuid": "3f0fa297-a812-449f-87d7-ef05305e47f8"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "float",
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"value": "3.917395",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "6c5b147b-6a38-4d37-9268-7b7cd55f66bc"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "text",
|
|
|
|
"object_relation": "name",
|
|
|
|
"value": ".rsrc",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "4f2e09db-03f3-4b74-8d54-a71c90aa96ac"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"value": "2048",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "ea0281d0-cc3b-4aef-a90a-12b4b6e67942"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "pe-section"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-object",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-object--8b5d0a9d-268b-42fa-8d68-a4df4450d56e",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2018-12-04T11:09:19.000Z",
|
|
|
|
"modified": "2018-12-04T11:09:19.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:name=\"pe-section\"",
|
|
|
|
"misp:meta-category=\"file\""
|
|
|
|
],
|
|
|
|
"x_misp_attributes": [
|
|
|
|
{
|
|
|
|
"type": "md5",
|
|
|
|
"object_relation": "md5",
|
|
|
|
"value": "7048daac38c935b38e086adcd8035d2a",
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"to_ids": true,
|
|
|
|
"uuid": "484bf645-2a7e-4663-b740-117f1528e0d5"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "float",
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"value": "0.081539",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "e26f47c7-57ba-4fcb-aa9c-acbd5db5beb8"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "text",
|
|
|
|
"object_relation": "name",
|
|
|
|
"value": ".reloc",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "ff47d3a8-a634-403a-b35b-9d2743afaced"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"value": "512",
|
|
|
|
"category": "Other",
|
|
|
|
"uuid": "01ce6561-f841-4a07-a3ef-eb64593ae9bc"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"x_misp_meta_category": "file",
|
|
|
|
"x_misp_name": "pe-section"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "marking-definition",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
|
|
"definition_type": "tlp",
|
|
|
|
"name": "TLP:WHITE",
|
|
|
|
"definition": {
|
|
|
|
"tlp": "white"
|
|
|
|
}
|
|
|
|
}
]
|
|
|
|
}
|