{
"type" : "bundle" ,
"id" : "bundle--5c706a30-8ad4-4fcc-9e17-4d3d02de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-24T14:45:36.000Z" ,
"modified" : "2019-02-24T14:45:36.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5c706a30-8ad4-4fcc-9e17-4d3d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-24T14:45:36.000Z" ,
"modified" : "2019-02-24T14:45:36.000Z" ,
"name" : "OSINT - New BabyShark Malware Targets U.S. National Security Think Tanks" ,
"published" : "2019-02-24T14:45:43Z" ,
"object_refs" : [
"observed-data--5c706a3f-bfc4-43aa-8158-4ba702de0b81" ,
"url--5c706a3f-bfc4-43aa-8158-4ba702de0b81" ,
"x-misp-attribute--5c706a50-24a0-41c5-abcc-4a8c02de0b81" ,
"indicator--5c706a6a-e8dc-4bdd-b4a6-455002de0b81" ,
"indicator--5c706aa9-6d34-4e8e-9eee-4baf02de0b81" ,
"indicator--5c706aa9-5228-42ab-9124-429e02de0b81" ,
"indicator--5c706aa9-c114-48bf-ad10-414e02de0b81" ,
"indicator--5c706aa9-633c-4553-a6d5-4f6002de0b81" ,
"indicator--5c706aaa-033c-4199-abb5-47d502de0b81" ,
"indicator--5c706aaa-e2bc-4506-85f2-4af102de0b81" ,
"indicator--5c706aaa-65e8-447c-bc54-46a502de0b81" ,
"indicator--5c706aaa-4ca8-4489-bbde-4c2f02de0b81" ,
"indicator--5c706aaa-090c-47e7-b8ca-4c8f02de0b81" ,
"indicator--5c706ada-4610-4c99-a616-416a02de0b81" ,
"indicator--5c706b8e-91f8-4722-ac8b-4aff02de0b81" ,
"indicator--5c706b8e-f1a4-404c-9a5d-41a902de0b81" ,
"indicator--5c706b8e-e198-4d15-a8d6-4f9702de0b81" ,
"indicator--5c706b8e-f3ec-4eb9-9829-4f3f02de0b81" ,
"observed-data--5c706dae-90f4-4374-b312-489102de0b81" ,
"file--5c706dae-90f4-4374-b312-489102de0b81" ,
"artifact--5c706dae-90f4-4374-b312-489102de0b81" ,
"indicator--5c72ae10-aa9c-4068-853b-4b4602de0b81" ,
"indicator--1db36cab-7b13-4758-b16a-9e9862d0973e" ,
"x-misp-object--aea77d6f-2193-40e9-82c5-59726e0dfd2d" ,
"indicator--3b8f6a45-0b7f-4bea-ad61-0369f01cc306" ,
"x-misp-object--7ba926a9-161b-4412-99ff-cee104b6a329" ,
"indicator--8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a" ,
"x-misp-object--5de67962-66f3-48c8-b33f-734e4b8dc989" ,
"indicator--89e0ad73-a186-4959-b978-2311ee49e4af" ,
"x-misp-object--99e0b99b-e1cf-4451-8eec-972978c821d8" ,
"indicator--4dbf697b-11ce-447f-85c6-cd02a2365a7f" ,
"x-misp-object--1d288045-6e66-43a6-94b7-600044369fa7" ,
"indicator--6860e975-938c-413d-b144-74cde72c25dc" ,
"x-misp-object--ee3df33a-a5df-4f0a-887d-9fe0aba2d90a" ,
"indicator--df5dd372-ecd6-4595-ab34-45bff1decb63" ,
"x-misp-object--f2146c3b-d6f7-471c-bb4a-2b831e2849f6" ,
"indicator--3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc" ,
"x-misp-object--a6c1afed-624f-4d81-b96a-4ff02a693e66" ,
"indicator--fd57be37-61cc-4452-85b5-518d55586335" ,
"x-misp-object--e59804a1-c4d9-4228-93bb-1a1f626c25ef" ,
"indicator--56b391e4-f005-4caa-ae12-a90db6664ebd" ,
"x-misp-object--fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d" ,
"relationship--d8385e74-e4c4-4adf-873a-2db1afeabf4d" ,
"relationship--b0a5e13b-af4c-4477-ba10-14bac1ea11f7" ,
"relationship--b5f1d49a-e9ee-4dcc-8654-b79b0978febc" ,
"relationship--2c8848f4-82a4-4b2e-b64c-9e0634e508dc" ,
"relationship--a336f312-dca8-416a-9d85-2826b1f79ff2" ,
"relationship--b5d44059-7665-4a64-8c52-cc25a675d884" ,
"relationship--e0beefea-df08-458d-ae9a-e7f0abffb789" ,
"relationship--80a28785-4b35-48ba-bda5-c80013543d2f" ,
"relationship--cde4f120-4b64-47bb-a9a7-7a9b78be69fd" ,
"relationship--5d29899a-04e1-4101-85a4-1e2235bbcca5"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"misp-galaxy:mitre-attack-pattern=\"Stolen Developer Credentials or Signing Keys - T1441\"" ,
"misp-galaxy:tool=\"BabyShark\"" ,
"misp-galaxy:threat-actor=\"STOLEN PENCIL\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c706a3f-bfc4-43aa-8158-4ba702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:31:43.000Z" ,
"modified" : "2019-02-22T21:31:43.000Z" ,
"first_observed" : "2019-02-22T21:31:43Z" ,
"last_observed" : "2019-02-22T21:31:43Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5c706a3f-bfc4-43aa-8158-4ba702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5c706a3f-bfc4-43aa-8158-4ba702de0b81" ,
"value" : "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5c706a50-24a0-41c5-abcc-4a8c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:32:00.000Z" ,
"modified" : "2019-02-22T21:32:00.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert\u2019s name and had a subject referencing North Korea\u2019s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing \u201cBabyShark\u201d.\r\n\r\nBabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator. Figure 1, below, shows the flow of execution."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706a6a-e8dc-4bdd-b4a6-455002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:32:26.000Z" ,
"modified" : "2019-02-22T21:32:26.000Z" ,
"pattern" : "[url:value = 'https://tdalpacafarm.com/files/kr/contents/Vkggy0.hta']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:32:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aa9-6d34-4e8e-9eee-4baf02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:29.000Z" ,
"modified" : "2019-02-22T21:33:29.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = '7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aa9-5228-42ab-9124-429e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:29.000Z" ,
"modified" : "2019-02-22T21:33:29.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = '9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aa9-c114-48bf-ad10-414e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:29.000Z" ,
"modified" : "2019-02-22T21:33:29.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = '2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aa9-633c-4553-a6d5-4f6002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:29.000Z" ,
"modified" : "2019-02-22T21:33:29.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = '66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aaa-033c-4199-abb5-47d502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:29.000Z" ,
"modified" : "2019-02-22T21:33:29.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = '8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aaa-e2bc-4506-85f2-4af102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:30.000Z" ,
"modified" : "2019-02-22T21:33:30.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = '331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aaa-65e8-447c-bc54-46a502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:30.000Z" ,
"modified" : "2019-02-22T21:33:30.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = '1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aaa-4ca8-4489-bbde-4c2f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:30.000Z" ,
"modified" : "2019-02-22T21:33:30.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = 'dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706aaa-090c-47e7-b8ca-4c8f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:30.000Z" ,
"modified" : "2019-02-22T21:33:30.000Z" ,
"description" : "Malicious Documents" ,
"pattern" : "[file:hashes.SHA256 = '94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706ada-4610-4c99-a616-416a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:34:18.000Z" ,
"modified" : "2019-02-22T21:34:18.000Z" ,
"description" : "PE version loader, signed with stolen certificate:" ,
"pattern" : "[file:hashes.SHA256 = '6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:34:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706b8e-91f8-4722-ac8b-4aff02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:37:18.000Z" ,
"modified" : "2019-02-22T21:37:18.000Z" ,
"description" : "Decoy Filename" ,
"pattern" : "[file:name = 'Kendall-AFA 2014 Conference-17Sept14.pdf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:37:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706b8e-f1a4-404c-9a5d-41a902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:37:18.000Z" ,
"modified" : "2019-02-22T21:37:18.000Z" ,
"description" : "Decoy Filename" ,
"pattern" : "[file:name = 'U.S. Nuclear Deterrence.pdf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:37:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706b8e-e198-4d15-a8d6-4f9702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:37:18.000Z" ,
"modified" : "2019-02-22T21:37:18.000Z" ,
"description" : "Decoy Filename" ,
"pattern" : "[file:name = '\u00ec\u00a0\u015330\u00ec\u00b0\u00a8\u00ed\u2022\u0153\u00eb\u00af\u00b8\u00ec\u2022\u02c6\u00eb\u00b3\u00b4 \u00ec\u2022\u02c6\u00eb\u201a\u00b4\u00ec\u017e\u00a5 ENKO.fdp.etadpU.scr (translates to 30th Korea-U.S. National Security Invitation Update)']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:37:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c706b8e-f3ec-4eb9-9829-4f3f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:37:18.000Z" ,
"modified" : "2019-02-22T21:37:18.000Z" ,
"description" : "Decoy Filename" ,
"pattern" : "[file:name = 'Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:37:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5c706dae-90f4-4374-b312-489102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:46:22.000Z" ,
"modified" : "2019-02-22T21:46:22.000Z" ,
"first_observed" : "2019-02-22T21:46:22Z" ,
"last_observed" : "2019-02-22T21:46:22Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5c706dae-90f4-4374-b312-489102de0b81" ,
"artifact--5c706dae-90f4-4374-b312-489102de0b81"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5c706dae-90f4-4374-b312-489102de0b81" ,
"name" : "Figure-1-BabyShark-execution-flow.png" ,
"content_ref" : "artifact--5c706dae-90f4-4374-b312-489102de0b81"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5c706dae-90f4-4374-b312-489102de0b81" ,
"payload_bin" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B c 4 A A A O K C A Y A A A H V b v P 3 A A A A A X N S R 0 I A r s 4 c 6 Q A A A A R n Q U 1 B A A C x j w v 8 Y Q U A A A A J c E h Z c w A A I d U A A C H V A Q S c t J 0 A A P + l S U R B V H h e 7 N 0 H u B N F + z b w v y i 9 S Z E i v V l A F C w g K I I F R V E U C / a G U h R R w N 4 V u 4 I N s I E V R P E V E Q U U p K i o F E E Q a U p H k N 6 R j v t 993 P m y Z n s 2 b R z k p x N c v + u a 67 d m S 3 Z J J v J k 83 s z P 85 R B m A J z p l B J 7 o l B F 4 o l N G 4 I l O G Y E n O m U E n u i U E X i i U 0 b g i U 4 Z I e S J X r 169 Z C J I v u //2Md4ich3w28UZ07d3Y6deoUlFDONzEyvEbly5d3ChcubEooP4U90b2gvEKFCjzZI9DXZ+/evXytfCBXJzpUqlQpI99APOdonre9TsuWLZ0DBw6YXGTYFt8G4YQ7hilTppg5x/nvv/+cefPmmVzu6ePNmTNH5gsWLBj2GPwm5JGGehIod6dME83zdi+P5XXCuvXr15d5nKheevbsKdMNGzbIFHbt2iXb4kTXx5swYYJMYd++fWbOcQ4ePCjT/fv3y1TzvXv3dr7//nvnr7/+crp06RLYj+5X51NNyCOO9smk4pMOJ5rn0759ezkx3OuWK1dOypAeffRRU5oFJ+ztt98eWI60ceNGszQYlsGAAQNkavvss8/MXLYdO3bIdNasWTK1T/SJEyfKNFoNGzY0c8F0f4D5X375RV6Dl156yZT6W8h31X5i4URaD8tTMUWi60S7fijYdvfu3SYXWV4eK1qo5ZPxOMkU8tnoE61SpYrMeyXQaSjubVIphaPLBw4cKNO8qFatmpmjRAn5buobWa9ePadYsWKeCaI5IVIxhWOv9/nnn0dcX9nb6TbRbkt5E/JVjvYNSLc3Kprn89Zbb5m5bNju77//NrnQ9BsAP/h4kidPxBO9RYsWUqt7JeCblfUa6OuAacmSJWXe/cNx586dQetS8kQ80atWrRp4c9wJdEo5Pfjgg2aOr1N+i3iiR8I3MDRWBv4R9kTHnxGREt9Eb3hdNFH+C3uiR5uI/I5nKWUEnuiUEXiiU0YIeaLjh2asDjvsMDPnOOPHj3cWL15scuFpnI9t4gH7mzFjhvPqq6+aEsp0nie6/r2Plm84aXDS23fK6ImJ6erVqwPzJUqUcCZPnizzOGkvueSSwLp33nmnzF944YUyLVq0qJRjXtc59NBDpXmq5tHmeevWrYH1Mf3nn39kmf4pA/Y+APM1a9Z0XnvtNZnHn15afv7558v8tm3bnOLFi8s82vPAcccdJ1NKP9lnh0VPGtw6B17NSdu0aWPmsunJCDjRL7vsMplH2ZFHHinz7dq1k6lNtylUqJDMjx49WvIrV66UDx3KNNm6du0qUy23WwHWqVNHTnSbrvf0008727dvl3nbuHHjzFze9O/fP5DIH4LPnAwxaNAgzxM9XkJ9MCn/8J1IAJ7o/pOrd2LUqFFmLvn69u1r5uJPbyfLK57o/hP2nfj333+dPn36yHyDBg2cM844Q+Zxy9jzzz8vt1HpPY3oGQCee+455+yzz3bmz5/vrF+/Xsp0CvrmlypVSqbqm2++kel3330n01NPPdXp1auXrH/ttdcG+pMZOnSoTAEhCITap5v+6MQJ/fjjjwd+YMf7hMT+NJE/eL4T5513nkxxor
/77rtyNQQnur55ONHvuOOOHDUglnXr1i3QhFd/xOqJ/sMPP8gUN/F6wQ9VXKLEfq655hrnqquuMktycp9E+IHpxV5P5ytWrCgfntNPP13y8YbH0UT+EPU7sWLFCmfmzJlyfRrXx7ds2RJ0V7nehLtnzx5n3bp1ztq1ayUPS5cuNXOO88Ybb8h05MiRMv3iiy9kCthu7ty5Mo8bfO1r+WPHjpUpruysWbNG5pVe3dB9hmJ/MO2bJLxupMgLnuj+w3ciAXii+0++vBPx+tHnVzzR/SfsO4EYHbTfEDeU46TVcANhjS3aO+TRixX+qUT3bW7awxVCJ/j9999lqvCnEkS6Lo57NAHhVyLZJzlPdv/wfBf0zdETHTp06JDjzStSpIjz/vvvO8uWLZO8/qUOWAcnunsbm7vcaz2v7SKpXbu23AIIus/p06dL3paobxZ9zNwcOyVG2HcClw7xZmnbF/wAPeSQQ2QePTrhR+Dy5csljx+f+sZedNFFMv3ggw+cSy+9VC5Lut90fCg++eQTuQKCXq2wHGVDhgwJdMeGMt3Ovb3yKsdVnxo1aphc9jr41gi1n3hL1uNQdPhuUEbgiU4ZIeyJ3qhRIzMXmv4zan9Vh/ra/umnn8xcsGi/5u1r87nFkCIzeb7rdvNSnBh6crhPksGDBwd+0GGZtj9HQpz+8MMP59gGtMx9BcWG3wJNmzYNxO+AP5RCwfqtWrUyOccZM2aMmXOcl19+2cxlrUeZJ+dZaMFJgZMM7bwxtU9abVeiZfYUCe1IcOME/tLXfzi1/25N2s0y9lW6dGnn1ltvlfXQ3EDpjRpLliyRE/3nn3+W8saNG0s56LRt27YyhZNPPlmmuAFDHwP/0Oq6lFmS+q7r3+4ffvihTImShdUbZQSe6AmCEAktJMkfeKIniPv3A+UvvgsJYp/gPNnzH9+BGOGkjebEda+Du65i8eKLLzqzZ882udhhyEV32yPbE088IW38Qz2XSHdraWO6VMETPRdwcuCuK9xlFYr7BEIel0ijhfVxRxbaCek4UoAWoujmQ/OhhmfEcpzMOq/rv/POO87mzZtlHo3ytNzNPtFxswzWw0AGgFarw4cPlz58UoX3s6SI0GcNrv1rXzKHH3544ISKNPhWs2bNAuuGgsZt2DduKdT/DNAaFJ1E6bZ6H60X/c/CXl+HSjziiCPkeHXIey840fW/CNzHi/V0tLrTTjuNJ3qm0BME01hqarcCBQqEPNkofvgK5xJOTq3p8qJfv37OokWLTI4ShSd6LuDkRtK2+NGe7LqdJrQTinZbyhu+yrmkJ6jeXaXtgqKFdRPV3QblxBM9j3DCIqGDVDuP1Lp1aykD9I+j5UcddZQppWThiZ4L9smMFErlypXNXNY2lH/46ueCfYKHO4GjWYeSg+9ALuiJrsmLLtM+JSl/8USnjMATnTICT3TKCDzRKSPwRKeMwBOdMgJPdMoIPNETBG29NSVauI6dKAtP9AQJ9YeSV1koEyZMkCkGI65Vq5Y0573xxhtlOBx0DPXbb7/J2E0YBgd0v9HuP5PwFUkQPaHtky7aE/DLL7+UqZ7ouCMIt9BNnTrV+fHHH6UMUI4uNTACIPY9bdo0Z+HChWYp2XiiJ0heTvTcCjUyCfFET5hQJ7pXOSUeX+0E8TqhMY/hKd3llHh8tRNET2b7hLbL7PJQEKPrAGaPPPJIYBzVOXPmBLq50G6we/ToIVNAlxZw1113yRR69uwp07vvvlumbr1795ZRudHacsSIEaY0m44Vq+PEphqe6AkSywntptvgRK9UqZJTpkwZOdHRFTf6YsGVF/w4xXp6ons9jpbZg5KhTGN5+4etvT3m0W/N6tWrZV6XpXLf8jlfHYoLPUH0JMkN+woK+lFp0qSJDLaAka5xY7Y98IFdoyu9ZQ8nuo7Sp8PXQ5cuXcycE1iOTo/wGPgwbN26VTpQgo8++kimqYonegLYJ3leT3aKD74DCcKT3F/4LiQQT3L/4DtBGY
EnOmUEnuhpQruWDpUyHV+BNIETPRSe7DzR0wZP9PB4oqcJPdG9Tmqe6DzR00Yya3TdXzTJL3iiJxDeaB0vKNGSfaKjyYDuE9N///038Dh28mK3mdFmCJdeeqlMYfz48TLVZgdoxKbdc2PImtzgiZ5AeKPDjfwWT+4TXU80jE6n8/Gi+4smeRk1apSZyxofSb322ms5tsM87onVcjRoyw2e6AnkfsMSKZk1Olo26j4jpVDKly8vrTKRAN989evXl3mM66S05SWe39y5c517771X8rHiiZ4Lkd5EZa9jtxpMFD0ur/Tee++ZtcLDjSGRYH86wgeaEmP6ySefBB7LTn7BEz2Xonkj7QFtAesj3oxFsk8WPJ7e7BGKPvdokl/wRM+lunX
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c72ae10-aa9c-4068-853b-4b4602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-24T14:45:36.000Z" ,
"modified" : "2019-02-24T14:45:36.000Z" ,
"pattern" : "[import \"pe\"\r\n\r\nrule MAL_PE_Type_BabyShark_Loader {\r\n meta:\r\n description = \"Detects PE Type babyShark loader mentioned in February 2019 blog post by PaloAltNetworks\"\r\n author = \"Florian Roth\"\r\n reference = \"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\"\r\n date = \"2019-02-24\"\r\n hash1 = \"6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c\"\r\n strings:\r\n $x1 = \"reg add \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Command Processor\\\" /v AutoRun /t REG_SZ /d \\\"%s\\\" /f\" fullword ascii\r\n $x2 = /mshta\\.exe http:\\/\\/[a-z0-9\\.\\/]{5,30}\\.hta/\r\n\r\n $xc1 = { 57 69 6E 45 78 65 63 00 6B 65 72 6E 65 6C 33 32\r\n 2E 44 4C 4C 00 00 00 00 } /* WinExec kernel32.DLL */\r\n condition:\r\n uint16(0) == 0x5a4d and (\r\n pe.imphash() == \"57b6d88707d9cd1c87169076c24f962e\" or\r\n 1 of them or\r\n for any i in (0 .. pe.number_of_signatures) : (\r\n pe.signatures[i].issuer contains \"thawte SHA256 Code Signing CA\" and\r\n pe.signatures[i].serial == \"0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d\"\r\n )\r\n )\r\n}]" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-24T14:45:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"yara\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--1db36cab-7b13-4758-b16a-9e9862d0973e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:48.000Z" ,
"modified" : "2019-02-22T21:33:48.000Z" ,
"pattern" : "[file:hashes.MD5 = '404ab5a93767a986b47c9fec33eb8be9' AND file:hashes.SHA1 = '0a631b0072cee1e20854b187276a0ba560d6d4f8' AND file:hashes.SHA256 = '94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--aea77d6f-2193-40e9-82c5-59726e0dfd2d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:48.000Z" ,
"modified" : "2019-02-22T21:33:48.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:12:18" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "4eb49e21-42c9-4653-93da-600ca773ffa9"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0/analysis/1550866338/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "0a0bda5b-9761-44e3-a0da-c365c6fbab76"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "25/60" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "6fa3c325-b92c-41bd-8ab3-283272c6b440"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3b8f6a45-0b7f-4bea-ad61-0369f01cc306" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:48.000Z" ,
"modified" : "2019-02-22T21:33:48.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd40c20a77371309045f5123af76637b2' AND file:hashes.SHA1 = 'd1207b7b846b80418b459e9d03e1b5afbd3e97a7' AND file:hashes.SHA256 = '66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--7ba926a9-161b-4412-99ff-cee104b6a329" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:48.000Z" ,
"modified" : "2019-02-22T21:33:48.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:07:15" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "6e483df8-fa53-4b98-b6da-100b79de2663"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2/analysis/1550866035/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "ce797b8c-fa71-4267-a4ee-94eb6e873e88"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "20/60" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "86a138ea-5eba-4594-a3fb-e8af55be9dbe"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:48.000Z" ,
"modified" : "2019-02-22T21:33:48.000Z" ,
"pattern" : "[file:hashes.MD5 = '093ecb712d438ab01b3f07718428dcc7' AND file:hashes.SHA1 = '89b9b7f2c3eb275eabe78c04a30dc09281a201e6' AND file:hashes.SHA256 = '7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5de67962-66f3-48c8-b33f-734e4b8dc989" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:48.000Z" ,
"modified" : "2019-02-22T21:33:48.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:03:13" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "0bd77c93-27ad-47e8-bd9d-c38732323fd5"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa/analysis/1550865793/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "155a8b3c-e603-4283-91b2-1a6258b93bf8"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "22/60" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "162fe627-abe9-4abb-8095-c39dee340f84"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--89e0ad73-a186-4959-b978-2311ee49e4af" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"pattern" : "[file:hashes.MD5 = '711eb1d89764d45f4ff2622143f744c2' AND file:hashes.SHA1 = '548b64c0f904733dd5433f6f3878487eeda54fa1' AND file:hashes.SHA256 = '1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--99e0b99b-e1cf-4451-8eec-972978c821d8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-11-27T12:07:50" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "f2a9431e-464e-4ae7-a53f-e24685f03b82"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0/analysis/1543320470/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "2ce90e53-a834-4ac6-9db6-6213d7629ccc"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "22/60" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "99bd1115-adc9-42b0-9500-878f593f001c"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4dbf697b-11ce-447f-85c6-cd02a2365a7f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"pattern" : "[file:hashes.MD5 = '6b116d471a787eb520869ed5c6965fa8' AND file:hashes.SHA1 = 'ec4bd72fcb440f47912d06c75a9d56ad86953f70' AND file:hashes.SHA256 = 'dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--1d288045-6e66-43a6-94b7-600044369fa7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:11:49" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "2ca3b301-e08c-4cfa-b005-90ff52d13af0"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a/analysis/1550866309/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "1082dea9-353d-4932-a02c-3f87fe6c059a"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "22/58" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "9675abe7-0743-435a-881d-bfd772c55225"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6860e975-938c-413d-b144-74cde72c25dc" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"pattern" : "[file:hashes.MD5 = '1f1f44a01d5784028302d6ad5e7133aa' AND file:hashes.SHA1 = 'cb1125d5a57a529bf88bf590c0cb675f37261839' AND file:hashes.SHA256 = '2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--ee3df33a-a5df-4f0a-887d-9fe0aba2d90a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:04:58" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "03562590-3096-4587-b05d-11a6e257b5d9"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e/analysis/1550865898/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "bf0ca902-1a55-4640-a8d9-41f0e0f7a29d"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "21/55" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "68ed8acc-bb3c-4654-b65b-c25b8a3c37cd"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--df5dd372-ecd6-4595-ab34-45bff1decb63" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"pattern" : "[file:hashes.MD5 = '76e71cf45e99d03a92c8271998a1caee' AND file:hashes.SHA1 = '818bfc1fdb8126b58835e77f13afa9435e883919' AND file:hashes.SHA256 = '331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--f2146c3b-d6f7-471c-bb4a-2b831e2849f6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:10:06" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "b1e2fbea-a39d-41ce-a748-bc257b01aa2b"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7/analysis/1550866206/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "9c2da65e-0e42-454e-9b9f-0daafbb29344"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "9/61" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "3e79140e-f74f-4b0b-8e17-496f1058e477"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"pattern" : "[file:hashes.MD5 = '1a6f9190e7c53cd4e9ca4532547131af' AND file:hashes.SHA1 = '88708e9562a8c4ee4601b3990a664bc63b378753' AND file:hashes.SHA256 = '9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--a6c1afed-624f-4d81-b96a-4ff02a693e66" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:49.000Z" ,
"modified" : "2019-02-22T21:33:49.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:03:34" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "741b8b1f-d387-4dff-9809-a2a5cc0e76f8"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8/analysis/1550865814/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "b55b0030-557e-4368-9429-5e431a631b7e"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "22/60" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "0f619020-6f30-4b40-a3c0-9f13b13fc9b3"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--fd57be37-61cc-4452-85b5-518d55586335" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"pattern" : "[file:hashes.MD5 = '056b178bbeea109d705439aa4e203d09' AND file:hashes.SHA1 = '5ae5ca0daccfa21706e157a19bdb67e48cbfe137' AND file:hashes.SHA256 = '8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:33:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--e59804a1-c4d9-4228-93bb-1a1f626c25ef" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:08:55" ,
"category" : "Other" ,
"comment" : "Malicious Documents" ,
"uuid" : "d2f63c18-56a3-44a8-83b8-bf9bbfe22b05"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6/analysis/1550866135/" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "c077dd9c-a1a5-4941-94a7-b69610709486"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "23/60" ,
"category" : "Payload delivery" ,
"comment" : "Malicious Documents" ,
"uuid" : "c248a416-67d8-4f60-ab77-8d537265a29a"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56b391e4-f005-4caa-ae12-a90db6664ebd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:34:30.000Z" ,
"modified" : "2019-02-22T21:34:30.000Z" ,
"pattern" : "[file:hashes.MD5 = '9f76d2f73020064374efe67dc28fa006' AND file:hashes.SHA1 = 'd96c04952ba0cb61b64bc7f08d7257913d8b7968' AND file:hashes.SHA256 = '6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2019-02-22T21:34:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2019-02-22T21:34:30.000Z" ,
"modified" : "2019-02-22T21:34:30.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2019-02-22T20:15:46" ,
"category" : "Other" ,
"comment" : "PE version loader, signed with stolen certificate" ,
"uuid" : "17038529-b686-4618-946f-6ac94dddf423"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c/analysis/1550866546/" ,
"category" : "Payload delivery" ,
"comment" : "PE version loader, signed with stolen certificate" ,
"uuid" : "45431bd9-aea9-46b1-a9e3-ed17d1fcf05f"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "15/68" ,
"category" : "Payload delivery" ,
"comment" : "PE version loader, signed with stolen certificate" ,
"uuid" : "f4343cea-ba6d-4c9b-99e8-d7a157be74f3"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--d8385e74-e4c4-4adf-873a-2db1afeabf4d" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--1db36cab-7b13-4758-b16a-9e9862d0973e" ,
"target_ref" : "x-misp-object--aea77d6f-2193-40e9-82c5-59726e0dfd2d"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--b0a5e13b-af4c-4477-ba10-14bac1ea11f7" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--3b8f6a45-0b7f-4bea-ad61-0369f01cc306" ,
"target_ref" : "x-misp-object--7ba926a9-161b-4412-99ff-cee104b6a329"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--b5f1d49a-e9ee-4dcc-8654-b79b0978febc" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a" ,
"target_ref" : "x-misp-object--5de67962-66f3-48c8-b33f-734e4b8dc989"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--2c8848f4-82a4-4b2e-b64c-9e0634e508dc" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--89e0ad73-a186-4959-b978-2311ee49e4af" ,
"target_ref" : "x-misp-object--99e0b99b-e1cf-4451-8eec-972978c821d8"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--a336f312-dca8-416a-9d85-2826b1f79ff2" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--4dbf697b-11ce-447f-85c6-cd02a2365a7f" ,
"target_ref" : "x-misp-object--1d288045-6e66-43a6-94b7-600044369fa7"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--b5d44059-7665-4a64-8c52-cc25a675d884" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--6860e975-938c-413d-b144-74cde72c25dc" ,
"target_ref" : "x-misp-object--ee3df33a-a5df-4f0a-887d-9fe0aba2d90a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--e0beefea-df08-458d-ae9a-e7f0abffb789" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--df5dd372-ecd6-4595-ab34-45bff1decb63" ,
"target_ref" : "x-misp-object--f2146c3b-d6f7-471c-bb4a-2b831e2849f6"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--80a28785-4b35-48ba-bda5-c80013543d2f" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc" ,
"target_ref" : "x-misp-object--a6c1afed-624f-4d81-b96a-4ff02a693e66"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--cde4f120-4b64-47bb-a9a7-7a9b78be69fd" ,
"created" : "2019-02-22T21:33:50.000Z" ,
"modified" : "2019-02-22T21:33:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--fd57be37-61cc-4452-85b5-518d55586335" ,
"target_ref" : "x-misp-object--e59804a1-c4d9-4228-93bb-1a1f626c25ef"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--5d29899a-04e1-4101-85a4-1e2235bbcca5" ,
"created" : "2019-02-22T21:34:31.000Z" ,
"modified" : "2019-02-22T21:34:31.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--56b391e4-f005-4caa-ae12-a90db6664ebd" ,
"target_ref" : "x-misp-object--fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}