502 lines
22 KiB
JSON
502 lines
22 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--57fc8ec7-2c10-4c24-8565-452002de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:08.000Z",
|
||
|
"modified": "2016-10-11T07:07:08.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--57fc8ec7-2c10-4c24-8565-452002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:08.000Z",
|
||
|
"modified": "2016-10-11T07:07:08.000Z",
|
||
|
"name": "OSINT - How Stampado Ransomware Analysis Led To Yara Improvements",
|
||
|
"published": "2016-10-11T07:07:32Z",
|
||
|
"object_refs": [
|
||
|
"indicator--57fc8efa-2754-48b9-a10c-4b9902de0b81",
|
||
|
"indicator--57fc8f12-fa10-4675-b20e-467e02de0b81",
|
||
|
"indicator--57fc8f13-b3ac-4994-a131-45eb02de0b81",
|
||
|
"indicator--57fc8f13-c1d0-45ab-953e-446c02de0b81",
|
||
|
"indicator--57fc8f13-02c4-4968-9ceb-465602de0b81",
|
||
|
"observed-data--57fc8f90-4bbc-45ef-a3d6-43b902de0b81",
|
||
|
"url--57fc8f90-4bbc-45ef-a3d6-43b902de0b81",
|
||
|
"indicator--57fc8f9c-0c5c-4198-bc44-4d6802de0b81",
|
||
|
"indicator--57fc8f9c-c388-426f-af60-488202de0b81",
|
||
|
"observed-data--57fc8f9d-4864-487c-ad6c-49d402de0b81",
|
||
|
"url--57fc8f9d-4864-487c-ad6c-49d402de0b81",
|
||
|
"indicator--57fc8f9d-6288-4871-858d-4db402de0b81",
|
||
|
"indicator--57fc8f9e-2674-45ad-8e3e-423002de0b81",
|
||
|
"observed-data--57fc8f9e-7bcc-4f08-9733-40a302de0b81",
|
||
|
"url--57fc8f9e-7bcc-4f08-9733-40a302de0b81",
|
||
|
"indicator--57fc8f9f-eb94-47ef-a5d5-4e4702de0b81",
|
||
|
"indicator--57fc8f9f-bd9c-4b63-804a-4f4502de0b81",
|
||
|
"observed-data--57fc8fa0-d80c-4fbb-9765-43d902de0b81",
|
||
|
"url--57fc8fa0-d80c-4fbb-9765-43d902de0b81",
|
||
|
"indicator--57fc8fa0-c834-4580-8703-475b02de0b81",
|
||
|
"indicator--57fc8fa1-83f8-4c65-8633-450d02de0b81",
|
||
|
"observed-data--57fc8fa1-c47c-4095-8a49-46a802de0b81",
|
||
|
"url--57fc8fa1-c47c-4095-8a49-46a802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"circl:incident-classification=\"malware\"",
|
||
|
"ms-caro-malware:malware-type=\"Ransom\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"ecsirt:malicious-code=\"ransomware\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8efa-2754-48b9-a10c-4b9902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:04:26.000Z",
|
||
|
"modified": "2016-10-11T07:04:26.000Z",
|
||
|
"pattern": "[rule stampado_overlay\r\n{\r\nmeta:\r\ndescription = \"Catches Stampado samples looking for \\\\r at the beginning of PE overlay section\"\r\nreference = \"\"\r\nauthor = \"Fernando Merces, FTR, Trend Micro\"\r\ndate = \"2016-07\"\r\nmd5 = \"a393b9536a1caa34914636d3da7378b5\"\r\nmd5 = \"dbf3707a9cd090853a11dda9cfa78ff0\"\r\nmd5 = \"dd5686ca7ec28815c3cf3ed3dbebdff2\"\r\nmd5 = \"6337f0938e4a9c0ef44ab99deb0ef466\"\r\n\r\ncondition:\r\npe.characteristics == 0x122 and\r\npe.number_of_sections == 5 and\r\npe.imports(\"VERSION.dll\", \"VerQueryValueW\") and uint8(pe.sections[4].raw_data_offset + pe.sections[4].raw_data_size) == 0x0d\r\n\r\n}]",
|
||
|
"pattern_type": "yara",
|
||
|
"valid_from": "2016-10-11T07:04:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"yara\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f12-fa10-4675-b20e-467e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:04:50.000Z",
|
||
|
"modified": "2016-10-11T07:04:50.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[file:hashes.MD5 = 'a393b9536a1caa34914636d3da7378b5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:04:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f13-b3ac-4994-a131-45eb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:04:51.000Z",
|
||
|
"modified": "2016-10-11T07:04:51.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[file:hashes.MD5 = 'dbf3707a9cd090853a11dda9cfa78ff0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:04:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f13-c1d0-45ab-953e-446c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:04:51.000Z",
|
||
|
"modified": "2016-10-11T07:04:51.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[file:hashes.MD5 = 'dd5686ca7ec28815c3cf3ed3dbebdff2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:04:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f13-02c4-4968-9ceb-465602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:04:51.000Z",
|
||
|
"modified": "2016-10-11T07:04:51.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool",
|
||
|
"pattern": "[file:hashes.MD5 = '6337f0938e4a9c0ef44ab99deb0ef466']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:04:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57fc8f90-4bbc-45ef-a3d6-43b902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:06:56.000Z",
|
||
|
"modified": "2016-10-11T07:06:56.000Z",
|
||
|
"first_observed": "2016-10-11T07:06:56Z",
|
||
|
"last_observed": "2016-10-11T07:06:56Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57fc8f90-4bbc-45ef-a3d6-43b902de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57fc8f90-4bbc-45ef-a3d6-43b902de0b81",
|
||
|
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/stampado-ransomware-analysis-led-yara-improvements"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f9c-0c5c-4198-bc44-4d6802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:08.000Z",
|
||
|
"modified": "2016-10-11T07:07:08.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool - Xchecked via VT: 6337f0938e4a9c0ef44ab99deb0ef466",
|
||
|
"pattern": "[file:hashes.SHA256 = '3f147a037baac4220a84b5fed4c167fc75cf331126735d70f67c2c8fb7f50c87']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:07:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f9c-c388-426f-af60-488202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:08.000Z",
|
||
|
"modified": "2016-10-11T07:07:08.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool - Xchecked via VT: 6337f0938e4a9c0ef44ab99deb0ef466",
|
||
|
"pattern": "[file:hashes.SHA1 = '55e796d55c2938130ededc476ad7c92b42487cfd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:07:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57fc8f9d-4864-487c-ad6c-49d402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:09.000Z",
|
||
|
"modified": "2016-10-11T07:07:09.000Z",
|
||
|
"first_observed": "2016-10-11T07:07:09Z",
|
||
|
"last_observed": "2016-10-11T07:07:09Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57fc8f9d-4864-487c-ad6c-49d402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57fc8f9d-4864-487c-ad6c-49d402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/3f147a037baac4220a84b5fed4c167fc75cf331126735d70f67c2c8fb7f50c87/analysis/1475531539/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f9d-6288-4871-858d-4db402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:09.000Z",
|
||
|
"modified": "2016-10-11T07:07:09.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool - Xchecked via VT: dd5686ca7ec28815c3cf3ed3dbebdff2",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cfe1c48aae527864b3f96fabdc771decf3ba388456010a83a17a52b1d40b88ef']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:07:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f9e-2674-45ad-8e3e-423002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:10.000Z",
|
||
|
"modified": "2016-10-11T07:07:10.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool - Xchecked via VT: dd5686ca7ec28815c3cf3ed3dbebdff2",
|
||
|
"pattern": "[file:hashes.SHA1 = 'd0edac41ba0556e2ba5f334328a4e7888b807065']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:07:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57fc8f9e-7bcc-4f08-9733-40a302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:10.000Z",
|
||
|
"modified": "2016-10-11T07:07:10.000Z",
|
||
|
"first_observed": "2016-10-11T07:07:10Z",
|
||
|
"last_observed": "2016-10-11T07:07:10Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57fc8f9e-7bcc-4f08-9733-40a302de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57fc8f9e-7bcc-4f08-9733-40a302de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cfe1c48aae527864b3f96fabdc771decf3ba388456010a83a17a52b1d40b88ef/analysis/1475870104/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f9f-eb94-47ef-a5d5-4e4702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:11.000Z",
|
||
|
"modified": "2016-10-11T07:07:11.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool - Xchecked via VT: dbf3707a9cd090853a11dda9cfa78ff0",
|
||
|
"pattern": "[file:hashes.SHA256 = '78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:07:11Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8f9f-bd9c-4b63-804a-4f4502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:11.000Z",
|
||
|
"modified": "2016-10-11T07:07:11.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool - Xchecked via VT: dbf3707a9cd090853a11dda9cfa78ff0",
|
||
|
"pattern": "[file:hashes.SHA1 = '5af5403d8e003812a34c7b085d878680d7130ad5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:07:11Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57fc8fa0-d80c-4fbb-9765-43d902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:12.000Z",
|
||
|
"modified": "2016-10-11T07:07:12.000Z",
|
||
|
"first_observed": "2016-10-11T07:07:12Z",
|
||
|
"last_observed": "2016-10-11T07:07:12Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57fc8fa0-d80c-4fbb-9765-43d902de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57fc8fa0-d80c-4fbb-9765-43d902de0b81",
|
||
|
"value": "https://www.virustotal.com/file/78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669/analysis/1474984811/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8fa0-c834-4580-8703-475b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:12.000Z",
|
||
|
"modified": "2016-10-11T07:07:12.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool - Xchecked via VT: a393b9536a1caa34914636d3da7378b5",
|
||
|
"pattern": "[file:hashes.SHA256 = '342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:07:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57fc8fa1-83f8-4c65-8633-450d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:13.000Z",
|
||
|
"modified": "2016-10-11T07:07:13.000Z",
|
||
|
"description": "Imported via the Freetext Import Tool - Xchecked via VT: a393b9536a1caa34914636d3da7378b5",
|
||
|
"pattern": "[file:hashes.SHA1 = '5aced706d9f6a0bb6a95c8bdf1e123485219a123']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-10-11T07:07:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57fc8fa1-c47c-4095-8a49-46a802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-10-11T07:07:13.000Z",
|
||
|
"modified": "2016-10-11T07:07:13.000Z",
|
||
|
"first_observed": "2016-10-11T07:07:13Z",
|
||
|
"last_observed": "2016-10-11T07:07:13Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57fc8fa1-c47c-4095-8a49-46a802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57fc8fa1-c47c-4095-8a49-46a802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20/analysis/1474984808/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|