{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5abf6421-c1b8-477b-a9d2-9c0902de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:46:24.000Z",
|
||
|
"modified": "2018-03-31T10:46:24.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5abf6421-c1b8-477b-a9d2-9c0902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:46:24.000Z",
|
||
|
"modified": "2018-03-31T10:46:24.000Z",
|
||
|
"name": "OSINT - Crypter-as-a-Service Helps jRAT Fly Under The Radar",
|
||
|
"published": "2018-03-31T10:46:39Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--5abf642d-5fa8-4bac-bf78-73e102de0b81",
|
||
|
"url--5abf642d-5fa8-4bac-bf78-73e102de0b81",
|
||
|
"indicator--5abf6444-4ca4-45dd-8726-be5302de0b81",
|
||
|
"indicator--5abf6445-9c80-40f4-a5ac-be5302de0b81",
|
||
|
"indicator--5abf6445-2224-46ea-84ca-be5302de0b81",
|
||
|
"indicator--5abf6446-89d4-4118-883c-be5302de0b81",
|
||
|
"indicator--5abf6446-c920-40b2-9756-be5302de0b81",
|
||
|
"indicator--5abf6447-4110-4acd-926f-be5302de0b81",
|
||
|
"indicator--5abf6447-68f0-439b-82ed-be5302de0b81",
|
||
|
"indicator--5abf6448-ef50-4db5-af30-be5302de0b81",
|
||
|
"observed-data--5abf659e-4cb8-4867-934a-bffd02de0b81",
|
||
|
"file--5abf659e-4cb8-4867-934a-bffd02de0b81",
|
||
|
"artifact--5abf659e-4cb8-4867-934a-bffd02de0b81",
|
||
|
"observed-data--5abf65e2-70f8-455b-a6a7-73e602de0b81",
|
||
|
"file--5abf65e2-70f8-455b-a6a7-73e602de0b81",
|
||
|
"artifact--5abf65e2-70f8-455b-a6a7-73e602de0b81",
|
||
|
"indicator--5abf6633-5e18-4ccb-88ed-bdd602de0b81",
|
||
|
"x-misp-attribute--5abf66b8-94b4-4306-bc6b-9b3a02de0b81",
|
||
|
"indicator--5abf66e1-b310-4869-bcf2-bca202de0b81",
|
||
|
"indicator--5abf66e2-5c9c-4390-ba87-bca202de0b81",
|
||
|
"observed-data--5abf66fd-8984-4e4c-9b22-bdd602de0b81",
|
||
|
"url--5abf66fd-8984-4e4c-9b22-bdd602de0b81",
|
||
|
"indicator--9f8377a2-614a-4c95-b23c-9843916ce750",
|
||
|
"x-misp-object--4887e799-a946-45b9-b17d-829e83965fb8",
|
||
|
"indicator--506f740b-a199-4f1e-b7ba-67e253b26d05",
|
||
|
"x-misp-object--19044ae8-56c6-4576-b6d2-67ea8f010aa1",
|
||
|
"indicator--ebbafa48-355a-4f73-9227-d05329f24cb7",
|
||
|
"x-misp-object--fc2df7b7-772d-4ad1-97fb-be696f3a14d2",
|
||
|
"indicator--bf58b01a-22fa-49d9-82b7-e3bfad752bd0",
|
||
|
"x-misp-object--c9dec079-cde4-4d06-ac74-b79ef362ad00",
|
||
|
"indicator--4496c403-6bc9-4d06-9f90-c56776eaaa02",
|
||
|
"x-misp-object--faaf775c-f3bc-4c06-986d-0eda27ef4706",
|
||
|
"indicator--e063f17d-444d-4129-ae42-2a5fe0de69cc",
|
||
|
"x-misp-object--c825cfef-d1db-481f-a382-9735dd1720cb",
|
||
|
"indicator--45b7f55b-64f2-4363-807a-aa68041fb61b",
|
||
|
"x-misp-object--92284358-1b21-472b-9385-89fb4fa7e8ef",
|
||
|
"indicator--7eebf218-879f-46fc-a3cc-d636fd99abe7",
|
||
|
"x-misp-object--e91e2a7b-10e6-4190-9b38-817b7eced5b9",
|
||
|
"relationship--6a420901-20b0-43b3-8df0-be0e6c7d6329",
|
||
|
"relationship--c2a5ddd1-4c01-4267-b29b-e30ea02b18ae",
|
||
|
"relationship--721b00d6-0d1c-4836-bf64-9a333c805c9e",
|
||
|
"relationship--2d209cbd-1feb-4519-8043-fd327aec185d",
|
||
|
"relationship--4107dbb1-e790-440d-90b2-cb80c09202a7",
|
||
|
"relationship--3b69f9b6-348f-4570-b6b0-9990f7e8593c",
|
||
|
"relationship--e7731f5e-d581-43e2-a980-d553f7b157c9",
|
||
|
"relationship--8f43fe96-fd30-4a4f-a75c-868f535aa0ca"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:rat=\"jRAT\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"misp-galaxy:tool=\"qrat\"",
|
||
|
"misp-galaxy:rat=\"Quaverse\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5abf642d-5fa8-4bac-bf78-73e102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:38:54.000Z",
|
||
|
"modified": "2018-03-31T10:38:54.000Z",
|
||
|
"first_observed": "2018-03-31T10:38:54Z",
|
||
|
"last_observed": "2018-03-31T10:38:54Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5abf642d-5fa8-4bac-bf78-73e102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5abf642d-5fa8-4bac-bf78-73e102de0b81",
|
||
|
"value": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Crypter-as-a-Service-Helps-jRAT-Fly-Under-The-Radar/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6444-4ca4-45dd-8726-be5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:34:44.000Z",
|
||
|
"modified": "2018-03-31T10:34:44.000Z",
|
||
|
"description": "Analyzed samples",
|
||
|
"pattern": "[file:hashes.MD5 = '1eb3f344a0274bfa38c67f6b10650dcf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:34:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6445-9c80-40f4-a5ac-be5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:34:45.000Z",
|
||
|
"modified": "2018-03-31T10:34:45.000Z",
|
||
|
"description": "Analyzed samples",
|
||
|
"pattern": "[file:hashes.MD5 = '64d72c5c86d3638034cd83178abcb82f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:34:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6445-2224-46ea-84ca-be5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:34:45.000Z",
|
||
|
"modified": "2018-03-31T10:34:45.000Z",
|
||
|
"description": "Analyzed samples",
|
||
|
"pattern": "[file:hashes.MD5 = 'c52247ecffb2f7a42ef6fa0336671545']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:34:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6446-89d4-4118-883c-be5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:34:46.000Z",
|
||
|
"modified": "2018-03-31T10:34:46.000Z",
|
||
|
"description": "Analyzed samples",
|
||
|
"pattern": "[file:hashes.MD5 = 'ae77ffba57049418e5a720bf77d178a5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:34:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6446-c920-40b2-9756-be5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:34:46.000Z",
|
||
|
"modified": "2018-03-31T10:34:46.000Z",
|
||
|
"description": "Analyzed samples",
|
||
|
"pattern": "[file:hashes.MD5 = '2f021a10804ac5db5ceb43b42f785a23']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:34:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6447-4110-4acd-926f-be5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:34:47.000Z",
|
||
|
"modified": "2018-03-31T10:34:47.000Z",
|
||
|
"description": "Analyzed samples",
|
||
|
"pattern": "[file:hashes.MD5 = 'daa0833d16cd9b6937803d1637284ad1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:34:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6447-68f0-439b-82ed-be5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:34:47.000Z",
|
||
|
"modified": "2018-03-31T10:34:47.000Z",
|
||
|
"description": "Analyzed samples",
|
||
|
"pattern": "[file:hashes.MD5 = '6392741705126cb97a837cbb046cfe73']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:34:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6448-ef50-4db5-af30-be5302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:34:48.000Z",
|
||
|
"modified": "2018-03-31T10:34:48.000Z",
|
||
|
"description": "Analyzed samples",
|
||
|
"pattern": "[file:hashes.MD5 = '8ae2c573bc0e0492efeabe78495c591e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:34:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5abf659e-4cb8-4867-934a-bffd02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:42:26.000Z",
|
||
|
"modified": "2018-03-31T10:42:26.000Z",
|
||
|
"first_observed": "2018-03-31T10:42:26Z",
|
||
|
"last_observed": "2018-03-31T10:42:26Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"file--5abf659e-4cb8-4867-934a-bffd02de0b81",
|
||
|
"artifact--5abf659e-4cb8-4867-934a-bffd02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"attachment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "file",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "file--5abf659e-4cb8-4867-934a-bffd02de0b81",
|
||
|
"name": "6a01676411d5a7970b01b7c95a2ed1970b-800wi.png",
|
||
|
"content_ref": "artifact--5abf659e-4cb8-4867-934a-bffd02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "artifact",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "artifact--5abf659e-4cb8-4867-934a-bffd02de0b81",
|
||
|
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAAfAAAAQACAYAAAAeBgtYAAAgAElEQVR4XuxdB3gU1dr+UkkIEKoQOqJeARUEBRVsiIqKAooUFZArKCrYCyqIAtcKolcQEUVUUEQRUEAUsAFi91p+C0rvLfSQnv95z8k3e/bszO4Sk5DNfvs8eZKdnTlz5p3Jvuf9akxBQUEByUsQEAQEAUFAEBAEIgqBGCHwiLpfMllBQBAQBAQBQUAhIAQuD4IgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4PIMCAKCgCAgCAgCEYiAEHgE3jSZsiAgCAgCgoAgIAQuz4AgIAgIAoKAIBCBCAiBR+BNkykLAoKAICAICAJC4P/gGSgoKPgHR5fMoRkZGbR//341eOXKlSklJaVkTlQMo8bExBTDKDKEICAICALRiYAQuHHfbULOz88nbIuLi1N75ebmEkjHfB8bG0v4wX55eXnqM+zD7+Pj49WxPBb2xefYF7/NY82xsD+fx+1YjM9j81g//PADjRgxgn799Vd1vjPPPJMefvhhOvnkk9UccD5s57F5HviMz2XOC9vxnudsH+s2L3Ms4BUKH8bLxtrt31EIPzq/pOSqBQFBwB2BqCdwLxWN7dnZ2ZSYmKiILycnR5FZhQoV1PusrCyKjY2h+PgERdbYF4QKQgIZZWdnUWJiBUVgIDIcn5SU5IyFYxISEtR7HIv9cDy2Z2Zmqs/wHufMycE89Fh5ebmUm5vnzAtj43yfffYZDRo0kLZu3arGyM8vUGNXr16dpkyZQl26dHHOzdeEY/ma8HhgHnjhc4yBa8QceF54j88wD32N2Q4euD5sw+c8FvbDdWh8MFaCgw/2Zyz1PHLVNdqLGyFy+eoSBAQBQUAI3EEg
HNM3K08cBAIlijHIyJ9wQUYgbk3eeYpgmZyZYE1iA0kxseFYJm8QYG5ujiI6TdZ56sdrLHy2e/duevrpp+mll15SxM9KVqt7KP18Sk1NpZtvvpmGDBlCtWvXdoicCIsIf8Jlsva/pny1AME8eEGC68SxvLgxxwJeMTF6QeK7pniKjY0rvKZc51gQNxYbfI2MByvzUP+4ospDISSfCwKCQHlFIKoUeDjEbe8D1cmqFL+zsjL9lCQrbRAJyBoEXKGCVtpQqBiPFS/em+SNsUFcICtbaduq3VbHIMZNmzbRNddcQ99++60zBs6nzfxYAGgXAJvp27RpQ2+99RY1bNjQWRjYip+tByBnnhfmYloi+Jo0HrBEaKWNY1ml49iCArz3qXS9IMlV+GiVzthW8FP8GMt8hSLpUJ+X139euS5BQBCIbgSihsCDkbfbZ2wWZ3WsCRbqGEo7XpE1yIjVMt6DsPBeq/YcQowWiJDNzaaJnRUtiI5N2abSZhM7m6OZ+Jk0Z8+eTaNHj6a1a9c6ah2fYT/tgwd5k/oML8wB25s2bUrDhw+nrl27UsWKFdUiA3PQ5nptnsffPqXtM4tjzngxwUJpQ1Wz2wDXwcea1gNzLFNp88JIq/RcZx58P3ju/C8ajKiFxKP7i0yuXhCIRgSigsDDJW9zPw5Y8/l7tU+bfbQgM1NZMxnZxM/+XxA5m8UD/b8+n7aptFmlYsHAQWaIMEdg2quvvur4zs1gMiZr/NYEqP3heDHRwhc/YMAAeuyxx/z80Kb1AHNkpY3fpqmf/eNsPeAFCvvHtdsA16Txsokfpn4QPbsR8B7H+kzuMLFrcz0vSux/TjfCFhKPxq8wuWZBIHoRiFoCN8naJni8523aLO4jFCY2jgAH6cE/jveHDx9WJmQQmqmGzffYbipM81y8WPAdC+XsS1Vbt24tPfroo7RkyVJFzDqqXM8V/m7Mg89lK28em03seN+hQwd65JFHqHnzZsrcznMz58ELAZ4nj2u+Z3XP8zDnDFwqVkx2gv04Mt0ka7ZMsGrnhYBN3iZBe5G1kHj0fpnJlQsC0YZAuSdwL/M432j+3O23adrWatjnw2bVycFrMGnPmjWL1q1b55ixTbJmYuHzaDO3j5w54EybwGEKR6R3niJl3nfr1i20a9fuwrQuTk3TyhpjMXnD/83EzsFsvvdIe/OlsdWsWZPS0uoUzkWntXEqGROo15z1vNRVOgsWJnM+tlKlSmqhMHjwYBURb5rYgS9HouOcHMXOWLE74EiIXAg82r7C5HoFgehFIOoI3E15u5E3yET7vHUeNytvX/Q4fMfxSnE//vjjNHHihMKgNW26ZlM7K1j8dlPHtsLVhKvTtEIra30ukCgTJ8jZn7w1IZsWATf/OD4PJH7/Y/XYgb51PlYvIrRlgAPnsL9W++3plVemUlpamhNdb6azYQz2j2O+wN2NwE1yt4md/42FxKP3C02uXBCIJgTKNYG7mcaDKW/TnM1ky/5eM00sO1sTO4jp66+/pmuu6UO7du1ygsaCkTdI0ke4WmnzeZn4tDlbR4+bxG8qbah0TfTahO4j/rzCeWjlzqbxQJXuU+2BKt1eROgFCSwCdmCcJm+d+87zYIsBL0DY1D9w4EB68skn/ZS26VvX/nLk0+vIfCZwL9L2MqkLgUfTV5hcqyAQvQhEJYG7KW6TvPlvjjwHUfoKtGQ7Udh4bJCWdccddzjpVDbhMrG5K1xvRWuTd6BP23dsoGoH4aKKmvZr+x/rvmiw88eDK21T8fMiQke5B/rafYuI0047jeBqqFq1qiJ7Jm+2anAUu6m+wyVxm7SFxKP3S02uXBCIFgSihsCD+bqZsM3fpo8bpASy4WA2rRR1AZY335xB9957nxNpbZrJ/ZW1t2k7NFn7TOpuJKkVbiBZszqGydwXie5T7W7m+2BjIWWMyBwrmPIOdCO0bNmS3nnnHapWrZrjnjCD2WBSZ0sB5sGR92Y0um1Wt9W5mNGj5atL
rlMQEASigsDDJW9Wz9gfZM0vKHEmb3zGqV4gn9dff13lVXP0uen/bdSoETVp0sRRw2ZeM5ubbZM+E6hJTOx
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5abf65e2-70f8-455b-a6a7-73e602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:42:26.000Z",
|
||
|
"modified": "2018-03-31T10:42:26.000Z",
|
||
|
"first_observed": "2018-03-31T10:42:26Z",
|
||
|
"last_observed": "2018-03-31T10:42:26Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"file--5abf65e2-70f8-455b-a6a7-73e602de0b81",
|
||
|
"artifact--5abf65e2-70f8-455b-a6a7-73e602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"attachment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "file",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "file--5abf65e2-70f8-455b-a6a7-73e602de0b81",
|
||
|
"name": "6a0133f264aa62970b01bb09fd6017970d-800wi.gif",
|
||
|
"content_ref": "artifact--5abf65e2-70f8-455b-a6a7-73e602de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "artifact",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "artifact--5abf65e2-70f8-455b-a6a7-73e602de0b81",
|
||
|
"payload_bin": "R0lGODlhqQL9Aff/AImIh/vbjffYs6qqqg9w17i3uPz8tezBdv//4C+M3aCfn9//////69/f35VteLj+/ovZ+Pu1XY4vAPPz86jMyMXz9Km3ycLCwl22/t2OL8W7urnb83FucNjY2NPS02siSwBduaSJkAABiExNTfz8yrZeALyZqW93naSHZrdXgP+3n7Khpl+3t+zr6+Pj4nTB/pbcuc3NzQAvjpa028nV5FoAcOz//5KTo82wncjIyNbw01sALQtbXf/kmX3D3sioTVOg3qSou8+ogPDDlNPRyS+JlJ7j/wAAAN+23tnViMF0IdHOzazw8Nf8/OLa1Xyr2cTd4b6DZqrb8NjV1NeHj///wBg5gCMjdYelu/zP38TAvtrY1YYvgiFLmr29v0uNySksUfXw55/e3kue4wBVmpPG9tPZ3FxaKpF6P4fX/22RuyIjJFwAACl6wJ5LJFRl2Rk2Xy4AXf7tzY20jfzhtDZQzK6wswABLq+cgc7u/3+y5TUuh4/f///IkqTK9gQn4d/i5QAAXbSzssfGw87Jya6urX0nJ8zQ0vDww9TV10Ci5tuWV9nW2C8AgdvZ2Ln7vvj42VInJ4qx9rHo/9fm9J/r/0U8Z6vN7MvKyOHh4djZ2+r079vc3b7cxtv7tLHK8I5ZYYfS8MPFx6WgrS4AAKinqOzo5mXG/qSprOjp6uuzg0+t7GY5ZvDw2u/u7i4ALqteL9rw8Obm5cfM0R5esN3c2biW2pOJ2tva21dlhNjYvHediNDP0NXZ1d3Ak+fn6F623jlchNv83gAvs4DZ/bKy+Piyss/Mybb+4Oj/5P7m5EYyqZ1TAJzE5f/vwX0qAGJgYeHp9cj/3uP/zI/e34jW1qqMQYYsWf/y1f/qnYB92//4x0/A9vLLrHWczwUnX6urzsSi3C4uANUODl4uAPDwrN/fn/Dwylqs8PDw0s7w8KS72uGfT8vLzMjHyaqnm4HJpcJ9KaHBlv/43wAuLuDfw7LAztm6prnfksPYuNacddvq+fj4+PDw8P///////yH/C05FVFNDQVBFMi4wAwEAAAAh/wtYTVAgRGF0YVhNUDw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMTM4IDc5LjE1OTgyNCwgMjAxNi8wOS8xNC0wMTowOTowMSAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENDIDIwMTcgKFdpbmRvd3MpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOkQwREEyMTU1MkQ3MDExRTg4Nzc2RTNBOTVFMTkzMkUwIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOkQwREEyMTU2MkQ3MDExRTg4Nzc2RTNBOTVFMTkzMkUwIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6RDBEQTIxNTMyRDcwMTFFODg3NzZFM0E5NUUxOTMyRTAiIHN0UmVmOmRvY3VtZW50
SUQ9InhtcC5kaWQ6RDBEQTIxNTQyRDcwMTFFODg3NzZFM0E5NUUxOTMyRTAiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQFlgD/ACwAAAAAqQL9AQAI/wAHCBxIsKDBgwgTKlzIsKHDhxAjSpxIsaLFixgzatzIsaPHjyBDihxJEqK/kyhTqlzJsqXLlzBjypxJs6bNmzhz6tzJs6fPn0CDCh1KtKjRo0iTyhSotKnTp1CjSp1KtarVq1izasXJdKvXr2DDih1LtqzZs1q7ol3Ltq3bt3Djyp17Ui3du3jz6t3Lt+9au34DCx5MuLBhw4BZ0vhyCQqUw5AjS55MubLPxCoptfnypY1nb5Qsix5NurTpu5hRzmjj4wmQL6896zlNu7bt27iVpvZ3qc2TOV9oBSsCxEfnJ7mTK1/OvOkNBc+jQ1eQVEGLlamo20zNr02wLxLaWP/59o1WmyJ62kRbicDEOpXdbuSJKWdUnvb3Tcxv6Uv6jUv47RSgSwOeVN9+7OnX3IIMNkiTditBaFR2qaTUggIVbjdAS5cUYcV3cHCgxghw+LaZNwkOgGB79tGEX4EtDQjjTTOqVCOBCjqo44463tCSj0lld50/QnK1IUtfBGPFACMA0MBJuXRh3hNtJFjAJSjRYUGOMr3IZYw53ujilwkiGJOYPKap5mkSptSmURemEmdOqbXRxQkc4OEPAyfZY4UanFVpownqmLDAnjjooKAceDy3gT/xQbeOl/nN54ukZZ7UXi8KKIBlgF4e8xyW/sjRKQWLQjfKAu0VMIowJnD/6qk/Xrq6gKkKoGrmmrz2KhqQKwEbZKdDGtlSG99oQYQCThAhCADQWNFZZ2X68qgc4CSjX3vXtkiroZQWOKOMJgRhAx2jNAHqtu75g666JjwaX6Xu+tHep+XacKCX+Morn68AB1zVdP5Bh9SbJyFc1IU3FHtTamp8w8s8RAAAAB4aYGKFd0UImhJ+2NpwzwYgr3rSyCc/Gq6CdES3K7nzzcPufJR+m0fINjMa3aQKDmhtzTijKfDQRNMlbEpHT2hdkcay5MU3dkwQRhithGHKORrI0MWdZTKAQy/g2FDyof5Y6+57NlNa3wJevxxmzzOnDffNYedssqZzI0py3EGT/1n034C/pbDCQs3pj+EaurTHNyEIYgrVptSzwjdWdGFPpgLM6mW3bBuKd6X40RH2gYPut24eXj/aMr2bQyrfvSiti+XaNXPr+q6B5647WUmf1LtQTJ8UPE27HfLNCNBA44ACGhCRixVXBMNPpgxocGiAuP7bH3TZzoyf1zcEUYjbpufdsgJbss4ydLqW2ukNPNNsQgHQqRy3u+z7vfv+/GNF8P+EAwqGVtKC371kN/7wAjQKUQg8cCB547EEIPpHwQpaUDIIJBIneOGFQgAADN/IhSkuSMISmjAvGUTJBLxwAkuMYnonjKEMZ1iWFNLwhjjMoVdsqMMe+vCHSeEhEP+HSMQiNs2ISEyiEol3pCU68YlPFCIUp0jFE0qxiljM4v6uqMUuelFgAumHGMdIxjKa8YxoTKMa18jGNrrxjXCMoxznSMc62vGOeMyjHvfIxz768Y+ADKQg
B0nINoaxkIhMpCIXychGOvKRkIykJCdJyUrK8ZCWzKQmN8nJTnryk6AMpSgpiclRmvKUqEylKlfJyla6sh+
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf6633-5e18-4ccb-88ed-bdd602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:42:59.000Z",
|
||
|
"modified": "2018-03-31T10:42:59.000Z",
|
||
|
"description": "One thing we noticed right away is that all the samples we collected attempted to download a jar file from https://vvrhhhnaijyj6s2m[.]onion[dot]top. We followed the onion link and found it is a service hosted by QUAverse.",
|
||
|
"pattern": "[url:value = 'https://vvrhhhnaijyj6s2m.onion.top']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:42:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5abf66b8-94b4-4306-bc6b-9b3a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:45:12.000Z",
|
||
|
"modified": "2018-03-31T10:45:12.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Support Tool\""
|
||
|
],
|
||
|
"x_misp_category": "Support Tool",
|
||
|
"x_misp_comment": "Config of jRAT",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "{\r\n\t\"NETWORK\": [\r\n\t\t{\r\n\t\t\t\"PORT\": 1999,\r\n\t\t\t\"DNS\": \"174.127.99.225\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"PORT\": 4987,\r\n\t\t\t\"DNS\": \"174.127.99.225\"\r\n\t\t}\r\n\t],\r\n\t\"INSTALL\": true,\r\n\t\"MODULE_PATH\": \"taM/Xkc/WE.xFP\",\r\n\t\"PLUGIN_FOLDER\": \"cHvEFmnnAYl\",\r\n\t\"JRE_FOLDER\": \"syeyIK\",\r\n\t\"JAR_FOLDER\": \"WEAvkYONVeS\",\r\n\t\"JAR_EXTENSION\": \"OSTZIm\",\r\n\t\"ENCRYPT_KEY\": \"gGgQBEKfxHgELZmseiHwZkjdB\",\r\n\t\"DELAY_INSTALL\": 2,\r\n\t\"NICKNAME\": \"User\",\r\n\t\"VMWARE\": false,\r\n\t\"PLUGIN_EXTENSION\": \"oCYYC\",\r\n\t\"WEBSITE_PROJECT\": \"https://jrat.io\",\r\n\t\"JAR_NAME\": \"dzjQhyXWvSo\",\r\n\t\"SECURITY\": [\r\n\t\t{\r\n\t\t\t\"REG\": [\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"SaveZoneInformation\\\"=dword:00000001\\r\\n\",\r\n\t\t\t\t\t\"KEY\": \"[HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments]\"\r\n\t\t\t\t},\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"LowRiskFileTypes\\\"=\\\".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;\\\"\\r\\n\",\r\n\t\t\t\t\t\"KEY\": \"[HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations]\"\r\n\t\t\t\t},\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"SaveZoneInformation\\\"=-\\r\\n\",\r\n\t\t\t\t\t\"KEY\": \"[HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments]\"\r\n\t\t\t\t},\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"LowRiskFileTypes\\\"=-\\r\\n\",\r\n\t\t\t\t\t\"KEY\": \"[HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations]\"\r\n\t\t\t\t}\r\n\t\t\t],\r\n\t\t\t\"NAME\": \"Open-File Security Warning\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"REG\": [\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"SEE_MASK_NOZONECHECKS\\\"=\\\"1\\\"\\r\\n\",\r\n\t\t\t\t\t\"KEY\": 
\"[HKEY_CURRENT_USER\\\\Environment]\"\r\n\t\t\t\t},\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"SEE_MASK_NOZONECHECKS\\\"=\\\"1\\\"\\r\\n\",\r\n\t\t\t\t\t\"KEY\": \"[HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment]\"\r\n\t\t\t\t}\r\n\t\t\t],\r\n\t\t\t\"NAME\": \"Disable Zone Checking\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"REG\": [\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"ConsentPromptBehaviorAdmin\\\"=dword:00000000\\r\\n\\\"ConsentPromptBehaviorUser\\\"=dword:00000000\\r\\n\\\"EnableLUA\\\"=dword:00000000\\r\\n\\\"PromptOnSecureDesktop\\\"=dword:00000000\\r\\n\",\r\n\t\t\t\t\t\"KEY\": \"[HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System]\"\r\n\t\t\t\t}\r\n\t\t\t],\r\n\t\t\t\"PROCESS\": [\r\n\t\t\t\t\"UserAccountControlSettings.exe\"\r\n\t\t\t],\r\n\t\t\t\"NAME\": \"User Account Control\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"REG\": [\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"DisableTaskMgr\\\"=dword:00000002\\r\\n\",\r\n\t\t\t\t\t\"KEY\": \"[HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System]\"\r\n\t\t\t\t}\r\n\t\t\t],\r\n\t\t\t\"PROCESS\": [\r\n\t\t\t\t\"Taskmgr.exe\"\r\n\t\t\t],\r\n\t\t\t\"NAME\": \"Task Manager\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"REG\": [\r\n\t\t\t\t{\r\n\t\t\t\t\t\"VALUE\": \"\\\"DisableConfig\\\"=dword:00000001\\r\\n\\\"DisableSR\\\"=dword:00000001\\r\\n\",\r\n\t\t\t\t\t\"KEY\": \"[HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore]\"\r\n\t\t\t\t}\r\n\t\t\t],\r\n\t\t\t\"NAME\": \"Restore System\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"PROCESS\": [\r\n\t\t\t\t\"ProcessHacker.exe\"\r\n\t\t\t],\r\n\t\t\t\"NAME\": \"Process Hacker\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"PROCESS\": [\r\n\t\t\t\t\"procexp.exe\"\r\n\t\t\t],\r\n\t\t\t\"NAME\": \"MsConfig\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"PROCESS\": 
[\r\n\t\t\t\t\"MSASCui.exe\",\r\n\t\t\t\t\"MsMpEng.exe\",\r\n\t\t\t\t\"MpUXSrv.exe\",\r\n\t\t\t\t\"MpCmdRun.exe\",\r\n\t\t\t\t\"NisSrv.exe\",\r\n\t\t\t\t\"ConfigSecurityPolicy.exe\"\r\n\t\t\t],\r\n\t\t\t\"NAME\": \"Windows Defender\"\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"PRO
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf66e1-b310-4869-bcf2-bca202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:45:53.000Z",
|
||
|
"modified": "2018-03-31T10:45:53.000Z",
|
||
|
"description": "On port 1999",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.127.99.225' AND network-traffic:dst_port = '1999']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:45:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst|port\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5abf66e2-5c9c-4390-ba87-bca202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:45:54.000Z",
|
||
|
"modified": "2018-03-31T10:45:54.000Z",
|
||
|
"description": "On port 4987",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.127.99.225' AND network-traffic:dst_port = '4987']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:45:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst|port\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5abf66fd-8984-4e4c-9b22-bdd602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:46:21.000Z",
|
||
|
"modified": "2018-03-31T10:46:21.000Z",
|
||
|
"first_observed": "2018-03-31T10:46:21Z",
|
||
|
"last_observed": "2018-03-31T10:46:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5abf66fd-8984-4e4c-9b22-bdd602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5abf66fd-8984-4e4c-9b22-bdd602de0b81",
|
||
|
"value": "https://pastebin.com/raw/PvKLJAWP"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--9f8377a2-614a-4c95-b23c-9843916ce750",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:19.000Z",
|
||
|
"modified": "2018-03-31T10:36:19.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '2f021a10804ac5db5ceb43b42f785a23' AND file:hashes.SHA1 = 'edcbc508c19118f11daac029020f2a55f5cdc115' AND file:hashes.SHA256 = 'a42909490789d8ceb0c62f3a8cfd8d9d6e94d4e4199c4d31dffb6a2b36a67771']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:36:19Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--4887e799-a946-45b9-b17d-829e83965fb8",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:18.000Z",
|
||
|
"modified": "2018-03-31T10:36:18.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/a42909490789d8ceb0c62f3a8cfd8d9d6e94d4e4199c4d31dffb6a2b36a67771/analysis/1522272575/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a2-60b8-4859-8de4-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "24/60",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a2-1e6c-4181-bf62-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-28T21:29:35",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a2-300c-4d8e-93e1-4fee02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--506f740b-a199-4f1e-b7ba-67e253b26d05",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:22.000Z",
|
||
|
"modified": "2018-03-31T10:36:22.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'ae77ffba57049418e5a720bf77d178a5' AND file:hashes.SHA1 = 'ff179cd437f2e4b93758adbe77e19e34610074ec' AND file:hashes.SHA256 = 'eb42177017e06ac8afc21f8d3b713417bf25da0f3de678a52625cf9f6bf5a050']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:36:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--19044ae8-56c6-4576-b6d2-67ea8f010aa1",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:20.000Z",
|
||
|
"modified": "2018-03-31T10:36:20.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/eb42177017e06ac8afc21f8d3b713417bf25da0f3de678a52625cf9f6bf5a050/analysis/1522335324/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a4-4468-4e18-9d35-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "29/59",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a5-7660-4946-bbb2-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-29T14:55:24",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a5-0124-4e58-a6dd-4fee02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--ebbafa48-355a-4f73-9227-d05329f24cb7",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:24.000Z",
|
||
|
"modified": "2018-03-31T10:36:24.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '6392741705126cb97a837cbb046cfe73' AND file:hashes.SHA1 = '54b13ce9069beee3cd0a2ffe3bb404d5d92144ed' AND file:hashes.SHA256 = 'aefe7a967c92cb76af1defac59d88a2d57d0c6526c94f782ac0e19935be1e30c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:36:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--fc2df7b7-772d-4ad1-97fb-be696f3a14d2",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:22.000Z",
|
||
|
"modified": "2018-03-31T10:36:22.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/aefe7a967c92cb76af1defac59d88a2d57d0c6526c94f782ac0e19935be1e30c/analysis/1522121609/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a7-1990-458d-a62d-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "30/59",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a7-7ba0-45e3-9966-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-27T03:33:29",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a7-98c0-4d7e-9346-4fee02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--bf58b01a-22fa-49d9-82b7-e3bfad752bd0",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:26.000Z",
|
||
|
"modified": "2018-03-31T10:36:26.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '64d72c5c86d3638034cd83178abcb82f' AND file:hashes.SHA1 = 'cf1f9dba740778df3bea9a7903b030aa9b916d90' AND file:hashes.SHA256 = '7aff36d38eaad0bd01d04c71dbafa4e637008be17e06397c9191826671be4964']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:36:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--c9dec079-cde4-4d06-ac74-b79ef362ad00",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:25.000Z",
|
||
|
"modified": "2018-03-31T10:36:25.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/7aff36d38eaad0bd01d04c71dbafa4e637008be17e06397c9191826671be4964/analysis/1522274126/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64a9-d1d4-49a9-8a98-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "26/49",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64aa-f510-47f9-9a22-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-28T21:55:26",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64aa-e2d8-4be0-a606-4fee02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--4496c403-6bc9-4d06-9f90-c56776eaaa02",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:29.000Z",
|
||
|
"modified": "2018-03-31T10:36:29.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '1eb3f344a0274bfa38c67f6b10650dcf' AND file:hashes.SHA1 = 'a495a93bec5e5cd234dc13c680e15a5e331d19b1' AND file:hashes.SHA256 = '8e4e858584704d7df6b0c3221a2b1d169f072e40aec0cc74340dbe4b6b15e60f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:36:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--faaf775c-f3bc-4c06-986d-0eda27ef4706",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:27.000Z",
|
||
|
"modified": "2018-03-31T10:36:27.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/8e4e858584704d7df6b0c3221a2b1d169f072e40aec0cc74340dbe4b6b15e60f/analysis/1522335418/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64ab-d81c-4d74-b375-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "31/59",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64ac-ea60-4fcb-95bf-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-29T14:56:58",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64ac-6abc-4be2-a17a-4fee02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--e063f17d-444d-4129-ae42-2a5fe0de69cc",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:31.000Z",
|
||
|
"modified": "2018-03-31T10:36:31.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'c52247ecffb2f7a42ef6fa0336671545' AND file:hashes.SHA1 = '82822da7d5cf63fd472895c389d0a7e8a9e698c7' AND file:hashes.SHA256 = '8ab8abba46e9b64ce27b03a25dabd69706bf90e2ebede22b211a2da37676ce55']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:36:31Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--c825cfef-d1db-481f-a382-9735dd1720cb",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:30.000Z",
|
||
|
"modified": "2018-03-31T10:36:30.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/8ab8abba46e9b64ce27b03a25dabd69706bf90e2ebede22b211a2da37676ce55/analysis/1522276988/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64ae-d24c-44f7-a725-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "31/60",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64ae-332c-4626-86e2-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-28T22:43:08",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64ae-8c44-4904-b8c6-4fee02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--45b7f55b-64f2-4363-807a-aa68041fb61b",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:34.000Z",
|
||
|
"modified": "2018-03-31T10:36:34.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'daa0833d16cd9b6937803d1637284ad1' AND file:hashes.SHA1 = 'ae7a6b6235a4d827cef54152bca237a30cff9f1e' AND file:hashes.SHA256 = '445a73d4dc4c76b73d35233b2bfba3ee178eb2605def1542c2267375db1ee24c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:36:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--92284358-1b21-472b-9385-89fb4fa7e8ef",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:32.000Z",
|
||
|
"modified": "2018-03-31T10:36:32.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/445a73d4dc4c76b73d35233b2bfba3ee178eb2605def1542c2267375db1ee24c/analysis/1522142541/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64b0-3598-45c7-a58c-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "33/59",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64b1-43c4-4ce3-9e6c-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-27T09:22:21",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64b1-50c0-46e8-b52d-4fee02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--7eebf218-879f-46fc-a3cc-d636fd99abe7",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:36.000Z",
|
||
|
"modified": "2018-03-31T10:36:36.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '8ae2c573bc0e0492efeabe78495c591e' AND file:hashes.SHA1 = '3fd3e9a0b0e9cfceccbc0fef6eb19da2e066bc6e' AND file:hashes.SHA256 = 'a0c261c86f3e46f1b6ccd5bc8f706ffe77ff70528ca7961fd8fbd6529a1be993']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-31T10:36:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--e91e2a7b-10e6-4190-9b38-817b7eced5b9",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-31T10:36:34.000Z",
|
||
|
"modified": "2018-03-31T10:36:34.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/a0c261c86f3e46f1b6ccd5bc8f706ffe77ff70528ca7961fd8fbd6529a1be993/analysis/1522275361/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64b2-c0d8-4443-8392-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "29/59",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64b3-3f1c-4128-bddf-4fee02de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-28T22:16:01",
|
||
|
"category": "Other",
|
||
|
"comment": "Analyzed samples",
|
||
|
"uuid": "5abf64b3-f7e0-4ada-bc17-4fee02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--6a420901-20b0-43b3-8df0-be0e6c7d6329",
|
||
|
"created": "2018-03-31T10:36:35.000Z",
|
||
|
"modified": "2018-03-31T10:36:35.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--9f8377a2-614a-4c95-b23c-9843916ce750",
|
||
|
"target_ref": "x-misp-object--4887e799-a946-45b9-b17d-829e83965fb8"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--c2a5ddd1-4c01-4267-b29b-e30ea02b18ae",
|
||
|
"created": "2018-03-31T10:36:35.000Z",
|
||
|
"modified": "2018-03-31T10:36:35.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--506f740b-a199-4f1e-b7ba-67e253b26d05",
|
||
|
"target_ref": "x-misp-object--19044ae8-56c6-4576-b6d2-67ea8f010aa1"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--721b00d6-0d1c-4836-bf64-9a333c805c9e",
|
||
|
"created": "2018-03-31T10:36:36.000Z",
|
||
|
"modified": "2018-03-31T10:36:36.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--ebbafa48-355a-4f73-9227-d05329f24cb7",
|
||
|
"target_ref": "x-misp-object--fc2df7b7-772d-4ad1-97fb-be696f3a14d2"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--2d209cbd-1feb-4519-8043-fd327aec185d",
|
||
|
"created": "2018-03-31T10:36:36.000Z",
|
||
|
"modified": "2018-03-31T10:36:36.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--bf58b01a-22fa-49d9-82b7-e3bfad752bd0",
|
||
|
"target_ref": "x-misp-object--c9dec079-cde4-4d06-ac74-b79ef362ad00"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--4107dbb1-e790-440d-90b2-cb80c09202a7",
|
||
|
"created": "2018-03-31T10:36:36.000Z",
|
||
|
"modified": "2018-03-31T10:36:36.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--4496c403-6bc9-4d06-9f90-c56776eaaa02",
|
||
|
"target_ref": "x-misp-object--faaf775c-f3bc-4c06-986d-0eda27ef4706"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--3b69f9b6-348f-4570-b6b0-9990f7e8593c",
|
||
|
"created": "2018-03-31T10:36:36.000Z",
|
||
|
"modified": "2018-03-31T10:36:36.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--e063f17d-444d-4129-ae42-2a5fe0de69cc",
|
||
|
"target_ref": "x-misp-object--c825cfef-d1db-481f-a382-9735dd1720cb"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--e7731f5e-d581-43e2-a980-d553f7b157c9",
|
||
|
"created": "2018-03-31T10:36:36.000Z",
|
||
|
"modified": "2018-03-31T10:36:36.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--45b7f55b-64f2-4363-807a-aa68041fb61b",
|
||
|
"target_ref": "x-misp-object--92284358-1b21-472b-9385-89fb4fa7e8ef"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--8f43fe96-fd30-4a4f-a75c-868f535aa0ca",
|
||
|
"created": "2018-03-31T10:36:36.000Z",
|
||
|
"modified": "2018-03-31T10:36:36.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--7eebf218-879f-46fc-a3cc-d636fd99abe7",
|
||
|
"target_ref": "x-misp-object--e91e2a7b-10e6-4190-9b38-817b7eced5b9"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|