544 lines
23 KiB
JSON
544 lines
23 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5846b21a-e1b8-473c-b82d-456c950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-08T16:46:42.000Z",
|
||
|
"modified": "2016-12-08T16:46:42.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "grouping",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "grouping--5846b21a-e1b8-473c-b82d-456c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-08T16:46:42.000Z",
|
||
|
"modified": "2016-12-08T16:46:42.000Z",
|
||
|
"name": "OSINT - Kelihos botnet delivering CryptFlle2 Ransomware with theme AmericanAirlines",
|
||
|
"context": "suspicious-activity",
|
||
|
"object_refs": [
|
||
|
"observed-data--5846b22d-e61c-4563-b63f-4ad1950d210f",
|
||
|
"url--5846b22d-e61c-4563-b63f-4ad1950d210f",
|
||
|
"x-misp-attribute--5846b25a-f08c-4dff-8e92-418b950d210f",
|
||
|
"observed-data--5846b291-723c-4f42-beec-31ad950d210f",
|
||
|
"email-message--5846b291-723c-4f42-beec-31ad950d210f",
|
||
|
"observed-data--5846b291-1d70-4e89-aa04-31ad950d210f",
|
||
|
"email-message--5846b291-1d70-4e89-aa04-31ad950d210f",
|
||
|
"observed-data--5846b291-417c-4d19-ab9a-31ad950d210f",
|
||
|
"email-message--5846b291-417c-4d19-ab9a-31ad950d210f",
|
||
|
"observed-data--5846b292-61dc-4db8-b5e4-31ad950d210f",
|
||
|
"email-message--5846b292-61dc-4db8-b5e4-31ad950d210f",
|
||
|
"indicator--5846b34b-5314-4292-a7ff-4370950d210f",
|
||
|
"indicator--5846b34b-d860-4263-82ff-47a5950d210f",
|
||
|
"indicator--5846b34c-6e50-4082-af0e-4bc9950d210f",
|
||
|
"indicator--5846b34c-d918-477e-9688-4f72950d210f",
|
||
|
"indicator--5846b399-f940-4a5d-932d-443e950d210f",
|
||
|
"indicator--5846b399-0f44-4e50-b671-4b7e950d210f",
|
||
|
"indicator--5846b542-74b8-4247-87a8-45aa950d210f",
|
||
|
"indicator--5846b542-6d54-478c-854e-4699950d210f",
|
||
|
"indicator--5846b542-73f0-4e63-b152-4600950d210f",
|
||
|
"indicator--5846b542-2804-4576-bf31-4123950d210f",
|
||
|
"indicator--5846b543-3c78-4963-b36d-4a45950d210f",
|
||
|
"indicator--5846b6c8-e324-402c-97c2-45b702de0b81",
|
||
|
"indicator--5846b6c8-0ce8-44c4-a89a-420502de0b81",
|
||
|
"observed-data--5846b6c8-c734-4b15-95cd-4ce002de0b81",
|
||
|
"url--5846b6c8-c734-4b15-95cd-4ce002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"malware_classification:malware-category=\"Ransomware\"",
|
||
|
"ecsirt:malicious-code=\"ransomware\"",
|
||
|
"ms-caro-malware:malware-type=\"Ransom\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5846b22d-e61c-4563-b63f-4ad1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:42:21.000Z",
|
||
|
"modified": "2016-12-06T12:42:21.000Z",
|
||
|
"first_observed": "2016-12-06T12:42:21Z",
|
||
|
"last_observed": "2016-12-06T12:42:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5846b22d-e61c-4563-b63f-4ad1950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5846b22d-e61c-4563-b63f-4ad1950d210f",
|
||
|
"value": "http://garwarner.blogspot.lu/2016/08/american-airlines-spam-from-kelihos.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5846b25a-f08c-4dff-8e92-418b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:43:06.000Z",
|
||
|
"modified": "2016-12-06T12:43:06.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "When we saw the Kelihos botnet delivering ransomware last month on July 8th, we sat up and took notice. The Kelihos botnet has a long history of delivering pharma spam and stock market manipulation spam (pump-n-dump), but now it was spamming the WildFire ransomware. ( See: http://garwarner.blogspot.com/2016/07/kelihos-botnet-delivering-dutch.html ) I was under the impression that it was one of the occasional gimmicks observed with Kelihos where they try something a single time and then move on. I assumed that some script kiddies were testing new ransomware techniques. Unfortunately, I was wrong and Kelihos hit back with CryptFIle2 encryption ransomware."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5846b291-723c-4f42-beec-31ad950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:44:01.000Z",
|
||
|
"modified": "2016-12-06T12:44:01.000Z",
|
||
|
"first_observed": "2016-12-06T12:44:01Z",
|
||
|
"last_observed": "2016-12-06T12:44:01Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"email-message--5846b291-723c-4f42-beec-31ad950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-subject\"",
|
||
|
"misp:category=\"Payload delivery\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "email-message",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "email-message--5846b291-723c-4f42-beec-31ad950d210f",
|
||
|
"is_multipart": false,
|
||
|
"subject": "Bonus from AmericanAirlines"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5846b291-1d70-4e89-aa04-31ad950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:44:01.000Z",
|
||
|
"modified": "2016-12-06T12:44:01.000Z",
|
||
|
"first_observed": "2016-12-06T12:44:01Z",
|
||
|
"last_observed": "2016-12-06T12:44:01Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"email-message--5846b291-1d70-4e89-aa04-31ad950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-subject\"",
|
||
|
"misp:category=\"Payload delivery\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "email-message",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "email-message--5846b291-1d70-4e89-aa04-31ad950d210f",
|
||
|
"is_multipart": false,
|
||
|
"subject": "AmericanAirlines free 100$"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5846b291-417c-4d19-ab9a-31ad950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:44:01.000Z",
|
||
|
"modified": "2016-12-06T12:44:01.000Z",
|
||
|
"first_observed": "2016-12-06T12:44:01Z",
|
||
|
"last_observed": "2016-12-06T12:44:01Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"email-message--5846b291-417c-4d19-ab9a-31ad950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-subject\"",
|
||
|
"misp:category=\"Payload delivery\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "email-message",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "email-message--5846b291-417c-4d19-ab9a-31ad950d210f",
|
||
|
"is_multipart": false,
|
||
|
"subject": "AmericanAirlines discount"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5846b292-61dc-4db8-b5e4-31ad950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:44:02.000Z",
|
||
|
"modified": "2016-12-06T12:44:02.000Z",
|
||
|
"first_observed": "2016-12-06T12:44:02Z",
|
||
|
"last_observed": "2016-12-06T12:44:02Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"email-message--5846b292-61dc-4db8-b5e4-31ad950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-subject\"",
|
||
|
"misp:category=\"Payload delivery\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "email-message",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "email-message--5846b292-61dc-4db8-b5e4-31ad950d210f",
|
||
|
"is_multipart": false,
|
||
|
"subject": "Free fly with AmericanAirlines"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b34b-5314-4292-a7ff-4370950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:47:07.000Z",
|
||
|
"modified": "2016-12-06T12:47:07.000Z",
|
||
|
"pattern": "[url:value = 'http://dataupllinks.top/nfdk/ticket1845.doc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:47:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b34b-d860-4263-82ff-47a5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:47:07.000Z",
|
||
|
"modified": "2016-12-06T12:47:07.000Z",
|
||
|
"pattern": "[url:value = 'http://ftp.dataupllinks.top/edsf/tick-873.doc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:47:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b34c-6e50-4082-af0e-4bc9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:47:08.000Z",
|
||
|
"modified": "2016-12-06T12:47:08.000Z",
|
||
|
"pattern": "[url:value = 'http://ftp.filesgigastor.top/23tf/disc_tick-235.doc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:47:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b34c-d918-477e-9688-4f72950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:47:08.000Z",
|
||
|
"modified": "2016-12-06T12:47:08.000Z",
|
||
|
"pattern": "[url:value = 'http://www.webdataupllinks.net/rety/tick-834.doc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:47:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b399-f940-4a5d-932d-443e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:48:25.000Z",
|
||
|
"modified": "2016-12-06T12:48:25.000Z",
|
||
|
"pattern": "[email-message:from_ref.value = 'westbors@oath.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:48:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b399-0f44-4e50-b671-4b7e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:48:25.000Z",
|
||
|
"modified": "2016-12-06T12:48:25.000Z",
|
||
|
"pattern": "[email-message:from_ref.value = 'gobas@inorbit.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:48:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b542-74b8-4247-87a8-45aa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:55:30.000Z",
|
||
|
"modified": "2016-12-06T12:55:30.000Z",
|
||
|
"description": "MD5 hash of the Word document",
|
||
|
"pattern": "[file:hashes.MD5 = '4fde04b25ea20b6ab30c5e4984e01afc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:55:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b542-6d54-478c-854e-4699950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:55:30.000Z",
|
||
|
"modified": "2016-12-06T12:55:30.000Z",
|
||
|
"description": "Website mentioned in the Word document",
|
||
|
"pattern": "[domain-name:value = 'english.ctrip.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:55:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b542-73f0-4e63-b152-4600950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:55:30.000Z",
|
||
|
"modified": "2016-12-06T12:55:30.000Z",
|
||
|
"description": "Payload location",
|
||
|
"pattern": "[url:value = 'http://216.170.126.3/wfil/file.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:55:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b542-2804-4576-bf31-4123950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:55:30.000Z",
|
||
|
"modified": "2016-12-06T12:55:30.000Z",
|
||
|
"description": "Payload location",
|
||
|
"pattern": "[url:value = 'http://216.170.118.4/default.jpg']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:55:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b543-3c78-4963-b36d-4a45950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T12:55:31.000Z",
|
||
|
"modified": "2016-12-06T12:55:31.000Z",
|
||
|
"description": "Command & Control Center",
|
||
|
"pattern": "[url:value = 'http://216.170.118.4/wes/offers.php']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T12:55:31Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b6c8-e324-402c-97c2-45b702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T13:02:00.000Z",
|
||
|
"modified": "2016-12-06T13:02:00.000Z",
|
||
|
"description": "MD5 hash of the Word document - Xchecked via VT: 4fde04b25ea20b6ab30c5e4984e01afc",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a5e14eecf6beb956732790b05df001ce4fe0f001022f75dd1952d529d2eb9c11']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T13:02:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5846b6c8-0ce8-44c4-a89a-420502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T13:02:00.000Z",
|
||
|
"modified": "2016-12-06T13:02:00.000Z",
|
||
|
"description": "MD5 hash of the Word document - Xchecked via VT: 4fde04b25ea20b6ab30c5e4984e01afc",
|
||
|
"pattern": "[file:hashes.SHA1 = '7a35907df3ac0693be55a218be8d5b5b85673f45']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-12-06T13:02:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5846b6c8-c734-4b15-95cd-4ce002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-12-06T13:02:00.000Z",
|
||
|
"modified": "2016-12-06T13:02:00.000Z",
|
||
|
"first_observed": "2016-12-06T13:02:00Z",
|
||
|
"last_observed": "2016-12-06T13:02:00Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5846b6c8-c734-4b15-95cd-4ce002de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5846b6c8-c734-4b15-95cd-4ce002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/a5e14eecf6beb956732790b05df001ce4fe0f001022f75dd1952d529d2eb9c11/analysis/1472201806/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|