{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5870f2f5-5744-4ded-a6f5-469c950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:10:14.000Z",
|
||
|
"modified": "2017-01-07T14:10:14.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5870f2f5-5744-4ded-a6f5-469c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:10:14.000Z",
|
||
|
"modified": "2017-01-07T14:10:14.000Z",
|
||
|
"name": "OSINT - 2016 Updates to Shifu Banking Trojan",
|
||
|
"published": "2017-01-07T14:10:27Z",
|
||
|
"object_refs": [
|
||
|
"x-misp-attribute--5870f31f-01f0-42fa-b746-4d2b950d210f",
|
||
|
"observed-data--5870f32b-6864-4da5-87f3-477c950d210f",
|
||
|
"url--5870f32b-6864-4da5-87f3-477c950d210f",
|
||
|
"vulnerability--5870f363-0640-47d0-9bdd-422d950d210f",
|
||
|
"vulnerability--5870f363-d7dc-4588-815e-4bfb950d210f",
|
||
|
"x-misp-attribute--5870f391-9b5c-440e-b68a-4de3950d210f",
|
||
|
"x-misp-attribute--5870f393-add0-49e8-921f-47a6950d210f",
|
||
|
"x-misp-attribute--5870f393-4888-4dc5-8269-4753950d210f",
|
||
|
"x-misp-attribute--5870f394-4a04-4eac-b562-4d39950d210f",
|
||
|
"x-misp-attribute--5870f395-b0ac-412c-9c9e-4c02950d210f",
|
||
|
"indicator--5870f3ad-77c8-409b-a83f-42e6950d210f",
|
||
|
"indicator--5870f3ae-e4bc-42ea-8d87-4010950d210f",
|
||
|
"indicator--5870f3af-3904-4b3c-b447-41fc950d210f",
|
||
|
"indicator--5870f3af-7a24-489c-9e8a-4cef950d210f",
|
||
|
"indicator--5870f3c6-0068-42bb-bec1-4c6c950d210f",
|
||
|
"indicator--5870f3c7-1940-479d-b282-4b0f950d210f",
|
||
|
"indicator--5870f3dc-fa2c-4b55-b184-439a950d210f",
|
||
|
"indicator--5870f3ef-7c44-4011-a6cb-4038950d210f",
|
||
|
"indicator--5870f400-92d0-4150-b336-4188950d210f",
|
||
|
"indicator--5870f417-9e8c-44e7-aa42-4b41950d210f",
|
||
|
"indicator--5870f418-6144-41da-8f8f-4519950d210f",
|
||
|
"observed-data--5870f459-8f84-46fb-8337-487d950d210f",
|
||
|
"network-traffic--5870f459-8f84-46fb-8337-487d950d210f",
|
||
|
"ipv4-addr--5870f459-8f84-46fb-8337-487d950d210f",
|
||
|
"observed-data--5870f45a-ced0-4005-8c53-4d40950d210f",
|
||
|
"network-traffic--5870f45a-ced0-4005-8c53-4d40950d210f",
|
||
|
"ipv4-addr--5870f45a-ced0-4005-8c53-4d40950d210f",
|
||
|
"observed-data--5870f45b-ab50-4287-a78c-4d5b950d210f",
|
||
|
"network-traffic--5870f45b-ab50-4287-a78c-4d5b950d210f",
|
||
|
"ipv4-addr--5870f45b-ab50-4287-a78c-4d5b950d210f",
|
||
|
"observed-data--5870f4a6-fa74-4521-9406-436e950d210f",
|
||
|
"domain-name--5870f4a6-fa74-4521-9406-436e950d210f",
|
||
|
"indicator--5870f50c-8794-4494-94b6-411f950d210f",
|
||
|
"indicator--5870f51e-2684-41fa-bd5c-411d950d210f",
|
||
|
"indicator--5870f51f-3f24-4d5d-bdbf-416b950d210f",
|
||
|
"indicator--5870f54a-8dd4-4624-8120-4bad02de0b81",
|
||
|
"indicator--5870f54a-d7a4-401c-9416-4dbb02de0b81",
|
||
|
"observed-data--5870f54b-3930-47d3-8f15-4ed602de0b81",
|
||
|
"url--5870f54b-3930-47d3-8f15-4ed602de0b81",
|
||
|
"indicator--5870f54c-9760-4b93-b1eb-43f702de0b81",
|
||
|
"indicator--5870f54c-9fc0-4b09-8064-498602de0b81",
|
||
|
"observed-data--5870f54d-98b4-4843-b50f-417502de0b81",
|
||
|
"url--5870f54d-98b4-4843-b50f-417502de0b81",
|
||
|
"indicator--5870f54e-ddc8-451c-9241-424302de0b81",
|
||
|
"indicator--5870f54f-f520-4ce5-87bf-468202de0b81",
|
||
|
"observed-data--5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
|
||
|
"url--5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
|
||
|
"indicator--5870f550-d244-46af-acc6-4d1102de0b81",
|
||
|
"indicator--5870f551-43f4-4734-9ea4-43c602de0b81",
|
||
|
"observed-data--5870f552-90a0-4f87-8962-426802de0b81",
|
||
|
"url--5870f552-90a0-4f87-8962-426802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"circl:topic=\"finance\"",
|
||
|
"veris:action:social:target=\"Finance\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5870f31f-01f0-42fa-b746-4d2b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:54:39.000Z",
|
||
|
"modified": "2017-01-07T13:54:39.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.\r\n\r\nPalo Alto Networks Unit 42 research has found that the Shifu authors have evolved Shifu in 2016. Our research has found that Shifu has incorporated multiple new techniques to infect and evade detection on Microsoft Windows systems. Some of these include:\r\n\r\n Exploitation of CVE-2016-0167, a Microsoft Windows privilege escalation vulnerability, to gain SYSTEM level privileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal\r\n Use of a Windows atom to identify if the host is already infected with Shifu, in addition to the mutex used by previous versions\r\n Use of \u201cpush-calc-ret\u201d API obfuscation to hide function calls from malware analysts\r\n Use of alternative Namecoin .bit domains\r\n\r\nWe have also identified new links between Shifu and other tools which suggest Shifu isn\u2019t simply based on the Shiz Trojan, but is probably the latest evolution of Shiz.\r\n\r\nThe primary goal of this report is to introduce Shifu\u2019s new features to other malware analysts who may encounter this Trojan in the future. The following sections give an overview of the new features, and the appendix at the end includes the technical details on the overall functionality of Shifu."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5870f32b-6864-4da5-87f3-477c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:54:51.000Z",
|
||
|
"modified": "2017-01-07T13:54:51.000Z",
|
||
|
"first_observed": "2017-01-07T13:54:51Z",
|
||
|
"last_observed": "2017-01-07T13:54:51Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5870f32b-6864-4da5-87f3-477c950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5870f32b-6864-4da5-87f3-477c950d210f",
|
||
|
"value": "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
|
||
|
},
|
||
|
{
|
||
|
"type": "vulnerability",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "vulnerability--5870f363-0640-47d0-9bdd-422d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:55:47.000Z",
|
||
|
"modified": "2017-01-07T13:55:47.000Z",
|
||
|
"name": "CVE-2016-0167",
|
||
|
"labels": [
|
||
|
"misp:type=\"vulnerability\"",
|
||
|
"misp:category=\"Payload installation\""
|
||
|
],
|
||
|
"external_references": [
|
||
|
{
|
||
|
"source_name": "cve",
|
||
|
"external_id": "CVE-2016-0167"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "vulnerability",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "vulnerability--5870f363-d7dc-4588-815e-4bfb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:55:47.000Z",
|
||
|
"modified": "2017-01-07T13:55:47.000Z",
|
||
|
"name": "CVE-2015-0003",
|
||
|
"labels": [
|
||
|
"misp:type=\"vulnerability\"",
|
||
|
"misp:category=\"Payload installation\""
|
||
|
],
|
||
|
"external_references": [
|
||
|
{
|
||
|
"source_name": "cve",
|
||
|
"external_id": "CVE-2015-0003"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5870f391-9b5c-440e-b68a-4de3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:56:33.000Z",
|
||
|
"modified": "2017-01-07T13:56:33.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pdb\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_type": "pdb",
|
||
|
"x_misp_value": "Z:\\coding\\cryptor\\Release\\crypted.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5870f393-add0-49e8-921f-47a6950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:56:35.000Z",
|
||
|
"modified": "2017-01-07T13:56:35.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pdb\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_type": "pdb",
|
||
|
"x_misp_value": "Z:\\coding\\malware\\tests\\Release\\cryptoshit.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5870f393-4888-4dc5-8269-4753950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:56:35.000Z",
|
||
|
"modified": "2017-01-07T13:56:35.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pdb\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_type": "pdb",
|
||
|
"x_misp_value": "Z:\\coding\\malware\\RDP\\output\\Release\\rdp_bot.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5870f394-4a04-4eac-b562-4d39950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:56:36.000Z",
|
||
|
"modified": "2017-01-07T13:56:36.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pdb\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_type": "pdb",
|
||
|
"x_misp_value": "Z:\\coding\\malware\\ScanBot\\Release\\bot.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5870f395-b0ac-412c-9c9e-4c02950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:56:37.000Z",
|
||
|
"modified": "2017-01-07T13:56:37.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pdb\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_type": "pdb",
|
||
|
"x_misp_value": "Z:\\coding\\project\\main\\payload\\payload.x86.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f3ad-77c8-409b-a83f-42e6950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:57:01.000Z",
|
||
|
"modified": "2017-01-07T13:57:01.000Z",
|
||
|
"description": "Initial obfuscated loader",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:57:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f3ae-e4bc-42ea-8d87-4010950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:57:02.000Z",
|
||
|
"modified": "2017-01-07T13:57:02.000Z",
|
||
|
"description": "Initial obfuscated loader",
|
||
|
"pattern": "[file:hashes.SHA256 = '368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:57:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f3af-3904-4b3c-b447-41fc950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:57:03.000Z",
|
||
|
"modified": "2017-01-07T13:57:03.000Z",
|
||
|
"description": "Initial obfuscated loader",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:57:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f3af-7a24-489c-9e8a-4cef950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:57:03.000Z",
|
||
|
"modified": "2017-01-07T13:57:03.000Z",
|
||
|
"description": "Initial obfuscated loader",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:57:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f3c6-0068-42bb-bec1-4c6c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:57:26.000Z",
|
||
|
"modified": "2017-01-07T13:57:26.000Z",
|
||
|
"description": "Second stage injector",
|
||
|
"pattern": "[file:hashes.SHA256 = '003965bd25acb7e8c6e16de4f387ff9518db7bcca845502d23b6505d8d3cec01']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:57:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f3c7-1940-479d-b282-4b0f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:57:27.000Z",
|
||
|
"modified": "2017-01-07T13:57:27.000Z",
|
||
|
"description": "Second stage injector",
|
||
|
"pattern": "[file:hashes.SHA256 = '1188c5c9f04658bef20162f3001d9b89f69c93bf5343a1f849974daf6284a650']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:57:27Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f3dc-fa2c-4b55-b184-439a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:57:48.000Z",
|
||
|
"modified": "2017-01-07T13:57:48.000Z",
|
||
|
"description": "Exploit injector",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e7c1523d93154462ed9e15e84d3af01abe827aa6dd0082bc90fc8b58989e9a9a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:57:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f3ef-7c44-4011-a6cb-4038950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:58:07.000Z",
|
||
|
"modified": "2017-01-07T13:58:07.000Z",
|
||
|
"description": "CVE-2016-0167 exploit (x86)",
|
||
|
"pattern": "[file:hashes.SHA256 = '5124f4fec24acb2c83f26d1e70d7c525daac6c9fb6e2262ed1c1c52c88636bad']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:58:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f400-92d0-4150-b336-4188950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:58:24.000Z",
|
||
|
"modified": "2017-01-07T13:58:24.000Z",
|
||
|
"description": "CVE-2016-0167 exploit (x64)",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f3c2d4090f6f563928e9a9ec86bf0f1c6ee49cdc110b7368db8905781a9a966e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:58:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f417-9e8c-44e7-aa42-4b41950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:58:47.000Z",
|
||
|
"modified": "2017-01-07T13:58:47.000Z",
|
||
|
"description": "Main payload",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e9bd4375f9b0b95f385191895edf81c8eadfb3964204bbbe48f7700fc746e4dc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:58:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f418-6144-41da-8f8f-4519950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T13:58:48.000Z",
|
||
|
"modified": "2017-01-07T13:58:48.000Z",
|
||
|
"description": "Main payload",
|
||
|
"pattern": "[file:hashes.SHA256 = '5ca2a9de65c998b0d0a0a01b4aa103a9410d76ab86c75d7b968984be53e279b6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T13:58:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5870f459-8f84-46fb-8337-487d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:01:26.000Z",
|
||
|
"modified": "2017-01-07T14:01:26.000Z",
|
||
|
"first_observed": "2017-01-07T14:01:26Z",
|
||
|
"last_observed": "2017-01-07T14:01:26Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5870f459-8f84-46fb-8337-487d950d210f",
|
||
|
"ipv4-addr--5870f459-8f84-46fb-8337-487d950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5870f459-8f84-46fb-8337-487d950d210f",
|
||
|
"dst_ref": "ipv4-addr--5870f459-8f84-46fb-8337-487d950d210f",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5870f459-8f84-46fb-8337-487d950d210f",
|
||
|
"value": "92.222.80.28"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5870f45a-ced0-4005-8c53-4d40950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:01:36.000Z",
|
||
|
"modified": "2017-01-07T14:01:36.000Z",
|
||
|
"first_observed": "2017-01-07T14:01:36Z",
|
||
|
"last_observed": "2017-01-07T14:01:36Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5870f45a-ced0-4005-8c53-4d40950d210f",
|
||
|
"ipv4-addr--5870f45a-ced0-4005-8c53-4d40950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5870f45a-ced0-4005-8c53-4d40950d210f",
|
||
|
"dst_ref": "ipv4-addr--5870f45a-ced0-4005-8c53-4d40950d210f",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5870f45a-ced0-4005-8c53-4d40950d210f",
|
||
|
"value": "78.138.97.93"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5870f45b-ab50-4287-a78c-4d5b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:01:47.000Z",
|
||
|
"modified": "2017-01-07T14:01:47.000Z",
|
||
|
"first_observed": "2017-01-07T14:01:47Z",
|
||
|
"last_observed": "2017-01-07T14:01:47Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5870f45b-ab50-4287-a78c-4d5b950d210f",
|
||
|
"ipv4-addr--5870f45b-ab50-4287-a78c-4d5b950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5870f45b-ab50-4287-a78c-4d5b950d210f",
|
||
|
"dst_ref": "ipv4-addr--5870f45b-ab50-4287-a78c-4d5b950d210f",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5870f45b-ab50-4287-a78c-4d5b950d210f",
|
||
|
"value": "77.66.108.93"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5870f4a6-fa74-4521-9406-436e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:01:10.000Z",
|
||
|
"modified": "2017-01-07T14:01:10.000Z",
|
||
|
"first_observed": "2017-01-07T14:01:10Z",
|
||
|
"last_observed": "2017-01-07T14:01:10Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"domain-name--5870f4a6-fa74-4521-9406-436e950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "domain-name",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "domain-name--5870f4a6-fa74-4521-9406-436e950d210f",
|
||
|
"value": "ns1.dk.dns.d0wn.biz"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f50c-8794-4494-94b6-411f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:02:52.000Z",
|
||
|
"modified": "2017-01-07T14:02:52.000Z",
|
||
|
"description": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis. Namecoin (.bit) resolution can change over time, so treat this IP as a point-in-time indicator that is expected to age quickly; the .bit domain names are the more durable indicators.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.199.16.106']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T14:02:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f51e-2684-41fa-bd5c-411d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:03:10.000Z",
|
||
|
"modified": "2017-01-07T14:03:10.000Z",
|
||
|
"description": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis. Note: klyatiemoskali.bit is a Namecoin (.bit) domain name, not a file name, but it is carried here as MISP type 'filename', so the pattern targets file:name and will not match DNS or network telemetry. Re-type it as a domain-name / hostname attribute (pattern [domain-name:value = 'klyatiemoskali.bit']) before exporting it with to_ids to detection tooling.",
|
||
|
"pattern": "[file:name = 'klyatiemoskali.bit']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T14:03:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f51f-3f24-4d5d-bdbf-416b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:03:11.000Z",
|
||
|
"modified": "2017-01-07T14:03:11.000Z",
|
||
|
"description": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis. Note: slavaukraine.bit is a Namecoin (.bit) domain name, not a file name, but it is carried here as MISP type 'filename', so the pattern targets file:name and will not match DNS or network telemetry. Re-type it as a domain-name / hostname attribute (pattern [domain-name:value = 'slavaukraine.bit']) before exporting it with to_ids to detection tooling.",
|
||
|
"pattern": "[file:name = 'slavaukraine.bit']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T14:03:11Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f54a-8dd4-4624-8120-4bad02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:03:54.000Z",
|
||
|
"modified": "2017-01-07T14:03:54.000Z",
|
||
|
"description": "Initial obfuscated loader - Xchecked via VT: d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9",
|
||
|
"pattern": "[file:hashes.SHA1 = '472c49709b5bf423b05f9c516be9fcf6750c874b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T14:03:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f54a-d7a4-401c-9416-4dbb02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:03:54.000Z",
|
||
|
"modified": "2017-01-07T14:03:54.000Z",
|
||
|
"description": "Initial obfuscated loader - Xchecked via VT: d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9",
|
||
|
"pattern": "[file:hashes.MD5 = '7e8eba7fb31ceab049fe43d020dc34bf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T14:03:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5870f54b-3930-47d3-8f15-4ed602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:03:55.000Z",
|
||
|
"modified": "2017-01-07T14:03:55.000Z",
|
||
|
"first_observed": "2017-01-07T14:03:55Z",
|
||
|
"last_observed": "2017-01-07T14:03:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5870f54b-3930-47d3-8f15-4ed602de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5870f54b-3930-47d3-8f15-4ed602de0b81",
|
||
|
"value": "https://www.virustotal.com/file/d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9/analysis/1476315072/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f54c-9760-4b93-b1eb-43f702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:03:56.000Z",
|
||
|
"modified": "2017-01-07T14:03:56.000Z",
|
||
|
"description": "Initial obfuscated loader - Xchecked via VT: 368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b",
|
||
|
"pattern": "[file:hashes.SHA1 = '3cd5a202fd64b8512557a80426f82c3359756f21']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T14:03:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5870f54c-9fc0-4b09-8064-498602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-01-07T14:03:56.000Z",
|
||
|
"modified": "2017-01-07T14:03:56.000Z",
|
||
|
"description": "Initial obfuscated loader - Xchecked via VT: 368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b",
|
||
|
"pattern": "[file:hashes.MD5 = 'f25528baf3d68444fa7d7fda382e9835']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-01-07T14:03:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f54d-98b4-4843-b50f-417502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:57.000Z",
"modified": "2017-01-07T14:03:57.000Z",
"first_observed": "2017-01-07T14:03:57Z",
"last_observed": "2017-01-07T14:03:57Z",
"number_observed": 1,
"object_refs": [
"url--5870f54d-98b4-4843-b50f-417502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f54d-98b4-4843-b50f-417502de0b81",
"value": "https://www.virustotal.com/file/368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b/analysis/1476120793/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f54e-ddc8-451c-9241-424302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:58.000Z",
"modified": "2017-01-07T14:03:58.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18",
"pattern": "[file:hashes.SHA1 = 'd74fd4cd8d82450c9436b608631f5ae69fe45187']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f54f-f520-4ce5-87bf-468202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:03:59.000Z",
"modified": "2017-01-07T14:03:59.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18",
"pattern": "[file:hashes.MD5 = 'ebf3e72f8b698bbb0d026416d7a75a6a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:03:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:04:00.000Z",
"modified": "2017-01-07T14:04:00.000Z",
"first_observed": "2017-01-07T14:04:00Z",
"last_observed": "2017-01-07T14:04:00Z",
"number_observed": 1,
"object_refs": [
"url--5870f550-7bb0-4a2d-afa9-4fdc02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
"value": "https://www.virustotal.com/file/e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18/analysis/1476121083/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f550-d244-46af-acc6-4d1102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:04:00.000Z",
"modified": "2017-01-07T14:04:00.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9",
"pattern": "[file:hashes.SHA1 = 'a09aa148ac6fbbbea05d63c923d44c7126f63ff3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:04:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5870f551-43f4-4734-9ea4-43c602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:04:01.000Z",
"modified": "2017-01-07T14:04:01.000Z",
"description": "Initial obfuscated loader - Xchecked via VT: f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9",
"pattern": "[file:hashes.MD5 = 'e98459c647a6e328c8b65945884ef29a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-07T14:04:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5870f552-90a0-4f87-8962-426802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-07T14:04:02.000Z",
"modified": "2017-01-07T14:04:02.000Z",
"first_observed": "2017-01-07T14:04:02Z",
"last_observed": "2017-01-07T14:04:02Z",
"number_observed": 1,
"object_refs": [
"url--5870f552-90a0-4f87-8962-426802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5870f552-90a0-4f87-8962-426802de0b81",
"value": "https://www.virustotal.com/file/f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9/analysis/1476121104/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}