misp-circl-feed/feeds/circl/stix-2.1/5881bff7-0bd0-4c84-a206-4eb4950d210f.json

553 lines
142 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5881bff7-0bd0-4c84-a206-4eb4950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:55:03.000Z",
"modified": "2017-01-20T07:55:03.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5881bff7-0bd0-4c84-a206-4eb4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:55:03.000Z",
"modified": "2017-01-20T07:55:03.000Z",
"name": "OSINT - Spora - the Shortcut Worm that is also a Ransomware",
"published": "2017-01-20T07:55:22Z",
"object_refs": [
"observed-data--5881c051-8680-4604-8ee6-4195950d210f",
"url--5881c051-8680-4604-8ee6-4195950d210f",
"x-misp-attribute--5881c067-6158-41a5-8bd6-4eb7950d210f",
"indicator--5881c0d2-7b5c-499d-9582-4c61950d210f",
"indicator--5881c108-c4fc-4a3d-a379-47d4950d210f",
"indicator--5881c123-f2f8-443f-9f38-4f64950d210f",
"indicator--5881c158-4b98-444b-a384-4b3c950d210f",
"indicator--5881c177-8a80-44cb-a014-4d27950d210f",
"indicator--5881c1a3-1400-4a34-b267-4aca950d210f",
"indicator--5881c1a4-9518-4365-8ea5-403f950d210f",
"indicator--5881c1a4-7ab8-4d54-83c7-452d950d210f",
"observed-data--5881c1c9-609c-4eea-aefe-4027950d210f",
"file--5881c1c9-609c-4eea-aefe-4027950d210f",
"artifact--5881c1c9-609c-4eea-aefe-4027950d210f",
"indicator--5881c1fc-8464-4d81-9590-4f8602de0b81",
"indicator--5881c1fd-a9c8-4edc-a4d6-4e7f02de0b81",
"observed-data--5881c1fe-5b2c-406e-a9c9-48ad02de0b81",
"url--5881c1fe-5b2c-406e-a9c9-48ad02de0b81",
"indicator--5881c1fe-fe68-4c71-983c-441a02de0b81",
"indicator--5881c1ff-9ffc-43a4-96dd-446f02de0b81",
"observed-data--5881c200-5668-4e6e-a169-441202de0b81",
"url--5881c200-5668-4e6e-a169-441202de0b81",
"indicator--5881c201-7fa8-44d8-aebd-4b4202de0b81",
"indicator--5881c201-1fb8-4c0d-a85a-49be02de0b81",
"observed-data--5881c202-c4bc-4470-974a-44a702de0b81",
"url--5881c202-c4bc-4470-974a-44a702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:preventive-measure=\"Backup and Restore Process\"",
"estimative-language:likelihood-probability=\"very-likely\"",
"ms-caro-malware:malware-type=\"Ransom\"",
"malware_classification:malware-category=\"Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5881c051-8680-4604-8ee6-4195950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:46:25.000Z",
"modified": "2017-01-20T07:46:25.000Z",
"first_observed": "2017-01-20T07:46:25Z",
"last_observed": "2017-01-20T07:46:25Z",
"number_observed": 1,
"object_refs": [
"url--5881c051-8680-4604-8ee6-4195950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5881c051-8680-4604-8ee6-4195950d210f",
"value": "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5881c067-6158-41a5-8bd6-4eb7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:46:47.000Z",
"modified": "2017-01-20T07:46:47.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Spora spreads via USB drives like Gamarue and Dinihou aka Jenxcus whilst also encrypting files. The sophistication of this threat could easily make it the new Locky. We discuss its infection and encryption procedure and show how it uses statistical values about encrypted files to calculate the ransom amount."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c0d2-7b5c-499d-9582-4c61950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:48:34.000Z",
"modified": "2017-01-20T07:48:34.000Z",
"pattern": "[file:name = '\u00d0\u00a1\u00d0\u00ba\u00d0\u00b0\u00d0\u00bd-\u00d0\u00ba\u00d0\u00be\u00d0\u00bf\u00d0\u00b8\u00d1\u008f _ 10 \u00d1\u008f\u00d0\u00bd\u00d0\u00b2\u00d0\u00b0\u00d1\u20ac\u00d1\u008f 2017\u00d0\u00b3. \u00d0\u00a1\u00d0\u00be\u00d1\u0081\u00d1\u201a\u00d0\u00b0\u00d0\u00b2\u00d0\u00bb\u00d0\u00b5\u00d0\u00bd\u00d0\u00be \u00d0\u00b8 \u00d0\u00bf\u00d0\u00be\u00d0\u00b4\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00b0\u00d0\u00bd\u00d0\u00be \u00d0\u00b3\u00d0\u00bb\u00d0\u00b0\u00d0\u00b2\u00d0\u00bd\u00d1\u2039\u00d0\u00bc \u00d0\u00b1\u00d1\u0192\u00d1\u2026\u00d0\u00b3\u00d0\u00b0\u00d0\u00bb\u00d1\u201a\u00d0\u00b5\u00d1\u20ac\u00d0\u00be\u00d0\u00bc. \u00d0\u00ad\u00d0\u00ba\u00d1\u0081\u00d0\u00bf\u00d0\u00be\u00d1\u20ac\u00d1\u201a \u00d0\u00b8\u00d0\u00b7 1\u00d0\u00a1.a01e743_\u00d1\u20acdf.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:48:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c108-c4fc-4a3d-a379-47d4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:49:28.000Z",
"modified": "2017-01-20T07:49:28.000Z",
"pattern": "[file:hashes.SHA256 = '3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:49:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c123-f2f8-443f-9f38-4f64950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:49:55.000Z",
"modified": "2017-01-20T07:49:55.000Z",
"description": "Script.Trojan-Dropper.Spora.G - close.js",
"pattern": "[file:hashes.SHA256 = 'e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:49:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c158-4b98-444b-a384-4b3c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:50:48.000Z",
"modified": "2017-01-20T07:50:48.000Z",
"description": "Win32.Worm.Spora.B - a277a133-ecde-c0f5-1591-ab36e22428bb.exe - 81063163ded.exe",
"pattern": "[file:hashes.SHA256 = 'dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:50:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c177-8a80-44cb-a014-4d27950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:51:19.000Z",
"modified": "2017-01-20T07:51:19.000Z",
"description": "Corrupt Word document\t doc_6d518e.docx",
"pattern": "[file:hashes.SHA256 = '0ba39054a70802d0b59a18b873aab519e418dc9b0c81400d27614c9c085409ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:51:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c1a3-1400-4a34-b267-4aca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:52:03.000Z",
"modified": "2017-01-20T07:52:03.000Z",
"description": "Ransom note",
"pattern": "[file:name = 'RU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.HTML']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:52:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c1a4-9518-4365-8ea5-403f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:52:04.000Z",
"modified": "2017-01-20T07:52:04.000Z",
"description": "Contains statistics, campaignID, username, locale, timestamp and private RSA key C1; encrypted",
"pattern": "[file:name = 'RU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.KEY']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:52:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c1a4-7ab8-4d54-83c7-452d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:52:04.000Z",
"modified": "2017-01-20T07:52:04.000Z",
"description": "List of encrypted files; encrypted",
"pattern": "[file:name = 'RU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.LST']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:52:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5881c1c9-609c-4eea-aefe-4027950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:52:41.000Z",
"modified": "2017-01-20T07:52:41.000Z",
"first_observed": "2017-01-20T07:52:41Z",
"last_observed": "2017-01-20T07:52:41Z",
"number_observed": 1,
"object_refs": [
"file--5881c1c9-609c-4eea-aefe-4027950d210f",
"artifact--5881c1c9-609c-4eea-aefe-4027950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5881c1c9-609c-4eea-aefe-4027950d210f",
"name": "G_DATA_spora_encryption_infographic_web_78175w894h615.jpg",
"content_ref": "artifact--5881c1c9-609c-4eea-aefe-4027950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5881c1c9-609c-4eea-aefe-4027950d210f",
"payload_bin": "/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAICAgICAgICAgIDAgICAwQDAgIDBAUEBAQEBAUGBQUFBQUFBgYHBwgHBwYJCQoKCQkMDAwMDAwMDAwMDAwMDAz/2wBDAQMDAwUEBQkGBgkNCwkLDQ8ODg4ODw8MDAwMDA8PDAwMDAwMDwwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAz/wgARCAJnA34DAREAAhEBAxEB/8QAHAABAAEFAQEAAAAAAAAAAAAAAAYBAwQFBwII/8QAGgEBAAMBAQEAAAAAAAAAAAAAAAECAwQFBv/aAAwDAQACEAMQAAAB411c4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFCoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQqAAAULkqHiFQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUKgAGRaZh19Ei6dsu1qGuzpF+XCK82FIAAAAAAAAAAAAAAAAAAAUKgAAAAAAAAAAAAAAAAAAAAAAAAAAAAoVABtNb9I9HtybSAANRlnzfzuOzWAOm1t9J5XhFo+Vdc6gAAAAAyTu1LxiY5jauKAAAAAAS2JiMxPKzA7RUAAAAAAAAAAAAAAAAAAAAAAAAAAAAoVAMi09U9TvybSJTjE8wpdhyHt0w5DRYZc387jA+uctIDMcM0p1qluw0tuE/Gm2X1Hlpv4n5f1z7tneQQ4bpXuWd+f2r87aUzTqFbcwtXZQn8WzIcWvXsdLaeWIjZp1Uxz+YnlZ3ifBgo6JW3LbVvGmlNonHIxMSmJz4cavWoAAAAAAAAAAAAAAAAAAAAAAAABQqChOe3plvX0Adh4s+O9umRDqfJTkvZcDm3ncWjwzGafSuV+t1vwi9NPMSeJ9EsifmnSn01leYRb4K3xmdZ7RS3YK3+At8cw7rnfmVq2ZCVw15DJjUy7BW3HbVntZ0ExOItkQ5HevYK2HHbV69S1ZchtXr1baZEPtHRazyO0ewAAAAAAAAAAAAAAAAAAAAAAAAChUFDrfrd+XawmuFen8lOd9Vx0blpyLt0i2siL82EB4OUfRud/Z3TO/BNKT2syiJ+Udc/rfLTmtojcx2ql/gnfH7Xx05jaO6Ut8Db5Zh0+tuaWrIYnwSuEJmJXExGU9ieQ2qPo+l+B3p2OluLXr1ulrEuSWr1elrcufzXq9bRGYiVo6JWeSWj2AAAAAAAAAAAAAAAAAAAAAAAAAUKg9y7F6/oiku18GfMOu4A6Zy04x26DTY58y83iqXzpFbQia9spfIOQ3rEZjewksTzy0S6sxG0bWEpidNKNzHon9ZERtGIZENfKUxN40MxrSp1ytuRWr2KltPMc6tF0mVZito1p0SsxGYxpY5mGuKgAAAAAAAAAAAAAAAAAAAAAAAAFCoPUuxev6NSkuucWej0tgWae87zOJVlXkPZoNJjlzTzeOoAJlWcWUXmAAAAAAAAAABMYnAI7MS+JiEwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQqCh1T1O7ZaXpLrnFnyrs0oWy7DrHJnyHs0EQ5OeEcXNUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoVAJZ17znt6qHevPy0mkgDJq4x3aUOV+Xwa/OoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoVAKy6d6XbttdAAABDuTmhXFz1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQqAC/aeh+h17vbUAChEOTnhXFzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAChUAAG931kPRrsNL+IjV5UjHNjrs6VAKHS9/MgePfvL4ZCsTz65prxaCnR6mN9bCEZd0w14sOumnrtKtOSLU6ttOWdbOGZds514dFXe3EyC/PC8+2V35LK2hp0T7bzuaYeoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQqAAACgBUAAFxFtIAAAAAAAFDtdLa6XJbVqAD0jykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAChUAAAAAAAFCZacUNz7agFDbQ18rQAAALpaOjVmUJoQuYg0wAJprwwvLuAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoVAAAAAAAAJbpx4mXZu07qJmNZgFq3yYxMJmL6d7DSy0sxKqzF7RP6zojj969OrOqlqSUQ5raABKNOSL59YAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFCoAAAAAAABkTX1FpxWcaXktGpRvYm3LWmSYKNsnAJDCURPObRFpjuFLRyYqbNPH7VA2lst9bn01d9NXYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUKgAAAAAAAoTvXgguXeAAAAAKAFQeCgPR6AM+c+xdPi8o5/X0tdwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQqAAAAAAAChvb4aOm4AAAAAAAAAAAodK28zm2PpgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUKgAAAAAAAG5tjpq7AAAAAAAAUJ/5vdciQABeVsrAAAc+9PgoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUKgAAAAAAAoTvXgguXeAAAAABdLQB5R9Y/GfU5VLAAAAAAD5K+1+WtzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFCoAAAAAAAKGZNMSLgAD0fQFLImL2jYwsy1aJdE4Bgy5FathH1j8Z9TlUsAAAAAAPkr7X5a3MAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUKgAAuFoqAAAASvTkimfWAAL59BZ35VeuqRt4nAleM6FmVojExiI+sfjPqcqlgAAAAAB8lfa/LW5gAAAAAACbRO9ieW2rQAAAAAAAAAAAAAAAAAAAAoVAAN5D6lz04Rem/icA18xvInwc8tEfmBQmmnFC8+2oAL8zsr211a7nS2lyrs9LW4jErG20vjVr0vu6ojzYxLDL6n+K+nyqWlvXzZFq+U5+lINwdfRvS4YbxdV20YWd9vtlt9sueed3D5K+1+WtzAAAAAAAyTqlbR+YsEJmAAAAAAAAAAAAAAAAAAAAKFQADaQ+n89PJrJjFLhBZjstbccvXj9qgVRRIAG91vttLxTDLcXvps6bO9rSMWsbW9seI6X3dUR5sYlhl9T/FfT5VLTrv49rrnqstLFba3O8r6ueiNJhtuNstLjttdcueed3D5K+1+WtzAAAvGXCxLyTGs4ctDMa86rWYxKpPKzxO9fQAAAAAAAAAAAAAAAAAAAKFQAChnnQKzzm0VLBQyDHKAoTzXggmXeAB6lU8QEliZ7Wdwc+mINaBQFEfWPxn1OVSwoAVBQv2jPvTVZaUKg+SvtflrcwAAOt1tOqzQ8GgmNVLcRPPbV28IhMbFMshyW0egAAAAAAAAAejyAAAAAAAAAUKgAG5O953icxy+9dlE4iMM2ydLMeDDBIr80dp0gAb3W96ZjmOY7BS2tlhom0Twa9agHlH1j8Z9TlUsAAAAAAPkr7X5a3MAACpU8g9FAeyRxMkgPJzW0VAAAAAAAPJ0Os48vJmwzi4nHRzC0VAAAAAAABQqAASaJ+kc77Eg0xjSyYT2J+cNKfQOd/lPXPWlDaWy1ddagAyrT6MOsDsdbapGITaJ4LetQDyj6x+M+pyqWAAAAAAHyV9r8tbmAAB2qlsKWTDSzHhOcWkZieQ2qAKAAAAAAAAodypaNS2phGkmL5Ionjtq1KAAAAAFQAUKgAGednpaHTGtlaJrWdbMQC0fQGd/mzSlShO9eCC5d4AG20tdmdJlQSaJn9Z25z6YgloAFDdYbeoAADfX59DToAAA0nRiAABL4nBM8y4aKXT6zC7RryLTAA6LxevMuT0gAAAAABzfv8WIdPBmlwxDJPBQ2MBopdG25ZFfMAAADU0vy/HroAUKgGTMVAAAAKlADYznro0AxomhtL2uTOnzoBQF
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c1fc-8464-4d81-9590-4f8602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:32.000Z",
"modified": "2017-01-20T07:53:32.000Z",
"description": "Win32.Worm.Spora.B - a277a133-ecde-c0f5-1591-ab36e22428bb.exe - 81063163ded.exe - Xchecked via VT: dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf",
"pattern": "[file:hashes.SHA1 = 'd3c89ccaf190890fc0583ea24396b1a2cd8317c4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:53:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c1fd-a9c8-4edc-a4d6-4e7f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:33.000Z",
"modified": "2017-01-20T07:53:33.000Z",
"description": "Win32.Worm.Spora.B - a277a133-ecde-c0f5-1591-ab36e22428bb.exe - 81063163ded.exe - Xchecked via VT: dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf",
"pattern": "[file:hashes.MD5 = '312445d2cca1cf82406af567596b9d8c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:53:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5881c1fe-5b2c-406e-a9c9-48ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:34.000Z",
"modified": "2017-01-20T07:53:34.000Z",
"first_observed": "2017-01-20T07:53:34Z",
"last_observed": "2017-01-20T07:53:34Z",
"number_observed": 1,
"object_refs": [
"url--5881c1fe-5b2c-406e-a9c9-48ad02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5881c1fe-5b2c-406e-a9c9-48ad02de0b81",
"value": "https://www.virustotal.com/file/dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf/analysis/1484855168/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c1fe-fe68-4c71-983c-441a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:34.000Z",
"modified": "2017-01-20T07:53:34.000Z",
"description": "Script.Trojan-Dropper.Spora.G - close.js - Xchecked via VT: e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a",
"pattern": "[file:hashes.SHA1 = 'ae22308bd176a06f3522b8547bd7d9988e1b56fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:53:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c1ff-9ffc-43a4-96dd-446f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:35.000Z",
"modified": "2017-01-20T07:53:35.000Z",
"description": "Script.Trojan-Dropper.Spora.G - close.js - Xchecked via VT: e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a",
"pattern": "[file:hashes.MD5 = 'fc1b2bec47aaa059319f4a47cb37c5e2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:53:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5881c200-5668-4e6e-a169-441202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:36.000Z",
"modified": "2017-01-20T07:53:36.000Z",
"first_observed": "2017-01-20T07:53:36Z",
"last_observed": "2017-01-20T07:53:36Z",
"number_observed": 1,
"object_refs": [
"url--5881c200-5668-4e6e-a169-441202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5881c200-5668-4e6e-a169-441202de0b81",
"value": "https://www.virustotal.com/file/e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a/analysis/1484641209/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c201-7fa8-44d8-aebd-4b4202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:37.000Z",
"modified": "2017-01-20T07:53:37.000Z",
"description": "- Xchecked via VT: 3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553",
"pattern": "[file:hashes.SHA1 = '0696d0a4d6fddf137733b867f0334902903e2a0e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:53:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5881c201-1fb8-4c0d-a85a-49be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:37.000Z",
"modified": "2017-01-20T07:53:37.000Z",
"description": "- Xchecked via VT: 3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553",
"pattern": "[file:hashes.MD5 = '37477dec05d8ae50aa5204559c81bde3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-20T07:53:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5881c202-c4bc-4470-974a-44a702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-20T07:53:38.000Z",
"modified": "2017-01-20T07:53:38.000Z",
"first_observed": "2017-01-20T07:53:38Z",
"last_observed": "2017-01-20T07:53:38Z",
"number_observed": 1,
"object_refs": [
"url--5881c202-c4bc-4470-974a-44a702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5881c202-c4bc-4470-974a-44a702de0b81",
"value": "https://www.virustotal.com/file/3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553/analysis/1484819616/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}