842 lines
37 KiB
JSON
842 lines
37 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--595d508c-dc3c-49e8-8288-4a6002de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--595d508c-dc3c-49e8-8288-4a6002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"name": "OSINT - The MeDoc Connection",
|
||
|
"published": "2017-07-05T20:51:47Z",
|
||
|
"object_refs": [
|
||
|
"x-misp-attribute--595d509a-d224-4645-b1ac-439102de0b81",
|
||
|
"observed-data--595d50a4-bd20-437d-8737-434802de0b81",
|
||
|
"url--595d50a4-bd20-437d-8737-434802de0b81",
|
||
|
"x-misp-attribute--595d50c5-f144-46fd-b6ff-46db02de0b81",
|
||
|
"x-misp-attribute--595d50c6-db5c-4e7e-9db0-4d1002de0b81",
|
||
|
"x-misp-attribute--595d50c6-569c-4921-b849-47d002de0b81",
|
||
|
"x-misp-attribute--595d50c6-3ab8-40f2-bf02-4c4a02de0b81",
|
||
|
"x-misp-attribute--595d50c6-8674-4393-aaa3-434a02de0b81",
|
||
|
"x-misp-attribute--595d50c6-f770-47d6-a061-496202de0b81",
|
||
|
"indicator--595d50d5-2328-427b-9535-4fe302de0b81",
|
||
|
"indicator--595d50d5-f8e8-4769-93b1-400e02de0b81",
|
||
|
"indicator--595d50e8-d3f0-4552-9306-437c02de0b81",
|
||
|
"indicator--595d50e8-307c-4a7f-b19b-4e0502de0b81",
|
||
|
"indicator--595d50e8-7a6c-493f-a1c8-452502de0b81",
|
||
|
"indicator--595d50fb-f4a8-4e59-8d73-436402de0b81",
|
||
|
"indicator--595d50fb-3ac8-473b-82c8-45f002de0b81",
|
||
|
"indicator--595d50fb-1dcc-4ac3-9755-4ff802de0b81",
|
||
|
"indicator--595d514c-c9ac-4ccd-bb65-499602de0b81",
|
||
|
"indicator--595d514c-d144-4815-98f0-4c9d02de0b81",
|
||
|
"observed-data--595d514c-81e4-4e91-8bc4-4be202de0b81",
|
||
|
"url--595d514c-81e4-4e91-8bc4-4be202de0b81",
|
||
|
"indicator--595d514c-a0ac-487c-a2ba-41f202de0b81",
|
||
|
"indicator--595d514c-4188-483d-9fd9-4a9702de0b81",
|
||
|
"observed-data--595d514c-1d84-4628-99a6-44a102de0b81",
|
||
|
"url--595d514c-1d84-4628-99a6-44a102de0b81",
|
||
|
"indicator--595d514c-857c-4902-81e0-455102de0b81",
|
||
|
"indicator--595d514c-5fe8-42ca-850a-42c002de0b81",
|
||
|
"observed-data--595d514c-d7c0-4e20-ba7f-4b9d02de0b81",
|
||
|
"url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81",
|
||
|
"indicator--595d514c-9030-4303-9902-496d02de0b81",
|
||
|
"indicator--595d514c-b8bc-4293-a0ea-4dff02de0b81",
|
||
|
"observed-data--595d514c-c4e0-49cc-82d7-468802de0b81",
|
||
|
"url--595d514c-c4e0-49cc-82d7-468802de0b81",
|
||
|
"indicator--595d514c-0284-4d7b-9762-494a02de0b81",
|
||
|
"indicator--595d514c-d754-4082-9b7a-451102de0b81",
|
||
|
"observed-data--595d514c-3d18-431e-bcf0-457c02de0b81",
|
||
|
"url--595d514c-3d18-431e-bcf0-457c02de0b81",
|
||
|
"indicator--595d514c-0248-4f6d-a21e-422702de0b81",
|
||
|
"indicator--595d514c-363c-4b80-b083-469102de0b81",
|
||
|
"observed-data--595d514c-a394-41bb-9d53-404102de0b81",
|
||
|
"url--595d514c-a394-41bb-9d53-404102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595d509a-d224-4645-b1ac-439102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595d50a4-bd20-437d-8737-434802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"first_observed": "2017-07-05T20:51:23Z",
|
||
|
"last_observed": "2017-07-05T20:51:23Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595d50a4-bd20-437d-8737-434802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595d50a4-bd20-437d-8737-434802de0b81",
|
||
|
"value": "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595d50c5-f144-46fd-b6ff-46db02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "W32.Ransomware.Nyetya.Talos"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595d50c6-db5c-4e7e-9db0-4d1002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "W32.F9D6FE8BD8.Backdoor.Ransomware.Nyetya.Talos"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595d50c6-569c-4921-b849-47d002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "W32.D462966166.Backdoor.Ransomware.Nyetya.Talos"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595d50c6-3ab8-40f2-bf02-4c4a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "W32.2FD2863D71.Backdoor.Ransomware.Nyetya.Talos"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595d50c6-8674-4393-aaa3-434a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "W32.02EF73BD24-95.SBX.TG"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--595d50c6-f770-47d6-a061-496202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "W32.GenericKD:Petya.20h1.1201"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d50d5-2328-427b-9535-4fe302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"description": "MALICIOUS IP ADDRESSES:",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.182.167']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d50d5-f8e8-4769-93b1-400e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"description": "MALICIOUS IP ADDRESSES:",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.148.186.214']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d50e8-d3f0-4552-9306-437c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"description": "NYETYA MALWARE",
|
||
|
"pattern": "[file:hashes.SHA256 = '027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d50e8-307c-4a7f-b19b-4e0502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"description": "NYETYA MALWARE",
|
||
|
"pattern": "[file:hashes.SHA256 = '02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d50e8-7a6c-493f-a1c8-452502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"description": "NYETYA MALWARE",
|
||
|
"pattern": "[file:hashes.SHA256 = 'eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d50fb-f4a8-4e59-8d73-436402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d50fb-3ac8-473b-82c8-45f002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d50fb-1dcc-4ac3-9755-4ff802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:23.000Z",
|
||
|
"modified": "2017-07-05T20:51:23.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:",
|
||
|
"pattern": "[file:hashes.SHA256 = '2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-c9ac-4ccd-bb65-499602de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: 2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277",
|
||
|
"pattern": "[file:hashes.SHA1 = '3567434e2e49358e8210674641a20b147e0bd23c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-d144-4815-98f0-4c9d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: 2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277",
|
||
|
"pattern": "[file:hashes.MD5 = '3efe62f6cb7285153114f888900a0962']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595d514c-81e4-4e91-8bc4-4be202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"first_observed": "2017-07-05T20:51:24Z",
|
||
|
"last_observed": "2017-07-05T20:51:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595d514c-81e4-4e91-8bc4-4be202de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595d514c-81e4-4e91-8bc4-4be202de0b81",
|
||
|
"value": "https://www.virustotal.com/file/2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277/analysis/1499286304/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-a0ac-487c-a2ba-41f202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac",
|
||
|
"pattern": "[file:hashes.SHA1 = '7f3b1c56c180369ae7891483675bec61f3182f27']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-4188-483d-9fd9-4a9702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac",
|
||
|
"pattern": "[file:hashes.MD5 = '87db6af04613f4bd70467720239117e5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595d514c-1d84-4628-99a6-44a102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"first_observed": "2017-07-05T20:51:24Z",
|
||
|
"last_observed": "2017-07-05T20:51:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595d514c-1d84-4628-99a6-44a102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595d514c-1d84-4628-99a6-44a102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac/analysis/1499278990/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-857c-4902-81e0-455102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740",
|
||
|
"pattern": "[file:hashes.SHA1 = '7b051e7e7a82f07873fa360958acc6492e4385dd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-5fe8-42ca-850a-42c002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740",
|
||
|
"pattern": "[file:hashes.MD5 = '8f5718be4ba2c6e4f8ce1597248bb03f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595d514c-d7c0-4e20-ba7f-4b9d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"first_observed": "2017-07-05T20:51:24Z",
|
||
|
"last_observed": "2017-07-05T20:51:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740/analysis/1499256049/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-9030-4303-9902-496d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "NYETYA MALWARE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998",
|
||
|
"pattern": "[file:hashes.SHA1 = '56c03d8e43f50568741704aee482704a4f5005ad']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-b8bc-4293-a0ea-4dff02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "NYETYA MALWARE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998",
|
||
|
"pattern": "[file:hashes.MD5 = '2813d34f6197eb4df42c886ec7f234a1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595d514c-c4e0-49cc-82d7-468802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"first_observed": "2017-07-05T20:51:24Z",
|
||
|
"last_observed": "2017-07-05T20:51:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595d514c-c4e0-49cc-82d7-468802de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595d514c-c4e0-49cc-82d7-468802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998/analysis/1498939521/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-0284-4d7b-9762-494a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "NYETYA MALWARE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f",
|
||
|
"pattern": "[file:hashes.SHA1 = '38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-d754-4082-9b7a-451102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "NYETYA MALWARE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f",
|
||
|
"pattern": "[file:hashes.MD5 = '7e37ab34ecdcc3e77e24522ddfd4852d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595d514c-3d18-431e-bcf0-457c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"first_observed": "2017-07-05T20:51:24Z",
|
||
|
"last_observed": "2017-07-05T20:51:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595d514c-3d18-431e-bcf0-457c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595d514c-3d18-431e-bcf0-457c02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/1499122164/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-0248-4f6d-a21e-422702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "NYETYA MALWARE - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
|
||
|
"pattern": "[file:hashes.SHA1 = '34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--595d514c-363c-4b80-b083-469102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"description": "NYETYA MALWARE - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
|
||
|
"pattern": "[file:hashes.MD5 = '71b6a493388e7d0b40c83ce903bc6b04']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-07-05T20:51:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--595d514c-a394-41bb-9d53-404102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-07-05T20:51:24.000Z",
|
||
|
"modified": "2017-07-05T20:51:24.000Z",
|
||
|
"first_observed": "2017-07-05T20:51:24Z",
|
||
|
"last_observed": "2017-07-05T20:51:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--595d514c-a394-41bb-9d53-404102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--595d514c-a394-41bb-9d53-404102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1499267430/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|