{ "type": "bundle", "id": "bundle--55014406-fd90-4fc1-a814-4638950d210b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:04:34.000Z", "modified": "2015-03-12T08:04:34.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--55014406-fd90-4fc1-a814-4638950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:04:34.000Z", "modified": "2015-03-12T08:04:34.000Z", "name": "OSINT Tibetan Uprising Day Malware Attacks by Citizen Labs", "published": "2015-03-12T08:30:18Z", "object_refs": [ "observed-data--55014411-d4cc-4047-bc11-4dd5950d210b", "url--55014411-d4cc-4047-bc11-4dd5950d210b", "indicator--5501442f-79a8-4594-a548-310e950d210b", "vulnerability--55014445-9d54-4f18-a108-4f7f950d210b", "indicator--5501445e-a540-44d5-801d-4c2c950d210b", "indicator--55014472-b0d8-48fe-800e-ca98950d210b", "indicator--55014472-1174-4e76-838f-ca98950d210b", "indicator--5501448d-2ed8-43ef-8476-492b950d210b", "indicator--550144a0-0f58-4165-94d0-48f2950d210b", "x-misp-attribute--550144aa-d8d4-43f4-b4cc-45f2950d210b", "indicator--550144c6-705c-4176-a9aa-9778950d210b", "observed-data--550144d5-fc14-4bf8-a9af-4fe8950d210b", "url--550144d5-fc14-4bf8-a9af-4fe8950d210b", "indicator--550145af-46c8-4980-8fab-ca98950d210b", "indicator--550145af-1cd8-4470-bddc-ca98950d210b", "indicator--550145af-1448-4610-9e15-ca98950d210b", "x-misp-attribute--550145c6-f97c-4ba4-aa09-9778950d210b", "indicator--550145ec-ddf8-4a02-b69f-49fb950d210b", "indicator--550145ed-a194-4be4-ae2d-49c2950d210b", "indicator--550145ed-4940-425d-8b3d-4532950d210b", "indicator--55014604-fde8-40d8-a01a-9778950d210b", "indicator--5501461f-b418-4dc1-a388-ca98950d210b", "observed-data--55014634-3e34-4ce2-94d9-4d15950d210b", "autonomous-system--55014634-3e34-4ce2-94d9-4d15950d210b", "x-misp-attribute--55014660-9d28-4cca-98bc-4cb7950d210b", "indicator--5501466b-005c-467a-9862-47c4950d210b", "indicator--5501468b-374c-4fec-a0d3-4a94950d210b", "indicator--5501468b-2338-4833-bb8e-456d950d210b", "indicator--5501468b-4f98-4f19-a158-435a950d210b", "indicator--550146d0-f174-4578-a83d-ca98950d210b", "indicator--5501471c-d41c-4568-91e3-41ad950d210b", "indicator--5501471c-4798-4566-a48c-48ad950d210b", "indicator--5501471c-1f40-458f-8f17-40f5950d210b", "indicator--5501471c-58e8-47c0-9fe2-48dc950d210b", "indicator--5501471c-f594-446e-9879-4b61950d210b", "indicator--5501471c-51cc-4abf-b1d9-4f6e950d210b", "indicator--55014746-35d0-487a-9f31-4410950d210b", "indicator--55014746-0bb8-43fe-98a9-4058950d210b", "indicator--55014746-1458-4bcd-aabf-4688950d210b", "indicator--5501479d-ffe8-4bdf-b1ba-0959950d210b", "indicator--5501479d-07b8-45b9-aaf3-0959950d210b", "indicator--550147c2-aeb8-44cc-84eb-4c8f950d210b", "indicator--550147c2-ef78-4730-9051-4e54950d210b", "indicator--550147c2-f8e0-49e2-ac9f-4140950d210b", "indicator--550147f4-84c0-4e82-bc24-0955950d210b", "indicator--550147f5-6850-4f1d-9a7f-0955950d210b", "indicator--550147f5-3fa4-48f9-ac44-0955950d210b" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--55014411-d4cc-4047-bc11-4dd5950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:45:21.000Z", "modified": "2015-03-12T07:45:21.000Z", "first_observed": "2015-03-12T07:45:21Z", "last_observed": "2015-03-12T07:45:21Z", "number_observed": 1, "object_refs": [ "url--55014411-d4cc-4047-bc11-4dd5950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--55014411-d4cc-4047-bc11-4dd5950d210b", "value": "https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501442f-79a8-4594-a548-310e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:45:51.000Z", "modified": "2015-03-12T07:45:51.000Z", "pattern": "[email-message:body_multipart[*].body_raw_ref.name = '10th March.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:45:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--55014445-9d54-4f18-a108-4f7f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:46:13.000Z", "modified": "2015-03-12T07:46:13.000Z", "name": "CVE-2012-0158", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2012-0158" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501445e-a540-44d5-801d-4c2c950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:59:57.000Z", "modified": "2015-03-12T07:59:57.000Z", "description": "MsAttacker", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.10.117.152']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:59:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55014472-b0d8-48fe-800e-ca98950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:46:58.000Z", "modified": "2015-03-12T07:46:58.000Z", "pattern": "[url:value = 'http://122.10.117.152/download/ms/MiniJs.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:46:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55014472-1174-4e76-838f-ca98950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:46:58.000Z", "modified": "2015-03-12T07:46:58.000Z", "pattern": "[url:value = '/download/ms/MiniJs.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:46:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501448d-2ed8-43ef-8476-492b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:47:25.000Z", "modified": "2015-03-12T07:47:25.000Z", "pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\system32\\\\teamviewsvc.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:47:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550144a0-0f58-4165-94d0-48f2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:59:57.000Z", "modified": "2015-03-12T07:59:57.000Z", "description": "MsAttacker", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.27.127.200']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:59:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--550144aa-d8d4-43f4-b4cc-45f2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:47:54.000Z", "modified": "2015-03-12T07:47:54.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "MsAttacker" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550144c6-705c-4176-a9aa-9778950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:48:22.000Z", "modified": "2015-03-12T07:48:22.000Z", "pattern": "[email-message:body_multipart[*].body_raw_ref.name = 'WTO. non-market status China _1_.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:48:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--550144d5-fc14-4bf8-a9af-4fe8950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:48:37.000Z", "modified": "2015-03-12T07:48:37.000Z", "first_observed": "2015-03-12T07:48:37Z", "last_observed": "2015-03-12T07:48:37Z", "number_observed": 1, "object_refs": [ "url--550144d5-fc14-4bf8-a9af-4fe8950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--550144d5-fc14-4bf8-a9af-4fe8950d210b", "value": "https://malwr.com/analysis/MDE4MDMzNGQ0MjY2NDY1OWE5ZTVhMDRmZjQzNTlkYWM/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550145af-46c8-4980-8fab-ca98950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:52:15.000Z", "modified": "2015-03-12T07:52:15.000Z", "description": "MiniJS.dll", "pattern": "[file:hashes.MD5 = '2782c233ddde25040fb1febf9b13611e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:52:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550145af-1cd8-4470-bddc-ca98950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:52:15.000Z", "modified": "2015-03-12T07:52:15.000Z", "description": "MiniJS.dll", "pattern": "[file:hashes.SHA1 = 'be50ef6c94f3b630886e1b337e89f4ea9d6e7649']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:52:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550145af-1448-4610-9e15-ca98950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:52:15.000Z", "modified": "2015-03-12T07:52:15.000Z", "description": "MiniJS.dll", "pattern": "[file:hashes.SHA256 = '50aebd2a1e3b8917d6c2b5e88c2e2999b2368fca550c548d0836aa57e35c463f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:52:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--550145c6-f97c-4ba4-aa09-9778950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:52:38.000Z", "modified": "2015-03-12T07:52:38.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "ShadowNet" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550145ec-ddf8-4a02-b69f-49fb950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:53:16.000Z", "modified": "2015-03-12T07:53:16.000Z", "pattern": "[url:value = 'http://johnsmith152.typepad.com/blog/rss.xml']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:53:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550145ed-a194-4be4-ae2d-49c2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:53:17.000Z", "modified": "2015-03-12T07:53:17.000Z", "pattern": "[url:value = 'http://mynewshemm.wordpress.com/feed/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:53:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550145ed-4940-425d-8b3d-4532950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:53:17.000Z", "modified": "2015-03-12T07:53:17.000Z", "pattern": "[url:value = 'http://johnsmith5382.thoughts.com/feed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:53:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55014604-fde8-40d8-a01a-9778950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:53:40.000Z", "modified": "2015-03-12T07:53:40.000Z", "pattern": "[url:value = 'http://www.semamail.info/firex/test.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:53:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501461f-b418-4dc1-a388-ca98950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:54:07.000Z", "modified": "2015-03-12T07:54:07.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.10.117.5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:54:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--55014634-3e34-4ce2-94d9-4d15950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:54:28.000Z", "modified": "2015-03-12T07:54:28.000Z", "first_observed": "2015-03-12T07:54:28Z", "last_observed": "2015-03-12T07:54:28Z", "number_observed": 1, "object_refs": [ "autonomous-system--55014634-3e34-4ce2-94d9-4d15950d210b" ], "labels": [ "misp:type=\"AS\"", "misp:category=\"Network activity\"" ] }, { "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--55014634-3e34-4ce2-94d9-4d15950d210b", "number": 24544 }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--55014660-9d28-4cca-98bc-4cb7950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:55:12.000Z", "modified": "2015-03-12T07:55:12.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Attribution\"" ], "x_misp_category": "Attribution", "x_misp_comment": "Registrant of semamail.info", "x_misp_type": "text", "x_misp_value": "mike.fly@email.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501466b-005c-467a-9862-47c4950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:55:23.000Z", "modified": "2015-03-12T07:55:23.000Z", "pattern": "[domain-name:value = 'semamail.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:55:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501468b-374c-4fec-a0d3-4a94950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:56:26.000Z", "modified": "2015-03-12T07:56:26.000Z", "description": "Same registrant as semamail.info", "pattern": "[domain-name:value = 'conamail.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:56:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501468b-2338-4833-bb8e-456d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:56:26.000Z", "modified": "2015-03-12T07:56:26.000Z", "description": "Same registrant as semamail.info", "pattern": "[domain-name:value = 'convmail.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:56:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501468b-4f98-4f19-a158-435a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:56:26.000Z", "modified": "2015-03-12T07:56:26.000Z", "description": "Same registrant as semamail.info", "pattern": "[domain-name:value = 'fifamp3.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:56:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550146d0-f174-4578-a83d-ca98950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:57:04.000Z", "modified": "2015-03-12T07:57:04.000Z", "description": "Also resolved to 122.10.117.35", "pattern": "[domain-name:value = 'rukiyeangel.dyndns.pro']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:57:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501471c-d41c-4568-91e3-41ad950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:58:20.000Z", "modified": "2015-03-12T07:58:20.000Z", "description": "MsAttacker Stage 0", "pattern": "[file:hashes.MD5 = '8346b50c3954b5c25bf13fcd281eb11a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:58:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501471c-4798-4566-a48c-48ad950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:58:20.000Z", "modified": "2015-03-12T07:58:20.000Z", "description": "MsAttacker Stage 0", "pattern": "[file:hashes.SHA1 = 'd9a74528bb56a841cea1fe5fa3e0c777a8e96402']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:58:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501471c-1f40-458f-8f17-40f5950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:58:20.000Z", "modified": "2015-03-12T07:58:20.000Z", "description": "MsAttacker Stage 0", "pattern": "[file:hashes.SHA256 = 'de7058700f06c5310c26944b28203bc82035f9ff74021649db39a24470517fd1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:58:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501471c-58e8-47c0-9fe2-48dc950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:58:20.000Z", "modified": "2015-03-12T07:58:20.000Z", "description": "MsAttacker Stage 0", "pattern": "[file:hashes.MD5 = '6fc909a57650daff9a8b9264f38444a7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:58:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501471c-f594-446e-9879-4b61950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:58:20.000Z", "modified": "2015-03-12T07:58:20.000Z", "description": "MsAttacker Stage 0", "pattern": "[file:hashes.SHA1 = '2a2a1fae6be0468d388aa2c721a0edd93fb37649']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:58:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501471c-51cc-4abf-b1d9-4f6e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:58:20.000Z", "modified": "2015-03-12T07:58:20.000Z", "description": "MsAttacker Stage 0", "pattern": "[file:hashes.SHA256 = 'a264cec4096a04c47013d41dcddab9f99482f8f83d61e13be4bcf4614f79b7a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:58:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55014746-35d0-487a-9f31-4410950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:59:02.000Z", "modified": "2015-03-12T07:59:02.000Z", "description": "MsAttacker Stage 1", "pattern": "[file:hashes.MD5 = '69a0f490de6ae9fdde0ad9cc35305a7d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:59:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55014746-0bb8-43fe-98a9-4058950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:59:02.000Z", "modified": "2015-03-12T07:59:02.000Z", "description": "MsAttacker Stage 1", "pattern": "[file:hashes.SHA1 = 'e3532fc890f659fb6afb9115b388e0024565888c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:59:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55014746-1458-4bcd-aabf-4688950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T07:59:02.000Z", "modified": "2015-03-12T07:59:02.000Z", "description": "MsAttacker Stage 1", "pattern": "[file:hashes.SHA256 = '3de8fb09d79166f10f4a10aef1202c2cb45849943f224dc6c61df8d18435e064']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T07:59:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501479d-ffe8-4bdf-b1ba-0959950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:00:29.000Z", "modified": "2015-03-12T08:00:29.000Z", "pattern": "[url:value = 'http://122.10.117.152/download/ms/CryptBase.32.cab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T08:00:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5501479d-07b8-45b9-aaf3-0959950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:00:29.000Z", "modified": "2015-03-12T08:00:29.000Z", "pattern": "[url:value = 'http://122.10.117.152/download/ms/CryptBase.64.cab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T08:00:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550147c2-aeb8-44cc-84eb-4c8f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:01:06.000Z", "modified": "2015-03-12T08:01:06.000Z", "description": "ShadowNet Stage 0", "pattern": "[file:hashes.MD5 = '72707089512762fce576e29a0472eb16']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T08:01:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550147c2-ef78-4730-9051-4e54950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:01:06.000Z", "modified": "2015-03-12T08:01:06.000Z", "description": "ShadowNet Stage 0", "pattern": "[file:hashes.SHA1 = '4ab039da14acf7d80fbb11034ef9ccc861c5ed24']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T08:01:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550147c2-f8e0-49e2-ac9f-4140950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:01:06.000Z", "modified": "2015-03-12T08:01:06.000Z", "description": "ShadowNet Stage 0", "pattern": "[file:hashes.SHA256 = 'ddfa44ebb181282e815e965a1c531c7e145128aa7306b508a563e10d5f9f03fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T08:01:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550147f4-84c0-4e82-bc24-0955950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:01:56.000Z", "modified": "2015-03-12T08:01:56.000Z", "description": "ShadowNet Stage 1", "pattern": "[file:hashes.MD5 = 'd8ae44cd65f97654f066edbcb501d999']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T08:01:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550147f5-6850-4f1d-9a7f-0955950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:01:57.000Z", "modified": "2015-03-12T08:01:57.000Z", "description": "ShadowNet Stage 1", "pattern": "[file:hashes.SHA1 = '602a762dca46f7639210e60c59f89a6e7a16391b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T08:01:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--550147f5-3fa4-48f9-ac44-0955950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-03-12T08:01:57.000Z", "modified": "2015-03-12T08:01:57.000Z", "description": "ShadowNet Stage 1", "pattern": "[file:hashes.SHA256 = 'e8f36317e29206d48bd0e6dd6570872122be44f82ca1de01aef373b3cdb2c0e1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-03-12T08:01:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:GREEN", "definition": { "tlp": "green" } } ] }