{ "type": "bundle", "id": "bundle--551e7bc4-ed74-4ff2-aef7-1888950d210b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T19:56:10.000Z", "modified": "2015-04-03T19:56:10.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--551e7bc4-ed74-4ff2-aef7-1888950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T19:56:10.000Z", "modified": "2015-04-03T19:56:10.000Z", "name": "OSINT Additional yara rules for Equation Drug by Florian Roth", "published": "2016-02-22T14:20:57Z", "object_refs": [ "x-misp-attribute--551e7bd5-a208-44a8-9173-1a0e950d210b", "observed-data--551e7bf0-2c14-45cb-8ef2-1879950d210b", "url--551e7bf0-2c14-45cb-8ef2-1879950d210b", "observed-data--551e7bf0-d148-470e-8c28-1879950d210b", "url--551e7bf0-d148-470e-8c28-1879950d210b", "observed-data--551e7c27-fa3c-4646-a4b1-948e950d210b", "url--551e7c27-fa3c-4646-a4b1-948e950d210b", "x-misp-attribute--551e7c3d-1d24-422b-996f-9144950d210b", "x-misp-attribute--551e7c3d-09e4-4a83-ab3a-9144950d210b", "indicator--551e7c52-33e8-448c-9e48-13b6950d210b", "indicator--551e7c60-0274-44b9-b508-1888950d210b", "indicator--551e7c6d-def0-43c3-86fb-7455950d210b", "indicator--551e7c7d-cce8-4854-8048-948e950d210b", "indicator--551e7c91-544c-4776-95f9-0d4d950d210b", "indicator--551e7ca5-b9a4-4ef2-84f1-9144950d210b", "indicator--551e7cb5-5f8c-45d5-be4b-4dc2950d210b", "indicator--551e7cc5-36b8-465f-bc94-8c54950d210b", "indicator--551e7cd9-b65c-4be1-959b-13b6950d210b", "indicator--551e7ce9-b7c0-4bf8-97c3-948e950d210b", "indicator--551e7cfd-bd28-489c-a56a-7455950d210b", "indicator--551e7d0c-9254-4e05-8fb7-13b6950d210b", "indicator--551e7d9f-449c-4b11-b116-1a0e950d210b", "indicator--551e7d9f-90b4-495d-a76f-1a0e950d210b", "indicator--551e7d9f-e820-4991-a88b-1a0e950d210b", "indicator--551e7da0-6554-48c1-9789-1a0e950d210b", "indicator--551e7da0-2538-4b10-9773-1a0e950d210b", "indicator--551e7da0-ed30-41a0-b60e-1a0e950d210b", "indicator--551e7da0-fa2c-4124-bc52-1a0e950d210b", "indicator--551e7da0-e87c-460b-8a4d-1a0e950d210b", "indicator--551e7da0-cb54-4d83-bd6f-1a0e950d210b", "indicator--551e7da0-5eb4-4489-98a0-1a0e950d210b", "indicator--551e7da0-5a10-440a-a4ce-1a0e950d210b", "indicator--551e7da0-b430-43bf-b5fa-1a0e950d210b", "indicator--56c65911-1c7c-4ca9-860f-59a1950d210f", "indicator--56c65913-45f0-437c-afe4-59a2950d210f", "indicator--56c65915-1a88-47c3-a14f-59a4950d210f", "indicator--56c65917-cb64-415e-a117-599e950d210f", "indicator--56c65919-a364-49c2-8632-c650950d210f", "indicator--56c6591b-ec0c-4ef9-a84c-599d950d210f", "indicator--56c6591d-a640-4716-8bf4-5f51950d210f", "indicator--56c6591f-28dc-40be-9925-c654950d210f", "indicator--56c65921-3ee8-4e94-b03a-c651950d210f", "indicator--56c65922-3ac8-4f0c-b172-432f950d210f", "indicator--56c65924-bc08-4ddc-b84a-c653950d210f", "indicator--56c65927-6c14-408b-81bb-599c950d210f", "indicator--56c65912-dab8-4b67-aa47-5f51950d210f", "indicator--56c65914-4cb0-4ff7-84e0-c653950d210f", "indicator--56c65916-6540-4e43-a359-4dfb950d210f", "indicator--56c65918-64ac-4501-bbe1-5f51950d210f", "indicator--56c6591a-e1f0-4015-a784-c651950d210f", "indicator--56c6591b-0f40-4f75-819b-4aed950d210f", "indicator--56c6591e-7c58-4732-8dcf-c650950d210f", "indicator--56c65920-d184-482b-99e8-59a3950d210f", "indicator--56c65922-8c08-40ea-b58c-599f950d210f", "indicator--56c65923-7868-4115-8eaf-49ed950d210f", "indicator--56c65925-b8b8-4f8c-9be2-5f51950d210f", "indicator--56c65928-b2d8-4247-924b-59a4950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--551e7bd5-a208-44a8-9173-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:39:01.000Z", "modified": "2015-04-03T11:39:01.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Equation Drug" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--551e7bf0-2c14-45cb-8ef2-1879950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:39:28.000Z", "modified": "2015-04-03T11:39:28.000Z", "first_observed": "2015-04-03T11:39:28Z", "last_observed": "2015-04-03T11:39:28Z", "number_observed": 1, "object_refs": [ "url--551e7bf0-2c14-45cb-8ef2-1879950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--551e7bf0-2c14-45cb-8ef2-1879950d210b", "value": "https://github.com/Neo23x0/Loki/blob/master/signatures/spy_equation_fiveeyes.yar" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--551e7bf0-d148-470e-8c28-1879950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:39:28.000Z", "modified": "2015-04-03T11:39:28.000Z", "first_observed": "2015-04-03T11:39:28Z", "last_observed": "2015-04-03T11:39:28Z", "number_observed": 1, "object_refs": [ "url--551e7bf0-d148-470e-8c28-1879950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--551e7bf0-d148-470e-8c28-1879950d210b", "value": "https://github.com/Neo23x0/Loki/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--551e7c27-fa3c-4646-a4b1-948e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:40:23.000Z", "modified": "2015-04-03T11:40:23.000Z", "first_observed": "2015-04-03T11:40:23Z", "last_observed": "2015-04-03T11:40:23Z", "number_observed": 1, "object_refs": [ "url--551e7c27-fa3c-4646-a4b1-948e950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--551e7c27-fa3c-4646-a4b1-948e950d210b", "value": "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--551e7c3d-1d24-422b-996f-9144950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:40:45.000Z", "modified": "2015-04-03T11:40:45.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "EquationGroup" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--551e7c3d-09e4-4a83-ab3a-9144950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:40:45.000Z", "modified": "2015-04-03T11:40:45.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Equation Group" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7c52-33e8-448c-9e48-13b6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:41:06.000Z", "modified": "2015-04-03T11:41:06.000Z", "pattern": "[rule EquationDrug_NetworkSniffer1 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"26e787997a338d8111d96c9a4c103cf8ff0201ce\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s3 = \"sys\\\\mstcp32.dbg\" fullword ascii\r\n\t\t$s7 = \"mstcp32.sys\" fullword wide\r\n\t\t$s8 = \"p32.sys\" fullword ascii\r\n\t\t$s9 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s10 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s11 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:41:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7c60-0274-44b9-b508-1888950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:41:20.000Z", "modified": "2015-04-03T11:41:20.000Z", "pattern": "[rule EquationDrug_CompatLayer_UnilayDLL {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Unilay.DLL\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"a3a31937956f161beba8acac35b96cb74241cd0f\"\r\n\tstrings:\r\n\t\t$mz = { 4d 5a }\r\n\t\t$s0 = \"unilay.dll\" fullword ascii\r\n\tcondition:\r\n\t\t( $mz at 0 ) and $s0\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:41:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7c6d-def0-43c3-86fb-7455950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:41:33.000Z", "modified": "2015-04-03T11:41:33.000Z", "pattern": "[rule EquationDrug_HDDSSD_Op {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - HDD/SSD firmware operation - nls_933w.dll\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"ff2b50f371eb26f22eb8a2118e9ab0e015081500\"\r\n\tstrings:\r\n\t\t$s0 = \"nls_933w.dll\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:41:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7c7d-cce8-4854-8048-948e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:41:49.000Z", "modified": "2015-04-03T11:41:49.000Z", "pattern": "[rule EquationDrug_NetworkSniffer2 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network Sniffer - tdip.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"7e3cd36875c0e5ccb076eb74855d627ae8d4627f\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"IP Transport Driver\" fullword wide\r\n\t\t$s2 = \"tdip.sys\" fullword wide\r\n\t\t$s3 = \"sys\\\\tdip.dbg\" fullword ascii\r\n\t\t$s4 = \"dip.sys\" fullword ascii\r\n\t\t$s5 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s6 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s7 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:41:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7c91-544c-4776-95f9-0d4d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:42:09.000Z", "modified": "2015-04-03T11:42:09.000Z", "pattern": "[rule EquationDrug_NetworkSniffer3 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network Sniffer - tdip.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"14599516381a9646cd978cf962c4f92386371040\"\r\n\tstrings:\r\n\t\t$s0 = \"Corporation. All rights reserved.\" fullword wide\r\n\t\t$s1 = \"IP Transport Driver\" fullword wide\r\n\t\t$s2 = \"tdip.sys\" fullword wide\r\n\t\t$s3 = \"tdip.pdb\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:42:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7ca5-b9a4-4ef2-84f1-9144950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:42:29.000Z", "modified": "2015-04-03T11:42:29.000Z", "pattern": "[rule EquationDrug_VolRec_Driver {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Collector plugin for Volrec - msrstd.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"ee2b504ad502dc3fed62d6483d93d9b1221cdd6c\"\r\n\tstrings:\r\n\t\t$s0 = \"msrstd.sys\" fullword wide\r\n\t\t$s1 = \"msrstd.pdb\" fullword ascii\r\n\t\t$s2 = \"msrstd driver\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:42:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7cb5-5f8c-45d5-be4b-4dc2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:42:45.000Z", "modified": "2015-04-03T11:42:45.000Z", "pattern": "[rule EquationDrug_KernelRootkit {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"597715224249e9fb77dc733b2e4d507f0cc41af6\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"Parmsndsrv.dbg\" fullword ascii\r\n\t\t$s2 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s3 = \"msndsrv.sys\" fullword wide\r\n\t\t$s5 = \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Windows\" fullword wide\r\n\t\t$s6 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s7 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s9 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:42:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7cc5-36b8-465f-bc94-8c54950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:43:01.000Z", "modified": "2015-04-03T11:43:01.000Z", "pattern": "[rule EquationDrug_Keylogger {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Key/clipboard logger driver - msrtvd.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"b93aa17b19575a6e4962d224c5801fb78e9a7bb5\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\registry\\\\machine\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\" fullword wide\r\n\t\t$s2 = \"\\\\registry\\\\machine\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Session Manager\\\\En\" wide\r\n\t\t$s3 = \"\\\\DosDevices\\\\Gk\" fullword wide\r\n\t\t$s5 = \"\\\\Device\\\\Gk0\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:43:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7cd9-b65c-4be1-959b-13b6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:43:21.000Z", "modified": "2015-04-03T11:43:21.000Z", "pattern": "[rule EquationDrug_NetworkSniffer4 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network-sniffer/patcher - atmdkdrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"cace40965f8600a24a2457f7792efba3bd84d9ba\"\r\n\tstrings:\r\n\t\t$s0 = \"Copyright 1999 RAVISENT Technologies Inc.\" fullword wide\r\n\t\t$s1 = \"\\\\systemroot\\\\\" fullword ascii\r\n\t\t$s2 = \"RAVISENT Technologies Inc.\" fullword wide\r\n\t\t$s3 = \"Created by VIONA Development\" fullword wide\r\n\t\t$s4 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s5 = \"\\\\device\\\\harddiskvolume\" fullword wide\r\n\t\t$s7 = \"ATMDKDRV.SYS\" fullword wide\r\n\t\t$s8 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s9 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s10 = \"CineMaster C 1.1 WDM Main Driver\" fullword wide\r\n\t\t$s11 = \"\\\\Device\\\\%ws\" fullword wide\r\n\t\t$s13 = \"CineMaster C 1.1 WDM\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:43:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7ce9-b7c0-4bf8-97c3-948e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:43:37.000Z", "modified": "2015-04-03T11:43:37.000Z", "pattern": "[rule EquationDrug_PlatformOrchestrator {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"febc4f30786db7804008dc9bc1cebdc26993e240\"\r\n\tstrings:\r\n\t\t$s0 = \"SERVICES.EXE\" fullword wide\r\n\t\t$s1 = \"\\\\command.com\" fullword wide\r\n\t\t$s2 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s3 = \"LSASS.EXE\" fullword wide\r\n\t\t$s4 = \"Windows Configuration Services\" fullword wide\r\n\t\t$s8 = \"unilay.dll\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:43:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7cfd-bd28-489c-a56a-7455950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:43:57.000Z", "modified": "2015-04-03T11:43:57.000Z", "pattern": "[rule EquationDrug_NetworkSniffer5 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network-sniffer/patcher - atmdkdrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"09399b9bd600d4516db37307a457bc55eedcbd17\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s2 = \"atmdkdrv.sys\" fullword wide\r\n\t\t$s4 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s5 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s6 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:43:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7d0c-9254-4e05-8fb7-13b6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:44:12.000Z", "modified": "2015-04-03T11:44:12.000Z", "pattern": "[rule EquationDrug_FileSystem_Filter {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Filesystem filter driver \u00e2\u20ac\u201c volrec.sys, scsi2mgr.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"57fa4a1abbf39f4899ea76543ebd3688dcc11e13\"\r\n\tstrings:\r\n\t\t$s0 = \"volrec.sys\" fullword wide\r\n\t\t$s1 = \"volrec.pdb\" fullword ascii\r\n\t\t$s2 = \"Volume recognizer driver\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2015-04-03T11:44:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7d9f-449c-4b11-b116-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:39.000Z", "modified": "2015-04-03T11:46:39.000Z", "pattern": "[file:hashes.SHA1 = '26e787997a338d8111d96c9a4c103cf8ff0201ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7d9f-90b4-495d-a76f-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:39.000Z", "modified": "2015-04-03T11:46:39.000Z", "pattern": "[file:hashes.SHA1 = 'a3a31937956f161beba8acac35b96cb74241cd0f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7d9f-e820-4991-a88b-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:39.000Z", "modified": "2015-04-03T11:46:39.000Z", "pattern": "[file:hashes.SHA1 = 'ff2b50f371eb26f22eb8a2118e9ab0e015081500']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-6554-48c1-9789-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = '7e3cd36875c0e5ccb076eb74855d627ae8d4627f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-2538-4b10-9773-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = '14599516381a9646cd978cf962c4f92386371040']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-ed30-41a0-b60e-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = 'ee2b504ad502dc3fed62d6483d93d9b1221cdd6c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-fa2c-4124-bc52-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = '597715224249e9fb77dc733b2e4d507f0cc41af6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-e87c-460b-8a4d-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = 'b93aa17b19575a6e4962d224c5801fb78e9a7bb5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-cb54-4d83-bd6f-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = 'cace40965f8600a24a2457f7792efba3bd84d9ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-5eb4-4489-98a0-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = 'febc4f30786db7804008dc9bc1cebdc26993e240']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-5a10-440a-a4ce-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = '09399b9bd600d4516db37307a457bc55eedcbd17']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--551e7da0-b430-43bf-b5fa-1a0e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-03T11:46:40.000Z", "modified": "2015-04-03T11:46:40.000Z", "pattern": "[file:hashes.SHA1 = '57fa4a1abbf39f4899ea76543ebd3688dcc11e13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-03T11:46:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65911-1c7c-4ca9-860f-59a1950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:45.000Z", "modified": "2016-02-18T23:51:45.000Z", "description": "Automatically added (via 26e787997a338d8111d96c9a4c103cf8ff0201ce)", "pattern": "[file:hashes.MD5 = '74de13b5ea68b3da24addc009f84baee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65913-45f0-437c-afe4-59a2950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:47.000Z", "modified": "2016-02-18T23:51:47.000Z", "description": "Automatically added (via a3a31937956f161beba8acac35b96cb74241cd0f)", "pattern": "[file:hashes.MD5 = 'ef4405930e6071ae1f7f6fa7d4f3397d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65915-1a88-47c3-a14f-59a4950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:49.000Z", "modified": "2016-02-18T23:51:49.000Z", "description": "Automatically added (via ff2b50f371eb26f22eb8a2118e9ab0e015081500)", "pattern": "[file:hashes.MD5 = '11fb08b9126cdb4668b3f5135cf7a6c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65917-cb64-415e-a117-599e950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:51.000Z", "modified": "2016-02-18T23:51:51.000Z", "description": "Automatically added (via 7e3cd36875c0e5ccb076eb74855d627ae8d4627f)", "pattern": "[file:hashes.MD5 = '20506375665a6a62f7d9dd22d1cc9870']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65919-a364-49c2-8632-c650950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:53.000Z", "modified": "2016-02-18T23:51:53.000Z", "description": "Automatically added (via 14599516381a9646cd978cf962c4f92386371040)", "pattern": "[file:hashes.MD5 = '60dab5bb319281747c5863b44c5ac60d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c6591b-ec0c-4ef9-a84c-599d950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:55.000Z", "modified": "2016-02-18T23:51:55.000Z", "description": "Automatically added (via ee2b504ad502dc3fed62d6483d93d9b1221cdd6c)", "pattern": "[file:hashes.MD5 = '15d39578460e878dd89e8911180494ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c6591d-a640-4716-8bf4-5f51950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:57.000Z", "modified": "2016-02-18T23:51:57.000Z", "description": "Automatically added (via 597715224249e9fb77dc733b2e4d507f0cc41af6)", "pattern": "[file:hashes.MD5 = 'c4f8671c1f00dab30f5f88d684af1927']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c6591f-28dc-40be-9925-c654950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:59.000Z", "modified": "2016-02-18T23:51:59.000Z", "description": "Automatically added (via b93aa17b19575a6e4962d224c5801fb78e9a7bb5)", "pattern": "[file:hashes.MD5 = 'f6bf3ed3bcd466e5fd1cbaf6ba658716']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65921-3ee8-4e94-b03a-c651950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:01.000Z", "modified": "2016-02-18T23:52:01.000Z", "description": "Automatically added (via cace40965f8600a24a2457f7792efba3bd84d9ba)", "pattern": "[file:hashes.MD5 = '214f7a2c95bdc265888fbcd24e3587da']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65922-3ac8-4f0c-b172-432f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:02.000Z", "modified": "2016-02-18T23:52:02.000Z", "description": "Automatically added (via febc4f30786db7804008dc9bc1cebdc26993e240)", "pattern": "[file:hashes.MD5 = '5767b9d851d0c24e13eca1bfd16ea424']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65924-bc08-4ddc-b84a-c653950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:04.000Z", "modified": "2016-02-18T23:52:04.000Z", "description": "Automatically added (via 09399b9bd600d4516db37307a457bc55eedcbd17)", "pattern": "[file:hashes.MD5 = '8d87a1845122bf090b3d8656dc9d60a8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65927-6c14-408b-81bb-599c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:07.000Z", "modified": "2016-02-18T23:52:07.000Z", "description": "Automatically added (via 57fa4a1abbf39f4899ea76543ebd3688dcc11e13)", "pattern": "[file:hashes.MD5 = 'c17e16a54916d3838f63d208ebab9879']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65912-dab8-4b67-aa47-5f51950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:46.000Z", "modified": "2016-02-18T23:51:46.000Z", "description": "Automatically added (via 26e787997a338d8111d96c9a4c103cf8ff0201ce)", "pattern": "[file:hashes.SHA256 = '26215bc56dc31d2466d72f1f4e1b6388e62606e9949bc41c28968fcb9a9d60a6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65914-4cb0-4ff7-84e0-c653950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:48.000Z", "modified": "2016-02-18T23:51:48.000Z", "description": "Automatically added (via a3a31937956f161beba8acac35b96cb74241cd0f)", "pattern": "[file:hashes.SHA256 = '1c376452b451e05363dd39c56994bd3414e02ffecf89dbc40461eb6e2fe9e51e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65916-6540-4e43-a359-4dfb950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:50.000Z", "modified": "2016-02-18T23:51:50.000Z", "description": "Automatically added (via ff2b50f371eb26f22eb8a2118e9ab0e015081500)", "pattern": "[file:hashes.SHA256 = '83d14ce2dcfc852791d20cd78066ba5a2b39eb503e12e33f2ef0b1a46c68de73']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65918-64ac-4501-bbe1-5f51950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:52.000Z", "modified": "2016-02-18T23:51:52.000Z", "description": "Automatically added (via 7e3cd36875c0e5ccb076eb74855d627ae8d4627f)", "pattern": "[file:hashes.SHA256 = 'a5ec4d102d802ada7c5083af53fd9d3c9b5aa83be9de58dbb4fac7876faf6d29']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c6591a-e1f0-4015-a784-c651950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:54.000Z", "modified": "2016-02-18T23:51:54.000Z", "description": "Automatically added (via 14599516381a9646cd978cf962c4f92386371040)", "pattern": "[file:hashes.SHA256 = '318bb5ca29ac1f647f78a5cf1124d6849fadf52e5bc7193fa05922d36a8db4e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c6591b-0f40-4f75-819b-4aed950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:55.000Z", "modified": "2016-02-18T23:51:55.000Z", "description": "Automatically added (via ee2b504ad502dc3fed62d6483d93d9b1221cdd6c)", "pattern": "[file:hashes.SHA256 = 'c3f92c8b2b11c170879fafa29b698d76a5ea4ed37e01674848c63a911d76bece']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c6591e-7c58-4732-8dcf-c650950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:51:58.000Z", "modified": "2016-02-18T23:51:58.000Z", "description": "Automatically added (via 597715224249e9fb77dc733b2e4d507f0cc41af6)", "pattern": "[file:hashes.SHA256 = '9f1b82e6c2e9760284c53c5377a054d6cfcb2bd5e36329e0f7c395aa02d79d0d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:51:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65920-d184-482b-99e8-59a3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:00.000Z", "modified": "2016-02-18T23:52:00.000Z", "description": "Automatically added (via b93aa17b19575a6e4962d224c5801fb78e9a7bb5)", "pattern": "[file:hashes.SHA256 = '63a3b1d2e234481bcee6d95ff8e4d7ebf1967009e32fda35a675bffbd8e4c4aa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65922-8c08-40ea-b58c-599f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:02.000Z", "modified": "2016-02-18T23:52:02.000Z", "description": "Automatically added (via cace40965f8600a24a2457f7792efba3bd84d9ba)", "pattern": "[file:hashes.SHA256 = 'd0a4b7d09d36459b07552c0269eeed450fb016a1192088bfb13cf50fba7f92cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65923-7868-4115-8eaf-49ed950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:03.000Z", "modified": "2016-02-18T23:52:03.000Z", "description": "Automatically added (via febc4f30786db7804008dc9bc1cebdc26993e240)", "pattern": "[file:hashes.SHA256 = '9df733c565cf3c98878911af11ff17f8788c06e56466db6eaab81f8fa80344e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65925-b8b8-4f8c-9be2-5f51950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:05.000Z", "modified": "2016-02-18T23:52:05.000Z", "description": "Automatically added (via 09399b9bd600d4516db37307a457bc55eedcbd17)", "pattern": "[file:hashes.SHA256 = '897489999ff2c360678cdba9a40a6613fc042f346ccfb325fdc0fa46ac42d00e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65928-b2d8-4247-924b-59a4950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:52:08.000Z", "modified": "2016-02-18T23:52:08.000Z", "description": "Automatically added (via 57fa4a1abbf39f4899ea76543ebd3688dcc11e13)", "pattern": "[file:hashes.SHA256 = '355e5643c5a04c18d831b942ef65a21d1cdb1d93ea328b0203a38876cef3f93e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:52:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }