{ "type": "bundle", "id": "bundle--559d537c-f570-4e97-8154-98d9950d210b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2020-08-03T06:31:12.000Z", "modified": "2020-08-03T06:31:12.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--559d537c-f570-4e97-8154-98d9950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2020-08-03T06:31:12.000Z", "modified": "2020-08-03T06:31:12.000Z", "name": "OSINT Morpho: Profiting from high-level corporate attacks by Symantec", "published": "2020-08-03T06:34:53Z", "object_refs": [ "observed-data--559d539e-3848-4a7a-a61a-579a950d210b", "url--559d539e-3848-4a7a-a61a-579a950d210b", "observed-data--559d539e-1e30-42bd-add3-579a950d210b", "url--559d539e-1e30-42bd-add3-579a950d210b", "x-misp-attribute--559d53a7-885c-4439-91d2-4f5d950d210b", "indicator--559e20a1-70a4-430f-b7c4-a038950d210b", "indicator--559e20b3-ac64-41f5-881a-4db2950d210b", "indicator--559e20cc-3b88-4598-8dfd-eae3950d210b", "indicator--559e20dc-8188-4564-aa28-4feb950d210b", "indicator--559e20ee-bb88-40d4-96a7-a037950d210b", "indicator--559e20fc-2154-465d-a50e-e09a950d210b", "indicator--559e2111-9998-4ca2-ba49-4861950d210b", "indicator--559e2131-66b8-4b07-97e2-e09a950d210b", "indicator--559e2176-9470-4372-b288-45b9950d210b", "indicator--559e2176-8708-4641-a871-43c1950d210b", "indicator--559e2177-e0fc-478a-9412-4bf1950d210b", "indicator--559e2177-6d28-44c8-9b18-41d1950d210b", "indicator--559e229f-6234-4f9d-a587-49de950d210b", "indicator--559e229f-b908-4716-ac97-418b950d210b", "indicator--559e229f-25d8-4ce8-b3e1-40a6950d210b", "indicator--559e229f-8e58-4706-a012-4fb4950d210b", "indicator--559e229f-6e30-4831-bc56-4e54950d210b", "indicator--559e22a0-9884-48fa-b96d-42b0950d210b", "indicator--559e22a0-2324-490c-a1b3-40ea950d210b", "indicator--559e22a0-a37c-46a2-aa27-47e0950d210b", "indicator--559e22a0-45c0-4bd2-b6aa-49f9950d210b", "indicator--559e22a0-9048-416b-b549-4ee2950d210b", "indicator--559e22a0-5e64-4f0e-abc1-4820950d210b", "indicator--559e22a1-e808-42aa-952c-4b87950d210b", "indicator--559e22a1-2844-4ff3-8ce3-4fa5950d210b", "indicator--559e22a1-cfac-4f92-9226-49a0950d210b", "indicator--559e22a1-97b8-4437-9246-4173950d210b", "indicator--559e22a1-9300-428a-8642-44ed950d210b", "indicator--559e22a1-f5cc-41ff-9e59-401a950d210b", "indicator--559e22a2-a3b8-4da5-8dd0-4fb6950d210b", "indicator--559e22a2-411c-4b2b-900b-4d20950d210b", "indicator--559e22a2-5698-449a-a2e9-4ee6950d210b", "indicator--559e22a2-3a28-4047-bcc1-4b85950d210b", "indicator--559e22a2-1d24-4ca2-adbc-40be950d210b", "indicator--559e22a2-3df4-4350-8444-41f8950d210b", "indicator--559e22a3-7f28-4a03-883b-46db950d210b", "indicator--559e22a3-bce8-4a85-a9d9-480e950d210b", "indicator--559e22a3-99b0-49ac-9f0e-4f6b950d210b", "indicator--559e22a3-b928-4fd6-8424-4775950d210b", "indicator--559e22a3-357c-419f-9f9a-4381950d210b", "indicator--559e22a3-640c-4502-98b8-4394950d210b", "indicator--559e22a4-c05c-4ed7-a801-450a950d210b", "indicator--559e22a4-a60c-44bd-bbf2-41fb950d210b", "indicator--559e22a4-49c0-4b9b-a7d5-4244950d210b", "indicator--559e22a4-d564-4cb3-9f36-46f8950d210b", "indicator--559e22a4-0bd4-47db-b133-472f950d210b", "indicator--559e22a4-8508-4c6d-9c4f-4b55950d210b", "indicator--559e22a5-d3bc-4475-b0db-49fd950d210b", "indicator--559e22a5-f8cc-4d7e-92a0-4cd6950d210b", "indicator--559e22a5-7ed0-4845-8e5b-4be8950d210b", "indicator--559e22a5-5f08-4268-819c-4736950d210b", "indicator--559e22a5-744c-4f64-b245-471b950d210b", "indicator--559e22a5-cf90-4254-a283-42b9950d210b", "indicator--559e22a6-91d8-450b-bdce-46df950d210b", "indicator--559e22a6-c660-4ea1-9a11-46d0950d210b", "indicator--559e22a6-8144-43f8-9676-4921950d210b", "indicator--559e22a6-c90c-43cf-8ccf-42f7950d210b", "indicator--559e22a6-5f4c-4bae-8709-4e08950d210b", "indicator--559e22a6-7970-46de-bfb5-4fee950d210b", "indicator--559e22a7-4ea4-4a79-b9de-4c33950d210b", "indicator--559e22a7-bba0-4fbc-b479-466d950d210b", "indicator--559e22d0-e8b0-4992-947b-44b8950d210b", "indicator--559e22d0-f144-4775-9fd4-483b950d210b", "indicator--559e22f1-0f1c-48b6-900c-a038950d210b", "indicator--559e22f1-bf04-4e8d-b839-a038950d210b", "indicator--559e22f2-f898-4624-8cca-a038950d210b", "indicator--559e22f2-3030-4832-8da7-a038950d210b", "indicator--559e22f2-ae4c-4264-b113-a038950d210b", "indicator--559e232d-b48c-4c45-800d-4b34950d210b", "x-misp-attribute--559e2341-1b68-406c-84c5-4c62950d210b", "x-misp-attribute--559e2445-1780-408a-a19c-42f4950d210b", "x-misp-attribute--559e2445-32ec-4657-b803-4ce4950d210b", "x-misp-attribute--559e2445-1f1c-4665-9b46-4b73950d210b", "x-misp-attribute--559e2445-fb10-4967-bec2-4665950d210b", "x-misp-attribute--559e2445-a434-43a7-b45f-4a90950d210b", "x-misp-attribute--559e2446-ce48-4a27-b1af-44f3950d210b", "x-misp-attribute--559f6755-80e8-44bc-9190-d94a950d210b", "indicator--560a8311-c798-492e-818a-4caf950d210b", "indicator--560a8311-6628-485f-8530-4caf950d210b", "observed-data--560a8312-e670-49a3-8fee-4caf950d210b", "url--560a8312-e670-49a3-8fee-4caf950d210b", "indicator--560a8312-89b0-4e30-9fa7-4caf950d210b", "indicator--560a8312-6414-4e82-bfd0-4caf950d210b", "observed-data--560a8313-83cc-45df-905f-4caf950d210b", "url--560a8313-83cc-45df-905f-4caf950d210b", "indicator--560a8313-a258-48de-b71e-4caf950d210b", "indicator--560a8313-f004-435c-9313-4caf950d210b", "observed-data--560a8314-fbc8-492c-bc94-4caf950d210b", "url--560a8314-fbc8-492c-bc94-4caf950d210b", "indicator--560a8314-d274-42eb-acc8-4caf950d210b", "indicator--560a8314-b004-4c81-a944-4caf950d210b", "observed-data--560a8315-e55c-4aec-bd84-4caf950d210b", "url--560a8315-e55c-4aec-bd84-4caf950d210b", "indicator--560a8315-abd0-46aa-9116-4caf950d210b", "indicator--560a8315-00a4-42d4-81a1-4caf950d210b", "observed-data--560a8316-85ec-418d-a594-4caf950d210b", "url--560a8316-85ec-418d-a594-4caf950d210b", "indicator--560a8316-1c10-464d-b502-4caf950d210b", "indicator--560a8317-9d64-4faa-a6df-4caf950d210b", "observed-data--560a8317-a63c-42a1-a6cd-4caf950d210b", "url--560a8317-a63c-42a1-a6cd-4caf950d210b", "indicator--560a8317-e030-4412-9bd0-4caf950d210b", "indicator--560a8318-3fd4-47be-886f-4caf950d210b", "observed-data--560a8318-5500-45fe-adaf-4caf950d210b", "url--560a8318-5500-45fe-adaf-4caf950d210b", "indicator--560a8318-2394-4b3c-8da9-4caf950d210b", "indicator--560a8319-9444-4cb6-8d83-4caf950d210b", "observed-data--560a8319-e2a8-4339-a36e-4caf950d210b", "url--560a8319-e2a8-4339-a36e-4caf950d210b", "indicator--560a8319-8714-4bd0-a38f-4caf950d210b", "indicator--560a831a-c794-46b8-b30f-4caf950d210b", "observed-data--560a831a-d0cc-4511-a83a-4caf950d210b", "url--560a831a-d0cc-4511-a83a-4caf950d210b", "indicator--560a831a-e06c-462d-b089-4caf950d210b", "indicator--560a831b-7228-4c80-a531-4caf950d210b", "observed-data--560a831b-2818-46a8-acb2-4caf950d210b", "url--560a831b-2818-46a8-acb2-4caf950d210b", "indicator--560a831b-acfc-4d35-9543-4caf950d210b", "indicator--560a831c-5534-43a2-a94a-4caf950d210b", "observed-data--560a831c-9404-44e3-b6a5-4caf950d210b", "url--560a831c-9404-44e3-b6a5-4caf950d210b", "indicator--560a831c-2e34-4fb1-aaf8-4caf950d210b", "indicator--560a831d-f5dc-4ee0-b521-4caf950d210b", "observed-data--560a831d-b258-4d4f-be96-4caf950d210b", "url--560a831d-b258-4d4f-be96-4caf950d210b", "indicator--560a831d-d694-48a7-93f2-4caf950d210b", "indicator--560a831e-9cd8-4a38-8acd-4caf950d210b", "observed-data--560a831e-5dc8-440e-9c2c-4caf950d210b", "url--560a831e-5dc8-440e-9c2c-4caf950d210b", "indicator--560a831e-52b8-4a6a-87a6-4caf950d210b", "indicator--560a831f-2874-469a-bf82-4caf950d210b", "observed-data--560a831f-743c-4994-8890-4caf950d210b", "url--560a831f-743c-4994-8890-4caf950d210b", "indicator--560a8320-c720-456b-af5f-4caf950d210b", "indicator--560a8320-fd48-4fe6-acd8-4caf950d210b", "observed-data--560a8320-8054-46f8-9954-4caf950d210b", "url--560a8320-8054-46f8-9954-4caf950d210b", "indicator--560a8321-ad04-4dc8-9bd7-4caf950d210b", "indicator--560a8321-d414-48bc-83ee-4caf950d210b", "observed-data--560a8321-8e40-404f-b37c-4caf950d210b", "url--560a8321-8e40-404f-b37c-4caf950d210b", "indicator--560a8322-d02c-4c55-8798-4caf950d210b", "indicator--560a8322-d204-4a57-af5e-4caf950d210b", "observed-data--560a8322-7310-4e0f-af2a-4caf950d210b", "url--560a8322-7310-4e0f-af2a-4caf950d210b", "indicator--560a8323-dfbc-47fa-8272-4caf950d210b", "indicator--560a8323-69ac-4c4f-ad7e-4caf950d210b", "observed-data--560a8323-4868-45fe-a5df-4caf950d210b", "url--560a8323-4868-45fe-a5df-4caf950d210b", "indicator--560a8324-00c0-400e-aa5c-4caf950d210b", "indicator--560a8324-d7a8-4f9b-9060-4caf950d210b", "observed-data--560a8324-3544-4138-abf1-4caf950d210b", "url--560a8324-3544-4138-abf1-4caf950d210b", "indicator--560a8325-bad4-4ea1-bb31-4caf950d210b", "indicator--560a8325-afd0-4ece-b4af-4caf950d210b", "observed-data--560a8325-96ac-4952-83a3-4caf950d210b", "url--560a8325-96ac-4952-83a3-4caf950d210b", "indicator--560a8326-0e80-46ba-85a1-4caf950d210b", "indicator--560a8326-05a0-4ec8-9c74-4caf950d210b", "observed-data--560a8326-b3f4-4e88-b8d6-4caf950d210b", "url--560a8326-b3f4-4e88-b8d6-4caf950d210b" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "misp-galaxy:threat-actor=\"WildNeutron\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--559d539e-3848-4a7a-a61a-579a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-08T16:45:18.000Z", "modified": "2015-07-08T16:45:18.000Z", "first_observed": "2015-07-08T16:45:18Z", "last_observed": "2015-07-08T16:45:18Z", "number_observed": 1, "object_refs": [ "url--559d539e-3848-4a7a-a61a-579a950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--559d539e-3848-4a7a-a61a-579a950d210b", "value": "http://www.symantec.com/connect/blogs/morpho-profiting-high-level-corporate-attacks" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--559d539e-1e30-42bd-add3-579a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-08T16:45:18.000Z", "modified": "2015-07-08T16:45:18.000Z", "first_observed": "2015-07-08T16:45:18Z", "last_observed": "2015-07-08T16:45:18Z", "number_observed": 1, "object_refs": [ "url--559d539e-1e30-42bd-add3-579a950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--559d539e-1e30-42bd-add3-579a950d210b", "value": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/morpho-corporate-spies-out-for-financial-gain.pdf" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559d53a7-885c-4439-91d2-4f5d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-08T16:45:27.000Z", "modified": "2015-07-08T16:45:27.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Morpho" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e20a1-70a4-430f-b7c4-a038950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2020-08-03T06:26:12.000Z", "modified": "2020-08-03T06:26:12.000Z", "pattern": "[rule Bannerjack\r\n{\r\n meta:\r\n author = \"Symantec Security Response\"\r\n date = \"2015-07-01\"\r\n description = \"Morpho BannerJack hacktool\"\r\n strings:\r\n $str_1 = \"Usage: ./banner-jack [options]\"\r\n $str_2 = \"-f: file.csv\"\r\n $str_3 = \"-s: ip start\"\r\n $str_4 = \"-R: timeout read (optional, default %d secs)\"\r\n condition:\r\n all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2020-08-03T06:26:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e20b3-ac64-41f5-881a-4db2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2020-08-03T06:30:48.000Z", "modified": "2020-08-03T06:30:48.000Z", "pattern": "[rule Eventlog\r\n{\r\n meta:\r\n author = \"Symantec Security Response\"\r\n date = \"2015-07-01\"\r\n description = \"Morpho Eventlog hacktool\"\r\n strings:\r\n $str_1 = \"wevtsvc.dll\"\r\n $str_2 = \"Stealing %S.evtx handle ...\"\r\n $str_3 = \"ElfChnk\"\r\n $str_4 = \"-Dr Dump all logs from a channel or .evtx file (raw\"\r\n condition:\r\n all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2020-08-03T06:30:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e20cc-3b88-4598-8dfd-eae3950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2020-08-03T06:29:56.000Z", "modified": "2020-08-03T06:29:56.000Z", "pattern": "[rule Hacktool\r\n{\r\n meta:\r\n author = \"Symantec Security Response\"\r\n date = \"2015-07-01\"\r\n description = \"Morpho hacktool\"\r\n strings:\r\n $str_1 = \"\\\\\\\\.\\\\pipe\\\\winsession\" wide\r\n $str_2 = \"WsiSvc\" wide\r\n $str_3 = \"ConnectNamedPipe\"\r\n $str_4 = \"CreateNamedPipeW\"\r\n $str_5 = \"CreateProcessAsUserW\"\r\n condition:\r\n all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2020-08-03T06:29:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e20dc-8188-4564-aa28-4feb950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2020-08-03T06:26:16.000Z", "modified": "2020-08-03T06:26:16.000Z", "pattern": "[rule Multipurpose\r\n{\r\n meta:\r\n author = \"Symantec Security Response\"\r\n date = \"2015-07-01\"\r\n description = \"Morpho Multipurpose hacktool\"\r\n\r\n strings:\r\n $str_1 = \"dump %d|%d|%d|%d|%d|%d|%s|%d\"\r\n $str_2 = \"kerberos%d.dll\"\r\n $str_3 = \"\\\\\\\\.\\\\pipe\\\\lsassp\"\r\n $str_4 = \"pth : change\"\r\n condition:\r\n all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2020-08-03T06:26:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e20ee-bb88-40d4-96a7-a037950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2020-08-03T06:26:40.000Z", "modified": "2020-08-03T06:26:40.000Z", "pattern": "[rule Securetunnel\r\n{\r\n meta:\r\n author = \"Symantec Security Response\"\r\n date = \"2015-07-01\"\r\n description = \"Morpho Securetunnel hacktool\"\r\n strings:\r\n $str_1 = \"KRB5CCNAME\"\r\n $str_2 = \"SSH _ AUTH _ SOCK\"\r\n $str_3 = \"f:l:u:cehR\"\r\n $str_4 = \".o+=*BOX@%&#/^SE\"\r\n condition:\r\n all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2020-08-03T06:26:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e20fc-2154-465d-a50e-e09a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2020-08-03T06:26:29.000Z", "modified": "2020-08-03T06:26:29.000Z", "pattern": "[rule Proxy\r\n{\r\n meta:\r\n author = \"Symantec Security Response\"\r\n date = \"2015-07-01\"\r\n description = \"Morpho proxy hacktool\"\r\n strings:\r\n $str_1 = \"-u user : proxy username\"\r\n $str_2 = \"--pleh : displays help\"\r\n $str_3 = \"-x ip/host : proxy ip or host\"\r\n $str_4 = \"-m : bypass mutex check\"\r\n condition:\r\n all of them\r\n }]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2020-08-03T06:26:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e2111-9998-4ca2-ba49-4861950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-11-20T14:57:35.000Z", "modified": "2017-11-20T14:57:35.000Z", "pattern": "[rule jiripbot_ascii_str_decrypt\r\n{\r\n meta:\r\n author = \"Symantec Security Response\"\r\n date = \"2015-07-01\"\r\n description = \"Morpho Jiripbot hacktool\"\r\n strings:\r\n $decrypt_func = {\r\n 85 FF\r\n 75 03\r\n 33 C0\r\n C3\r\n 8B C7\r\n 8D 50 01\r\n 8A 08\r\n 40\r\n 84 C9\r\n 75 F9\r\n 2B C2\r\n 53\r\n 8B D8\r\n 80 7C 3B FF ??\r\n 75 3E\r\n 83 3D ?? ?? ?? ?? 00\r\n 56\r\n BE ?? ?? ?? ??\r\n 75 11\r\n 56\r\n FF 15 ?? ?? ?? ??\r\n C7 05 ?? ?? ?? ?? 01 00 00 00\r\n 56\r\n FF 15 ?? ?? ?? ??\r\n 33 C0\r\n 85 DB\r\n 74 09\r\n 80 34 38 ??\r\n 40\r\n 3B C3\r\n 72 F7\r\n 56\r\n FF 15 ?? ?? ?? ??\r\n 5E\r\n 8B C7\r\n 5B\r\n C3\r\n }\r\n condition:\r\n $decrypt_func\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2017-11-20T14:57:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e2131-66b8-4b07-97e2-e09a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-04-29T08:09:09.000Z", "modified": "2017-04-29T08:09:09.000Z", "pattern": "[rule jiripbot_unicode_str_decrypt\r\n{\r\n meta:\r\n author = \"Symantec Security Response\"\r\n date = \"2015-07-01\"\r\n description = \"Morpho Jiripbot Unicode hacktool\"\r\n strings:\r\n $decrypt = {\r\n 85 ??\r\n 75 03\r\n 33 C0\r\n C3\r\n 8B ??\r\n 8D 50 02\r\n 66 8B 08\r\n 83 C0 02\r\n 66 85 C9\r\n 75 F5\r\n 2B C2\r\n D1 F8\r\n 57\r\n 8B F8\r\n B8 ?? ?? ?? ??\r\n 66 39 44 7E FE\r\n 75 43\r\n 83 3D ?? ?? ?? ?? 00\r\n 53\r\n BB ?? ?? ?? ??\r\n 75 11\r\n 53\r\n FF 15 ?? ?? ?? ??\r\n C7 05 ?? ?? ?? ?? 01 00 00 00\r\n 53\r\n FF 15 ?? ?? ?? ??\r\n 33 C0\r\n 85 FF\r\n 74 0E\r\n B9 ?? 00 00 00\r\n 66 31 0C 46\r\n 40\r\n 3B C7\r\n 72 F2\r\n 53\r\n FF 15 ?? ?? ?? ??\r\n 5B\r\n 8B C6\r\n 5F\r\n C3\r\n }\r\n condition:\r\n $decrypt\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2017-04-29T08:09:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e2176-9470-4372-b288-45b9950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:23:34.000Z", "modified": "2015-07-09T07:23:34.000Z", "description": "SSH over port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.183.217.132']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:23:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e2176-8708-4641-a871-43c1950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:23:34.000Z", "modified": "2015-07-09T07:23:34.000Z", "description": "SSH over port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.165.237.75']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:23:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e2177-e0fc-478a-9412-4bf1950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:23:35.000Z", "modified": "2015-07-09T07:23:35.000Z", "description": "SSH over port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.23.3.112']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:23:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e2177-6d28-44c8-9b18-41d1950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:23:35.000Z", "modified": "2015-07-09T07:23:35.000Z", "description": "SSH over port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.162.197.9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:23:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e229f-6234-4f9d-a587-49de950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:31.000Z", "modified": "2015-07-09T07:28:31.000Z", "pattern": "[file:hashes.SHA256 = '0ac7b594aaae21b61af2f3aabdc5eda9b6811eca52dcbf4691c4ec6dfd2d5cd8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e229f-b908-4716-ac97-418b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:31.000Z", "modified": "2015-07-09T07:28:31.000Z", "pattern": "[file:hashes.SHA256 = '14bfc2bf8a80a19ff2c1480f513c96b8e8adc89a8d75d7c0064f810f1a7a2e61']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e229f-25d8-4ce8-b3e1-40a6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:31.000Z", "modified": "2015-07-09T07:28:31.000Z", "pattern": "[file:hashes.SHA256 = '1677573bb02cc073e248e4a14334db90be8052d0b236e446e29582f50441fa33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e229f-8e58-4706-a012-4fb4950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:31.000Z", "modified": "2015-07-09T07:28:31.000Z", "pattern": "[file:hashes.SHA256 = '178b25ddca2bd5ea1b8c3432291d4d0b5b725e16961f5e4596fb9267a700fa2f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e229f-6e30-4831-bc56-4e54950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:31.000Z", "modified": "2015-07-09T07:28:31.000Z", "pattern": "[file:hashes.SHA256 = '1a9f679016e38d399ff33efcfe7dc6560ec658d964297dbe377ff7c68e0dfbaf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a0-9884-48fa-b96d-42b0950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:32.000Z", "modified": "2015-07-09T07:28:32.000Z", "pattern": "[file:hashes.SHA256 = '1c81bc28ad91baed60ca5e7fee68fbcb976cf8a483112fa81aab71a18450a6b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a0-2324-490c-a1b3-40ea950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:32.000Z", "modified": "2015-07-09T07:28:32.000Z", "pattern": "[file:hashes.SHA256 = '1c9af096e4c7daa440af136f2b1439089a827101098cfe25b8c19fc7321eaad9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a0-a37c-46a2-aa27-47e0950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:32.000Z", "modified": "2015-07-09T07:28:32.000Z", "pattern": "[file:hashes.SHA256 = '25fe7dd1e2b19514346cb2b8b5e91ae110c6adb9df5a440b8e7bbc5e8bc74227']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a0-45c0-4bd2-b6aa-49f9950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:32.000Z", "modified": "2015-07-09T07:28:32.000Z", "pattern": "[file:hashes.SHA256 = '29906c51217d15b9bbbcc8130f64dabdb69bd32baa7999500c7a230c218e8b0a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a0-9048-416b-b549-4ee2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:32.000Z", "modified": "2015-07-09T07:28:32.000Z", "pattern": "[file:hashes.SHA256 = '2a8cb295f85f8d1d5aae7744899875ebb4e6c3ef74fbc5bfad6e7723c192c5cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a0-5e64-4f0e-abc1-4820950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:32.000Z", "modified": "2015-07-09T07:28:32.000Z", "pattern": "[file:hashes.SHA256 = '2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a1-e808-42aa-952c-4b87950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:33.000Z", "modified": "2015-07-09T07:28:33.000Z", "pattern": "[file:hashes.SHA256 = '2bd5f7e0382956a7c135cdeb96edfdbccfcfc1955d26e317e2328ea83ace7cee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a1-2844-4ff3-8ce3-4fa5950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:33.000Z", "modified": "2015-07-09T07:28:33.000Z", "pattern": "[file:hashes.SHA256 = '2d3ea11c5aea7e8a60cd4f530c1e234a2aa2df900d90122dd2fcf1fa9f47b935']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a1-cfac-4f92-9226-49a0950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:33.000Z", "modified": "2015-07-09T07:28:33.000Z", "pattern": "[file:hashes.SHA256 = '3756ddcb5d52f938dd9e07d61fae21b70e665f01bbb2cbe04164e82892b86e2f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a1-97b8-4437-9246-4173950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:33.000Z", "modified": "2015-07-09T07:28:33.000Z", "pattern": "[file:hashes.SHA256 = '3cfdd3cd1089c4152c0d4c7955210d489565f28fb0af9861b195db34e7ad2502']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a1-9300-428a-8642-44ed950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:33.000Z", "modified": "2015-07-09T07:28:33.000Z", "pattern": "[file:hashes.SHA256 = '4327ce696b5bce9e9b2a691b4e915796218c00998363c7602d8461dd0c1c8fbb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a1-f5cc-41ff-9e59-401a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:33.000Z", "modified": "2015-07-09T07:28:33.000Z", "pattern": "[file:hashes.SHA256 = '45f363e498312a34fa99af3c1cdd635fcebefaa3222dff348a9ab8ca25530797']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a2-a3b8-4da5-8dd0-4fb6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:34.000Z", "modified": "2015-07-09T07:28:34.000Z", "pattern": "[file:hashes.SHA256 = '48c0bd55e1cf3f75e911ef66a9ccb9436c1571c982c5281d2d8bf00a99f0ee1a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a2-411c-4b2b-900b-4d20950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:34.000Z", "modified": "2015-07-09T07:28:34.000Z", "pattern": "[file:hashes.SHA256 = '49e4198c94b80483302e11c2e7d83e0ac2379f081ee3a3aa32d96d690729f2d6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a2-5698-449a-a2e9-4ee6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:34.000Z", "modified": "2015-07-09T07:28:34.000Z", "pattern": "[file:hashes.SHA256 = '534004a473761e60d0db8afbc99390b19c32e7c5af3445ecd63f43ba6187ded4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a2-3a28-4047-bcc1-4b85950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:34.000Z", "modified": "2015-07-09T07:28:34.000Z", "pattern": "[file:hashes.SHA256 = '54a8afb10a0569785d4a530ff25b07320881c139e813e58cb5a621da85f8a9f5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a2-1d24-4ca2-adbc-40be950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:34.000Z", "modified": "2015-07-09T07:28:34.000Z", "pattern": "[file:hashes.SHA256 = '5ab4c378fd8b3254808d66c22bbaacc035874f1c9b4cee511b96458fedff64ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a2-3df4-4350-8444-41f8950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:34.000Z", "modified": "2015-07-09T07:28:34.000Z", "pattern": "[file:hashes.SHA256 = '683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a3-7f28-4a03-883b-46db950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:35.000Z", "modified": "2015-07-09T07:28:35.000Z", "pattern": "[file:hashes.SHA256 = '6fb43afb191b09c7b62da7a5ddafdc1a9a4c46058fd376c045d69dd0a2ea71a6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a3-bce8-4a85-a9d9-480e950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:35.000Z", "modified": "2015-07-09T07:28:35.000Z", "pattern": "[file:hashes.SHA256 = '758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a3-99b0-49ac-9f0e-4f6b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:35.000Z", "modified": "2015-07-09T07:28:35.000Z", "pattern": "[file:hashes.SHA256 = '781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a3-b928-4fd6-8424-4775950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:35.000Z", "modified": "2015-07-09T07:28:35.000Z", "pattern": "[file:hashes.SHA256 = '796b1523573c889833f154aeb59532d2a9784e4747b25681a97ec00b9bb4fb19']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a3-357c-419f-9f9a-4381950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:35.000Z", "modified": "2015-07-09T07:28:35.000Z", "pattern": "[file:hashes.SHA256 = '7aa1716426614463b8c20716acf8fd6461052a354b88c31ad2cc8b8a3b3e6868']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a3-640c-4502-98b8-4394950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:35.000Z", "modified": "2015-07-09T07:28:35.000Z", "pattern": "[file:hashes.SHA256 = '81955e36dd46f3b05a1d7e47ffd53b7d1455406d952c890b5210a698dd97e938']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a4-c05c-4ed7-a801-450a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:36.000Z", "modified": "2015-07-09T07:28:36.000Z", "pattern": "[file:hashes.SHA256 = '8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a4-a60c-44bd-bbf2-41fb950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:36.000Z", "modified": "2015-07-09T07:28:36.000Z", "pattern": "[file:hashes.SHA256 = '8db5c2b645eee393d0f676fe457cd2cd3e4b144bbe86a61e4f4fd48d9de4aeae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a4-49c0-4b9b-a7d5-4244950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:36.000Z", "modified": "2015-07-09T07:28:36.000Z", "pattern": "[file:hashes.SHA256 = '90b5fec973d31cc149d0e2683872785fa61770deec6925006e9142374c315fde']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a4-d564-4cb3-9f36-46f8950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:36.000Z", "modified": "2015-07-09T07:28:36.000Z", "pattern": "[file:hashes.SHA256 = '9bff19ca48b43b148ff95e054efc39882d868527cdd4f036389a6f11750adddc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a4-0bd4-47db-b133-472f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:36.000Z", "modified": "2015-07-09T07:28:36.000Z", "pattern": "[file:hashes.SHA256 = '9d077a37b94bf69b94426041e5d5bf1fe56c482ca358191ca911ae041305f3ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a4-8508-4c6d-9c4f-4b55950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:36.000Z", "modified": "2015-07-09T07:28:36.000Z", "pattern": "[file:hashes.SHA256 = '9fab34fa2d31a56609b56874e1265969dbfa6c17d967cca5ecce0e0760670a60']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a5-d3bc-4475-b0db-49fd950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:37.000Z", "modified": "2015-07-09T07:28:37.000Z", "pattern": "[file:hashes.SHA256 = 'a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a5-f8cc-4d7e-92a0-4cd6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:37.000Z", "modified": "2015-07-09T07:28:37.000Z", "pattern": "[file:hashes.SHA256 = 'b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a5-7ed0-4845-8e5b-4be8950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:37.000Z", "modified": "2015-07-09T07:28:37.000Z", "pattern": "[file:hashes.SHA256 = 'b81484220a46c853dc996c19db9416493662d943b638915ed2b3a4a0471cc8d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a5-5f08-4268-819c-4736950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:37.000Z", "modified": "2015-07-09T07:28:37.000Z", "pattern": "[file:hashes.SHA256 = 'bc177e879fd941911eb2ea404febffa2042310c632d9922205949155e9b35cb6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a5-744c-4f64-b245-471b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:37.000Z", "modified": "2015-07-09T07:28:37.000Z", "pattern": "[file:hashes.SHA256 = 'c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a5-cf90-4254-a283-42b9950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:37.000Z", "modified": "2015-07-09T07:28:37.000Z", "pattern": "[file:hashes.SHA256 = 'c54f31f190b06649dff91f6b915273b88ee27a2f8e766d54ee4213671fc09f90']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a6-91d8-450b-bdce-46df950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:38.000Z", "modified": "2015-07-09T07:28:38.000Z", "pattern": "[file:hashes.SHA256 = 'c83bb0330d69f6ad4c79d4a0ce1891e6f34091aecfeaf72cf80b2532268a0abc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a6-c660-4ea1-9a11-46d0950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:38.000Z", "modified": "2015-07-09T07:28:38.000Z", "pattern": "[file:hashes.SHA256 = 'ccc851cbd600592f1ed2c2969a30b87f0bf29046cdfa1590d8f09cfe454608a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a6-8144-43f8-9676-4921950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:38.000Z", "modified": "2015-07-09T07:28:38.000Z", "pattern": "[file:hashes.SHA256 = 'cfacc5389683518ecdd78002c975af6870fa5876337600e0b362abbbab0a19d2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a6-c90c-43cf-8ccf-42f7950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:38.000Z", "modified": "2015-07-09T07:28:38.000Z", "pattern": "[file:hashes.SHA256 = 'd15b8071994bad01226a06f2802cbfe86a5483803244de4e99b91f130535d972']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a6-5f4c-4bae-8709-4e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:38.000Z", "modified": "2015-07-09T07:28:38.000Z", "pattern": "[file:hashes.SHA256 = 'da41d27070488316cbf9776e9468fae34f2e14651280e3ec1fb8524fda0873de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a6-7970-46de-bfb5-4fee950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:38.000Z", "modified": "2015-07-09T07:28:38.000Z", "pattern": "[file:hashes.SHA256 = 'efbc082796df566261b07f51a325503231e5a7ce41617d3dfff3640b0be06162']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a7-4ea4-4a79-b9de-4c33950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:39.000Z", "modified": "2015-07-09T07:28:39.000Z", "pattern": "[file:hashes.SHA256 = 'fcaab8f77e4c9ba922d825b837acfffc9f231c3abb21015369431afae679d644']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22a7-bba0-4fbc-b479-466d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:28:39.000Z", "modified": "2015-07-09T07:28:39.000Z", "pattern": "[file:hashes.SHA256 = 'fd616d1298653119fb4fbd88c0d39b881181398d2011320dc9c8c698897848c4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:28:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22d0-e8b0-4992-947b-44b8950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:29:20.000Z", "modified": "2015-07-09T07:29:20.000Z", "pattern": "[domain-name:value = 'ddosprotected.eu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:29:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22d0-f144-4775-9fd4-483b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:29:20.000Z", "modified": "2015-07-09T07:29:20.000Z", "pattern": "[domain-name:value = 'drfx.chickenkiller.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:29:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22f1-0f1c-48b6-900c-a038950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:29:53.000Z", "modified": "2015-07-09T07:29:53.000Z", "pattern": "[domain-name:value = 'digitalinsight-ltd.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:29:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22f1-bf04-4e8d-b839-a038950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:29:53.000Z", "modified": "2015-07-09T07:29:53.000Z", "pattern": "[domain-name:value = 'clust12-akmai.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:29:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22f2-f898-4624-8cca-a038950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:29:54.000Z", "modified": "2015-07-09T07:29:54.000Z", "pattern": "[domain-name:value = 'jdk-update.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:29:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22f2-3030-4832-8da7-a038950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:29:54.000Z", "modified": "2015-07-09T07:29:54.000Z", "pattern": "[domain-name:value = 'corp-aapl.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:29:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e22f2-ae4c-4264-b113-a038950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:29:54.000Z", "modified": "2015-07-09T07:29:54.000Z", "pattern": "[domain-name:value = 'cloudprotect.eu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:29:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--559e232d-b48c-4c45-800d-4b34950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:30:53.000Z", "modified": "2015-07-09T07:30:53.000Z", "pattern": "[domain-name:value = 'jdk.20e8ad99287f7fc244651237cbe8292a.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-09T07:30:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559e2341-1b68-406c-84c5-4c62950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:31:13.000Z", "modified": "2015-07-09T07:31:13.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Network activity\"" ], "x_misp_category": "Network activity", "x_misp_type": "comment", "x_misp_value": "The following shows the format of Backdoor.Jiripbot\u00e2\u20ac\u2122s DGA domains:\r\njdk\\.[a-f0-9]{32}\\.org e.g. jdk.20e8ad99287f7fc244651237cbe8292a.org" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559e2445-1780-408a-a19c-42f4950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:35:33.000Z", "modified": "2015-07-09T07:35:33.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_comment": "Symantec", "x_misp_type": "text", "x_misp_value": "Backdoor.Jiripbot" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559e2445-32ec-4657-b803-4ce4950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:35:33.000Z", "modified": "2015-07-09T07:35:33.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_comment": "Symantec", "x_misp_type": "text", "x_misp_value": "Hacktool.Multipurpose" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559e2445-1f1c-4665-9b46-4b73950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:35:33.000Z", "modified": "2015-07-09T07:35:33.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_comment": "Symantec", "x_misp_type": "text", "x_misp_value": "Hacktool.Securetunnel" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559e2445-fb10-4967-bec2-4665950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:35:33.000Z", "modified": "2015-07-09T07:35:33.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_comment": "Symantec", "x_misp_type": "text", "x_misp_value": "Hacktool.Eventlog" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559e2445-a434-43a7-b45f-4a90950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:35:33.000Z", "modified": "2015-07-09T07:35:33.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_comment": "Symantec", "x_misp_type": "text", "x_misp_value": "Hacktool.Bannerjack" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559e2446-ce48-4a27-b1af-44f3950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-09T07:35:34.000Z", "modified": "2015-07-09T07:35:34.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_comment": "Symantec", "x_misp_type": "text", "x_misp_value": "Hacktool.Proxy.A" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--559f6755-80e8-44bc-9190-d94a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-10T06:33:57.000Z", "modified": "2015-07-10T06:33:57.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Wild Neutron" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8311-c798-492e-818a-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:49.000Z", "modified": "2015-09-29T12:24:49.000Z", "description": "- Xchecked via VT: fd616d1298653119fb4fbd88c0d39b881181398d2011320dc9c8c698897848c4", "pattern": "[file:hashes.SHA1 = 'a22290d32d8a01e9b58da9bc5c8c047764e89336']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8311-6628-485f-8530-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:49.000Z", "modified": "2015-09-29T12:24:49.000Z", "description": "- Xchecked via VT: fd616d1298653119fb4fbd88c0d39b881181398d2011320dc9c8c698897848c4", "pattern": "[file:hashes.MD5 = '1a352beadff958f13b09fde8a89f36f1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8312-e670-49a3-8fee-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:50.000Z", "modified": "2015-09-29T12:24:50.000Z", "first_observed": "2015-09-29T12:24:50Z", "last_observed": "2015-09-29T12:24:50Z", "number_observed": 1, "object_refs": [ "url--560a8312-e670-49a3-8fee-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8312-e670-49a3-8fee-4caf950d210b", "value": "https://www.virustotal.com/file/fd616d1298653119fb4fbd88c0d39b881181398d2011320dc9c8c698897848c4/analysis/1442486779/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8312-89b0-4e30-9fa7-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:50.000Z", "modified": "2015-09-29T12:24:50.000Z", "description": "- Xchecked via VT: da41d27070488316cbf9776e9468fae34f2e14651280e3ec1fb8524fda0873de", "pattern": "[file:hashes.SHA1 = '6a4a1076d7ad25d9a3f0052096e1e6697653db6c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8312-6414-4e82-bfd0-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:50.000Z", "modified": "2015-09-29T12:24:50.000Z", "description": "- Xchecked via VT: da41d27070488316cbf9776e9468fae34f2e14651280e3ec1fb8524fda0873de", "pattern": "[file:hashes.MD5 = '7ae1b2ad1e40d0b19ce76a64348fa534']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8313-83cc-45df-905f-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:51.000Z", "modified": "2015-09-29T12:24:51.000Z", "first_observed": "2015-09-29T12:24:51Z", "last_observed": "2015-09-29T12:24:51Z", "number_observed": 1, "object_refs": [ "url--560a8313-83cc-45df-905f-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8313-83cc-45df-905f-4caf950d210b", "value": "https://www.virustotal.com/file/da41d27070488316cbf9776e9468fae34f2e14651280e3ec1fb8524fda0873de/analysis/1442486617/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8313-a258-48de-b71e-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:51.000Z", "modified": "2015-09-29T12:24:51.000Z", "description": "- Xchecked via VT: cfacc5389683518ecdd78002c975af6870fa5876337600e0b362abbbab0a19d2", "pattern": "[file:hashes.SHA1 = '3b8f6dbaa55c63ef87e96a9eb983a2890a6d9da7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8313-f004-435c-9313-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:51.000Z", "modified": "2015-09-29T12:24:51.000Z", "description": "- Xchecked via VT: cfacc5389683518ecdd78002c975af6870fa5876337600e0b362abbbab0a19d2", "pattern": "[file:hashes.MD5 = 'ece3cc272134b4ea0b3839228883a14c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8314-fbc8-492c-bc94-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:52.000Z", "modified": "2015-09-29T12:24:52.000Z", "first_observed": "2015-09-29T12:24:52Z", "last_observed": "2015-09-29T12:24:52Z", "number_observed": 1, "object_refs": [ "url--560a8314-fbc8-492c-bc94-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8314-fbc8-492c-bc94-4caf950d210b", "value": "https://www.virustotal.com/file/cfacc5389683518ecdd78002c975af6870fa5876337600e0b362abbbab0a19d2/analysis/1442486690/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8314-d274-42eb-acc8-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:52.000Z", "modified": "2015-09-29T12:24:52.000Z", "description": "- Xchecked via VT: ccc851cbd600592f1ed2c2969a30b87f0bf29046cdfa1590d8f09cfe454608a5", "pattern": "[file:hashes.SHA1 = '7f9c67959c273c76271d5d58a1049ced1c3b0e23']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8314-b004-4c81-a944-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:52.000Z", "modified": "2015-09-29T12:24:52.000Z", "description": "- Xchecked via VT: ccc851cbd600592f1ed2c2969a30b87f0bf29046cdfa1590d8f09cfe454608a5", "pattern": "[file:hashes.MD5 = '342887a7ec6b9f709adcb81fef0d30a3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8315-e55c-4aec-bd84-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:53.000Z", "modified": "2015-09-29T12:24:53.000Z", "first_observed": "2015-09-29T12:24:53Z", "last_observed": "2015-09-29T12:24:53Z", "number_observed": 1, "object_refs": [ "url--560a8315-e55c-4aec-bd84-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8315-e55c-4aec-bd84-4caf950d210b", "value": "https://www.virustotal.com/file/ccc851cbd600592f1ed2c2969a30b87f0bf29046cdfa1590d8f09cfe454608a5/analysis/1442486074/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8315-abd0-46aa-9116-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:53.000Z", "modified": "2015-09-29T12:24:53.000Z", "description": "- Xchecked via VT: c54f31f190b06649dff91f6b915273b88ee27a2f8e766d54ee4213671fc09f90", "pattern": "[file:hashes.SHA1 = '30359201338053af55109266ebcea3b0060b7d61']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8315-00a4-42d4-81a1-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:53.000Z", "modified": "2015-09-29T12:24:53.000Z", "description": "- Xchecked via VT: c54f31f190b06649dff91f6b915273b88ee27a2f8e766d54ee4213671fc09f90", "pattern": "[file:hashes.MD5 = '2cafcd57e7fcb1649da9fef9664ea4da']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8316-85ec-418d-a594-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:54.000Z", "modified": "2015-09-29T12:24:54.000Z", "first_observed": "2015-09-29T12:24:54Z", "last_observed": "2015-09-29T12:24:54Z", "number_observed": 1, "object_refs": [ "url--560a8316-85ec-418d-a594-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8316-85ec-418d-a594-4caf950d210b", "value": "https://www.virustotal.com/file/c54f31f190b06649dff91f6b915273b88ee27a2f8e766d54ee4213671fc09f90/analysis/1442486621/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8316-1c10-464d-b502-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:54.000Z", "modified": "2015-09-29T12:24:54.000Z", "description": "- Xchecked via VT: c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0", "pattern": "[file:hashes.SHA1 = '3d11dfaf87753b8a0622023607dcae6fa8bddc12']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8317-9d64-4faa-a6df-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:54.000Z", "modified": "2015-09-29T12:24:54.000Z", "description": "- Xchecked via VT: c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0", "pattern": "[file:hashes.MD5 = '331e0b7f94708c39a07c6da38a665fdb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8317-a63c-42a1-a6cd-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:55.000Z", "modified": "2015-09-29T12:24:55.000Z", "first_observed": "2015-09-29T12:24:55Z", "last_observed": "2015-09-29T12:24:55Z", "number_observed": 1, "object_refs": [ "url--560a8317-a63c-42a1-a6cd-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8317-a63c-42a1-a6cd-4caf950d210b", "value": "https://www.virustotal.com/file/c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0/analysis/1442486656/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8317-e030-4412-9bd0-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:55.000Z", "modified": "2015-09-29T12:24:55.000Z", "description": "- Xchecked via VT: b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45", "pattern": "[file:hashes.SHA1 = 'e8c3660c87a2265ddb01dcffcd1d0bb040ab247a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8318-3fd4-47be-886f-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:56.000Z", "modified": "2015-09-29T12:24:56.000Z", "description": "- Xchecked via VT: b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45", "pattern": "[file:hashes.MD5 = 'f0fff29391e7c2e7b13eb4a806276a84']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8318-5500-45fe-adaf-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:56.000Z", "modified": "2015-09-29T12:24:56.000Z", "first_observed": "2015-09-29T12:24:56Z", "last_observed": "2015-09-29T12:24:56Z", "number_observed": 1, "object_refs": [ "url--560a8318-5500-45fe-adaf-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8318-5500-45fe-adaf-4caf950d210b", "value": "https://www.virustotal.com/file/b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45/analysis/1442486077/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8318-2394-4b3c-8da9-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:56.000Z", "modified": "2015-09-29T12:24:56.000Z", "description": "- Xchecked via VT: a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c", "pattern": "[file:hashes.SHA1 = 'c0721460f4ee074b25fb0b1ed8dae4d2cb7517c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8319-9444-4cb6-8d83-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:57.000Z", "modified": "2015-09-29T12:24:57.000Z", "description": "- Xchecked via VT: a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c", "pattern": "[file:hashes.MD5 = 'fe2439ef0ace518e1c1a32585099dab8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8319-e2a8-4339-a36e-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:57.000Z", "modified": "2015-09-29T12:24:57.000Z", "first_observed": "2015-09-29T12:24:57Z", "last_observed": "2015-09-29T12:24:57Z", "number_observed": 1, "object_refs": [ "url--560a8319-e2a8-4339-a36e-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8319-e2a8-4339-a36e-4caf950d210b", "value": "https://www.virustotal.com/file/a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c/analysis/1442486694/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8319-8714-4bd0-a38f-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:57.000Z", "modified": "2015-09-29T12:24:57.000Z", "description": "- Xchecked via VT: 9d077a37b94bf69b94426041e5d5bf1fe56c482ca358191ca911ae041305f3ed", "pattern": "[file:hashes.SHA1 = 'e540b71e8a4eafc5f26ab379ca5376ac01f05add']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831a-c794-46b8-b30f-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:58.000Z", "modified": "2015-09-29T12:24:58.000Z", "description": "- Xchecked via VT: 9d077a37b94bf69b94426041e5d5bf1fe56c482ca358191ca911ae041305f3ed", "pattern": "[file:hashes.MD5 = 'e92ff1d7b66a112bfc29d5ccb98aeadc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a831a-d0cc-4511-a83a-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:58.000Z", "modified": "2015-09-29T12:24:58.000Z", "first_observed": "2015-09-29T12:24:58Z", "last_observed": "2015-09-29T12:24:58Z", "number_observed": 1, "object_refs": [ "url--560a831a-d0cc-4511-a83a-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a831a-d0cc-4511-a83a-4caf950d210b", "value": "https://www.virustotal.com/file/9d077a37b94bf69b94426041e5d5bf1fe56c482ca358191ca911ae041305f3ed/analysis/1442486781/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831a-e06c-462d-b089-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:58.000Z", "modified": "2015-09-29T12:24:58.000Z", "description": "- Xchecked via VT: 8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a", "pattern": "[file:hashes.SHA1 = '3d75a14f3552d881061449d53577614430ff9e26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831b-7228-4c80-a531-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:59.000Z", "modified": "2015-09-29T12:24:59.000Z", "description": "- Xchecked via VT: 8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a", "pattern": "[file:hashes.MD5 = '1582d68144de2808b518934f0a02bfd6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a831b-2818-46a8-acb2-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:59.000Z", "modified": "2015-09-29T12:24:59.000Z", "first_observed": "2015-09-29T12:24:59Z", "last_observed": "2015-09-29T12:24:59Z", "number_observed": 1, "object_refs": [ "url--560a831b-2818-46a8-acb2-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a831b-2818-46a8-acb2-4caf950d210b", "value": "https://www.virustotal.com/file/8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a/analysis/1442486067/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831b-acfc-4d35-9543-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:24:59.000Z", "modified": "2015-09-29T12:24:59.000Z", "description": "- Xchecked via VT: 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e", "pattern": "[file:hashes.SHA1 = 'cc941c08b2ff523651aefda9d2df3ee052a3b5cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:24:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831c-5534-43a2-a94a-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:00.000Z", "modified": "2015-09-29T12:25:00.000Z", "description": "- Xchecked via VT: 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e", "pattern": "[file:hashes.MD5 = '95ffe4ab4b158602917dd2a999a8caf8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a831c-9404-44e3-b6a5-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:00.000Z", "modified": "2015-09-29T12:25:00.000Z", "first_observed": "2015-09-29T12:25:00Z", "last_observed": "2015-09-29T12:25:00Z", "number_observed": 1, "object_refs": [ "url--560a831c-9404-44e3-b6a5-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a831c-9404-44e3-b6a5-4caf950d210b", "value": "https://www.virustotal.com/file/781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e/analysis/1442486072/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831c-2e34-4fb1-aaf8-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:00.000Z", "modified": "2015-09-29T12:25:00.000Z", "description": "- Xchecked via VT: 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92", "pattern": "[file:hashes.SHA1 = '050eb34e35feb95b78bfeba3dea70d8dd27a5064']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831d-f5dc-4ee0-b521-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:01.000Z", "modified": "2015-09-29T12:25:01.000Z", "description": "- Xchecked via VT: 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92", "pattern": "[file:hashes.MD5 = '0fa3657af06a8cc8ef14c445acd92c0f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a831d-b258-4d4f-be96-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:01.000Z", "modified": "2015-09-29T12:25:01.000Z", "first_observed": "2015-09-29T12:25:01Z", "last_observed": "2015-09-29T12:25:01Z", "number_observed": 1, "object_refs": [ "url--560a831d-b258-4d4f-be96-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a831d-b258-4d4f-be96-4caf950d210b", "value": "https://www.virustotal.com/file/758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92/analysis/1442486070/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831d-d694-48a7-93f2-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:01.000Z", "modified": "2015-09-29T12:25:01.000Z", "description": "- Xchecked via VT: 683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9", "pattern": "[file:hashes.SHA1 = '6493bb7decbb6142d9ddb041af0dd385de1d3756']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831e-9cd8-4a38-8acd-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:02.000Z", "modified": "2015-09-29T12:25:02.000Z", "description": "- Xchecked via VT: 683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9", "pattern": "[file:hashes.MD5 = '14ba21a3a0081ef60e676fd4945a8bdc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a831e-5dc8-440e-9c2c-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:02.000Z", "modified": "2015-09-29T12:25:02.000Z", "first_observed": "2015-09-29T12:25:02Z", "last_observed": "2015-09-29T12:25:02Z", "number_observed": 1, "object_refs": [ "url--560a831e-5dc8-440e-9c2c-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a831e-5dc8-440e-9c2c-4caf950d210b", "value": "https://www.virustotal.com/file/683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9/analysis/1442486069/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831e-52b8-4a6a-87a6-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:02.000Z", "modified": "2015-09-29T12:25:02.000Z", "description": "- Xchecked via VT: 5ab4c378fd8b3254808d66c22bbaacc035874f1c9b4cee511b96458fedff64ed", "pattern": "[file:hashes.SHA1 = '35d6935dc04df08031f11696ea407eba9003888a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a831f-2874-469a-bf82-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:03.000Z", "modified": "2015-09-29T12:25:03.000Z", "description": "- Xchecked via VT: 5ab4c378fd8b3254808d66c22bbaacc035874f1c9b4cee511b96458fedff64ed", "pattern": "[file:hashes.MD5 = '0af7a57ec3311128b58281a4deb425ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a831f-743c-4994-8890-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:03.000Z", "modified": "2015-09-29T12:25:03.000Z", "first_observed": "2015-09-29T12:25:03Z", "last_observed": "2015-09-29T12:25:03Z", "number_observed": 1, "object_refs": [ "url--560a831f-743c-4994-8890-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a831f-743c-4994-8890-4caf950d210b", "value": "https://www.virustotal.com/file/5ab4c378fd8b3254808d66c22bbaacc035874f1c9b4cee511b96458fedff64ed/analysis/1442486788/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8320-c720-456b-af5f-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:04.000Z", "modified": "2015-09-29T12:25:04.000Z", "description": "- Xchecked via VT: 4327ce696b5bce9e9b2a691b4e915796218c00998363c7602d8461dd0c1c8fbb", "pattern": "[file:hashes.SHA1 = 'fdfa0c4757b843c2728b876861390566dbcdba54']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8320-fd48-4fe6-acd8-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:04.000Z", "modified": "2015-09-29T12:25:04.000Z", "description": "- Xchecked via VT: 4327ce696b5bce9e9b2a691b4e915796218c00998363c7602d8461dd0c1c8fbb", "pattern": "[file:hashes.MD5 = '828b19af6f4b94667960cb85079b458b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8320-8054-46f8-9954-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:04.000Z", "modified": "2015-09-29T12:25:04.000Z", "first_observed": "2015-09-29T12:25:04Z", "last_observed": "2015-09-29T12:25:04Z", "number_observed": 1, "object_refs": [ "url--560a8320-8054-46f8-9954-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8320-8054-46f8-9954-4caf950d210b", "value": "https://www.virustotal.com/file/4327ce696b5bce9e9b2a691b4e915796218c00998363c7602d8461dd0c1c8fbb/analysis/1442486786/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8321-ad04-4dc8-9bd7-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:05.000Z", "modified": "2015-09-29T12:25:05.000Z", "description": "- Xchecked via VT: 3cfdd3cd1089c4152c0d4c7955210d489565f28fb0af9861b195db34e7ad2502", "pattern": "[file:hashes.SHA1 = 'd026039b985949f1f0d222b38d9fa0defb025309']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8321-d414-48bc-83ee-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:05.000Z", "modified": "2015-09-29T12:25:05.000Z", "description": "- Xchecked via VT: 3cfdd3cd1089c4152c0d4c7955210d489565f28fb0af9861b195db34e7ad2502", "pattern": "[file:hashes.MD5 = '0bf56a08d031b08163b0a19576e56292']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8321-8e40-404f-b37c-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:05.000Z", "modified": "2015-09-29T12:25:05.000Z", "first_observed": "2015-09-29T12:25:05Z", "last_observed": "2015-09-29T12:25:05Z", "number_observed": 1, "object_refs": [ "url--560a8321-8e40-404f-b37c-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8321-8e40-404f-b37c-4caf950d210b", "value": "https://www.virustotal.com/file/3cfdd3cd1089c4152c0d4c7955210d489565f28fb0af9861b195db34e7ad2502/analysis/1442486784/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8322-d02c-4c55-8798-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:06.000Z", "modified": "2015-09-29T12:25:06.000Z", "description": "- Xchecked via VT: 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94", "pattern": "[file:hashes.SHA1 = '8e4e662682f0f7f7fa59d39a2fc023a1843238a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8322-d204-4a57-af5e-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:06.000Z", "modified": "2015-09-29T12:25:06.000Z", "description": "- Xchecked via VT: 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94", "pattern": "[file:hashes.MD5 = '425b40d687e34623f54ff58a079fc9af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8322-7310-4e0f-af2a-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:06.000Z", "modified": "2015-09-29T12:25:06.000Z", "first_observed": "2015-09-29T12:25:06Z", "last_observed": "2015-09-29T12:25:06Z", "number_observed": 1, "object_refs": [ "url--560a8322-7310-4e0f-af2a-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8322-7310-4e0f-af2a-4caf950d210b", "value": "https://www.virustotal.com/file/2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94/analysis/1442486660/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8323-dfbc-47fa-8272-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:07.000Z", "modified": "2015-09-29T12:25:07.000Z", "description": "- Xchecked via VT: 2a8cb295f85f8d1d5aae7744899875ebb4e6c3ef74fbc5bfad6e7723c192c5cf", "pattern": "[file:hashes.SHA1 = '29804cb689f1949e5f127378351f72fada48c1e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8323-69ac-4c4f-ad7e-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:07.000Z", "modified": "2015-09-29T12:25:07.000Z", "description": "- Xchecked via VT: 2a8cb295f85f8d1d5aae7744899875ebb4e6c3ef74fbc5bfad6e7723c192c5cf", "pattern": "[file:hashes.MD5 = 'b7efead869c3d92f1086c43cb99ab0a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8323-4868-45fe-a5df-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:07.000Z", "modified": "2015-09-29T12:25:07.000Z", "first_observed": "2015-09-29T12:25:07Z", "last_observed": "2015-09-29T12:25:07Z", "number_observed": 1, "object_refs": [ "url--560a8323-4868-45fe-a5df-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8323-4868-45fe-a5df-4caf950d210b", "value": "https://www.virustotal.com/file/2a8cb295f85f8d1d5aae7744899875ebb4e6c3ef74fbc5bfad6e7723c192c5cf/analysis/1442486615/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8324-00c0-400e-aa5c-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:08.000Z", "modified": "2015-09-29T12:25:08.000Z", "description": "- Xchecked via VT: 29906c51217d15b9bbbcc8130f64dabdb69bd32baa7999500c7a230c218e8b0a", "pattern": "[file:hashes.SHA1 = 'd838b54b755d6ec7be71f46c244cb3ecd180f2e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8324-d7a8-4f9b-9060-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:08.000Z", "modified": "2015-09-29T12:25:08.000Z", "description": "- Xchecked via VT: 29906c51217d15b9bbbcc8130f64dabdb69bd32baa7999500c7a230c218e8b0a", "pattern": "[file:hashes.MD5 = '2c9cbe71dc98897aeaef4d6d3afc7eb3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8324-3544-4138-abf1-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:08.000Z", "modified": "2015-09-29T12:25:08.000Z", "first_observed": "2015-09-29T12:25:08Z", "last_observed": "2015-09-29T12:25:08Z", "number_observed": 1, "object_refs": [ "url--560a8324-3544-4138-abf1-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8324-3544-4138-abf1-4caf950d210b", "value": "https://www.virustotal.com/file/29906c51217d15b9bbbcc8130f64dabdb69bd32baa7999500c7a230c218e8b0a/analysis/1442486782/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8325-bad4-4ea1-bb31-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:09.000Z", "modified": "2015-09-29T12:25:09.000Z", "description": "- Xchecked via VT: 1c9af096e4c7daa440af136f2b1439089a827101098cfe25b8c19fc7321eaad9", "pattern": "[file:hashes.SHA1 = 'c2b09f227d141befeab81df132c9abbad4b73c46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8325-afd0-4ece-b4af-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:09.000Z", "modified": "2015-09-29T12:25:09.000Z", "description": "- Xchecked via VT: 1c9af096e4c7daa440af136f2b1439089a827101098cfe25b8c19fc7321eaad9", "pattern": "[file:hashes.MD5 = '5c42ec22da050bbc82e4a86d4dd0e086']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8325-96ac-4952-83a3-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:09.000Z", "modified": "2015-09-29T12:25:09.000Z", "first_observed": "2015-09-29T12:25:09Z", "last_observed": "2015-09-29T12:25:09Z", "number_observed": 1, "object_refs": [ "url--560a8325-96ac-4952-83a3-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8325-96ac-4952-83a3-4caf950d210b", "value": "https://www.virustotal.com/file/1c9af096e4c7daa440af136f2b1439089a827101098cfe25b8c19fc7321eaad9/analysis/1442486777/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8326-0e80-46ba-85a1-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:10.000Z", "modified": "2015-09-29T12:25:10.000Z", "description": "- Xchecked via VT: 1677573bb02cc073e248e4a14334db90be8052d0b236e446e29582f50441fa33", "pattern": "[file:hashes.SHA1 = 'f42e316292f59ea51f4c40d1c574747eec227796']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--560a8326-05a0-4ec8-9c74-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:10.000Z", "modified": "2015-09-29T12:25:10.000Z", "description": "- Xchecked via VT: 1677573bb02cc073e248e4a14334db90be8052d0b236e446e29582f50441fa33", "pattern": "[file:hashes.MD5 = 'a16e58bba851ea00e4ea79f9763df6f1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-09-29T12:25:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--560a8326-b3f4-4e88-b8d6-4caf950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-09-29T12:25:10.000Z", "modified": "2015-09-29T12:25:10.000Z", "first_observed": "2015-09-29T12:25:10Z", "last_observed": "2015-09-29T12:25:10Z", "number_observed": 1, "object_refs": [ "url--560a8326-b3f4-4e88-b8d6-4caf950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--560a8326-b3f4-4e88-b8d6-4caf950d210b", "value": "https://www.virustotal.com/file/1677573bb02cc073e248e4a14334db90be8052d0b236e446e29582f50441fa33/analysis/1442486775/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }