{ "type": "bundle", "id": "bundle--55a76999-52e4-45c0-ac44-2ce2950d210b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:46.000Z", "modified": "2016-01-31T20:54:46.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--55a76999-52e4-45c0-ac44-2ce2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:46.000Z", "modified": "2016-01-31T20:54:46.000Z", "name": "OSINT An In-Depth Look at How Pawn Storm\u2019s Java Zero-Day Was Used by Trend Micro", "published": "2015-07-23T11:27:11Z", "object_refs": [ "observed-data--55a769b1-faf0-4553-b131-e4fd950d210b", "url--55a769b1-faf0-4553-b131-e4fd950d210b", "x-misp-attribute--55a769c5-83c8-41f9-a020-266f950d210b", "x-misp-attribute--55a769c5-904c-44d3-a10e-266f950d210b", "x-misp-attribute--55a769c5-3b70-40c6-8030-266f950d210b", "x-misp-attribute--55a769c6-70cc-469e-bae4-266f950d210b", "indicator--55a8cf34-5c94-40bf-9cfc-4301950d210b", "observed-data--55a8cf34-29cc-480a-8bfd-43b9950d210b", "url--55a8cf34-29cc-480a-8bfd-43b9950d210b", "indicator--55a8cf34-0550-4b1f-b183-42ae950d210b", "indicator--55a8cf35-add8-4854-b6c3-443b950d210b", "indicator--55a8cf35-3b68-473a-8347-49c9950d210b", "indicator--55a8cf35-e610-4d0b-b99a-44a5950d210b", "indicator--55a8d02c-f300-4479-a2e9-1e08950d210b", "indicator--55a8d02c-8f64-4dd0-a81e-1e08950d210b", "indicator--55a8d02c-4300-4109-9e0d-1e08950d210b", "indicator--55a8d02d-3cb4-424d-980f-1e08950d210b", "indicator--55a8d02d-e680-47d6-ada7-1e08950d210b", "indicator--55a8d02d-5a2c-49e1-bd33-1e08950d210b", "indicator--55a8d02d-30f4-48a7-9ae8-1e08950d210b", "indicator--55a8d02d-9718-48ec-8566-1e08950d210b", "indicator--55a8d02d-b774-4483-bf97-1e08950d210b", "indicator--55a8d02e-384c-4a0e-b776-1e08950d210b", "indicator--55a8d02e-fa20-43d0-9a16-1e08950d210b", 
"indicator--55a8d02e-71e4-484a-b446-1e08950d210b", "indicator--55a8d02e-c688-4242-b2b6-1e08950d210b", "indicator--55a8d02e-d3c4-41d0-adfe-1e08950d210b", "x-misp-attribute--55a8d083-0df0-41d5-aaff-0a95950d210b", "x-misp-attribute--55a8d083-889c-4378-8a87-0a95950d210b", "x-misp-attribute--55a8d083-b298-4191-b334-0a95950d210b", "indicator--56ae7496-ac98-437d-ba17-4bfa02de0b81", "indicator--56ae7496-ab14-4ad0-a447-44be02de0b81", "observed-data--56ae7497-80f0-4165-be41-49d402de0b81", "url--56ae7497-80f0-4165-be41-49d402de0b81", "indicator--56ae7497-8098-4ffc-b65e-47d302de0b81", "indicator--56ae7497-5968-4028-ac90-4fb202de0b81", "observed-data--56ae7498-0774-4bcb-ae08-492402de0b81", "url--56ae7498-0774-4bcb-ae08-492402de0b81", "indicator--56ae7498-5770-4232-9152-4a3102de0b81", "indicator--56ae7498-cf28-4e29-81fb-47be02de0b81", "observed-data--56ae7498-af00-40a5-9683-420102de0b81", "url--56ae7498-af00-40a5-9683-420102de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--55a769b1-faf0-4553-b131-e4fd950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-16T08:22:09.000Z", "modified": "2015-07-16T08:22:09.000Z", "first_observed": "2015-07-16T08:22:09Z", "last_observed": "2015-07-16T08:22:09Z", "number_observed": 1, "object_refs": [ "url--55a769b1-faf0-4553-b131-e4fd950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--55a769b1-faf0-4553-b131-e4fd950d210b", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--55a769c5-83c8-41f9-a020-266f950d210b", "created_by_ref": 
"identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-16T08:22:29.000Z", "modified": "2015-07-16T08:22:29.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "APT28" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--55a769c5-904c-44d3-a10e-266f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-16T08:22:29.000Z", "modified": "2015-07-16T08:22:29.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Pawn Storm" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--55a769c5-3b70-40c6-8030-266f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-16T08:22:29.000Z", "modified": "2015-07-16T08:22:29.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Sednit" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--55a769c6-70cc-469e-bae4-266f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-16T08:22:30.000Z", "modified": "2015-07-16T08:22:30.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Sofacy" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8cf34-5c94-40bf-9cfc-4301950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:47:32.000Z", "modified": "2015-07-17T09:47:32.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA1 = '95dc765700f5af406883d07f165011d2ff8dd0fb']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2015-07-17T09:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--55a8cf34-29cc-480a-8bfd-43b9950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:48:13.000Z", "modified": "2015-07-17T09:48:13.000Z", "first_observed": "2015-07-17T09:48:13Z", "last_observed": "2015-07-17T09:48:13Z", "number_observed": 1, "object_refs": [ "url--55a8cf34-29cc-480a-8bfd-43b9950d210b" ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--55a8cf34-29cc-480a-8bfd-43b9950d210b", "value": "http://ausameetings.com/url?=[a-za-z0-9]{7}/2015annualmeeting/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8cf34-0550-4b1f-b183-42ae950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:47:32.000Z", "modified": "2015-07-17T09:47:32.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA1 = 'b4a515ef9de037f18d96b9b0e48271180f5725b7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8cf35-add8-4854-b6c3-443b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:47:33.000Z", "modified": "2015-07-17T09:47:33.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'vhgg5hkvn25.exe']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2015-07-17T09:47:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8cf35-3b68-473a-8347-49c9950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:47:33.000Z", "modified": "2015-07-17T09:47:33.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA1 = '21835aafe6d46840bb697e8b0d4aac06dec44f5b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:47:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8cf35-e610-4d0b-b99a-44a5950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:47:33.000Z", "modified": "2015-07-17T09:47:33.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'api-ms-win-downlevel-profile-l1-1-0.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:47:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02c-f300-4479-a2e9-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:40.000Z", "modified": "2015-07-17T09:51:40.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'ausameetings.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2015-07-17T09:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02c-8f64-4dd0-a81e-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:40.000Z", "modified": "2015-07-17T09:51:40.000Z", "description": "Low precision", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.45.189']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02c-4300-4109-9e0d-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:40.000Z", "modified": "2015-07-17T09:51:40.000Z", "description": "Imported via the freetext import.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '87.236.215.132']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02d-3cb4-424d-980f-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:41.000Z", "modified": "2015-07-17T09:51:41.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'arrayreplace.class']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2015-07-17T09:51:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02d-e680-47d6-ada7-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:41.000Z", "modified": "2015-07-17T09:51:41.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'App$PassHandleController.class']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02d-5a2c-49e1-bd33-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:41.000Z", "modified": "2015-07-17T09:51:41.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'converter.class']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02d-30f4-48a7-9ae8-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:41.000Z", "modified": "2015-07-17T09:51:41.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'mybytearrayinputstream.class']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:41Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02d-9718-48ec-8566-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:41.000Z", "modified": "2015-07-17T09:51:41.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'none2.class']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02d-b774-4483-bf97-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:41.000Z", "modified": "2015-07-17T09:51:41.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'none.class']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02e-384c-4a0e-b776-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:42.000Z", "modified": "2015-07-17T09:51:42.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'cormac.mcr']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ 
"misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02e-fa20-43d0-9a16-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:42.000Z", "modified": "2015-07-17T09:51:42.000Z", "description": "Imported via the freetext import.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.111.146.185']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02e-71e4-484a-b446-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:51:42.000Z", "modified": "2015-07-17T09:51:42.000Z", "description": "Imported via the freetext import.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.187.116.240']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:51:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02e-c688-4242-b2b6-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:52:02.000Z", "modified": "2015-07-17T09:52:02.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'acledit.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:52:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--55a8d02e-d3c4-41d0-adfe-1e08950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:52:10.000Z", "modified": "2015-07-17T09:52:10.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'biocpl.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-07-17T09:52:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--55a8d083-0df0-41d5-aaff-0a95950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:53:07.000Z", "modified": "2015-07-17T09:53:07.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "JAVA_DLOADR.EFD" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--55a8d083-889c-4378-8a87-0a95950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:53:07.000Z", "modified": "2015-07-17T09:53:07.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "TROJ_DROPPR.CXC" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--55a8d083-b298-4191-b334-0a95950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-07-17T09:53:07.000Z", "modified": "2015-07-17T09:53:07.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus 
detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "TSPY_SEDNIT.C" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56ae7496-ac98-437d-ba17-4bfa02de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:46.000Z", "modified": "2016-01-31T20:54:46.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 21835aafe6d46840bb697e8b0d4aac06dec44f5b", "pattern": "[file:hashes.SHA256 = '3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-01-31T20:54:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56ae7496-ab14-4ad0-a447-44be02de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:46.000Z", "modified": "2016-01-31T20:54:46.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 21835aafe6d46840bb697e8b0d4aac06dec44f5b", "pattern": "[file:hashes.MD5 = '211b7100fd799e9eaabeb13cfa446231']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-01-31T20:54:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56ae7497-80f0-4165-be41-49d402de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:47.000Z", "modified": "2016-01-31T20:54:47.000Z", "first_observed": "2016-01-31T20:54:47Z", "last_observed": "2016-01-31T20:54:47Z", "number_observed": 1, "object_refs": [ "url--56ae7497-80f0-4165-be41-49d402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56ae7497-80f0-4165-be41-49d402de0b81", "value": "https://www.virustotal.com/file/3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8/analysis/1451306949/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56ae7497-8098-4ffc-b65e-47d302de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:47.000Z", "modified": "2016-01-31T20:54:47.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: b4a515ef9de037f18d96b9b0e48271180f5725b7", "pattern": "[file:hashes.SHA256 = 'd93f22d46090bfc19ef51963a781eeb864390c66d9347e86e03bba25a1fc29c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-01-31T20:54:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56ae7497-5968-4028-ac90-4fb202de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:47.000Z", "modified": "2016-01-31T20:54:47.000Z", "description": "Imported via the freetext import. - Xchecked via VT: b4a515ef9de037f18d96b9b0e48271180f5725b7", "pattern": "[file:hashes.MD5 = 'afe09fb5a2b97f9e119f70292092604e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-01-31T20:54:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56ae7498-0774-4bcb-ae08-492402de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:48.000Z", "modified": "2016-01-31T20:54:48.000Z", "first_observed": "2016-01-31T20:54:48Z", "last_observed": "2016-01-31T20:54:48Z", "number_observed": 1, "object_refs": [ "url--56ae7498-0774-4bcb-ae08-492402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56ae7498-0774-4bcb-ae08-492402de0b81", "value": "https://www.virustotal.com/file/d93f22d46090bfc19ef51963a781eeb864390c66d9347e86e03bba25a1fc29c5/analysis/1449817909/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--56ae7498-5770-4232-9152-4a3102de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:48.000Z", "modified": "2016-01-31T20:54:48.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 95dc765700f5af406883d07f165011d2ff8dd0fb", "pattern": "[file:hashes.SHA256 = '3f2d8744205b59f7bee5a8f13e6a15201f04663ce2c6f33b1684968778e44349']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-01-31T20:54:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56ae7498-cf28-4e29-81fb-47be02de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:48.000Z", "modified": "2016-01-31T20:54:48.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 95dc765700f5af406883d07f165011d2ff8dd0fb", "pattern": "[file:hashes.MD5 = '0c345969a5974e8b1ec6a5e23b2cf777']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-01-31T20:54:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56ae7498-af00-40a5-9683-420102de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-01-31T20:54:48.000Z", "modified": "2016-01-31T20:54:48.000Z", "first_observed": "2016-01-31T20:54:48Z", "last_observed": "2016-01-31T20:54:48Z", "number_observed": 1, "object_refs": [ "url--56ae7498-af00-40a5-9683-420102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56ae7498-af00-40a5-9683-420102de0b81", "value": "https://www.virustotal.com/file/3f2d8744205b59f7bee5a8f13e6a15201f04663ce2c6f33b1684968778e44349/analysis/1443100024/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }