{ "type": "bundle", "id": "bundle--5642582d-78dc-4e92-b42f-6d9d950d210b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:36:47.000Z", "modified": "2015-11-11T06:36:47.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5642582d-78dc-4e92-b42f-6d9d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:36:47.000Z", "modified": "2015-11-11T06:36:47.000Z", "name": "OSINT Bookworm Trojan: A Model of Modular Architecture by Palo Alto Unit 42", "published": "2015-11-11T06:37:00Z", "object_refs": [ "observed-data--56425841-0dbc-4bc7-9bb8-6d9d950d210b", "url--56425841-0dbc-4bc7-9bb8-6d9d950d210b", "indicator--56425890-6bc4-42f8-8589-606d950d210b", "indicator--56425891-ca24-437a-a590-606d950d210b", "indicator--56425891-52e8-4b07-bb8f-606d950d210b", "indicator--56425892-c1cc-409d-b824-606d950d210b", "indicator--56425892-d218-49bd-a652-606d950d210b", "indicator--56425893-28f8-43b4-b8ed-606d950d210b", "indicator--56425893-1728-4f1a-a6a5-606d950d210b", "indicator--56425894-1b78-4686-be13-606d950d210b", "indicator--56425894-f18c-4c7a-a608-606d950d210b", "indicator--56425894-5d20-4a12-868d-606d950d210b", "indicator--56425895-1ac8-4007-9445-606d950d210b", "indicator--56425895-c524-4124-8ed8-606d950d210b", "indicator--56425896-8664-4a0e-9144-606d950d210b", "indicator--56425896-47cc-4474-9a75-606d950d210b", "indicator--56425896-8508-465d-9e55-606d950d210b", "indicator--56425897-8304-4382-a5ea-606d950d210b", "indicator--56425897-e9c0-4c8f-b3c0-606d950d210b", "indicator--56425898-f478-4665-b301-606d950d210b", "indicator--56425898-e934-4e91-bde0-606d950d210b", "indicator--56425898-8a9c-420c-a63d-606d950d210b", "indicator--56425899-ce88-4132-901c-606d950d210b", "indicator--56425899-baa4-42a6-b198-606d950d210b", "indicator--5642589a-9400-4502-8379-606d950d210b", 
"indicator--5642589a-d010-425e-bf07-606d950d210b", "indicator--5642589a-50d8-453c-a120-606d950d210b", "indicator--5642589b-d870-4df1-b86a-606d950d210b", "indicator--5642589b-99a4-48c3-b954-606d950d210b", "indicator--5642589c-417c-43ff-b919-606d950d210b", "indicator--5642589c-fa44-40d3-a416-606d950d210b", "indicator--5642589c-8cdc-4043-b9ba-606d950d210b", "indicator--5642589d-9d6c-401b-a50d-606d950d210b", "indicator--5642589d-096c-4f7e-b788-606d950d210b", "indicator--5642589e-f7c0-47eb-acdb-606d950d210b", "indicator--5642589e-c224-4568-ace8-606d950d210b", "indicator--5642e0b0-e260-47b5-93dd-cf3b950d210b", "indicator--5642e0b0-5c74-411d-8cb7-cf3b950d210b", "observed-data--5642e0b1-64d4-4d94-b945-cf3b950d210b", "url--5642e0b1-64d4-4d94-b945-cf3b950d210b", "indicator--5642e0b1-f574-4ada-b57f-cf3b950d210b", "indicator--5642e0b2-c404-400e-95e5-cf3b950d210b", "observed-data--5642e0b2-c460-4c34-bf43-cf3b950d210b", "url--5642e0b2-c460-4c34-bf43-cf3b950d210b", "indicator--5642e0b2-1b64-4bfe-9838-cf3b950d210b", "indicator--5642e0b3-358c-4a4f-89f0-cf3b950d210b", "observed-data--5642e0b3-6d30-40c5-97e3-cf3b950d210b", "url--5642e0b3-6d30-40c5-97e3-cf3b950d210b", "indicator--5642e0b4-0194-4516-a2e8-cf3b950d210b", "indicator--5642e0b4-45d8-43b3-9437-cf3b950d210b", "observed-data--5642e0b4-2434-4938-9a58-cf3b950d210b", "url--5642e0b4-2434-4938-9a58-cf3b950d210b", "indicator--5642e0b5-c668-4109-95d7-cf3b950d210b", "indicator--5642e0b5-0a40-4018-bd35-cf3b950d210b", "observed-data--5642e0b6-7570-4293-b82b-cf3b950d210b", "url--5642e0b6-7570-4293-b82b-cf3b950d210b", "indicator--5642e0b6-d7b4-4262-b343-cf3b950d210b", "indicator--5642e0b6-7b68-431d-922a-cf3b950d210b", "observed-data--5642e0b7-4ef4-4a70-825f-cf3b950d210b", "url--5642e0b7-4ef4-4a70-825f-cf3b950d210b", "indicator--5642e0b7-8e10-4fbe-9383-cf3b950d210b", "indicator--5642e0b8-0104-4b7b-8000-cf3b950d210b", "observed-data--5642e0b8-b6a0-43b1-82f8-cf3b950d210b", "url--5642e0b8-b6a0-43b1-82f8-cf3b950d210b", 
"indicator--5642e0b8-9a84-4225-8595-cf3b950d210b", "indicator--5642e0b9-3258-4d3f-bf85-cf3b950d210b", "observed-data--5642e0b9-55e4-440c-a7f0-cf3b950d210b", "url--5642e0b9-55e4-440c-a7f0-cf3b950d210b", "indicator--5642e0ba-52d8-428e-94bd-cf3b950d210b", "indicator--5642e0ba-4018-480f-a451-cf3b950d210b", "observed-data--5642e0ba-a664-4cdd-88ee-cf3b950d210b", "url--5642e0ba-a664-4cdd-88ee-cf3b950d210b", "indicator--5642e0bb-6d9c-46c0-99a1-cf3b950d210b", "indicator--5642e0bb-3fa0-4e26-8593-cf3b950d210b", "observed-data--5642e0bc-d580-4ae1-a7e1-cf3b950d210b", "url--5642e0bc-d580-4ae1-a7e1-cf3b950d210b", "indicator--5642e0bc-b8d0-4dca-9fcb-cf3b950d210b", "indicator--5642e0bc-289c-4a58-a9c1-cf3b950d210b", "observed-data--5642e0bd-3d48-4b93-a322-cf3b950d210b", "url--5642e0bd-3d48-4b93-a322-cf3b950d210b", "indicator--5642e0bd-06b8-4594-b6fd-cf3b950d210b", "indicator--5642e0be-8460-46a9-8503-cf3b950d210b", "observed-data--5642e0be-7718-4d56-880c-cf3b950d210b", "url--5642e0be-7718-4d56-880c-cf3b950d210b", "indicator--5642e0be-7f4c-4836-9096-cf3b950d210b", "indicator--5642e0bf-6a88-48e1-885f-cf3b950d210b", "observed-data--5642e0bf-2d84-47bf-875f-cf3b950d210b", "url--5642e0bf-2d84-47bf-875f-cf3b950d210b", "indicator--5642e0c0-ada8-457f-b058-cf3b950d210b", "indicator--5642e0c0-8274-4588-b098-cf3b950d210b", "observed-data--5642e0c0-e790-4e70-ba95-cf3b950d210b", "url--5642e0c0-e790-4e70-ba95-cf3b950d210b", "indicator--5642e0c1-d174-4ffe-bb82-cf3b950d210b", "indicator--5642e0c1-e6f8-4658-be72-cf3b950d210b", "observed-data--5642e0c2-5228-470c-ad18-cf3b950d210b", "url--5642e0c2-5228-470c-ad18-cf3b950d210b", "indicator--5642e0c2-1764-40e4-b33a-cf3b950d210b", "indicator--5642e0c2-f640-4dd8-80b3-cf3b950d210b", "observed-data--5642e0c3-3ba4-4d18-b464-cf3b950d210b", "url--5642e0c3-3ba4-4d18-b464-cf3b950d210b", "x-misp-attribute--5642e1ff-38a8-4008-9817-a5c4950d210b" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ 
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56425841-0dbc-4bc7-9bb8-6d9d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:49:05.000Z", "modified": "2015-11-10T20:49:05.000Z", "first_observed": "2015-11-10T20:49:05Z", "last_observed": "2015-11-10T20:49:05Z", "number_observed": 1, "object_refs": [ "url--56425841-0dbc-4bc7-9bb8-6d9d950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56425841-0dbc-4bc7-9bb8-6d9d950d210b", "value": "http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425890-6bc4-42f8-8589-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:24.000Z", "modified": "2015-11-10T20:50:24.000Z", "pattern": "[domain-name:value = 'bkmail.blogdns.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425891-ca24-437a-a590-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:25.000Z", "modified": "2015-11-10T20:50:25.000Z", "pattern": "[domain-name:value = 'debain.servehttp.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--56425891-52e8-4b07-bb8f-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:25.000Z", "modified": "2015-11-10T20:50:25.000Z", "pattern": "[domain-name:value = 'linuxdns.sytes.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425892-c1cc-409d-b824-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:26.000Z", "modified": "2015-11-10T20:50:26.000Z", "pattern": "[domain-name:value = 'news.nhknews.hk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425892-d218-49bd-a652-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:26.000Z", "modified": "2015-11-10T20:50:26.000Z", "pattern": "[domain-name:value = 'sswmail.gotdns.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425893-28f8-43b4-b8ed-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:27.000Z", "modified": 
"2015-11-10T20:50:27.000Z", "pattern": "[domain-name:value = 'sswwmail.gotdns.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425893-1728-4f1a-a6a5-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:27.000Z", "modified": "2015-11-10T20:50:27.000Z", "pattern": "[domain-name:value = 'sysnc.sytes.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425894-1b78-4686-be13-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:28.000Z", "modified": "2015-11-10T20:50:28.000Z", "pattern": "[domain-name:value = 'systeminfothai.gotdns.ch']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425894-f18c-4c7a-a608-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:28.000Z", "modified": "2015-11-10T20:50:28.000Z", "pattern": "[domain-name:value = 'thailandbbs.ddns.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:28Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425894-5d20-4a12-868d-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:28.000Z", "modified": "2015-11-10T20:50:28.000Z", "pattern": "[domain-name:value = 'ubuntudns.sytes.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425895-1ac8-4007-9445-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:29.000Z", "modified": "2015-11-10T20:50:29.000Z", "pattern": "[domain-name:value = 'web12.nhkews.hk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425895-c524-4124-8ed8-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:29.000Z", "modified": "2015-11-10T20:50:29.000Z", "pattern": "[file:hashes.MD5 = '0f41c853a2d522e326f2c30b4b951b04']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--56425896-8664-4a0e-9144-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:30.000Z", "modified": "2015-11-10T20:50:30.000Z", "pattern": "[file:hashes.MD5 = '8ae2468d3f208d07fb47ebb1e0e297d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425896-47cc-4474-9a75-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:30.000Z", "modified": "2015-11-10T20:50:30.000Z", "pattern": "[file:hashes.MD5 = '35755a6839f3c54e602d777cd11ef557']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425896-8508-465d-9e55-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:30.000Z", "modified": "2015-11-10T20:50:30.000Z", "pattern": "[file:hashes.MD5 = '87d71401e2b8978c2084eb9a1d59c172']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425897-8304-4382-a5ea-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": 
"2015-11-10T20:50:31.000Z", "modified": "2015-11-10T20:50:31.000Z", "pattern": "[file:hashes.MD5 = '599b6e05a38329081b80a461b57cec37']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425897-e9c0-4c8f-b3c0-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:31.000Z", "modified": "2015-11-10T20:50:31.000Z", "pattern": "[file:hashes.MD5 = 'ba1aea40182861e1d1de8c0c2ae78cb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425898-f478-4665-b301-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:32.000Z", "modified": "2015-11-10T20:50:32.000Z", "pattern": "[file:hashes.MD5 = 'de1595a7585219967a87a909f38acaa2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425898-e934-4e91-bde0-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:32.000Z", "modified": "2015-11-10T20:50:32.000Z", "pattern": "[file:hashes.MD5 = 'f8c8c6683d6ca880293f7c1a78d7f8ce']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2015-11-10T20:50:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425898-8a9c-420c-a63d-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:32.000Z", "modified": "2015-11-10T20:50:32.000Z", "pattern": "[file:hashes.MD5 = '0b4ad1bd093e0a2eb8968e308e900180']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425899-ce88-4132-901c-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:33.000Z", "modified": "2015-11-10T20:50:33.000Z", "pattern": "[file:hashes.MD5 = 'cba74e507e9741740d251b1fb34a1874']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56425899-baa4-42a6-b198-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:33.000Z", "modified": "2015-11-10T20:50:33.000Z", "pattern": "[file:hashes.MD5 = 'fcd68032c39cca3385c539ea38914735']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589a-9400-4502-8379-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:34.000Z", "modified": "2015-11-10T20:50:34.000Z", "pattern": "[file:hashes.MD5 = '3e69c34298a8fd5169259a2fef506d63']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589a-d010-425e-bf07-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:34.000Z", "modified": "2015-11-10T20:50:34.000Z", "pattern": "[file:hashes.MD5 = '04d63e2a3da0a171e5c15d8e904387b9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589a-50d8-453c-a120-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:34.000Z", "modified": "2015-11-10T20:50:34.000Z", "pattern": "[file:hashes.MD5 = '0d57d2bef1296be62a3e791bfad33bcd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589b-d870-4df1-b86a-606d950d210b", 
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:35.000Z", "modified": "2015-11-10T20:50:35.000Z", "pattern": "[file:hashes.MD5 = '4389fc820d0edd96bac26fa0b7448aee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589b-99a4-48c3-b954-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:35.000Z", "modified": "2015-11-10T20:50:35.000Z", "pattern": "[file:hashes.MD5 = '74c293acdda0d2c3b5087763dae27ec6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589c-417c-43ff-b919-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:36.000Z", "modified": "2015-11-10T20:50:36.000Z", "pattern": "[file:hashes.MD5 = 'b030c619bb24804cbcc05065530fcf2e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589c-fa44-40d3-a416-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:36.000Z", "modified": "2015-11-10T20:50:36.000Z", "pattern": "[file:hashes.MD5 = 
'29df124f370752a87b3426dcad539ec6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589c-8cdc-4043-b9ba-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:36.000Z", "modified": "2015-11-10T20:50:36.000Z", "pattern": "[file:hashes.MD5 = '9df45e8d8619e234d0449daf2f617ba3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589d-9d6c-401b-a50d-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:37.000Z", "modified": "2015-11-10T20:50:37.000Z", "pattern": "[file:hashes.MD5 = '40f1b160b88ff98934017f3f1e7879a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589d-096c-4f7e-b788-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:37.000Z", "modified": "2015-11-10T20:50:37.000Z", "pattern": "[file:hashes.MD5 = '210816c8bde338bf206f13bb923327a1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:37Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589e-f7c0-47eb-acdb-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:38.000Z", "modified": "2015-11-10T20:50:38.000Z", "pattern": "[file:hashes.MD5 = '187cdb58fbc30046a35793818229c573']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642589e-c224-4568-ace8-606d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-10T20:50:38.000Z", "modified": "2015-11-10T20:50:38.000Z", "pattern": "[file:hashes.MD5 = '499ccc8d6d7c08e135a91928ccc2fd7a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-10T20:50:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b0-e260-47b5-93dd-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:12.000Z", "modified": "2015-11-11T06:31:12.000Z", "description": "- Xchecked via VT: 499ccc8d6d7c08e135a91928ccc2fd7a", "pattern": "[file:hashes.SHA256 = '1fa5d83a5766556cf2ff16ad279e73cb40584746bd388e0a4e818a2cc06613d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b0-5c74-411d-8cb7-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:12.000Z", "modified": "2015-11-11T06:31:12.000Z", "description": "- Xchecked via VT: 499ccc8d6d7c08e135a91928ccc2fd7a", "pattern": "[file:hashes.SHA1 = '78b2b70ad8e49cd2e8518501a29d1af1e714a16f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0b1-64d4-4d94-b945-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:13.000Z", "modified": "2015-11-11T06:31:13.000Z", "first_observed": "2015-11-11T06:31:13Z", "last_observed": "2015-11-11T06:31:13Z", "number_observed": 1, "object_refs": [ "url--5642e0b1-64d4-4d94-b945-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0b1-64d4-4d94-b945-cf3b950d210b", "value": "https://www.virustotal.com/file/1fa5d83a5766556cf2ff16ad279e73cb40584746bd388e0a4e818a2cc06613d3/analysis/1426027731/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b1-f574-4ada-b57f-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:13.000Z", "modified": "2015-11-11T06:31:13.000Z", "description": "- Xchecked via VT: 40f1b160b88ff98934017f3f1e7879a5", "pattern": "[file:hashes.SHA256 = '80bfe4c4758a93e315da8bbcbfbc48cd8f280b871e1bcf1cf6a126454895e05a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2015-11-11T06:31:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b2-c404-400e-95e5-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:14.000Z", "modified": "2015-11-11T06:31:14.000Z", "description": "- Xchecked via VT: 40f1b160b88ff98934017f3f1e7879a5", "pattern": "[file:hashes.SHA1 = '468e2a5779e415ec2df359b410d208d32a279604']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0b2-c460-4c34-bf43-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:14.000Z", "modified": "2015-11-11T06:31:14.000Z", "first_observed": "2015-11-11T06:31:14Z", "last_observed": "2015-11-11T06:31:14Z", "number_observed": 1, "object_refs": [ "url--5642e0b2-c460-4c34-bf43-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0b2-c460-4c34-bf43-cf3b950d210b", "value": "https://www.virustotal.com/file/80bfe4c4758a93e315da8bbcbfbc48cd8f280b871e1bcf1cf6a126454895e05a/analysis/1445861223/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b2-1b64-4bfe-9838-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:14.000Z", "modified": "2015-11-11T06:31:14.000Z", "description": "- Xchecked via VT: 29df124f370752a87b3426dcad539ec6", "pattern": "[file:hashes.SHA256 = 
'9044fe4924a76e409a292cc1bd041f3a16aa70acd656e14d904b98dc82cc82ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b3-358c-4a4f-89f0-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:15.000Z", "modified": "2015-11-11T06:31:15.000Z", "description": "- Xchecked via VT: 29df124f370752a87b3426dcad539ec6", "pattern": "[file:hashes.SHA1 = '0bcbd480ace28d852a84ecdb36655a2aaabddc9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0b3-6d30-40c5-97e3-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:15.000Z", "modified": "2015-11-11T06:31:15.000Z", "first_observed": "2015-11-11T06:31:15Z", "last_observed": "2015-11-11T06:31:15Z", "number_observed": 1, "object_refs": [ "url--5642e0b3-6d30-40c5-97e3-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0b3-6d30-40c5-97e3-cf3b950d210b", "value": "https://www.virustotal.com/file/9044fe4924a76e409a292cc1bd041f3a16aa70acd656e14d904b98dc82cc82ab/analysis/1446196462/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b4-0194-4516-a2e8-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:16.000Z", "modified": 
"2015-11-11T06:31:16.000Z", "description": "- Xchecked via VT: b030c619bb24804cbcc05065530fcf2e", "pattern": "[file:hashes.SHA256 = 'c28fd4336214e8836f8eea548d523c1c5ca3df53c9c30b8d720e6d00dc632323']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b4-45d8-43b3-9437-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:16.000Z", "modified": "2015-11-11T06:31:16.000Z", "description": "- Xchecked via VT: b030c619bb24804cbcc05065530fcf2e", "pattern": "[file:hashes.SHA1 = '07c49d6dbb411b871943ef857be55310a5a4d22e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0b4-2434-4938-9a58-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:16.000Z", "modified": "2015-11-11T06:31:16.000Z", "first_observed": "2015-11-11T06:31:16Z", "last_observed": "2015-11-11T06:31:16Z", "number_observed": 1, "object_refs": [ "url--5642e0b4-2434-4938-9a58-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0b4-2434-4938-9a58-cf3b950d210b", "value": "https://www.virustotal.com/file/c28fd4336214e8836f8eea548d523c1c5ca3df53c9c30b8d720e6d00dc632323/analysis/1444222895/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5642e0b5-c668-4109-95d7-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:17.000Z", "modified": "2015-11-11T06:31:17.000Z", "description": "- Xchecked via VT: 74c293acdda0d2c3b5087763dae27ec6", "pattern": "[file:hashes.SHA256 = 'e2dce038ea6a354da4d34d579a02f14c67ceba6a1b4acea59d12101aa1c5585d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b5-0a40-4018-bd35-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:17.000Z", "modified": "2015-11-11T06:31:17.000Z", "description": "- Xchecked via VT: 74c293acdda0d2c3b5087763dae27ec6", "pattern": "[file:hashes.SHA1 = '1afd72a119a7261179b2f58d1e9ccec7abdd4353']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0b6-7570-4293-b82b-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:18.000Z", "modified": "2015-11-11T06:31:18.000Z", "first_observed": "2015-11-11T06:31:18Z", "last_observed": "2015-11-11T06:31:18Z", "number_observed": 1, "object_refs": [ "url--5642e0b6-7570-4293-b82b-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0b6-7570-4293-b82b-cf3b950d210b", "value": 
"https://www.virustotal.com/file/e2dce038ea6a354da4d34d579a02f14c67ceba6a1b4acea59d12101aa1c5585d/analysis/1442205914/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b6-d7b4-4262-b343-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:18.000Z", "modified": "2015-11-11T06:31:18.000Z", "description": "- Xchecked via VT: 0d57d2bef1296be62a3e791bfad33bcd", "pattern": "[file:hashes.SHA256 = 'c9434a3b15609527d6a986d747aa13a90786d1e86fddd864cbfbaf2f01bfe1fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b6-7b68-431d-922a-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:18.000Z", "modified": "2015-11-11T06:31:18.000Z", "description": "- Xchecked via VT: 0d57d2bef1296be62a3e791bfad33bcd", "pattern": "[file:hashes.SHA1 = '084abcb69b8a1db256b363746ce6ef6f7cd547d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0b7-4ef4-4a70-825f-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:19.000Z", "modified": "2015-11-11T06:31:19.000Z", "first_observed": "2015-11-11T06:31:19Z", "last_observed": "2015-11-11T06:31:19Z", "number_observed": 1, "object_refs": [ "url--5642e0b7-4ef4-4a70-825f-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", 
"misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0b7-4ef4-4a70-825f-cf3b950d210b", "value": "https://www.virustotal.com/file/c9434a3b15609527d6a986d747aa13a90786d1e86fddd864cbfbaf2f01bfe1fb/analysis/1445869975/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b7-8e10-4fbe-9383-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:19.000Z", "modified": "2015-11-11T06:31:19.000Z", "description": "- Xchecked via VT: 3e69c34298a8fd5169259a2fef506d63", "pattern": "[file:hashes.SHA256 = '1b0355f699196bc33b3791150fd9b3b58c1208cc18b5b89f5918df8cf026ffb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b8-0104-4b7b-8000-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:20.000Z", "modified": "2015-11-11T06:31:20.000Z", "description": "- Xchecked via VT: 3e69c34298a8fd5169259a2fef506d63", "pattern": "[file:hashes.SHA1 = '0ed5dfd91654c715c806595b39b4060af649aafd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0b8-b6a0-43b1-82f8-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:20.000Z", "modified": "2015-11-11T06:31:20.000Z", "first_observed": "2015-11-11T06:31:20Z", "last_observed": 
"2015-11-11T06:31:20Z", "number_observed": 1, "object_refs": [ "url--5642e0b8-b6a0-43b1-82f8-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0b8-b6a0-43b1-82f8-cf3b950d210b", "value": "https://www.virustotal.com/file/1b0355f699196bc33b3791150fd9b3b58c1208cc18b5b89f5918df8cf026ffb7/analysis/1446805687/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b8-9a84-4225-8595-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:20.000Z", "modified": "2015-11-11T06:31:20.000Z", "description": "- Xchecked via VT: fcd68032c39cca3385c539ea38914735", "pattern": "[file:hashes.SHA256 = '613d0c5951aa8473982edd766d2e01f542be1280ebaef634c079441686b27978']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0b9-3258-4d3f-bf85-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:21.000Z", "modified": "2015-11-11T06:31:21.000Z", "description": "- Xchecked via VT: fcd68032c39cca3385c539ea38914735", "pattern": "[file:hashes.SHA1 = 'bb273ce38e24b1fd092a90f785497f5f2d28886f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0b9-55e4-440c-a7f0-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": 
"2015-11-11T06:31:21.000Z", "modified": "2015-11-11T06:31:21.000Z", "first_observed": "2015-11-11T06:31:21Z", "last_observed": "2015-11-11T06:31:21Z", "number_observed": 1, "object_refs": [ "url--5642e0b9-55e4-440c-a7f0-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0b9-55e4-440c-a7f0-cf3b950d210b", "value": "https://www.virustotal.com/file/613d0c5951aa8473982edd766d2e01f542be1280ebaef634c079441686b27978/analysis/1441600914/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0ba-52d8-428e-94bd-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:22.000Z", "modified": "2015-11-11T06:31:22.000Z", "description": "- Xchecked via VT: cba74e507e9741740d251b1fb34a1874", "pattern": "[file:hashes.SHA256 = '755a4b2ec15da6bb01248b2dfbad206c340ba937eae9c35f04f6cedfe5e99d63']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0ba-4018-480f-a451-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:22.000Z", "modified": "2015-11-11T06:31:22.000Z", "description": "- Xchecked via VT: cba74e507e9741740d251b1fb34a1874", "pattern": "[file:hashes.SHA1 = '56ee57de81ecea6a2c83d5430238fa98a041e8eb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--5642e0ba-a664-4cdd-88ee-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:22.000Z", "modified": "2015-11-11T06:31:22.000Z", "first_observed": "2015-11-11T06:31:22Z", "last_observed": "2015-11-11T06:31:22Z", "number_observed": 1, "object_refs": [ "url--5642e0ba-a664-4cdd-88ee-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0ba-a664-4cdd-88ee-cf3b950d210b", "value": "https://www.virustotal.com/file/755a4b2ec15da6bb01248b2dfbad206c340ba937eae9c35f04f6cedfe5e99d63/analysis/1441858084/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0bb-6d9c-46c0-99a1-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:23.000Z", "modified": "2015-11-11T06:31:23.000Z", "description": "- Xchecked via VT: de1595a7585219967a87a909f38acaa2", "pattern": "[file:hashes.SHA256 = 'e96b37592d42800a5a46e3bb3bc9ceb6dbaaaf5448f84cf69098815f8c233566']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0bb-3fa0-4e26-8593-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:23.000Z", "modified": "2015-11-11T06:31:23.000Z", "description": "- Xchecked via VT: de1595a7585219967a87a909f38acaa2", "pattern": "[file:hashes.SHA1 = 'bad66e5bbf8775c0f5683428f93a64eb84c75772']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0bc-d580-4ae1-a7e1-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:24.000Z", "modified": "2015-11-11T06:31:24.000Z", "first_observed": "2015-11-11T06:31:24Z", "last_observed": "2015-11-11T06:31:24Z", "number_observed": 1, "object_refs": [ "url--5642e0bc-d580-4ae1-a7e1-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0bc-d580-4ae1-a7e1-cf3b950d210b", "value": "https://www.virustotal.com/file/e96b37592d42800a5a46e3bb3bc9ceb6dbaaaf5448f84cf69098815f8c233566/analysis/1441609817/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0bc-b8d0-4dca-9fcb-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:24.000Z", "modified": "2015-11-11T06:31:24.000Z", "description": "- Xchecked via VT: ba1aea40182861e1d1de8c0c2ae78cb7", "pattern": "[file:hashes.SHA256 = 'ca7cd0d3b5582ac4257c8ed31799d4fd577cdff1bf7ff018946b6284c0bbd617']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0bc-289c-4a58-a9c1-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:24.000Z", "modified": "2015-11-11T06:31:24.000Z", "description": "- Xchecked via VT: ba1aea40182861e1d1de8c0c2ae78cb7", "pattern": "[file:hashes.SHA1 = 'f3fda6f46c7316381a65ccc26e94cb0ac448ec46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2015-11-11T06:31:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0bd-3d48-4b93-a322-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:25.000Z", "modified": "2015-11-11T06:31:25.000Z", "first_observed": "2015-11-11T06:31:25Z", "last_observed": "2015-11-11T06:31:25Z", "number_observed": 1, "object_refs": [ "url--5642e0bd-3d48-4b93-a322-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0bd-3d48-4b93-a322-cf3b950d210b", "value": "https://www.virustotal.com/file/ca7cd0d3b5582ac4257c8ed31799d4fd577cdff1bf7ff018946b6284c0bbd617/analysis/1442660730/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0bd-06b8-4594-b6fd-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:25.000Z", "modified": "2015-11-11T06:31:25.000Z", "description": "- Xchecked via VT: 599b6e05a38329081b80a461b57cec37", "pattern": "[file:hashes.SHA256 = 'e52b87d95794977261728f9a25c3f59df86a3a7246f7607fbb1fbf9a0e85631d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0be-8460-46a9-8503-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:26.000Z", "modified": "2015-11-11T06:31:26.000Z", "description": "- Xchecked via VT: 599b6e05a38329081b80a461b57cec37", "pattern": 
"[file:hashes.SHA1 = '2c4d72f47165bfd207d6c52f1bf5ab4fd1c27513']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0be-7718-4d56-880c-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:26.000Z", "modified": "2015-11-11T06:31:26.000Z", "first_observed": "2015-11-11T06:31:26Z", "last_observed": "2015-11-11T06:31:26Z", "number_observed": 1, "object_refs": [ "url--5642e0be-7718-4d56-880c-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0be-7718-4d56-880c-cf3b950d210b", "value": "https://www.virustotal.com/file/e52b87d95794977261728f9a25c3f59df86a3a7246f7607fbb1fbf9a0e85631d/analysis/1442604140/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0be-7f4c-4836-9096-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:26.000Z", "modified": "2015-11-11T06:31:26.000Z", "description": "- Xchecked via VT: 87d71401e2b8978c2084eb9a1d59c172", "pattern": "[file:hashes.SHA256 = 'a7bfa55f4e228edf7add4879728be2640cce5f6cfda9dcaa574d53f4c9bfbcef']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0bf-6a88-48e1-885f-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": 
"2015-11-11T06:31:27.000Z", "modified": "2015-11-11T06:31:27.000Z", "description": "- Xchecked via VT: 87d71401e2b8978c2084eb9a1d59c172", "pattern": "[file:hashes.SHA1 = '30308413fa56398d096ae41f6fa323940ef279cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0bf-2d84-47bf-875f-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:27.000Z", "modified": "2015-11-11T06:31:27.000Z", "first_observed": "2015-11-11T06:31:27Z", "last_observed": "2015-11-11T06:31:27Z", "number_observed": 1, "object_refs": [ "url--5642e0bf-2d84-47bf-875f-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0bf-2d84-47bf-875f-cf3b950d210b", "value": "https://www.virustotal.com/file/a7bfa55f4e228edf7add4879728be2640cce5f6cfda9dcaa574d53f4c9bfbcef/analysis/1441776206/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0c0-ada8-457f-b058-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:28.000Z", "modified": "2015-11-11T06:31:28.000Z", "description": "- Xchecked via VT: 35755a6839f3c54e602d777cd11ef557", "pattern": "[file:hashes.SHA256 = 'ac5742bf871c7cabf9415721d88f38834d6f73bb926479b338861ab398090f81']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5642e0c0-8274-4588-b098-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:28.000Z", "modified": "2015-11-11T06:31:28.000Z", "description": "- Xchecked via VT: 35755a6839f3c54e602d777cd11ef557", "pattern": "[file:hashes.SHA1 = '8d3de4210bc0dd68df7d9a47fa6081043b268852']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0c0-e790-4e70-ba95-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:28.000Z", "modified": "2015-11-11T06:31:28.000Z", "first_observed": "2015-11-11T06:31:28Z", "last_observed": "2015-11-11T06:31:28Z", "number_observed": 1, "object_refs": [ "url--5642e0c0-e790-4e70-ba95-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0c0-e790-4e70-ba95-cf3b950d210b", "value": "https://www.virustotal.com/file/ac5742bf871c7cabf9415721d88f38834d6f73bb926479b338861ab398090f81/analysis/1444808057/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0c1-d174-4ffe-bb82-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:29.000Z", "modified": "2015-11-11T06:31:29.000Z", "description": "- Xchecked via VT: 8ae2468d3f208d07fb47ebb1e0e297d7", "pattern": "[file:hashes.SHA256 = '2e3a2cea18bb9cd7a65df2a9c972ee1d4553acd67925b5d42aff24d5a61adae3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0c1-e6f8-4658-be72-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:29.000Z", "modified": "2015-11-11T06:31:29.000Z", "description": "- Xchecked via VT: 8ae2468d3f208d07fb47ebb1e0e297d7", "pattern": "[file:hashes.SHA1 = '4e1ae6a67262c263f2b73226e8156b372af946c2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0c2-5228-470c-ad18-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:30.000Z", "modified": "2015-11-11T06:31:30.000Z", "first_observed": "2015-11-11T06:31:30Z", "last_observed": "2015-11-11T06:31:30Z", "number_observed": 1, "object_refs": [ "url--5642e0c2-5228-470c-ad18-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0c2-5228-470c-ad18-cf3b950d210b", "value": "https://www.virustotal.com/file/2e3a2cea18bb9cd7a65df2a9c972ee1d4553acd67925b5d42aff24d5a61adae3/analysis/1444376908/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0c2-1764-40e4-b33a-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:30.000Z", "modified": "2015-11-11T06:31:30.000Z", "description": "- Xchecked via VT: 0f41c853a2d522e326f2c30b4b951b04", "pattern": "[file:hashes.SHA256 = '2b02460613d888536b83ec9e658e33e98cb8d8d89eb811cf5528fed78cebd062']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2015-11-11T06:31:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5642e0c2-f640-4dd8-80b3-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:30.000Z", "modified": "2015-11-11T06:31:30.000Z", "description": "- Xchecked via VT: 0f41c853a2d522e326f2c30b4b951b04", "pattern": "[file:hashes.SHA1 = '34e1450acc35a3d18c5dcd2e27331fff67e873fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-11T06:31:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5642e0c3-3ba4-4d18-b464-cf3b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:31:31.000Z", "modified": "2015-11-11T06:31:31.000Z", "first_observed": "2015-11-11T06:31:31Z", "last_observed": "2015-11-11T06:31:31Z", "number_observed": 1, "object_refs": [ "url--5642e0c3-3ba4-4d18-b464-cf3b950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5642e0c3-3ba4-4d18-b464-cf3b950d210b", "value": "https://www.virustotal.com/file/2b02460613d888536b83ec9e658e33e98cb8d8d89eb811cf5528fed78cebd062/analysis/1444641135/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5642e1ff-38a8-4008-9817-a5c4950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-11T06:36:47.000Z", "modified": "2015-11-11T06:36:47.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": 
"External analysis", "x_misp_type": "comment", "x_misp_value": "Recently, while researching attacks on targets in Thailand, Unit 42 discovered a tool that initially appeared to be a variant of the well-known PlugX RAT based on similar observed behavior such as the usage of DLL side-loading and a shellcode file. After closer inspection, it appears to be a completely distinct Trojan, which we have dubbed Bookworm and track in Autofocus using the tag Bookworm.\r\n\r\nBookworm\u2019s functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42. Bookworm has little malicious functionality built-in, with its only core ability involving stealing keystrokes and clipboard contents. However, Bookworm expands on its capabilities through its ability to load additional modules directly from its command and control (C2) server. This blog will provide an analysis of the Bookworm Trojan and known indicators of compromise. A later blog will explore the associated attack campaigns and attributions surrounding Bookworm." }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }