{ "type": "bundle", "id": "bundle--56f92df0-24f0-4c6e-a297-6f2402de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:20:02.000Z", "modified": "2016-03-28T13:20:02.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56f92df0-24f0-4c6e-a297-6f2402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:20:02.000Z", "modified": "2016-03-28T13:20:02.000Z", "name": "OSINT - TREASUREHUNT: A CUSTOM POS MALWARE TOOL", "published": "2016-03-28T13:20:31Z", "object_refs": [ "observed-data--56f92e2a-1be0-4a3a-a3b6-3f2a02de0b81", "url--56f92e2a-1be0-4a3a-a3b6-3f2a02de0b81", "x-misp-attribute--56f92e3c-2ab8-4dba-bc15-74ae02de0b81", "x-misp-attribute--56f92e6f-b504-4115-81bd-3f2f02de0b81", "indicator--56f92ea5-2d50-4fc9-92ef-6f2302de0b81", "indicator--56f92ea6-2890-41b3-8059-6f2302de0b81", "indicator--56f92ea6-009c-4348-a0b2-6f2302de0b81", "indicator--56f92ea6-5070-43a2-a874-6f2302de0b81", "indicator--56f92ea6-18ec-4295-acf9-6f2302de0b81", "indicator--56f92ea7-4c38-4d72-ada3-6f2302de0b81", "indicator--56f92ea7-0eb4-4fd2-a1e9-6f2302de0b81", "indicator--56f92ea7-af3c-4c3f-9520-6f2302de0b81", "indicator--56f92ea8-ecd4-43e1-ad7c-6f2302de0b81", "indicator--56f92eea-ac18-4ba4-ab20-3f2f02de0b81", "indicator--56f92eeb-30ec-4789-aafb-3f2f02de0b81", "observed-data--56f92eeb-1ccc-4c4f-8e3f-3f2f02de0b81", "url--56f92eeb-1ccc-4c4f-8e3f-3f2f02de0b81", "indicator--56f92eeb-8880-47ad-b5a3-3f2f02de0b81", "indicator--56f92eec-9acc-40aa-a04c-3f2f02de0b81", "observed-data--56f92eec-74a4-47a5-8e1f-3f2f02de0b81", "url--56f92eec-74a4-47a5-8e1f-3f2f02de0b81", "indicator--56f92eec-cb08-42a5-a92c-3f2f02de0b81", "indicator--56f92eed-be5c-45ca-988f-3f2f02de0b81", "observed-data--56f92eed-a3d4-4e99-bb70-3f2f02de0b81", "url--56f92eed-a3d4-4e99-bb70-3f2f02de0b81", 
"indicator--56f92eed-74d0-4003-8897-3f2f02de0b81", "indicator--56f92eee-b4fc-40b6-a166-3f2f02de0b81", "observed-data--56f92eee-bf40-43c5-9093-3f2f02de0b81", "url--56f92eee-bf40-43c5-9093-3f2f02de0b81", "indicator--56f92eee-ce30-4600-b1c8-3f2f02de0b81", "indicator--56f92eef-74b4-465d-84cf-3f2f02de0b81", "observed-data--56f92eef-d390-4ef2-b190-3f2f02de0b81", "url--56f92eef-d390-4ef2-b190-3f2f02de0b81", "indicator--56f92eef-b2d4-4816-ac53-3f2f02de0b81", "indicator--56f92ef0-3d38-49f3-82cb-3f2f02de0b81", "observed-data--56f92ef0-68b8-4ca9-b104-3f2f02de0b81", "url--56f92ef0-68b8-4ca9-b104-3f2f02de0b81", "indicator--56f92ef0-d61c-4aa4-a5b8-3f2f02de0b81", "indicator--56f92ef1-102c-43b0-bc57-3f2f02de0b81", "observed-data--56f92ef1-1fc8-4a34-a578-3f2f02de0b81", "url--56f92ef1-1fc8-4a34-a578-3f2f02de0b81", "indicator--56f92ef1-0fa4-4296-863c-3f2f02de0b81", "indicator--56f92ef1-5540-44ce-8692-3f2f02de0b81", "observed-data--56f92ef2-aa44-45f1-b419-3f2f02de0b81", "url--56f92ef2-aa44-45f1-b419-3f2f02de0b81", "indicator--56f92f32-3d88-4926-902b-3f2602de0b81", "indicator--56f92f33-d728-4b66-9836-3f2602de0b81", "indicator--56f92f33-7eb4-49a3-be41-3f2602de0b81", "indicator--56f92f33-f708-441f-878d-3f2602de0b81", "indicator--56f92f33-ad68-4f3f-8d32-3f2602de0b81", "indicator--56f92f34-b594-40c9-8f45-3f2602de0b81", "indicator--56f92f34-05fc-4b79-9aa7-3f2602de0b81", "indicator--56f92f34-eb28-45fe-b3c6-3f2602de0b81", "indicator--56f92f35-fc5c-4f56-9fac-3f2602de0b81", "indicator--56f92f55-ac44-403f-ab8a-74ad02de0b81", "indicator--56f92f56-8260-4ad2-9d62-74ad02de0b81", "indicator--56f92f56-cb74-431d-8695-74ad02de0b81", "indicator--56f92f56-b3e0-4cf5-82ac-74ad02de0b81", "indicator--56f92f57-e3f4-40e8-8bf1-74ad02de0b81", "indicator--56f92f57-2024-43e8-a11c-74ad02de0b81", "indicator--56f92f58-49e4-4721-ab04-74ad02de0b81", "indicator--56f92f69-d568-4a12-a081-3f2802de0b81", "indicator--56f92f82-de18-4d14-91fb-6f2302de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", 
"type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f92e2a-1be0-4a3a-a3b6-3f2a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:14:18.000Z", "modified": "2016-03-28T13:14:18.000Z", "first_observed": "2016-03-28T13:14:18Z", "last_observed": "2016-03-28T13:14:18Z", "number_observed": 1, "object_refs": [ "url--56f92e2a-1be0-4a3a-a3b6-3f2a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f92e2a-1be0-4a3a-a3b6-3f2a02de0b81", "value": "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56f92e3c-2ab8-4dba-bc15-74ae02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:14:36.000Z", "modified": "2016-03-28T13:14:36.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pattern-in-file", "x_misp_value": "%USERPROFILE%\\documents\\visual studio 2012\\Projects\\treasureHunter\\Release\\treasureHunter.pdb" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56f92e6f-b504-4115-81bd-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:15:27.000Z", "modified": "2016-03-28T13:15:27.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Since early 2015, FireEye Threat Intelligence has observed the significant growth of point-of-sale (POS) malware families in underground cyber crime forums. 
POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and control (CnC) server.\r\n\r\nAlthough the PCI DSS rules changed in October 2015, leaving retailers who have not transitioned from existing \u201cswipe\u201d cards to EMV or \u201cchip\u201d enabled cards liable for card present fraud in more ways than before, many retailers are still in the process of transitioning to chip-enabled card technology. Criminals appear to be racing to infect POS systems in the United States before US retailers complete this transition. In 2015, more than a dozen new POS malware families were discovered.[1]\r\n\r\nPOS malware may be freely available, available for purchase, or custom-built for specific cyber criminals. Free tools are often a result of malware source code being leaked, and tend to be older and more easily detected by security software. POS malware available for purchase may be newly developed tools or modified versions of older tools. Then there is another class of POS malware that is developed for use exclusively by a particular threat group.\r\n\r\nIn this article we examine TREASUREHUNT, POS malware that appears to have been custom-built for the operations of a particular \u201cdump shop,\u201d which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ea5-2d50-4fc9-92ef-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:21.000Z", "modified": "2016-03-28T13:16:21.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = 'cec2810556c63e9c225afb6a5ca58bc1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ea6-2890-41b3-8059-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:22.000Z", "modified": "2016-03-28T13:16:22.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = 'cb75de605c171e36c8a593e337275d8f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ea6-009c-4348-a0b2-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:22.000Z", "modified": "2016-03-28T13:16:22.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = '6a9348f582b2e121a5d9bff1e8f0935f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--56f92ea6-5070-43a2-a874-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:22.000Z", "modified": "2016-03-28T13:16:22.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = '070e9a317ee53ac3814eb86bc7d5bf49']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ea6-18ec-4295-acf9-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:22.000Z", "modified": "2016-03-28T13:16:22.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = '3e2003878b364b5d77790109f24c9137']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ea7-4c38-4d72-ada3-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:23.000Z", "modified": "2016-03-28T13:16:23.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = '21f99135f836fb4d3f4685d704a4460d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ea7-0eb4-4fd2-a1e9-6f2302de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:23.000Z", "modified": "2016-03-28T13:16:23.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = 'ea6248e4ddd080e60e6140ab0f8562e1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ea7-af3c-4c3f-9520-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:23.000Z", "modified": "2016-03-28T13:16:23.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = '48692beb88058652115b5c447cd28589']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ea8-ecd4-43e1-ad7c-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:16:24.000Z", "modified": "2016-03-28T13:16:24.000Z", "description": "TREASUREHUNT 0.1", "pattern": "[file:hashes.MD5 = '9f9c2e6072e0a233631d234bdcf1b293']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:16:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eea-ac18-4ba4-ab20-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-03-28T13:17:30.000Z", "modified": "2016-03-28T13:17:30.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: cec2810556c63e9c225afb6a5ca58bc1", "pattern": "[file:hashes.SHA256 = '046d0b8024cea9c6aea2ef04b51ce9fd482214fbb3ef068a85c0f91f193f248f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eeb-30ec-4789-aafb-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:31.000Z", "modified": "2016-03-28T13:17:31.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: cec2810556c63e9c225afb6a5ca58bc1", "pattern": "[file:hashes.SHA1 = '95cfa6e9e2eab0e5e34a96ce6781320d42ff8c0b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f92eeb-1ccc-4c4f-8e3f-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:31.000Z", "modified": "2016-03-28T13:17:31.000Z", "first_observed": "2016-03-28T13:17:31Z", "last_observed": "2016-03-28T13:17:31Z", "number_observed": 1, "object_refs": [ "url--56f92eeb-1ccc-4c4f-8e3f-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f92eeb-1ccc-4c4f-8e3f-3f2f02de0b81", "value": "https://www.virustotal.com/file/046d0b8024cea9c6aea2ef04b51ce9fd482214fbb3ef068a85c0f91f193f248f/analysis/1458803364/" }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--56f92eeb-8880-47ad-b5a3-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:31.000Z", "modified": "2016-03-28T13:17:31.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 6a9348f582b2e121a5d9bff1e8f0935f", "pattern": "[file:hashes.SHA256 = 'fe5f50fce2f430432a636ef899919505e9477968d8caff7506e888cffed0b5f8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eec-9acc-40aa-a04c-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:32.000Z", "modified": "2016-03-28T13:17:32.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 6a9348f582b2e121a5d9bff1e8f0935f", "pattern": "[file:hashes.SHA1 = 'e03dbcf2d45cf99fbcd9aef453cdeb3a00c59d4c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f92eec-74a4-47a5-8e1f-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:32.000Z", "modified": "2016-03-28T13:17:32.000Z", "first_observed": "2016-03-28T13:17:32Z", "last_observed": "2016-03-28T13:17:32Z", "number_observed": 1, "object_refs": [ "url--56f92eec-74a4-47a5-8e1f-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--56f92eec-74a4-47a5-8e1f-3f2f02de0b81", "value": "https://www.virustotal.com/file/fe5f50fce2f430432a636ef899919505e9477968d8caff7506e888cffed0b5f8/analysis/1450248638/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eec-cb08-42a5-a92c-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:32.000Z", "modified": "2016-03-28T13:17:32.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 070e9a317ee53ac3814eb86bc7d5bf49", "pattern": "[file:hashes.SHA256 = 'ceed84d8d76ee27c92d48dd01c96e6345fb3981319151601f78f4e9ec754a73b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eed-be5c-45ca-988f-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:33.000Z", "modified": "2016-03-28T13:17:33.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 070e9a317ee53ac3814eb86bc7d5bf49", "pattern": "[file:hashes.SHA1 = '63f377989a84d65b372819992c95110318c6e7c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f92eed-a3d4-4e99-bb70-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:33.000Z", "modified": "2016-03-28T13:17:33.000Z", "first_observed": "2016-03-28T13:17:33Z", "last_observed": "2016-03-28T13:17:33Z", "number_observed": 1, "object_refs": [ 
"url--56f92eed-a3d4-4e99-bb70-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f92eed-a3d4-4e99-bb70-3f2f02de0b81", "value": "https://www.virustotal.com/file/ceed84d8d76ee27c92d48dd01c96e6345fb3981319151601f78f4e9ec754a73b/analysis/1440623335/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eed-74d0-4003-8897-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:33.000Z", "modified": "2016-03-28T13:17:33.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 3e2003878b364b5d77790109f24c9137", "pattern": "[file:hashes.SHA256 = '68358c49d084939ecae7b78f2c0df0eb8d5b98f31dc13fb5878d8bfbdd5db86f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eee-b4fc-40b6-a166-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:34.000Z", "modified": "2016-03-28T13:17:34.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 3e2003878b364b5d77790109f24c9137", "pattern": "[file:hashes.SHA1 = 'efc73c637c63704c31a4b8516adc866feedbfc43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f92eee-bf40-43c5-9093-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:34.000Z", 
"modified": "2016-03-28T13:17:34.000Z", "first_observed": "2016-03-28T13:17:34Z", "last_observed": "2016-03-28T13:17:34Z", "number_observed": 1, "object_refs": [ "url--56f92eee-bf40-43c5-9093-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f92eee-bf40-43c5-9093-3f2f02de0b81", "value": "https://www.virustotal.com/file/68358c49d084939ecae7b78f2c0df0eb8d5b98f31dc13fb5878d8bfbdd5db86f/analysis/1458802637/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eee-ce30-4600-b1c8-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:34.000Z", "modified": "2016-03-28T13:17:34.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 21f99135f836fb4d3f4685d704a4460d", "pattern": "[file:hashes.SHA256 = '442bca26dddfe4a5d1c0b4adaaaab205a1dca856c41d9353ba45e0794e3660ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eef-74b4-465d-84cf-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:35.000Z", "modified": "2016-03-28T13:17:35.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 21f99135f836fb4d3f4685d704a4460d", "pattern": "[file:hashes.SHA1 = 'a269ca72b899d30d9730d6a213f643c5e560bdd4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--56f92eef-d390-4ef2-b190-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:35.000Z", "modified": "2016-03-28T13:17:35.000Z", "first_observed": "2016-03-28T13:17:35Z", "last_observed": "2016-03-28T13:17:35Z", "number_observed": 1, "object_refs": [ "url--56f92eef-d390-4ef2-b190-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f92eef-d390-4ef2-b190-3f2f02de0b81", "value": "https://www.virustotal.com/file/442bca26dddfe4a5d1c0b4adaaaab205a1dca856c41d9353ba45e0794e3660ed/analysis/1458802460/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92eef-b2d4-4816-ac53-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:35.000Z", "modified": "2016-03-28T13:17:35.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: ea6248e4ddd080e60e6140ab0f8562e1", "pattern": "[file:hashes.SHA256 = '7eca8bf6d17891529c74d8fce85471135a203f312ae09fe3d907355c7dea9f59']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ef0-3d38-49f3-82cb-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:36.000Z", "modified": "2016-03-28T13:17:36.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: ea6248e4ddd080e60e6140ab0f8562e1", "pattern": "[file:hashes.SHA1 = '67bd53130d2ebe851489b607b81ca2d2fb0a20f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } 
], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f92ef0-68b8-4ca9-b104-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:36.000Z", "modified": "2016-03-28T13:17:36.000Z", "first_observed": "2016-03-28T13:17:36Z", "last_observed": "2016-03-28T13:17:36Z", "number_observed": 1, "object_refs": [ "url--56f92ef0-68b8-4ca9-b104-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f92ef0-68b8-4ca9-b104-3f2f02de0b81", "value": "https://www.virustotal.com/file/7eca8bf6d17891529c74d8fce85471135a203f312ae09fe3d907355c7dea9f59/analysis/1458803543/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ef0-d61c-4aa4-a5b8-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:36.000Z", "modified": "2016-03-28T13:17:36.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 48692beb88058652115b5c447cd28589", "pattern": "[file:hashes.SHA256 = '6a6b099dd313cfd9009d28f42613ed0375ffac9e03e5392329a2a3a4a5c358cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ef1-102c-43b0-bc57-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:37.000Z", "modified": "2016-03-28T13:17:37.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 48692beb88058652115b5c447cd28589", "pattern": "[file:hashes.SHA1 = '0b3c2a94075a7ad996cedc81bd29e44a8ea9ed05']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-03-28T13:17:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f92ef1-1fc8-4a34-a578-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:37.000Z", "modified": "2016-03-28T13:17:37.000Z", "first_observed": "2016-03-28T13:17:37Z", "last_observed": "2016-03-28T13:17:37Z", "number_observed": 1, "object_refs": [ "url--56f92ef1-1fc8-4a34-a578-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f92ef1-1fc8-4a34-a578-3f2f02de0b81", "value": "https://www.virustotal.com/file/6a6b099dd313cfd9009d28f42613ed0375ffac9e03e5392329a2a3a4a5c358cd/analysis/1458802694/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ef1-0fa4-4296-863c-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:37.000Z", "modified": "2016-03-28T13:17:37.000Z", "description": "TREASUREHUNT 0.1 - Xchecked via VT: 9f9c2e6072e0a233631d234bdcf1b293", "pattern": "[file:hashes.SHA256 = 'ab7ac10833cf5936c98554c20a123c395631e09200b4f87a610195bf49dda8e1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92ef1-5540-44ce-8692-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:37.000Z", "modified": "2016-03-28T13:17:37.000Z", "description": "TREASUREHUNT 
0.1 - Xchecked via VT: 9f9c2e6072e0a233631d234bdcf1b293", "pattern": "[file:hashes.SHA1 = 'ebcc227dbf3c33c3fc9e825ee62382e20a8756ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:17:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f92ef2-aa44-45f1-b419-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:17:38.000Z", "modified": "2016-03-28T13:17:38.000Z", "first_observed": "2016-03-28T13:17:38Z", "last_observed": "2016-03-28T13:17:38Z", "number_observed": 1, "object_refs": [ "url--56f92ef2-aa44-45f1-b419-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f92ef2-aa44-45f1-b419-3f2f02de0b81", "value": "https://www.virustotal.com/file/ab7ac10833cf5936c98554c20a123c395631e09200b4f87a610195bf49dda8e1/analysis/1458803121/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f32-3d88-4926-902b-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:42.000Z", "modified": "2016-03-28T13:18:42.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[url:value = 'millionjam.eu/megastock/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:18:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f33-d728-4b66-9836-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:43.000Z", 
"modified": "2016-03-28T13:18:43.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[url:value = 'cortykopl.com/sdfsgsdsdssdf/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:18:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f33-7eb4-49a3-be41-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:43.000Z", "modified": "2016-03-28T13:18:43.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[url:value = '91.232.29.83/sdfsgsdsdssdf/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:18:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f33-f708-441f-878d-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:43.000Z", "modified": "2016-03-28T13:18:43.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[url:value = '179.43.160.34/wp-content/temp/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:18:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f33-ad68-4f3f-8d32-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:43.000Z", "modified": "2016-03-28T13:18:43.000Z", "description": "TREASUREHUNT v0.1", 
"pattern": "[url:value = '3sipiojt.com/noth/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:18:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f34-b594-40c9-8f45-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:44.000Z", "modified": "2016-03-28T13:18:44.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[url:value = 'friltopyes.com/southcal/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:18:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f34-05fc-4b79-9aa7-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:44.000Z", "modified": "2016-03-28T13:18:44.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[url:value = 'seatrip888.eu/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:18:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f34-eb28-45fe-b3c6-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:44.000Z", "modified": "2016-03-28T13:18:44.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[url:value = 'friltopyes.com/alabol/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-03-28T13:18:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f35-fc5c-4f56-9fac-3f2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:18:45.000Z", "modified": "2016-03-28T13:18:45.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[url:value = 'friltopyes.com/nothcal/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:18:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f55-ac44-403f-ab8a-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:19:17.000Z", "modified": "2016-03-28T13:19:17.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[domain-name:value = 'millionjam.eu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:19:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f56-8260-4ad2-9d62-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:19:18.000Z", "modified": "2016-03-28T13:19:18.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[domain-name:value = 'cortykopl.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:19:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f56-cb74-431d-8695-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:19:18.000Z", "modified": "2016-03-28T13:19:18.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.232.29.83']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:19:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f56-b3e0-4cf5-82ac-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:19:18.000Z", "modified": "2016-03-28T13:19:18.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.43.160.34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:19:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f57-e3f4-40e8-8bf1-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:19:19.000Z", "modified": "2016-03-28T13:19:19.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[domain-name:value = '3sipiojt.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:19:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f57-2024-43e8-a11c-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:19:19.000Z", "modified": "2016-03-28T13:19:19.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[domain-name:value = 'friltopyes.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:19:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f58-49e4-4721-ab04-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:19:20.000Z", "modified": "2016-03-28T13:19:20.000Z", "description": "TREASUREHUNT v0.1", "pattern": "[domain-name:value = 'seatrip888.eu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:19:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f69-d568-4a12-a081-3f2802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:19:37.000Z", "modified": "2016-03-28T13:19:37.000Z", "pattern": "[file:hashes.MD5 = '2dfddbc240cd6e320f69b172c1e3ce58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:19:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--56f92f82-de18-4d14-91fb-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T13:20:02.000Z", "modified": "2016-03-28T13:20:02.000Z", "description": "TREASUREHUNT v0.1.1", "pattern": "[domain-name:value = 'logmeinrescue.us.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T13:20:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }