{ "type": "bundle", "id": "bundle--5720bf21-9d4c-40b2-9088-45e6950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-28T07:37:12.000Z", "modified": "2016-04-28T07:37:12.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5720bf21-9d4c-40b2-9088-45e6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-28T07:37:12.000Z", "modified": "2016-04-28T07:37:12.000Z", "name": "OSINT - New Downloader for Locky", "published": "2016-05-07T05:15:16Z", "object_refs": [ "observed-data--5720bf30-342c-46e3-bbdd-49d2950d210f", "url--5720bf30-342c-46e3-bbdd-49d2950d210f", "x-misp-attribute--5720bf3e-32fc-4d28-9a3a-45cc950d210f", "observed-data--5720bf9e-b3fc-42ce-a32f-4d83950d210f", "email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f", "observed-data--5720bfb2-7df0-4ffe-af65-472b950d210f", "email-message--5720bfb2-7df0-4ffe-af65-472b950d210f", "file--5720bfb2-7df0-4ffe-af65-472b950d210f", "indicator--5720bfc6-86bc-4717-b4b8-4d86950d210f", "indicator--5720c036-f4b8-497c-ad91-45dc950d210f", "indicator--5720c036-f710-4da1-8d4c-4a7c950d210f", "indicator--5720c04c-a8bc-451d-9fe4-4e48950d210f", "indicator--5720c04c-3a88-4a9e-b201-4d39950d210f", "indicator--5720c04d-1d90-42ff-a0ef-4908950d210f", "indicator--5720c04d-54fc-4671-9e61-4f48950d210f", "indicator--5720c04d-3fc0-4c67-9c91-47a8950d210f", "indicator--5720c0fc-b0d8-4fe9-bcc8-41b4950d210f", "indicator--5720c0fd-a6a4-46e2-9458-4a9c950d210f", "indicator--5720c0fd-5da4-4b5f-95ea-4aeb950d210f", "indicator--5720c0fd-4d60-4474-b651-40ce950d210f", "indicator--5720c0fe-dd94-46d5-a54a-4777950d210f", "indicator--5720c0fe-8dcc-4d81-8b03-4f6c950d210f", "indicator--5720d993-f430-46d3-8fa5-0fab02de0b81", "indicator--5720d994-4600-4933-8dd4-0fab02de0b81", "observed-data--5720d994-7ca4-455e-9f2e-0fab02de0b81", 
"url--5720d994-7ca4-455e-9f2e-0fab02de0b81", "indicator--5720d995-11b0-43a0-b5cc-0fab02de0b81", "indicator--5720d995-8004-4dda-a959-0fab02de0b81", "observed-data--5720d995-3140-46e7-b65a-0fab02de0b81", "url--5720d995-3140-46e7-b65a-0fab02de0b81", "indicator--5720d996-dce4-4184-ad02-0fab02de0b81", "indicator--5720d996-99a0-4376-a595-0fab02de0b81", "observed-data--5720d997-a6e8-44a7-b706-0fab02de0b81", "url--5720d997-a6e8-44a7-b706-0fab02de0b81", "indicator--5720d997-6b7c-4b03-a65b-0fab02de0b81", "indicator--5720d998-7e78-4485-91c8-0fab02de0b81", "observed-data--5720d998-f688-4bcc-88e6-0fab02de0b81", "url--5720d998-f688-4bcc-88e6-0fab02de0b81", "indicator--5720d998-d3b0-4521-ae7a-0fab02de0b81", "indicator--5720d999-bb0c-4cf0-893b-0fab02de0b81", "observed-data--5720d999-1650-4442-aca5-0fab02de0b81", "url--5720d999-1650-4442-aca5-0fab02de0b81", "indicator--5720d99a-15e8-4e7a-9fe5-0fab02de0b81", "indicator--5720d99b-5644-4574-9a56-0fab02de0b81", "observed-data--5720d99b-82fc-49a4-9701-0fab02de0b81", "url--5720d99b-82fc-49a4-9701-0fab02de0b81", "indicator--5721bda7-9dfc-4984-b012-4e32950d210f", "indicator--5721bda6-8408-401a-96fe-40f3950d210f", "indicator--5721bda5-90e4-460c-b362-4667950d210f", "indicator--5721bda6-4520-4e2d-9136-4bd3950d210f", "indicator--5721bda7-d424-4f46-8138-4133950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "ecsirt:malicious-code=\"ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720bf30-342c-46e3-bbdd-49d2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:31:28.000Z", "modified": "2016-04-27T13:31:28.000Z", "first_observed": "2016-04-27T13:31:28Z", "last_observed": "2016-04-27T13:31:28Z", "number_observed": 1, "object_refs": [ "url--5720bf30-342c-46e3-bbdd-49d2950d210f" ], "labels": [ "misp:type=\"link\"", 
"misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5720bf30-342c-46e3-bbdd-49d2950d210f", "value": "https://www.fireeye.com/blog/threat-research/2016/04/new_downloader_forl.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5720bf3e-32fc-4d28-9a3a-45cc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:31:42.000Z", "modified": "2016-04-27T13:31:42.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Through DTI Intelligence analysis, we have been observing Locky malware rise to prominence recently. Locky is ransomware that is aggressively distributed via downloaders attached to spam emails, and it may have surpassed the Dridex banking trojan in popularity. In previous campaigns, the ransomware was downloaded by a macro-based downloader or a JavaScript downloader. However, in April 2016, FireEye Labs observed a new development in the way this ransomware is downloaded onto a victim system." 
}, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720bf9e-b3fc-42ce-a32f-4d83950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:33:18.000Z", "modified": "2016-04-27T13:33:18.000Z", "first_observed": "2016-04-27T13:33:18Z", "last_observed": "2016-04-27T13:33:18Z", "number_observed": 1, "object_refs": [ "email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f" ], "labels": [ "misp:type=\"email-subject\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--5720bf9e-b3fc-42ce-a32f-4d83950d210f", "is_multipart": false, "subject": "Photos" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720bfb2-7df0-4ffe-af65-472b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:33:38.000Z", "modified": "2016-04-27T13:33:38.000Z", "first_observed": "2016-04-27T13:33:38Z", "last_observed": "2016-04-27T13:33:38Z", "number_observed": 1, "object_refs": [ "email-message--5720bfb2-7df0-4ffe-af65-472b950d210f", "file--5720bfb2-7df0-4ffe-af65-472b950d210f" ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--5720bfb2-7df0-4ffe-af65-472b950d210f", "is_multipart": true, "body_multipart": [ { "body_raw_ref": "file--5720bfb2-7df0-4ffe-af65-472b950d210f", "content_disposition": "attachment; filename='Photos.zip'" } ] }, { "type": "file", "spec_version": "2.1", "id": "file--5720bfb2-7df0-4ffe-af65-472b950d210f", "name": "Photos.zip" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720bfc6-86bc-4717-b4b8-4d86950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:33:58.000Z", "modified": "2016-04-27T13:33:58.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 
'http://mrsweeter.ru/87h78rf33g']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:33:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c036-f4b8-497c-ad91-45dc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:35:50.000Z", "modified": "2016-04-27T13:35:50.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:35:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c036-f710-4da1-8d4c-4a7c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:35:50.000Z", "modified": "2016-04-27T13:35:50.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:35:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c04c-a8bc-451d-9fe4-4e48950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:36:12.000Z", "modified": "2016-04-27T13:36:12.000Z", "description": "Imported via the 
freetext import.", "pattern": "[file:hashes.MD5 = 'b0ca8c5881c1d27684c23db7a88d11e1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:36:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c04c-3a88-4a9e-b201-4d39950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:36:12.000Z", "modified": "2016-04-27T13:36:12.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'c5ad81d8d986c92f90d0462bc06ac9c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:36:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c04d-1d90-42ff-a0ef-4908950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:36:13.000Z", "modified": "2016-04-27T13:36:13.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'ebf1f8951ec79f2e6bf40e6981c7dbfc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:36:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c04d-54fc-4671-9e61-4f48950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:36:13.000Z", "modified": "2016-04-27T13:36:13.000Z", "description": "Imported via the freetext import.", 
"pattern": "[file:hashes.SHA256 = '357c162a35c3623d1a1791c18e9f56e72bcd76f6ef9f4cbcf5952f62b9bc8a08']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:36:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c04d-3fc0-4c67-9c91-47a8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:36:13.000Z", "modified": "2016-04-27T13:36:13.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'c325dcf4c6c1e2b62a7c5b1245985083']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:36:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c0fc-b0d8-4fe9-bcc8-41b4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:39:08.000Z", "modified": "2016-04-27T13:39:08.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'http://185.130.7.22/files/sBpFSa.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:39:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c0fd-a6a4-46e2-9458-4a9c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:39:09.000Z", "modified": "2016-04-27T13:39:09.000Z", "description": "Imported via the freetext 
import.", "pattern": "[url:value = 'http://185.130.7.22/files/WRwe3X.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:39:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c0fd-5da4-4b5f-95ea-4aeb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:39:09.000Z", "modified": "2016-04-27T13:39:09.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'http://slater.chat.ru/gvtg77996']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:39:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c0fd-4d60-4474-b651-40ce950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:39:09.000Z", "modified": "2016-04-27T13:39:09.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'http://hundeschulegoerg.de/gvtg77996']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:39:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c0fe-dd94-46d5-a54a-4777950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:39:10.000Z", "modified": "2016-04-27T13:39:10.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 
'http://buhjolk.at/files/dIseJh.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:39:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720c0fe-8dcc-4d81-8b03-4f6c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T13:39:10.000Z", "modified": "2016-04-27T13:39:10.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'http://buhjolk.at/files/aY5TFn.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T13:39:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d993-f430-46d3-8fa5-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:03.000Z", "modified": "2016-04-27T15:24:03.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10", "pattern": "[file:hashes.SHA1 = '39ad2102512f2d3b30e038354289b5b734d0d33f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d994-4600-4933-8dd4-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:04.000Z", "modified": "2016-04-27T15:24:04.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10", "pattern": "[file:hashes.MD5 = '4df0079da5e37378b15bacc9e0631c33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720d994-7ca4-455e-9f2e-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:04.000Z", "modified": "2016-04-27T15:24:04.000Z", "first_observed": "2016-04-27T15:24:04Z", "last_observed": "2016-04-27T15:24:04Z", "number_observed": 1, "object_refs": [ "url--5720d994-7ca4-455e-9f2e-0fab02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5720d994-7ca4-455e-9f2e-0fab02de0b81", "value": "https://www.virustotal.com/file/9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10/analysis/1460046851/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5720d995-11b0-43a0-b5cc-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:05.000Z", "modified": "2016-04-27T15:24:05.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660", "pattern": "[file:hashes.SHA1 = '626d2953e329debdd9ad3feda65341413094fed6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d995-8004-4dda-a959-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:05.000Z", "modified": "2016-04-27T15:24:05.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660", "pattern": "[file:hashes.MD5 = '829653e8f2a9453b440ca11975c9aaa0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720d995-3140-46e7-b65a-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:05.000Z", "modified": "2016-04-27T15:24:05.000Z", "first_observed": "2016-04-27T15:24:05Z", "last_observed": "2016-04-27T15:24:05Z", "number_observed": 1, "object_refs": [ "url--5720d995-3140-46e7-b65a-0fab02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--5720d995-3140-46e7-b65a-0fab02de0b81", "value": "https://www.virustotal.com/file/7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660/analysis/1459558891/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d996-dce4-4184-ad02-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:06.000Z", "modified": "2016-04-27T15:24:06.000Z", "description": "Imported via the freetext import. - Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083", "pattern": "[file:hashes.SHA256 = 'f6c463bbe4f5da7b0ce38e6b76cd1d687964bc787b63bb7a2338d36ef6c3a360']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d996-99a0-4376-a595-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:06.000Z", "modified": "2016-04-27T15:24:06.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083", "pattern": "[file:hashes.SHA1 = 'e701ff37e06e63232c0c47ae5867e7b05536ee36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720d997-a6e8-44a7-b706-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:07.000Z", "modified": "2016-04-27T15:24:07.000Z", "first_observed": "2016-04-27T15:24:07Z", "last_observed": "2016-04-27T15:24:07Z", "number_observed": 1, "object_refs": [ "url--5720d997-a6e8-44a7-b706-0fab02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5720d997-a6e8-44a7-b706-0fab02de0b81", "value": "https://www.virustotal.com/file/f6c463bbe4f5da7b0ce38e6b76cd1d687964bc787b63bb7a2338d36ef6c3a360/analysis/1461736669/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d997-6b7c-4b03-a65b-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:07.000Z", "modified": "2016-04-27T15:24:07.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc", "pattern": "[file:hashes.SHA256 = 'a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d998-7e78-4485-91c8-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:08.000Z", "modified": "2016-04-27T15:24:08.000Z", "description": "Imported via the freetext import. - Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc", "pattern": "[file:hashes.SHA1 = 'b3a7f553c32a551786d873fa26047170f6f9c2e1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720d998-f688-4bcc-88e6-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:08.000Z", "modified": "2016-04-27T15:24:08.000Z", "first_observed": "2016-04-27T15:24:08Z", "last_observed": "2016-04-27T15:24:08Z", "number_observed": 1, "object_refs": [ "url--5720d998-f688-4bcc-88e6-0fab02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5720d998-f688-4bcc-88e6-0fab02de0b81", "value": "https://www.virustotal.com/file/a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae/analysis/1461571429/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d998-d3b0-4521-ae7a-0fab02de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:08.000Z", "modified": "2016-04-27T15:24:08.000Z", "description": "Imported via the freetext import. - Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6", "pattern": "[file:hashes.SHA256 = '5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d999-bb0c-4cf0-893b-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:09.000Z", "modified": "2016-04-27T15:24:09.000Z", "description": "Imported via the freetext import. - Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6", "pattern": "[file:hashes.SHA1 = '21ac04e0d5acff88c83151a0e774001c0c06a744']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720d999-1650-4442-aca5-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:09.000Z", "modified": "2016-04-27T15:24:09.000Z", "first_observed": "2016-04-27T15:24:09Z", "last_observed": "2016-04-27T15:24:09Z", "number_observed": 1, "object_refs": [ "url--5720d999-1650-4442-aca5-0fab02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5720d999-1650-4442-aca5-0fab02de0b81", "value": 
"https://www.virustotal.com/file/5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1/analysis/1460448282/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d99a-15e8-4e7a-9fe5-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:10.000Z", "modified": "2016-04-27T15:24:10.000Z", "description": "Imported via the freetext import. - Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1", "pattern": "[file:hashes.SHA256 = 'e4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5720d99b-5644-4574-9a56-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:11.000Z", "modified": "2016-04-27T15:24:11.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1", "pattern": "[file:hashes.SHA1 = 'b85a45350bc7c98bb9bae572cc861af51789ce69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-27T15:24:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5720d99b-82fc-49a4-9701-0fab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-27T15:24:11.000Z", "modified": "2016-04-27T15:24:11.000Z", "first_observed": "2016-04-27T15:24:11Z", "last_observed": "2016-04-27T15:24:11Z", "number_observed": 1, "object_refs": [ "url--5720d99b-82fc-49a4-9701-0fab02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5720d99b-82fc-49a4-9701-0fab02de0b81", "value": "https://www.virustotal.com/file/e4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9/analysis/1461052381/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5721bda7-9dfc-4984-b012-4e32950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-28T07:37:11.000Z", "modified": "2016-04-28T07:37:11.000Z", "pattern": "[domain-name:value = 'slater.chat.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-28T07:37:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5721bda6-8408-401a-96fe-40f3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-28T07:37:10.000Z", "modified": "2016-04-28T07:37:10.000Z", "pattern": 
"[domain-name:value = 'hundeschulegoerg.de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-28T07:37:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5721bda5-90e4-460c-b362-4667950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-28T07:37:09.000Z", "modified": "2016-04-28T07:37:09.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.130.7.22']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-28T07:37:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5721bda6-4520-4e2d-9136-4bd3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-28T07:37:10.000Z", "modified": "2016-04-28T07:37:10.000Z", "pattern": "[domain-name:value = 'buhjolk.at']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-28T07:37:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5721bda7-d424-4f46-8138-4133950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-28T07:37:11.000Z", "modified": "2016-04-28T07:37:11.000Z", "pattern": "[domain-name:value = 'mrsweeter.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-28T07:37:11Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }