{ "type": "bundle", "id": "bundle--57557d45-1590-4513-925d-4516950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:37.000Z", "modified": "2016-06-06T13:44:37.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57557d45-1590-4513-925d-4516950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:37.000Z", "modified": "2016-06-06T13:44:37.000Z", "name": "OSINT - Lame proxychanger, apparently related to a clickfraud botnet.", "published": "2016-06-06T13:46:42Z", "object_refs": [ "observed-data--57557d5b-5784-4f5b-8c19-4000950d210f", "url--57557d5b-5784-4f5b-8c19-4000950d210f", "indicator--57557d83-b6f0-4d6f-acdc-4ac1950d210f", "indicator--57557d83-6ac4-4586-9595-45e1950d210f", "indicator--57557d83-7330-4161-a166-4e15950d210f", "indicator--57557d84-da20-4d16-be87-420d950d210f", "indicator--57557d84-49fc-4a1e-a3fc-4260950d210f", "indicator--57557d85-a524-461e-9183-4f70950d210f", "indicator--57557da8-e0d4-40f4-bdda-4b2a950d210f", "indicator--57557de4-c03c-494d-9996-4b24950d210f", "indicator--57557de5-6174-46b1-8432-4cea950d210f", "indicator--57557de5-9268-48ac-9a8d-4d75950d210f", "indicator--57557de6-f95c-450a-b4ce-4448950d210f", "indicator--57557de6-77b8-427c-879b-4b31950d210f", "indicator--57557de7-7b30-4b87-bc0c-42d9950d210f", "indicator--57557de7-b080-45b6-b19d-45bf950d210f", "indicator--57557de7-fc28-4d74-9984-4c53950d210f", "indicator--57557de8-ff44-43f3-bc28-456c950d210f", "indicator--57557de8-2034-484b-89fb-428f950d210f", "indicator--57557de9-7180-4b8b-b71f-4143950d210f", "indicator--57557de9-0154-4175-94a2-485a950d210f", "indicator--57557dea-7ac0-401e-a58c-4135950d210f", "indicator--57557dea-9fbc-44cd-ba5a-4a9f950d210f", "indicator--57557deb-3480-400a-a5ff-4954950d210f", "indicator--57557deb-749c-4eed-a3c0-4174950d210f", "indicator--57557dec-11e4-4c4d-a530-49d9950d210f", "indicator--57557dec-6314-4b72-a898-4491950d210f", "indicator--57557ded-70e0-4270-9e61-494b950d210f", "indicator--57557ded-e7f4-44ba-ad15-4c83950d210f", "indicator--57557dee-a7b4-4a24-9d01-48f6950d210f", "indicator--57557dee-dd1c-4ca4-b0c9-4bb2950d210f", "indicator--57557dee-24a4-448a-9a92-4666950d210f", "indicator--57557def-815c-45fe-9e75-49c9950d210f", "indicator--57557def-3c94-455a-938e-4936950d210f", "indicator--57557df0-6c78-435a-93f1-4705950d210f", "indicator--57557df0-3f84-45b4-936d-4dbd950d210f", "indicator--57557df0-f434-442b-b210-40ad950d210f", "indicator--57557df1-9120-4600-b632-44ea950d210f", "indicator--57557df1-bca8-4943-bf53-4e77950d210f", "indicator--57557e00-80d8-4133-827d-4a8f950d210f", "indicator--57557e00-d764-4292-848d-4af8950d210f", "indicator--57557e01-4c50-43c6-b236-40f4950d210f", "observed-data--57557e45-0d9c-4474-ad8d-432d02de0b81", "url--57557e45-0d9c-4474-ad8d-432d02de0b81", "indicator--57557e46-59b8-41ad-908d-42ed02de0b81", "indicator--57557e46-3c14-4f93-8e79-424c02de0b81", "observed-data--57557e47-f230-4459-815d-4ad202de0b81", "url--57557e47-f230-4459-815d-4ad202de0b81", "indicator--57557e47-f344-4498-8b44-4fd802de0b81", "indicator--57557e48-d0d8-41e9-a957-4a9102de0b81", "observed-data--57557e48-6190-45db-b5d5-4bbf02de0b81", "url--57557e48-6190-45db-b5d5-4bbf02de0b81", "observed-data--57557e48-9418-4765-81d4-4ac702de0b81", "url--57557e48-9418-4765-81d4-4ac702de0b81", "observed-data--57557e49-bc8c-49eb-a5f9-4a5702de0b81", "url--57557e49-bc8c-49eb-a5f9-4a5702de0b81", "indicator--57557e49-2ecc-447f-987d-4f7702de0b81", "indicator--57557e4a-f784-4932-a95b-44bd02de0b81", "observed-data--57557e4a-d290-4a02-acff-4a2102de0b81", "url--57557e4a-d290-4a02-acff-4a2102de0b81", "indicator--57557e4b-e634-475b-9683-473802de0b81", "indicator--57557e4b-41cc-434c-92aa-402d02de0b81", "observed-data--57557e4c-c58c-41f5-b275-493502de0b81", "url--57557e4c-c58c-41f5-b275-493502de0b81", "indicator--57557e4c-7b9c-4a0e-a450-4c5602de0b81", "indicator--57557e4c-20b4-46a8-9431-427202de0b81", "observed-data--57557e4d-2440-4ca8-87b7-4e1d02de0b81", "url--57557e4d-2440-4ca8-87b7-4e1d02de0b81", "indicator--57557e4d-e8ec-47ce-bcc7-4c3a02de0b81", "indicator--57557e4e-95fc-4d0d-95a7-4c3802de0b81", "observed-data--57557e4e-0ddc-477d-9c32-489202de0b81", "url--57557e4e-0ddc-477d-9c32-489202de0b81", "indicator--57557e4f-bf88-4b9d-8744-467202de0b81", "indicator--57557e4f-e8dc-485f-8074-400302de0b81", "observed-data--57557e50-a1d8-4e21-afeb-401a02de0b81", "url--57557e50-a1d8-4e21-afeb-401a02de0b81", "observed-data--57557e50-7f40-4da9-910d-41a602de0b81", "url--57557e50-7f40-4da9-910d-41a602de0b81", "indicator--57557e50-3edc-48dd-bb44-4e5b02de0b81", "indicator--57557e51-b434-4720-904d-474202de0b81", "observed-data--57557e51-e968-4f64-87a1-44ff02de0b81", "url--57557e51-e968-4f64-87a1-44ff02de0b81", "observed-data--57557e52-73c4-4a52-8662-4aac02de0b81", "url--57557e52-73c4-4a52-8662-4aac02de0b81", "indicator--57557e52-0e6c-4910-8519-47cb02de0b81", "indicator--57557e53-1688-4253-bd64-412002de0b81", "observed-data--57557e53-3bc0-4883-bddd-4ee802de0b81", "url--57557e53-3bc0-4883-bddd-4ee802de0b81", "indicator--57557e54-9970-4a97-ae94-48b302de0b81", "indicator--57557e54-6134-4200-8443-4c0502de0b81", "observed-data--57557e54-7104-43a9-b5c3-49bc02de0b81", "url--57557e54-7104-43a9-b5c3-49bc02de0b81", "indicator--57557e55-fda0-4638-9d59-48e302de0b81", "indicator--57557e55-20b0-47e1-a925-4d1c02de0b81", "observed-data--57557e56-b2d0-4e57-9029-4e5102de0b81", "url--57557e56-b2d0-4e57-9029-4e5102de0b81", "observed-data--57557e56-38c4-4e0d-aa31-44dd02de0b81", "url--57557e56-38c4-4e0d-aa31-44dd02de0b81", "indicator--57557e57-b064-4bdb-923c-461702de0b81", "indicator--57557e57-b29c-4921-8c06-454b02de0b81", "observed-data--57557e57-80f8-4e2a-a7ec-459902de0b81", "url--57557e57-80f8-4e2a-a7ec-459902de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557d5b-5784-4f5b-8c19-4000950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:40:43.000Z", "modified": "2016-06-06T13:40:43.000Z", "first_observed": "2016-06-06T13:40:43Z", "last_observed": "2016-06-06T13:40:43Z", "number_observed": 1, "object_refs": [ "url--57557d5b-5784-4f5b-8c19-4000950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557d5b-5784-4f5b-8c19-4000950d210f", "value": "https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botnet/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557d83-b6f0-4d6f-acdc-4ac1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:41:23.000Z", "modified": "2016-06-06T13:41:23.000Z", "description": "PAC file", "pattern": "[url:value = 'http://xn--51haaa.ml/server.pac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:41:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557d83-6ac4-4586-9595-45e1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:41:23.000Z", "modified": "2016-06-06T13:41:23.000Z", "description": "PAC file", "pattern": "[url:value = 'http://xn--51haaa.ml/proxy.pac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:41:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557d83-7330-4161-a166-4e15950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:41:23.000Z", "modified": "2016-06-06T13:41:23.000Z", "description": "PAC file", "pattern": "[url:value = 'http://xn--koa.net/proxy.pac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:41:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557d84-da20-4d16-be87-420d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:41:24.000Z", "modified": "2016-06-06T13:41:24.000Z", "description": "PAC file", "pattern": "[url:value = 'http://wpad.com.gr/server.pac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:41:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557d84-49fc-4a1e-a3fc-4260950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:41:24.000Z", "modified": "2016-06-06T13:41:24.000Z", "description": "On port 8484", "pattern": "[url:value = 'http://93.190.137.240']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:41:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557d85-a524-461e-9183-4f70950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:41:25.000Z", "modified": "2016-06-06T13:41:25.000Z", "description": "PAC file", "pattern": "[url:value = 'http://xn--koa.net/server.pac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557da8-e0d4-40f4-bdda-4b2a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:42:00.000Z", "modified": "2016-06-06T13:42:00.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '93.190.137.240']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:42:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de4-c03c-494d-9996-4b24950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:00.000Z", "modified": "2016-06-06T13:43:00.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.MD5 = '754df4b9e0a954f13ef0f4a01a7cc587']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de5-6174-46b1-8432-4cea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:01.000Z", "modified": "2016-06-06T13:43:01.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.MD5 = '9dfebeacb2fcd8bf558caab4226e73e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de5-9268-48ac-9a8d-4d75950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:01.000Z", "modified": "2016-06-06T13:43:01.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.MD5 = '8da287ad9cee5376d5822012c1fdc1d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de6-f95c-450a-b4ce-4448950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:02.000Z", "modified": "2016-06-06T13:43:02.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.MD5 = 'fb6e1bfb2083daaf0bf40b9ad5226d3d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de6-77b8-427c-879b-4b31950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:02.000Z", "modified": "2016-06-06T13:43:02.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.MD5 = 'd62b97f57093cc5cb4d1fd3cff89f63b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de7-7b30-4b87-bc0c-42d9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:03.000Z", "modified": "2016-06-06T13:43:03.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.MD5 = 'f2afeeb6a6a205f6561bce5395d67730']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de7-b080-45b6-b19d-45bf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:03.000Z", "modified": "2016-06-06T13:43:03.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA1 = '374c760361a2e9d7aea99b784893ce2d50cd7c41']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de7-fc28-4d74-9984-4c53950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:03.000Z", "modified": "2016-06-06T13:43:03.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA1 = '78543cc1a1441e730bc4b1f9570cb00285f7de79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de8-ff44-43f3-bc28-456c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:04.000Z", "modified": "2016-06-06T13:43:04.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA1 = '641d10b10264d0d2fb7f94dfca819ad5bbca49a3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de8-2034-484b-89fb-428f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:04.000Z", "modified": "2016-06-06T13:43:04.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA1 = '2d8e2a0eaa261402a58a20b8862d93e1096f6ce2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de9-7180-4b8b-b71f-4143950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:05.000Z", "modified": "2016-06-06T13:43:05.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA1 = 'b505a0f13bf9439dcf621899b26bb32fdc2b5d44']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557de9-0154-4175-94a2-485a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:05.000Z", "modified": "2016-06-06T13:43:05.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA1 = '83d15bc3d8cb28321602bc3ca4f47fd2a254b8ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557dea-7ac0-401e-a58c-4135950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:06.000Z", "modified": "2016-06-06T13:43:06.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = '98a59f042da32b5972dadf17331f2f1e714097dc2d9d9d678edafc10dc5d7d9a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557dea-9fbc-44cd-ba5a-4a9f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:06.000Z", "modified": "2016-06-06T13:43:06.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'e7aecb0135099e15b71cc357f9c2529d1e6e494cab402017b2555096e09c9f31']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557deb-3480-400a-a5ff-4954950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:07.000Z", "modified": "2016-06-06T13:43:07.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'b8f9a1f7f3d096b040e0f2e6e6af47d3ffcfadc2a3234728949b1d6916a571a1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557deb-749c-4eed-a3c0-4174950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:07.000Z", "modified": "2016-06-06T13:43:07.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'c704caed0fe22efb9e94f0ae8c91c01a935c077526131b489f4bec893c3433dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557dec-11e4-4c4d-a530-49d9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:08.000Z", "modified": "2016-06-06T13:43:08.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = '993b06ee1d6b8384fc35cc94a3ad2a6ea6d04ebbd2413653eb635b33a57b1151']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557dec-6314-4b72-a898-4491950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:08.000Z", "modified": "2016-06-06T13:43:08.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = '1f111c1f9b4dd8596efbd5f0ceeb2e7a30b25ba296a2035e3652a81f340e0f26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557ded-70e0-4270-9e61-494b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:09.000Z", "modified": "2016-06-06T13:43:09.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = '86763ec412336d2b7524b44c3c60cf7938ff4d36927015c84503dd70acac30d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557ded-e7f4-44ba-ad15-4c83950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:09.000Z", "modified": "2016-06-06T13:43:09.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'ca4d238b324dd35b2a1706d92b728b69efeca28c5934fd69b8816943c9de2ec5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557dee-a7b4-4a24-9d01-48f6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:10.000Z", "modified": "2016-06-06T13:43:10.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'eca52b0c880141cf36fbb0a704860dc8eeb9fd38528021c25f79a68293004563']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557dee-dd1c-4ca4-b0c9-4bb2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:10.000Z", "modified": "2016-06-06T13:43:10.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = '2bed7c4b1c7a9a1aac6996a2edb8b6987b71ffaa55ac2c574dc43f1feee8e1ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557dee-24a4-448a-9a92-4666950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:10.000Z", "modified": "2016-06-06T13:43:10.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'eccfd7065d436d5a4da903c6a29bc926e630c9e47795bfc416f8a3cd25090167']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557def-815c-45fe-9e75-49c9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:11.000Z", "modified": "2016-06-06T13:43:11.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'e879531b7fc218213af9c6c9f48107cd14b5733f9f9b68b64d07a1adb61b2ed0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557def-3c94-455a-938e-4936950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:11.000Z", "modified": "2016-06-06T13:43:11.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = '426ee3c2df00f5ecad0dd6394f9ab331b0d759545f709479f062764673af5120']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557df0-6c78-435a-93f1-4705950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:12.000Z", "modified": "2016-06-06T13:43:12.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'b7ddd15fa8e5b41ae06890cb860e71c9baf308813adc1f61eec853a6b366b206']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557df0-3f84-45b4-936d-4dbd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:12.000Z", "modified": "2016-06-06T13:43:12.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'ead9ec37ff78a036083ea8f39e3e4f4e356efa7b1da16fc741a29e201aa3cc1f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557df0-f434-442b-b210-40ad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:12.000Z", "modified": "2016-06-06T13:43:12.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'e16c8d3522b51648e7bb369e8f013ea97bc34e0da1cde467676015b5c2b38e93']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557df1-9120-4600-b632-44ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:13.000Z", "modified": "2016-06-06T13:43:13.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = 'b673103ca06c97adf43fcd6a9c80906c45a2d168750774c9cd18308ead8cc426']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557df1-bca8-4943-bf53-4e77950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:13.000Z", "modified": "2016-06-06T13:43:13.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet.", "pattern": "[file:hashes.SHA256 = '9f63a748ce6f4e4b53eff31e20c67a528e220190e834eac2da57dd426b93a234']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e00-80d8-4133-827d-4a8f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:28.000Z", "modified": "2016-06-06T13:43:28.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[domain-name:value = 'xn--51haaa.ml']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e00-d764-4292-848d-4af8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:28.000Z", "modified": "2016-06-06T13:43:28.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[domain-name:value = 'xn--koa.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e01-4c50-43c6-b236-40f4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:43:29.000Z", "modified": "2016-06-06T13:43:29.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[domain-name:value = 'wpad.com.gr']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:43:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e45-0d9c-4474-ad8d-432d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:37.000Z", "modified": "2016-06-06T13:44:37.000Z", "first_observed": "2016-06-06T13:44:37Z", "last_observed": "2016-06-06T13:44:37Z", "number_observed": 1, "object_refs": [ "url--57557e45-0d9c-4474-ad8d-432d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e45-0d9c-4474-ad8d-432d02de0b81", "value": "https://www.virustotal.com/file/9f63a748ce6f4e4b53eff31e20c67a528e220190e834eac2da57dd426b93a234/analysis/1450058531/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e46-59b8-41ad-908d-42ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:38.000Z", "modified": "2016-06-06T13:44:38.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: b673103ca06c97adf43fcd6a9c80906c45a2d168750774c9cd18308ead8cc426", "pattern": "[file:hashes.SHA1 = 'fe1cfeab9080ce9c0436813fc96ca89f1c9e3d07']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e46-3c14-4f93-8e79-424c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:38.000Z", "modified": "2016-06-06T13:44:38.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: b673103ca06c97adf43fcd6a9c80906c45a2d168750774c9cd18308ead8cc426", "pattern": "[file:hashes.MD5 = '713dc2ca729aad773380c6fca70af8b7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e47-f230-4459-815d-4ad202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:39.000Z", "modified": "2016-06-06T13:44:39.000Z", "first_observed": "2016-06-06T13:44:39Z", "last_observed": "2016-06-06T13:44:39Z", "number_observed": 1, "object_refs": [ "url--57557e47-f230-4459-815d-4ad202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e47-f230-4459-815d-4ad202de0b81", "value": "https://www.virustotal.com/file/b673103ca06c97adf43fcd6a9c80906c45a2d168750774c9cd18308ead8cc426/analysis/1463490982/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e47-f344-4498-8b44-4fd802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:39.000Z", "modified": "2016-06-06T13:44:39.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: e16c8d3522b51648e7bb369e8f013ea97bc34e0da1cde467676015b5c2b38e93", "pattern": "[file:hashes.SHA1 = '73f0977a41ff0a32e9039d2e6f760de3c3083a3c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e48-d0d8-41e9-a957-4a9102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:40.000Z", "modified": "2016-06-06T13:44:40.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: e16c8d3522b51648e7bb369e8f013ea97bc34e0da1cde467676015b5c2b38e93", "pattern": "[file:hashes.MD5 = '521ac14c9aae6cac9b988dd4dd6a2f6b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e48-6190-45db-b5d5-4bbf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:40.000Z", "modified": "2016-06-06T13:44:40.000Z", "first_observed": "2016-06-06T13:44:40Z", "last_observed": "2016-06-06T13:44:40Z", "number_observed": 1, "object_refs": [ "url--57557e48-6190-45db-b5d5-4bbf02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e48-6190-45db-b5d5-4bbf02de0b81", "value": "https://www.virustotal.com/file/e16c8d3522b51648e7bb369e8f013ea97bc34e0da1cde467676015b5c2b38e93/analysis/1463490981/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e48-9418-4765-81d4-4ac702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:40.000Z", "modified": "2016-06-06T13:44:40.000Z", "first_observed": "2016-06-06T13:44:40Z", "last_observed": "2016-06-06T13:44:40Z", "number_observed": 1, "object_refs": [ "url--57557e48-9418-4765-81d4-4ac702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e48-9418-4765-81d4-4ac702de0b81", "value": "https://www.virustotal.com/file/ead9ec37ff78a036083ea8f39e3e4f4e356efa7b1da16fc741a29e201aa3cc1f/analysis/1446478125/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e49-bc8c-49eb-a5f9-4a5702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:41.000Z", "modified": "2016-06-06T13:44:41.000Z", "first_observed": "2016-06-06T13:44:41Z", "last_observed": "2016-06-06T13:44:41Z", "number_observed": 1, "object_refs": [ "url--57557e49-bc8c-49eb-a5f9-4a5702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e49-bc8c-49eb-a5f9-4a5702de0b81", "value": "https://www.virustotal.com/file/b7ddd15fa8e5b41ae06890cb860e71c9baf308813adc1f61eec853a6b366b206/analysis/1464421408/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e49-2ecc-447f-987d-4f7702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:41.000Z", "modified": "2016-06-06T13:44:41.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 426ee3c2df00f5ecad0dd6394f9ab331b0d759545f709479f062764673af5120", "pattern": "[file:hashes.SHA1 = '0e816e715c631c28ad8a82202b7fcfea00a72a30']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4a-f784-4932-a95b-44bd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:42.000Z", "modified": "2016-06-06T13:44:42.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 426ee3c2df00f5ecad0dd6394f9ab331b0d759545f709479f062764673af5120", "pattern": "[file:hashes.MD5 = '99a0df95986f975a4e5229550d710f23']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e4a-d290-4a02-acff-4a2102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:42.000Z", "modified": "2016-06-06T13:44:42.000Z", "first_observed": "2016-06-06T13:44:42Z", "last_observed": "2016-06-06T13:44:42Z", "number_observed": 1, "object_refs": [ "url--57557e4a-d290-4a02-acff-4a2102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e4a-d290-4a02-acff-4a2102de0b81", "value": "https://www.virustotal.com/file/426ee3c2df00f5ecad0dd6394f9ab331b0d759545f709479f062764673af5120/analysis/1463490983/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4b-e634-475b-9683-473802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:43.000Z", "modified": "2016-06-06T13:44:43.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: e879531b7fc218213af9c6c9f48107cd14b5733f9f9b68b64d07a1adb61b2ed0", "pattern": "[file:hashes.SHA1 = '468c249e2be922e524ca73f01b4ad662b6e5d411']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4b-41cc-434c-92aa-402d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:43.000Z", "modified": "2016-06-06T13:44:43.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: e879531b7fc218213af9c6c9f48107cd14b5733f9f9b68b64d07a1adb61b2ed0", "pattern": "[file:hashes.MD5 = '57212490b784ecbdb9ce965acd228539']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e4c-c58c-41f5-b275-493502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:44.000Z", "modified": "2016-06-06T13:44:44.000Z", "first_observed": "2016-06-06T13:44:44Z", "last_observed": "2016-06-06T13:44:44Z", "number_observed": 1, "object_refs": [ "url--57557e4c-c58c-41f5-b275-493502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e4c-c58c-41f5-b275-493502de0b81", "value": "https://www.virustotal.com/file/e879531b7fc218213af9c6c9f48107cd14b5733f9f9b68b64d07a1adb61b2ed0/analysis/1451634274/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4c-7b9c-4a0e-a450-4c5602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:44.000Z", "modified": "2016-06-06T13:44:44.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: eccfd7065d436d5a4da903c6a29bc926e630c9e47795bfc416f8a3cd25090167", "pattern": "[file:hashes.SHA1 = 'e1d791b60f69a08f81d0acb88f068ad2e8735585']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4c-20b4-46a8-9431-427202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:44.000Z", "modified": "2016-06-06T13:44:44.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: eccfd7065d436d5a4da903c6a29bc926e630c9e47795bfc416f8a3cd25090167", "pattern": "[file:hashes.MD5 = '8f93e41c30911fd2321973c01277c752']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e4d-2440-4ca8-87b7-4e1d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:45.000Z", "modified": "2016-06-06T13:44:45.000Z", "first_observed": "2016-06-06T13:44:45Z", "last_observed": "2016-06-06T13:44:45Z", "number_observed": 1, "object_refs": [ "url--57557e4d-2440-4ca8-87b7-4e1d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e4d-2440-4ca8-87b7-4e1d02de0b81", "value": "https://www.virustotal.com/file/eccfd7065d436d5a4da903c6a29bc926e630c9e47795bfc416f8a3cd25090167/analysis/1463490983/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4d-e8ec-47ce-bcc7-4c3a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:45.000Z", "modified": "2016-06-06T13:44:45.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 2bed7c4b1c7a9a1aac6996a2edb8b6987b71ffaa55ac2c574dc43f1feee8e1ce", "pattern": "[file:hashes.SHA1 = '1be920cb406d8fea6a554faa4f1457b2fed47df4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4e-95fc-4d0d-95a7-4c3802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:46.000Z", "modified": "2016-06-06T13:44:46.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 2bed7c4b1c7a9a1aac6996a2edb8b6987b71ffaa55ac2c574dc43f1feee8e1ce", "pattern": "[file:hashes.MD5 = 'c6b90576c2f6aae51fc932c98b17daf0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e4e-0ddc-477d-9c32-489202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:46.000Z", "modified": "2016-06-06T13:44:46.000Z", "first_observed": "2016-06-06T13:44:46Z", "last_observed": "2016-06-06T13:44:46Z", "number_observed": 1, "object_refs": [ "url--57557e4e-0ddc-477d-9c32-489202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e4e-0ddc-477d-9c32-489202de0b81", "value": "https://www.virustotal.com/file/2bed7c4b1c7a9a1aac6996a2edb8b6987b71ffaa55ac2c574dc43f1feee8e1ce/analysis/1464248617/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4f-bf88-4b9d-8744-467202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:47.000Z", "modified": "2016-06-06T13:44:47.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: eca52b0c880141cf36fbb0a704860dc8eeb9fd38528021c25f79a68293004563", "pattern": "[file:hashes.SHA1 = 'b67b22aafda1a77758014071bb12e6ba2e0b8a0f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e4f-e8dc-485f-8074-400302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:47.000Z", "modified": "2016-06-06T13:44:47.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: eca52b0c880141cf36fbb0a704860dc8eeb9fd38528021c25f79a68293004563", "pattern": "[file:hashes.MD5 = 'eed81f2283c05191c77ceec6ecf989bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e50-a1d8-4e21-afeb-401a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:48.000Z", "modified": "2016-06-06T13:44:48.000Z", "first_observed": "2016-06-06T13:44:48Z", "last_observed": "2016-06-06T13:44:48Z", "number_observed": 1, "object_refs": [ "url--57557e50-a1d8-4e21-afeb-401a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e50-a1d8-4e21-afeb-401a02de0b81", "value": "https://www.virustotal.com/file/eca52b0c880141cf36fbb0a704860dc8eeb9fd38528021c25f79a68293004563/analysis/1463490985/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e50-7f40-4da9-910d-41a602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:48.000Z", "modified": "2016-06-06T13:44:48.000Z", "first_observed": "2016-06-06T13:44:48Z", "last_observed": "2016-06-06T13:44:48Z", "number_observed": 1, "object_refs": [ "url--57557e50-7f40-4da9-910d-41a602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e50-7f40-4da9-910d-41a602de0b81", "value": "https://www.virustotal.com/file/ca4d238b324dd35b2a1706d92b728b69efeca28c5934fd69b8816943c9de2ec5/analysis/1463640490/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e50-3edc-48dd-bb44-4e5b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:48.000Z", "modified": "2016-06-06T13:44:48.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 86763ec412336d2b7524b44c3c60cf7938ff4d36927015c84503dd70acac30d0", "pattern": "[file:hashes.SHA1 = '3c551bf3b31cf7b2aaa8a6beb5c9114315cf71ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e51-b434-4720-904d-474202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:49.000Z", "modified": "2016-06-06T13:44:49.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 86763ec412336d2b7524b44c3c60cf7938ff4d36927015c84503dd70acac30d0", "pattern": "[file:hashes.MD5 = '4f19bb0b2f343c2bcc25fe36bccbbab7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e51-e968-4f64-87a1-44ff02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:49.000Z", "modified": "2016-06-06T13:44:49.000Z", "first_observed": "2016-06-06T13:44:49Z", "last_observed": "2016-06-06T13:44:49Z", "number_observed": 1, "object_refs": [ "url--57557e51-e968-4f64-87a1-44ff02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e51-e968-4f64-87a1-44ff02de0b81", "value": "https://www.virustotal.com/file/86763ec412336d2b7524b44c3c60cf7938ff4d36927015c84503dd70acac30d0/analysis/1463490981/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e52-73c4-4a52-8662-4aac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:50.000Z", "modified": "2016-06-06T13:44:50.000Z", "first_observed": "2016-06-06T13:44:50Z", "last_observed": "2016-06-06T13:44:50Z", "number_observed": 1, "object_refs": [ "url--57557e52-73c4-4a52-8662-4aac02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e52-73c4-4a52-8662-4aac02de0b81", "value": "https://www.virustotal.com/file/1f111c1f9b4dd8596efbd5f0ceeb2e7a30b25ba296a2035e3652a81f340e0f26/analysis/1453461325/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e52-0e6c-4910-8519-47cb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:50.000Z", "modified": "2016-06-06T13:44:50.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 993b06ee1d6b8384fc35cc94a3ad2a6ea6d04ebbd2413653eb635b33a57b1151", "pattern": "[file:hashes.SHA1 = 'ac15fb527baa0058c059f20f1ef20b5c2bd16abc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e53-1688-4253-bd64-412002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:51.000Z", "modified": "2016-06-06T13:44:51.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 993b06ee1d6b8384fc35cc94a3ad2a6ea6d04ebbd2413653eb635b33a57b1151", "pattern": "[file:hashes.MD5 = '0681d610f382f5aa59e69d976ed7acdb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e53-3bc0-4883-bddd-4ee802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:51.000Z", "modified": "2016-06-06T13:44:51.000Z", "first_observed": "2016-06-06T13:44:51Z", "last_observed": "2016-06-06T13:44:51Z", "number_observed": 1, "object_refs": [ "url--57557e53-3bc0-4883-bddd-4ee802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e53-3bc0-4883-bddd-4ee802de0b81", "value": "https://www.virustotal.com/file/993b06ee1d6b8384fc35cc94a3ad2a6ea6d04ebbd2413653eb635b33a57b1151/analysis/1464094559/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e54-9970-4a97-ae94-48b302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:52.000Z", "modified": "2016-06-06T13:44:52.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: c704caed0fe22efb9e94f0ae8c91c01a935c077526131b489f4bec893c3433dd", "pattern": "[file:hashes.SHA1 = '678046b7c48ab176fc0053ab22d4490f72e9e132']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e54-6134-4200-8443-4c0502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:52.000Z", "modified": "2016-06-06T13:44:52.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: c704caed0fe22efb9e94f0ae8c91c01a935c077526131b489f4bec893c3433dd", "pattern": "[file:hashes.MD5 = '6a2ac9046e8632e00d52bfb804ddeb5e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e54-7104-43a9-b5c3-49bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:52.000Z", "modified": "2016-06-06T13:44:52.000Z", "first_observed": "2016-06-06T13:44:52Z", "last_observed": "2016-06-06T13:44:52Z", "number_observed": 1, "object_refs": [ "url--57557e54-7104-43a9-b5c3-49bc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e54-7104-43a9-b5c3-49bc02de0b81", "value": "https://www.virustotal.com/file/c704caed0fe22efb9e94f0ae8c91c01a935c077526131b489f4bec893c3433dd/analysis/1463490982/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e55-fda0-4638-9d59-48e302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:53.000Z", "modified": "2016-06-06T13:44:53.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: b8f9a1f7f3d096b040e0f2e6e6af47d3ffcfadc2a3234728949b1d6916a571a1", "pattern": "[file:hashes.SHA1 = '9297023d51c5361dcfe26c17b5ec0d712e477260']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e55-20b0-47e1-a925-4d1c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:53.000Z", "modified": "2016-06-06T13:44:53.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: b8f9a1f7f3d096b040e0f2e6e6af47d3ffcfadc2a3234728949b1d6916a571a1", "pattern": "[file:hashes.MD5 = 'ef7fc17f694d2ce26d97247ba9b25c36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e56-b2d0-4e57-9029-4e5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:54.000Z", "modified": "2016-06-06T13:44:54.000Z", "first_observed": "2016-06-06T13:44:54Z", "last_observed": "2016-06-06T13:44:54Z", "number_observed": 1, "object_refs": [ "url--57557e56-b2d0-4e57-9029-4e5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e56-b2d0-4e57-9029-4e5102de0b81", "value": "https://www.virustotal.com/file/b8f9a1f7f3d096b040e0f2e6e6af47d3ffcfadc2a3234728949b1d6916a571a1/analysis/1451634587/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e56-38c4-4e0d-aa31-44dd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:54.000Z", "modified": "2016-06-06T13:44:54.000Z", "first_observed": "2016-06-06T13:44:54Z", "last_observed": "2016-06-06T13:44:54Z", "number_observed": 1, "object_refs": [ "url--57557e56-38c4-4e0d-aa31-44dd02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e56-38c4-4e0d-aa31-44dd02de0b81", "value": "https://www.virustotal.com/file/e7aecb0135099e15b71cc357f9c2529d1e6e494cab402017b2555096e09c9f31/analysis/1444238521/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e57-b064-4bdb-923c-461702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:55.000Z", "modified": "2016-06-06T13:44:55.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 98a59f042da32b5972dadf17331f2f1e714097dc2d9d9d678edafc10dc5d7d9a", "pattern": "[file:hashes.SHA1 = 'b44d0686e918c6708d091870aa91c2db63e84b41']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57557e57-b29c-4921-8c06-454b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:55.000Z", "modified": "2016-06-06T13:44:55.000Z", "description": "Lame proxychanger, apparently related to a clickfraud botnet. - Xchecked via VT: 98a59f042da32b5972dadf17331f2f1e714097dc2d9d9d678edafc10dc5d7d9a", "pattern": "[file:hashes.MD5 = 'b29816a16f6ac75432d52848236c04db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-06T13:44:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57557e57-80f8-4e2a-a7ec-459902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-06T13:44:55.000Z", "modified": "2016-06-06T13:44:55.000Z", "first_observed": "2016-06-06T13:44:55Z", "last_observed": "2016-06-06T13:44:55Z", "number_observed": 1, "object_refs": [ "url--57557e57-80f8-4e2a-a7ec-459902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57557e57-80f8-4e2a-a7ec-459902de0b81", "value": "https://www.virustotal.com/file/98a59f042da32b5972dadf17331f2f1e714097dc2d9d9d678edafc10dc5d7d9a/analysis/1463490983/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }