{ "type": "bundle", "id": "bundle--57a33020-bc70-4f69-96f9-118b950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:12.000Z", "modified": "2016-08-04T14:02:12.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57a33020-bc70-4f69-96f9-118b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:12.000Z", "modified": "2016-08-04T14:02:12.000Z", "name": "OSINT - NANHAISHU RATing the South China Sea", "published": "2016-08-04T14:02:25Z", "object_refs": [ "indicator--57a34524-d4ac-4726-93e7-22a8950d210f", "indicator--57a34582-8218-4ef3-92aa-22a4950d210f", "indicator--57a34582-65fc-45a6-abff-22a4950d210f", "indicator--57a34583-b91c-42ae-973e-22a4950d210f", "indicator--57a3461e-63e4-43aa-ba6d-22a4950d210f", "indicator--57a3461f-38f0-4b14-a80b-22a4950d210f", "indicator--57a34643-5a6c-40e0-98e3-22a9950d210f", "indicator--57a34643-c924-4e5a-903e-22a9950d210f", "indicator--57a3473e-0b34-46a7-a522-1cb7950d210f", "indicator--57a3473e-37b4-40a5-9930-1cb7950d210f", "indicator--57a34998-ba54-4cff-bf49-22ae950d210f", "indicator--57a34998-0918-41f5-8b46-22ae950d210f", "indicator--57a349dc-fad4-4d78-8806-22ae950d210f", "indicator--57a349dc-d358-419b-a9d8-22ae950d210f", "indicator--57a349fc-40f8-4218-970f-22b3950d210f", "indicator--57a349fc-de7c-4f8a-9c75-22b3950d210f", "indicator--57a34a18-8724-4dd0-8e04-22b3950d210f", "indicator--57a34a18-7d8c-45de-a405-22b3950d210f", "observed-data--57a34aa1-1038-4900-952d-22b0950d210f", "url--57a34aa1-1038-4900-952d-22b0950d210f", "observed-data--57a34ac8-2f7c-40f0-87ed-118b950d210f", "url--57a34ac8-2f7c-40f0-87ed-118b950d210f", "indicator--57a34ae4-6ec4-4df6-8404-22b402de0b81", "indicator--57a34ae4-5750-4fc5-aa9f-22b402de0b81", "observed-data--57a34ae4-12b8-4f62-ab4d-22b402de0b81", "url--57a34ae4-12b8-4f62-ab4d-22b402de0b81", "indicator--57a34ae5-61ac-40c3-bbbf-22b402de0b81", "indicator--57a34ae5-ae24-4413-8de2-22b402de0b81", "observed-data--57a34ae5-de80-4f90-99b7-22b402de0b81", "url--57a34ae5-de80-4f90-99b7-22b402de0b81", "indicator--57a34ae5-2d0c-4bce-aeb9-22b402de0b81", "indicator--57a34ae5-4d90-4304-8b72-22b402de0b81", "observed-data--57a34ae5-7574-446f-bed9-22b402de0b81", "url--57a34ae5-7574-446f-bed9-22b402de0b81", "indicator--57a34ae6-85e8-4129-851b-22b402de0b81", "indicator--57a34ae6-d5d4-4764-886b-22b402de0b81", "observed-data--57a34ae6-b7a0-49dd-a6fe-22b402de0b81", "url--57a34ae6-b7a0-49dd-a6fe-22b402de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34524-d4ac-4726-93e7-22a8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:59:26.000Z", "modified": "2016-08-04T13:59:26.000Z", "description": "First seen 2015-01-13", "pattern": "[file:name = 'DOJ Staff bonus January 13, 2015.xls' AND file:hashes.SHA1 = 'a17769e8a2ac48f83076e3e1b6b24d71e6431d43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:59:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34582-8218-4ef3-92aa-22a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:00:04.000Z", "modified": "2016-08-04T14:00:04.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-04-07", "pattern": "[file:name = 'The draft Foley Hoag reform of the distribution of shares and the remuneration system.xls' AND file:hashes.SHA1 = 'c66165a2fda061a2dc6415b99668c0b802bb26a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:00:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34582-65fc-45a6-abff-22a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:00:28.000Z", "modified": "2016-08-04T14:00:28.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-05-27", "pattern": "[file:name = 'Salary and Bonus Data.xls' AND file:hashes.SHA1 = 'da799a043e077fd7bde1eaa1a1fa32fd32bcfb25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:00:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34583-b91c-42ae-973e-22a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:00:45.000Z", "modified": "2016-08-04T14:00:45.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-10-02", "pattern": "[file:name = 'AELM Entertainment budget and Attendance allowance.xls' AND file:hashes.SHA1 = 'da3a8d1ea5b245f612da17ec7b252c45fd75adae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:00:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a3461e-63e4-43aa-ba6d-22a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:41:50.000Z", "modified": "2016-08-04T13:41:50.000Z", "description": "a17769e8a2ac48f83076e3e1b6b24d71e6431d43", "pattern": "[domain-name:value = 'mines.port0.org' AND domain-name:resolves_to_refs[*].value = '54.87.87.13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:41:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a3461f-38f0-4b14-a80b-22a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:41:51.000Z", "modified": "2016-08-04T13:41:51.000Z", "description": "a17769e8a2ac48f83076e3e1b6b24d71e6431d43", "pattern": "[domain-name:value = 'mines.port0.org' AND domain-name:resolves_to_refs[*].value = '103.238.224.218']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:41:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34643-5a6c-40e0-98e3-22a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:42:27.000Z", "modified": "2016-08-04T13:42:27.000Z", "description": "c66165a2fda061a2dc6415b99668c0b802bb26a0", "pattern": "[domain-name:value = 'eholidays.mooo.com' AND domain-name:resolves_to_refs[*].value = '54.87.87.13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:42:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34643-c924-4e5a-903e-22a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:42:27.000Z", "modified": "2016-08-04T13:42:27.000Z", "description": "c66165a2fda061a2dc6415b99668c0b802bb26a0", "pattern": "[domain-name:value = 'eholidays.mooo.com' AND domain-name:resolves_to_refs[*].value = '103.238.224.218']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:42:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a3473e-0b34-46a7-a522-1cb7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:46:38.000Z", "modified": "2016-08-04T13:46:38.000Z", "description": "da799a043e077fd7bde1eaa1a1fa32fd32bcfb25", "pattern": "[domain-name:value = 'humans.mooo.info' AND domain-name:resolves_to_refs[*].value = '54.242.66.219']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:46:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a3473e-37b4-40a5-9930-1cb7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:46:38.000Z", "modified": "2016-08-04T13:46:38.000Z", "description": "da799a043e077fd7bde1eaa1a1fa32fd32bcfb25", "pattern": "[domain-name:value = 'humans.mooo.info' AND domain-name:resolves_to_refs[*].value = '103.238.224.218']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:46:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34998-ba54-4cff-bf49-22ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:56:40.000Z", "modified": "2016-08-04T13:56:40.000Z", "description": "da3a8d1ea5b245f612da17ec7b252c45fd75adae", "pattern": "[domain-name:value = 'presentation.twilightparadox.com' AND domain-name:resolves_to_refs[*].value = '64.62.189.196']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:56:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34998-0918-41f5-8b46-22ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:56:40.000Z", "modified": "2016-08-04T13:56:40.000Z", "description": "da3a8d1ea5b245f612da17ec7b252c45fd75adae", "pattern": "[domain-name:value = 'presentation.twilightparadox.com' AND domain-name:resolves_to_refs[*].value = '103.238.224.218']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:56:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a349dc-fad4-4d78-8806-22ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:57:48.000Z", "modified": "2016-08-04T13:57:48.000Z", "pattern": "[domain-name:value = 'mintty.ignorelist.com' AND domain-name:resolves_to_refs[*].value = '64.62.189.221']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:57:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a349dc-d358-419b-a9d8-22ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:57:48.000Z", "modified": "2016-08-04T13:57:48.000Z", "pattern": "[domain-name:value = 'mintty.ignorelist.com' AND domain-name:resolves_to_refs[*].value = '103.238.224.218']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:57:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain|ip\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a349fc-40f8-4218-970f-22b3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:58:20.000Z", "modified": "2016-08-04T13:58:20.000Z", "pattern": "[file:name = '\\\\%appdata\\\\%\\\\Microsoft\\\\Network\\\\network.js']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:58:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a349fc-de7c-4f8a-9c75-22b3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:58:20.000Z", "modified": "2016-08-04T13:58:20.000Z", "pattern": "[file:name = '\\\\%appdata\\\\%\\\\Microsoft\\\\Protect\\\\CRED']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:58:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34a18-8724-4dd0-8e04-22b3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:58:48.000Z", "modified": "2016-08-04T13:58:48.000Z", "pattern": "[windows-registry-key:key = '\\\\%regrun\\\\%\\\\network']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:58:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34a18-7d8c-45de-a405-22b3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T13:58:48.000Z", "modified": "2016-08-04T13:58:48.000Z", "pattern": "[windows-registry-key:key = '\\\\%regrun\\\\%\\\\protect']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T13:58:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a34aa1-1038-4900-952d-22b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:01:05.000Z", "modified": "2016-08-04T14:01:05.000Z", "first_observed": "2016-08-04T14:01:05Z", "last_observed": "2016-08-04T14:01:05Z", "number_observed": 1, "object_refs": [ "url--57a34aa1-1038-4900-952d-22b0950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a34aa1-1038-4900-952d-22b0950d210f", "value": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a34ac8-2f7c-40f0-87ed-118b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:01:44.000Z", "modified": "2016-08-04T14:01:44.000Z", "first_observed": "2016-08-04T14:01:44Z", "last_observed": "2016-08-04T14:01:44Z", "number_observed": 1, "object_refs": [ "url--57a34ac8-2f7c-40f0-87ed-118b950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a34ac8-2f7c-40f0-87ed-118b950d210f", "value": "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34ae4-6ec4-4df6-8404-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:12.000Z", "modified": "2016-08-04T14:02:12.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-10-02 - Xchecked via VT: da3a8d1ea5b245f612da17ec7b252c45fd75adae", "pattern": "[file:hashes.SHA256 = 'b0de26080a84ba0b15ea3f471fe6be5392efe770c53dbe5c0a8ed439b05731c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:02:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34ae4-5750-4fc5-aa9f-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:12.000Z", "modified": "2016-08-04T14:02:12.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-10-02 - Xchecked via VT: da3a8d1ea5b245f612da17ec7b252c45fd75adae", "pattern": "[file:hashes.MD5 = '97da0784fddfef932d7d31884f088b40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:02:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a34ae4-12b8-4f62-ab4d-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:12.000Z", "modified": "2016-08-04T14:02:12.000Z", "first_observed": "2016-08-04T14:02:12Z", "last_observed": "2016-08-04T14:02:12Z", "number_observed": 1, "object_refs": [ "url--57a34ae4-12b8-4f62-ab4d-22b402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a34ae4-12b8-4f62-ab4d-22b402de0b81", "value": "https://www.virustotal.com/file/b0de26080a84ba0b15ea3f471fe6be5392efe770c53dbe5c0a8ed439b05731c6/analysis/1445948371/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34ae5-61ac-40c3-bbbf-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:13.000Z", "modified": "2016-08-04T14:02:13.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-05-27 - Xchecked via VT: da799a043e077fd7bde1eaa1a1fa32fd32bcfb25", "pattern": "[file:hashes.SHA256 = 'fd5706a5e45d2e0805221c3336c75167980916f39826eb6312aea7ea807d4ec0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:02:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34ae5-ae24-4413-8de2-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:13.000Z", "modified": "2016-08-04T14:02:13.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-05-27 - Xchecked via VT: da799a043e077fd7bde1eaa1a1fa32fd32bcfb25", "pattern": "[file:hashes.MD5 = 'e1f88bc02e9bd15cecc7ae97a009e0d2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:02:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a34ae5-de80-4f90-99b7-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:13.000Z", "modified": "2016-08-04T14:02:13.000Z", "first_observed": "2016-08-04T14:02:13Z", "last_observed": "2016-08-04T14:02:13Z", "number_observed": 1, "object_refs": [ "url--57a34ae5-de80-4f90-99b7-22b402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a34ae5-de80-4f90-99b7-22b402de0b81", "value": "https://www.virustotal.com/file/fd5706a5e45d2e0805221c3336c75167980916f39826eb6312aea7ea807d4ec0/analysis/1455828112/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34ae5-2d0c-4bce-aeb9-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:13.000Z", "modified": "2016-08-04T14:02:13.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-04-07 - Xchecked via VT: c66165a2fda061a2dc6415b99668c0b802bb26a0", "pattern": "[file:hashes.SHA256 = 'e2c115679bcad87692506d6d9e7a985c59f59e36fd658b8927386474cbcc38ca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:02:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34ae5-4d90-4304-8b72-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:13.000Z", "modified": "2016-08-04T14:02:13.000Z", "description": "https://blogs.mcafee.com/mcafee-labs/stealthycyberespionagecampaign-attackswith-socialengineering/ - 2015-04-07 - Xchecked via VT: c66165a2fda061a2dc6415b99668c0b802bb26a0", "pattern": "[file:hashes.MD5 = 'd1de5bf033ee31da7babc6fa270f55bb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:02:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a34ae5-7574-446f-bed9-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:13.000Z", "modified": "2016-08-04T14:02:13.000Z", "first_observed": "2016-08-04T14:02:13Z", "last_observed": "2016-08-04T14:02:13Z", "number_observed": 1, "object_refs": [ "url--57a34ae5-7574-446f-bed9-22b402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a34ae5-7574-446f-bed9-22b402de0b81", "value": "https://www.virustotal.com/file/e2c115679bcad87692506d6d9e7a985c59f59e36fd658b8927386474cbcc38ca/analysis/1456251302/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34ae6-85e8-4129-851b-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:14.000Z", "modified": "2016-08-04T14:02:14.000Z", "description": "First seen 2015-01-13 - Xchecked via VT: a17769e8a2ac48f83076e3e1b6b24d71e6431d43", "pattern": "[file:hashes.SHA256 = '9696478b1484a0182644050d9adece9404f51eac193c4629a2bea9669a2fe5ef']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:02:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a34ae6-d5d4-4764-886b-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:14.000Z", "modified": "2016-08-04T14:02:14.000Z", "description": "First seen 2015-01-13 - Xchecked via VT: a17769e8a2ac48f83076e3e1b6b24d71e6431d43", "pattern": "[file:hashes.MD5 = 'c0326d13c9619ebf6ee302cebda6cbfe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-04T14:02:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a34ae6-b7a0-49dd-a6fe-22b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-04T14:02:14.000Z", "modified": "2016-08-04T14:02:14.000Z", "first_observed": "2016-08-04T14:02:14Z", "last_observed": "2016-08-04T14:02:14Z", "number_observed": 1, "object_refs": [ "url--57a34ae6-b7a0-49dd-a6fe-22b402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a34ae6-b7a0-49dd-a6fe-22b402de0b81", "value": "https://www.virustotal.com/file/9696478b1484a0182644050d9adece9404f51eac193c4629a2bea9669a2fe5ef/analysis/1470315364/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }