{ "type": "bundle", "id": "bundle--582c134f-c358-455c-935e-4598950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:18.000Z", "modified": "2016-11-16T09:11:18.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--582c134f-c358-455c-935e-4598950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:18.000Z", "modified": "2016-11-16T09:11:18.000Z", "name": "OSINT - New Carbanak / Anunak Attack Methodology", "published": "2016-11-16T09:11:47Z", "object_refs": [ "observed-data--582c1529-6e5c-4306-b983-4713950d210f", "url--582c1529-6e5c-4306-b983-4713950d210f", "x-misp-attribute--582c153a-eff4-460a-a3da-4d39950d210f", "indicator--582c1563-9db8-4af1-a2ec-40a9950d210f", "indicator--582c1563-f06c-4244-8e19-4ab8950d210f", "indicator--582c158d-bcc0-4c2d-b25b-4769950d210f", "indicator--582c158d-6ae0-42c3-9011-45e6950d210f", "indicator--582c158e-88e8-4c6f-a769-4c69950d210f", "indicator--582c15a4-c3e0-47d9-8f43-40a6950d210f", "indicator--582c15d0-28c8-486c-baaa-49dd950d210f", "indicator--582c15d0-e134-4463-8db6-4f1e950d210f", "indicator--582c15d1-a4ec-4994-9a07-4acc950d210f", "indicator--582c15d1-5f90-45a9-a73e-41b1950d210f", "indicator--582c15d2-081c-4dbc-bda4-44aa950d210f", "indicator--582c160a-3bcc-4fc8-bf8a-458e950d210f", "indicator--582c160a-5114-4d1a-a92b-47e1950d210f", "indicator--582c1643-a4e8-4892-afe1-42ae950d210f", "indicator--582c1644-01f8-44d2-a18d-42a6950d210f", "indicator--582c166d-7980-406f-b221-49e5950d210f", "indicator--582c168a-f448-4d62-9e2c-4a31950d210f", "indicator--582c168a-4264-473f-be7b-4bc7950d210f", "indicator--582c22b6-69e8-42b7-a9f9-478302de0b81", "indicator--582c22b7-3270-4537-bbcb-4a4902de0b81", "observed-data--582c22b7-cd5c-4dbb-a339-426f02de0b81", "url--582c22b7-cd5c-4dbb-a339-426f02de0b81", 
"indicator--582c22b8-b78c-4669-95fb-42eb02de0b81", "indicator--582c22b8-d530-4bca-a546-4ef102de0b81", "observed-data--582c22b9-eec8-4e95-b73a-49dd02de0b81", "url--582c22b9-eec8-4e95-b73a-49dd02de0b81", "indicator--582c22b9-3a70-475c-923d-473302de0b81", "indicator--582c22ba-b2b8-42cc-bfc1-4e9102de0b81", "observed-data--582c22ba-d550-49c3-8674-4c7002de0b81", "url--582c22ba-d550-49c3-8674-4c7002de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:topic=\"finance\"", "veris:action:social:target=\"Finance\"", "misp-galaxy:threat-actor=\"Anunak\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--582c1529-6e5c-4306-b983-4713950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:13:29.000Z", "modified": "2016-11-16T08:13:29.000Z", "first_observed": "2016-11-16T08:13:29Z", "last_observed": "2016-11-16T08:13:29Z", "number_observed": 1, "object_refs": [ "url--582c1529-6e5c-4306-b983-4713950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--582c1529-6e5c-4306-b983-4713950d210f", "value": "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--582c153a-eff4-460a-a3da-4d39950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:13:46.000Z", "modified": "2016-11-16T08:13:46.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "In the last month Trustwave was engaged by two separate hospitality clients, and one restaurant chain for investigations by an unknown attacker or attackers. 
The modus operandi for all three investigations was very similar and appears to be a new Carbanak gang attack methodology, focused on the hospitality industry. Carbanak is a prolific crime group, well known for stealing over one billion dollars from banks in 2015 (*Kaspersky estimated loss) and more recently orchestrating an attack on the Oracle Micros POS support site that put over one million Point of Sale systems at risk. The current investigations are still underway but the known indicators of compromise in these new attacks will be presented below. At the time of investigation this malware was not correctly detected by any existing antivirus engines, and domains / IPs were not found in any commercial threat intelligence feeds.\r\n\r\nIt is also interesting to note that just during the time that it took to write this blog, Carbanak returned to their victims with significantly upgraded malware. This demonstrates the speed and versatility of this threat group. We have included analysis for two separate versions of AdobeUpdateManagementTool.vbs in this report. (The malware used following the initial infection) Version two arrived only two weeks after we began investigating this new campaign." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c1563-9db8-4af1-a2ec-40a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:14:27.000Z", "modified": "2016-11-16T08:14:27.000Z", "description": "adobeupdatemanagementtool.vbs version 1", "pattern": "[file:hashes.SHA1 = '8d7c90a699b4055e9c7db4571588c765c1cf2358']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:14:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c1563-f06c-4244-8e19-4ab8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:14:27.000Z", "modified": "2016-11-16T08:14:27.000Z", "description": "adobeupdatemanagementtool.vbs version 2", "pattern": "[file:hashes.SHA1 = 'a91416185d2565ce991fc2c0dd9591c71fd1f627']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:14:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c158d-bcc0-4c2d-b25b-4769950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:15:09.000Z", "modified": "2016-11-16T08:15:09.000Z", "description": "The malware contacts the following and may attempt to download doc", "pattern": "[url:value = 'http://revital-travel.com/cssSiteteTemplates']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:15:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", 
"misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c158d-6ae0-42c3-9011-45e6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:15:09.000Z", "modified": "2016-11-16T08:15:09.000Z", "description": "The malware contacts the following and may attempt to download doc", "pattern": "[url:value = 'http://juste-travel.com/cssSiteteTemplates']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:15:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c158e-88e8-4c6f-a769-4c69950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:15:10.000Z", "modified": "2016-11-16T08:15:10.000Z", "description": "The malware contacts the following and may attempt to download doc", "pattern": "[url:value = 'http://park-travels.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:15:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c15a4-c3e0-47d9-8f43-40a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:15:32.000Z", "modified": "2016-11-16T08:15:32.000Z", "description": "malware contacts the following and may attempt to download doc", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.99.14.211']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:15:32Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c15d0-28c8-486c-baaa-49dd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:16:16.000Z", "modified": "2016-11-16T08:16:16.000Z", "description": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '148.251.18.75']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:16:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c15d0-e134-4463-8db6-4f1e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:16:16.000Z", "modified": "2016-11-16T08:16:16.000Z", "description": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.46.221']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:16:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c15d1-a4ec-4994-9a07-4acc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:16:17.000Z", "modified": "2016-11-16T08:16:17.000Z", 
"description": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.46.229']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:16:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c15d1-5f90-45a9-a73e-41b1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:16:17.000Z", "modified": "2016-11-16T08:16:17.000Z", "description": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.46.234']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:16:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c15d2-081c-4dbc-bda4-44aa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:16:18.000Z", "modified": "2016-11-16T08:16:18.000Z", "description": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.17.28.124']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:16:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": 
[ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c160a-3bcc-4fc8-bf8a-458e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:17:14.000Z", "modified": "2016-11-16T08:17:14.000Z", "description": "The malware contacts the following and may attempt to download doc", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.46.249']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:17:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c160a-5114-4d1a-a92b-47e1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:17:14.000Z", "modified": "2016-11-16T08:17:14.000Z", "description": "The malware contacts the following and may attempt to download doc", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.43.133.34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:17:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c1643-a4e8-4892-afe1-42ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:18:11.000Z", "modified": "2016-11-16T08:18:11.000Z", "description": "el32.exe", "pattern": "[file:hashes.SHA1 = '83d0964f06e5f53d882f759e4933a6511730e07b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2016-11-16T08:18:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c1644-01f8-44d2-a18d-42a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:18:12.000Z", "modified": "2016-11-16T08:18:12.000Z", "description": "el64.exe", "pattern": "[file:hashes.SHA1 = 'cf5b30e6ada0d6ee7449d6bde9986a35df6f2986']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:18:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c166d-7980-406f-b221-49e5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:18:53.000Z", "modified": "2016-11-16T08:18:53.000Z", "description": "bf.exe - Second Stage \u2013 Carbanak / Anunak Malware", "pattern": "[file:hashes.SHA1 = '3d00602c98776e2ea5d64a78fc622c4ff08708e3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:18:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c168a-f448-4d62-9e2c-4a31950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:19:22.000Z", "modified": "2016-11-16T08:19:22.000Z", "description": "This malware provides the attacker remote command and control of the victim system via a multifunctional backdoor capability. 
It communicates via an encrypted tunnel on port 443 with the following IP addresses", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.45.179.173']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:19:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c168a-4264-473f-be7b-4bc7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T08:19:22.000Z", "modified": "2016-11-16T08:19:22.000Z", "description": "This malware provides the attacker remote command and control of the victim system via a multifunctional backdoor capability. It communicates via an encrypted tunnel on port 443 with the following IP addresses", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '92.215.45.94']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T08:19:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c22b6-69e8-42b7-a9f9-478302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:18.000Z", "modified": "2016-11-16T09:11:18.000Z", "description": "el64.exe - Xchecked via VT: cf5b30e6ada0d6ee7449d6bde9986a35df6f2986", "pattern": "[file:hashes.SHA256 = '6224efee6665118fe4b5bfbc0c4b1dbe611a43a4b385f61ae33b0a0af230da4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T09:11:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": 
[ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c22b7-3270-4537-bbcb-4a4902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:19.000Z", "modified": "2016-11-16T09:11:19.000Z", "description": "el64.exe - Xchecked via VT: cf5b30e6ada0d6ee7449d6bde9986a35df6f2986", "pattern": "[file:hashes.MD5 = '13a5fab598763ae4141955f2903d66f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T09:11:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--582c22b7-cd5c-4dbb-a339-426f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:19.000Z", "modified": "2016-11-16T09:11:19.000Z", "first_observed": "2016-11-16T09:11:19Z", "last_observed": "2016-11-16T09:11:19Z", "number_observed": 1, "object_refs": [ "url--582c22b7-cd5c-4dbb-a339-426f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--582c22b7-cd5c-4dbb-a339-426f02de0b81", "value": "https://www.virustotal.com/file/6224efee6665118fe4b5bfbc0c4b1dbe611a43a4b385f61ae33b0a0af230da4e/analysis/1476970935/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c22b8-b78c-4669-95fb-42eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:20.000Z", "modified": "2016-11-16T09:11:20.000Z", "description": "el32.exe - Xchecked via VT: 83d0964f06e5f53d882f759e4933a6511730e07b", "pattern": "[file:hashes.SHA256 = '91ff7b9c4cdcaa61b01f0783dacdbbed3f848fb01013c635bc9d87a85183ebc0']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2016-11-16T09:11:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c22b8-d530-4bca-a546-4ef102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:20.000Z", "modified": "2016-11-16T09:11:20.000Z", "description": "el32.exe - Xchecked via VT: 83d0964f06e5f53d882f759e4933a6511730e07b", "pattern": "[file:hashes.MD5 = '36f36696b948b550ad4afe4b0bc53fbd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T09:11:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--582c22b9-eec8-4e95-b73a-49dd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:21.000Z", "modified": "2016-11-16T09:11:21.000Z", "first_observed": "2016-11-16T09:11:21Z", "last_observed": "2016-11-16T09:11:21Z", "number_observed": 1, "object_refs": [ "url--582c22b9-eec8-4e95-b73a-49dd02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--582c22b9-eec8-4e95-b73a-49dd02de0b81", "value": "https://www.virustotal.com/file/91ff7b9c4cdcaa61b01f0783dacdbbed3f848fb01013c635bc9d87a85183ebc0/analysis/1477538068/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c22b9-3a70-475c-923d-473302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:21.000Z", "modified": "2016-11-16T09:11:21.000Z", "description": "adobeupdatemanagementtool.vbs version 1 - Xchecked via VT: 
8d7c90a699b4055e9c7db4571588c765c1cf2358", "pattern": "[file:hashes.SHA256 = '90ac49c60b5e0f76e87bd6f0062ea64b875bb571e226133bb681392b2151fb24']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T09:11:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582c22ba-b2b8-42cc-bfc1-4e9102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:22.000Z", "modified": "2016-11-16T09:11:22.000Z", "description": "adobeupdatemanagementtool.vbs version 1 - Xchecked via VT: 8d7c90a699b4055e9c7db4571588c765c1cf2358", "pattern": "[file:hashes.MD5 = '7a5fa7a9e9319e0871d2098a02f0bcfa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-16T09:11:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--582c22ba-d550-49c3-8674-4c7002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-16T09:11:22.000Z", "modified": "2016-11-16T09:11:22.000Z", "first_observed": "2016-11-16T09:11:22Z", "last_observed": "2016-11-16T09:11:22Z", "number_observed": 1, "object_refs": [ "url--582c22ba-d550-49c3-8674-4c7002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--582c22ba-d550-49c3-8674-4c7002de0b81", "value": "https://www.virustotal.com/file/90ac49c60b5e0f76e87bd6f0062ea64b875bb571e226133bb681392b2151fb24/analysis/1479214205/" }, { "type": "marking-definition", "spec_version": "2.1", "id": 
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }