{ "type": "bundle", "id": "bundle--5894f679-33c8-4642-8e51-8cd902de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:42:04.000Z", "modified": "2017-02-03T21:42:04.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5894f679-33c8-4642-8e51-8cd902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:42:04.000Z", "modified": "2017-02-03T21:42:04.000Z", "name": "OSINT - Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX", "published": "2017-02-03T21:42:45Z", "object_refs": [ "observed-data--5894f698-4df4-47de-b058-46c802de0b81", "url--5894f698-4df4-47de-b058-46c802de0b81", "x-misp-attribute--5894f6c6-9b98-41eb-b759-8c2302de0b81", "indicator--5894f6e9-7698-4db5-a2eb-0e7202de0b81", "indicator--5894f6ea-77c0-486b-8d81-0e7202de0b81", "indicator--5894f6eb-9078-49f1-b87a-0e7202de0b81", "indicator--5894f6ec-097c-4ee6-8414-0e7202de0b81", "indicator--5894f6f9-2cdc-41c8-ab62-0e7202de0b81", "indicator--5894f6f9-a598-441c-a2aa-0e7202de0b81", "indicator--5894f6fa-0710-41ae-9c18-0e7202de0b81", "indicator--5894f706-d434-43d7-9e92-7dba02de0b81", "indicator--5894f723-62b8-46b9-afb1-46f902de0b81", "indicator--5894f724-9ac4-45a9-a528-49d502de0b81", "indicator--5894f725-8180-42cc-984f-4bf402de0b81", "indicator--5894f725-24a0-42bc-8861-4c4e02de0b81", "indicator--5894f726-3c9c-4193-97b1-4aeb02de0b81", "indicator--5894f727-1fc0-4264-89e3-486002de0b81", "indicator--5894f727-35dc-4fd4-af4e-480702de0b81", "indicator--5894f728-2060-4201-bb24-445802de0b81", "indicator--5894f729-c338-490f-87b2-4c6f02de0b81", "indicator--5894f72a-8a18-4468-b070-45d802de0b81", "indicator--5894f72a-e3e4-4456-99ee-4c0b02de0b81", "indicator--5894f72b-b238-4c1f-bc46-493402de0b81", "indicator--5894f72c-24ec-4712-88ac-4db202de0b81", "indicator--5894f72d-7a14-48bb-b228-477a02de0b81", "indicator--5894f72d-e640-46be-87db-49f402de0b81", "indicator--5894f72e-a43c-407a-90dc-4c1002de0b81", "indicator--5894f73c-e224-4212-8b2a-451802de0b81", "indicator--5894f73d-5e10-469f-96a3-469e02de0b81", "indicator--5894f73d-256c-4459-9e24-474e02de0b81", "indicator--5894f74a-0890-451d-b6bc-4bfb02de0b81", "indicator--5894f74b-66dc-4ac3-90d3-40ed02de0b81", "indicator--5894f74c-b294-41b6-932a-4c8c02de0b81", "indicator--5894f75d-0acc-47e4-95c8-8cd702de0b81", "indicator--5894f75e-13d0-4093-8d7b-8cd702de0b81", "indicator--5894f76e-ebe4-4ea0-aea4-4fe002de0b81", "indicator--5894f76e-29f0-4a49-bdf5-44dd02de0b81", "x-misp-attribute--5894f78e-8c64-40bf-8132-8cd902de0b81", "indicator--5894f7a4-f394-4ffe-9c10-874d02de0b81", "indicator--5894f7a4-201c-49b5-b4f9-874d02de0b81", "observed-data--5894f7a5-f100-47d2-84f6-874d02de0b81", "url--5894f7a5-f100-47d2-84f6-874d02de0b81", "indicator--5894f7a6-0548-474e-9571-874d02de0b81", "indicator--5894f7a7-22f4-4785-87ce-874d02de0b81", "observed-data--5894f7a7-1b30-4134-a970-874d02de0b81", "url--5894f7a7-1b30-4134-a970-874d02de0b81", "indicator--5894f7a8-a7b8-4ba8-974b-874d02de0b81", "indicator--5894f7a9-6a58-4577-8ed7-874d02de0b81", "observed-data--5894f7aa-8818-40c8-816c-874d02de0b81", "url--5894f7aa-8818-40c8-816c-874d02de0b81", "indicator--5894f7ab-3024-4e0e-be6b-874d02de0b81", "indicator--5894f7ac-b12c-461e-9e7d-874d02de0b81", "observed-data--5894f7ac-767c-4d03-8433-874d02de0b81", "url--5894f7ac-767c-4d03-8433-874d02de0b81", "indicator--5894f7ad-b52c-4b44-b537-874d02de0b81", "indicator--5894f7ae-4d58-447b-8832-874d02de0b81", "observed-data--5894f7af-f3d0-48fd-b5da-874d02de0b81", "url--5894f7af-f3d0-48fd-b5da-874d02de0b81", "indicator--5894f7af-5cd4-48a3-aa87-874d02de0b81", "indicator--5894f7b0-cf18-49f4-bf02-874d02de0b81", "observed-data--5894f7b1-f3b4-46dc-bc97-874d02de0b81", "url--5894f7b1-f3b4-46dc-bc97-874d02de0b81", "indicator--5894f7b2-495c-4bb6-ae90-874d02de0b81", "indicator--5894f7b3-42e4-482d-bbdc-874d02de0b81", "observed-data--5894f7b3-5d58-4632-a725-874d02de0b81", "url--5894f7b3-5d58-4632-a725-874d02de0b81", "indicator--5894f7b4-399c-4bb3-9bc3-874d02de0b81", "indicator--5894f7b5-f100-42f2-8f76-874d02de0b81", "observed-data--5894f7b6-9ba4-4b30-9289-874d02de0b81", "url--5894f7b6-9ba4-4b30-9289-874d02de0b81", "indicator--5894f7b7-45e4-4820-95f9-874d02de0b81", "indicator--5894f7b7-4fec-43df-946b-874d02de0b81", "observed-data--5894f7b8-b570-45da-849c-874d02de0b81", "url--5894f7b8-b570-45da-849c-874d02de0b81", "indicator--5894f7b9-2e88-4ddc-80cc-874d02de0b81", "indicator--5894f7ba-6218-4476-8b6a-874d02de0b81", "observed-data--5894f7bb-4cc4-4cdb-af81-874d02de0b81", "url--5894f7bb-4cc4-4cdb-af81-874d02de0b81", "indicator--5894f7bb-8cd4-4351-87ea-874d02de0b81", "indicator--5894f7bc-f890-45eb-97c1-874d02de0b81", "observed-data--5894f7bd-267c-49fa-9bc8-874d02de0b81", "url--5894f7bd-267c-49fa-9bc8-874d02de0b81", "indicator--5894f7be-9a98-410c-89b1-874d02de0b81", "indicator--5894f7be-f7c8-49e9-b21b-874d02de0b81", "observed-data--5894f7bf-05a0-4442-a42c-874d02de0b81", "url--5894f7bf-05a0-4442-a42c-874d02de0b81", "indicator--5894f7c0-8550-4723-97db-874d02de0b81", "indicator--5894f7c1-0ac8-487d-8ce2-874d02de0b81", "observed-data--5894f7c1-3fd0-45f4-9dd3-874d02de0b81", "url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81", "indicator--5894f7c2-966c-4b2f-8bd8-874d02de0b81", "indicator--5894f7c3-0314-4673-86b4-874d02de0b81", "observed-data--5894f7c4-1b28-4ff0-98ea-874d02de0b81", "url--5894f7c4-1b28-4ff0-98ea-874d02de0b81", "indicator--5894f7c4-8ce0-4857-810d-874d02de0b81", "indicator--5894f7c5-95c8-4da7-8c5d-874d02de0b81", "observed-data--5894f7c6-d09c-4b4c-ad3b-874d02de0b81", "url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81", "indicator--5894f7c6-6274-4788-ab7c-874d02de0b81", "indicator--5894f7c7-073c-4308-a20e-874d02de0b81", "observed-data--5894f7c8-f694-487b-8647-874d02de0b81", "url--5894f7c8-f694-487b-8647-874d02de0b81", "indicator--5894f7c9-35bc-46bd-8b25-874d02de0b81", "indicator--5894f7ca-5fa4-4da5-a064-874d02de0b81", "observed-data--5894f7cb-6d18-4303-ac70-874d02de0b81", "url--5894f7cb-6d18-4303-ac70-874d02de0b81", "indicator--5894f7cc-0218-4f9d-bf11-874d02de0b81", "indicator--5894f7cd-6124-481c-a7a6-874d02de0b81", "observed-data--5894f7cd-b09c-43b5-976f-874d02de0b81", "url--5894f7cd-b09c-43b5-976f-874d02de0b81", "indicator--5894f7ce-f1fc-46b6-8ead-874d02de0b81", "indicator--5894f7cf-43bc-4b5f-a376-874d02de0b81", "observed-data--5894f7cf-fe64-4c55-a629-874d02de0b81", "url--5894f7cf-fe64-4c55-a629-874d02de0b81", "indicator--5894f7d0-7268-45dd-99ea-874d02de0b81", "indicator--5894f7d1-b6c4-46c5-b719-874d02de0b81", "observed-data--5894f7d2-da64-4b71-9c5f-874d02de0b81", "url--5894f7d2-da64-4b71-9c5f-874d02de0b81", "indicator--5894f7d3-69c0-40e2-985d-874d02de0b81", "indicator--5894f7d3-bd40-4342-a53f-874d02de0b81", "observed-data--5894f7d4-856c-4159-9e00-874d02de0b81", "url--5894f7d4-856c-4159-9e00-874d02de0b81", "indicator--5894f7d5-3984-430e-9e61-874d02de0b81", "indicator--5894f7d6-9608-4941-85f5-874d02de0b81", "observed-data--5894f7d6-8534-4c0f-b126-874d02de0b81", "url--5894f7d6-8534-4c0f-b126-874d02de0b81", "indicator--5894f7d7-e764-48d6-898c-874d02de0b81", "indicator--5894f7d8-7d10-403d-b3fa-874d02de0b81", "observed-data--5894f7d9-afd0-47c3-bfdf-874d02de0b81", "url--5894f7d9-afd0-47c3-bfdf-874d02de0b81", "observed-data--5894f8d2-d7e0-4225-834c-874d02de0b81", "url--5894f8d2-d7e0-4225-834c-874d02de0b81", "observed-data--5894f8d2-f494-476c-a034-874d02de0b81", "url--5894f8d2-f494-476c-a034-874d02de0b81", "observed-data--5894f8d3-6008-437d-bec0-874d02de0b81", "url--5894f8d3-6008-437d-bec0-874d02de0b81", "observed-data--5894f8d4-7700-4a87-8aa3-874d02de0b81", "url--5894f8d4-7700-4a87-8aa3-874d02de0b81", "observed-data--5894f8d5-a2c4-41d4-b4b7-874d02de0b81", "url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:tool=\"PlugX\"", "misp-galaxy:tool=\"ZeroT\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f698-4df4-47de-b058-46c802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:31:25.000Z", "modified": "2017-02-03T21:31:25.000Z", "first_observed": "2017-02-03T21:31:25Z", "last_observed": "2017-02-03T21:31:25Z", "number_observed": 1, "object_refs": [ "url--5894f698-4df4-47de-b058-46c802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"b\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f698-4df4-47de-b058-46c802de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5894f6c6-9b98-41eb-b759-8c2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:31:50.000Z", "modified": "2017-02-03T21:31:50.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Although state-sponsored attacks against the United States by Chinese threat actors have decreased dramatically since the signing of the US-China Cyber Agreement in 2016, Proofpoint researchers have continued to observe advanced persistent threat (APT) activity associated with Chinese actors targeting other regions. We have previously written about related activity [2][3] in which a particular China-based attack group used PlugX and NetTraveler Trojans for espionage in Europe, Russia, Mongolia, Belarus, and other neighboring countries. Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.\r\n\r\nThis blog details the function of the new malware, provides delivery details for elements of the APT activity, and describes additional changes in tactics, techniques, and procedures (TTPs) associated with this group." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f6e9-7698-4db5-a2eb-0e7202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:32:25.000Z", "modified": "2017-02-03T21:32:25.000Z", "description": "RAR / 7-Zip archives", "pattern": "[file:hashes.SHA256 = '38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:32:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f6ea-77c0-486b-8d81-0e7202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:32:26.000Z", "modified": "2017-02-03T21:32:26.000Z", "description": "RAR / 7-Zip archives", "pattern": "[file:hashes.SHA256 = 'ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:32:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f6eb-9078-49f1-b87a-0e7202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:32:27.000Z", "modified": "2017-02-03T21:32:27.000Z", "description": "RAR / 7-Zip archives", "pattern": "[file:hashes.SHA256 = 'ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:32:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f6ec-097c-4ee6-8414-0e7202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:32:28.000Z", "modified": "2017-02-03T21:32:28.000Z", "description": "RAR / 7-Zip archives", "pattern": "[file:hashes.SHA256 = 'f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:32:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f6f9-2cdc-41c8-ab62-0e7202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:32:41.000Z", "modified": "2017-02-03T21:32:41.000Z", "description": "CHM droppers", "pattern": "[file:hashes.SHA256 = '4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:32:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f6f9-a598-441c-a2aa-0e7202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:32:41.000Z", "modified": "2017-02-03T21:32:41.000Z", "description": "CHM droppers", "pattern": "[file:hashes.SHA256 = 'ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:32:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f6fa-0710-41ae-9c18-0e7202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:32:42.000Z", "modified": "2017-02-03T21:32:42.000Z", "description": "CHM droppers", "pattern": "[file:hashes.SHA256 = '74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:32:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f706-d434-43d7-9e92-7dba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:32:54.000Z", "modified": "2017-02-03T21:32:54.000Z", "description": "Word Exploit documents", "pattern": "[file:hashes.SHA256 = '9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:32:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f723-62b8-46b9-afb1-46f902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:23.000Z", "modified": "2017-02-03T21:33:23.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = '09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f724-9ac4-45a9-a528-49d502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:24.000Z", "modified": "2017-02-03T21:33:24.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = '1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f725-8180-42cc-984f-4bf402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:25.000Z", "modified": "2017-02-03T21:33:25.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = '399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f725-24a0-42bc-8861-4c4e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:25.000Z", "modified": "2017-02-03T21:33:25.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = '3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f726-3c9c-4193-97b1-4aeb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:26.000Z", "modified": "2017-02-03T21:33:26.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = '67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f727-1fc0-4264-89e3-486002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:27.000Z", "modified": "2017-02-03T21:33:27.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = '74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f727-35dc-4fd4-af4e-480702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:27.000Z", "modified": "2017-02-03T21:33:27.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f728-2060-4201-bb24-445802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:28.000Z", "modified": "2017-02-03T21:33:28.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f729-c338-490f-87b2-4c6f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:29.000Z", "modified": "2017-02-03T21:33:29.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f72a-8a18-4468-b070-45d802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:30.000Z", "modified": "2017-02-03T21:33:30.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f72a-e3e4-4456-99ee-4c0b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:30.000Z", "modified": "2017-02-03T21:33:30.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f72b-b238-4c1f-bc46-493402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:31.000Z", "modified": "2017-02-03T21:33:31.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f72c-24ec-4712-88ac-4db202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:32.000Z", "modified": "2017-02-03T21:33:32.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'c5d022f0815aeaa27afb8f1efbce2771d95914be881d288b0841713dbbbeda1a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f72d-7a14-48bb-b228-477a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:33.000Z", "modified": "2017-02-03T21:33:33.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'd1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f72d-e640-46be-87db-49f402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:33.000Z", "modified": "2017-02-03T21:33:33.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = 'fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f72e-a43c-407a-90dc-4c1002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:34.000Z", "modified": "2017-02-03T21:33:34.000Z", "description": "ZeroT", "pattern": "[file:hashes.SHA256 = '97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f73c-e224-4212-8b2a-451802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:48.000Z", "modified": "2017-02-03T21:33:48.000Z", "description": "PlugX", "pattern": "[file:hashes.SHA256 = 'b185401a8562614ef42a84bc29f6c21aca31b7811c2c0e680f455b061229a77f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f73d-5e10-469f-96a3-469e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:49.000Z", "modified": "2017-02-03T21:33:49.000Z", "description": "PlugX", "pattern": "[file:hashes.SHA256 = '3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f73d-256c-4459-9e24-474e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:33:49.000Z", "modified": "2017-02-03T21:33:49.000Z", "description": "PlugX", "pattern": "[file:hashes.SHA256 = '07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:33:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f74a-0890-451d-b6bc-4bfb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:34:02.000Z", "modified": "2017-02-03T21:34:02.000Z", "description": "ZeroT C&C", "pattern": "[domain-name:value = 'www.tassnews.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:34:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f74b-66dc-4ac3-90d3-40ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:34:03.000Z", "modified": "2017-02-03T21:34:03.000Z", "description": "ZeroT C&C", "pattern": "[domain-name:value = 'www.versig.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:34:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f74c-b294-41b6-932a-4c8c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:34:04.000Z", "modified": "2017-02-03T21:34:04.000Z", "description": "ZeroT C&C", "pattern": "[domain-name:value = 'www.riaru.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:34:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f75d-0acc-47e4-95c8-8cd702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:34:21.000Z", "modified": "2017-02-03T21:34:21.000Z", "description": "PlugX C&C", "pattern": "[domain-name:value = 'www.micrnet.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:34:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f75e-13d0-4093-8d7b-8cd702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:34:22.000Z", "modified": "2017-02-03T21:34:22.000Z", "description": "PlugX C&C", "pattern": "[domain-name:value = 'www.dicemention.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:34:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f76e-ebe4-4ea0-aea4-4fe002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:34:38.000Z", "modified": "2017-02-03T21:34:38.000Z", "description": "Likely Related C&C", "pattern": "[domain-name:value = 'www.rumiany.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:34:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f76e-29f0-4a49-bdf5-44dd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:34:38.000Z", "modified": "2017-02-03T21:34:38.000Z", "description": "Likely Related C&C", "pattern": "[domain-name:value = 'www.yandcx.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:34:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5894f78e-8c64-40bf-8132-8cd902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:10.000Z", "modified": "2017-02-03T21:35:10.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Appendix A: Example PlugX Configuration\r\n\r\nSample hash: 07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67\r\n\r\nPlugX Config (0x36a4 bytes):\r\n\r\n Hide Dll: 0\r\n\r\n Keylogger: -1\r\n\r\n Sleep1: 167772160\r\n\r\n Sleep2: 0\r\n\r\n Cnc: www.micrnet[.]net:80 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:80 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:80 (UDP)\r\n\r\n Cnc: www.micrnet[.]net:443 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:443 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:443 (UDP)\r\n\r\n Cnc: www.micrnet[.]net:53 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:53 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:53 (UDP)\r\n\r\n Persistence: Run key\r\n\r\n Install Folder: %AUTO%\\TCMyXfeFAd\r\n\r\n Service Name: pQwEPnz\r\n\r\n Service Display Name: pQwEPnz\r\n\r\n Service Des%WINDIR%\\pQwEPnz Service\r\n\r\n Reg Hive: HKCU\r\n\r\n Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n Reg Value: mJqyCsNGBsge\r\n\r\n Injection: 1\r\n\r\n Inject Process: %windir%\\explorer.exe\r\n\r\n Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n\r\n Inject Process: %windir%\\system32\\svchost.exe\r\n\r\n Uac Bypass Injection: 1\r\n\r\n Uac Bypass Inject: %windir%\\explorer.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n\r\n Plugx Auth Str: TEST\r\n\r\n Cnc Auth Str: DuICS\r\n\r\n Mutex: Global\\WtMKAPYYxoWMoWW\r\n\r\n Screenshots: 0\r\n\r\n Screenshots Sec: 10\r\n\r\n Screenshots Zoom: 50\r\n\r\n Screenshots Bits: 16\r\n\r\n Screenshots Qual: 50\r\n\r\n Screenshots Keep: 3\r\n\r\n Screenshot Folder: %AUTO%\\FS\\screen\r\n\r\n Enable Tcp P2P: 1\r\n\r\n Tcp P2P Port: 1357\r\n\r\n Enable Udp P2P: 1\r\n\r\n Udp P2P Port: 1357\r\n\r\n Enable Icmp P2P: 1\r\n\r\n Icmp P2P Port: 1357\r\n\r\n Enable Ipproto P2P: 1\r\n\r\n Ipproto P2P Port: 1357\r\n\r\n Enable P2P Scan: 1\r\n\r\n P2P Start Scan1: 0.0.0.0\r\n\r\n P2P Start Scan2: 0.0.0.0\r\n\r\n P2P Start Scan3: 0.0.0.0\r\n\r\n P2P Start Scan4: 0.0.0.0\r\n\r\n P2P End Scan1: 0.0.0.0\r\n\r\n P2P End Scan2: 0.0.0.0\r\n\r\n P2P End Scan3: 0.0.0.0\r\n\r\n P2P End Scan4: 0.0.0.0\r\n\r\n Mac Disable: 00:00:00:00:00:00\r\n\r\nAppendix B: Example PlugX Configuration\r\n\r\nSample hash: 3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa\r\n\r\nProcess: fsguidll.exe (3980)\r\n\r\nPlugX Config (0x36a4 bytes):\r\n\r\n Hide Dll: 0\r\n\r\n Keylogger: -1\r\n\r\n Sleep1: 167772160\r\n\r\n Sleep2: 0\r\n\r\n Cnc: www.dicemention[.]com:80 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:443 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:25 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:80 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:443 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:25 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:80 (UDP)\r\n\r\n Cnc: www.dicemention[.]com:443 (UDP)\r\n\r\n Cnc: www.dicemention[.]com:25 (UDP)\r\n\r\n Persistence: Service + Run Key\r\n\r\n Install Folder: %AUTO%\\IZBpIciif\r\n\r\n Service Name: yAjUgUdMGHuvGaZ\r\n\r\n Service Display Name: yAjUgUdMGHuvGaZ\r\n\r\n Service Des%WINDIR%\\yAjUgUdMGHuvGaZ Service\r\n\r\n Reg Hive: HKCU\r\n\r\n Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n Reg Value: RqdFqFSYaBx\r\n\r\n Injection: 1\r\n\r\n Inject Process: %windir%\\system32\\svchost.exe\r\n\r\n Inject Process: %windir%\\explorer.exe\r\n\r\n Inject Process: %ProgramFiles%\\Internet Explorer\\iexplore.exe\r\n\r\n Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n\r\n Uac Bypass Injection: 1\r\n\r\n Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n\r\n Uac Bypass Inject: %windir%\\explorer.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n\r\n Plugx Auth Str: TEST\r\n\r\n Cnc Auth Str: NBz\r\n\r\n Mutex: Global\\ksMoQGOTIBJXumYclXtcsAnx\r\n\r\n Screenshots: 0\r\n\r\n Screenshots Sec: 10\r\n\r\n Screenshots Zoom: 50\r\n\r\n Screenshots Bits: 16\r\n\r\n Screenshots Qual: 50\r\n\r\n Screenshots Keep: 3\r\n\r\n Screenshot Folder: %AUTO%\\FS\\screen\r\n\r\n Enable Tcp P2P: 1\r\n\r\n Tcp P2P Port: 1357\r\n\r\n Enable Udp P2P: 1\r\n\r\n Udp P2P Port: 1357\r\n\r\n Enable Icmp P2P: 1\r\n\r\n Icmp P2P Port: 1357\r\n\r\n Enable Ipproto P2P: 1\r\n\r\n Ipproto P2P Port: 1357\r\n\r\n Enable P2P Scan: 1\r\n\r\n P2P Start Scan1: 0.0.0.0\r\n\r\n P2P Start Scan2: 0.0.0.0\r\n\r\n P2P Start Scan3: 0.0.0.0\r\n\r\n P2P Start Scan4: 0.0.0.0\r\n\r\n P2P End Scan1: 0.0.0.0\r\n\r\n P2P End Scan2: 0.0.0.0\r\n\r\n P2P End Scan3: 0.0.0.0\r\n\r\n P2P End Scan4: 0.0.0.0\r\n\r\n Mac Disable: 00:00:00:00:00:00" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7a4-f394-4ffe-9c10-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:31.000Z", "modified": "2017-02-03T21:35:31.000Z", "description": "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4", "pattern": "[file:hashes.SHA1 = 'ddd643d447e6ff3af7298c2a1858b52f86fcd0ef']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7a4-201c-49b5-b4f9-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:32.000Z", "modified": "2017-02-03T21:35:32.000Z", "description": "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4", "pattern": "[file:hashes.MD5 = 'c7a4292834dd2f75577af3a1fcaaf7b4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7a5-f100-47d2-84f6-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:33.000Z", "modified": "2017-02-03T21:35:33.000Z", "first_observed": "2017-02-03T21:35:33Z", "last_observed": "2017-02-03T21:35:33Z", "number_observed": 1, "object_refs": [ "url--5894f7a5-f100-47d2-84f6-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7a5-f100-47d2-84f6-874d02de0b81", "value": "https://www.virustotal.com/file/97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4/analysis/1481642491/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7a6-0548-474e-9571-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:34.000Z", "modified": "2017-02-03T21:35:34.000Z", "description": "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478", "pattern": "[file:hashes.SHA1 = '4b7088444def62d77c00efd11c3a16e0f26c54c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7a7-22f4-4785-87ce-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:35.000Z", "modified": "2017-02-03T21:35:35.000Z", "description": "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478", "pattern": "[file:hashes.MD5 = '0892d0e0cf63d50a8ea8d55baea4ea33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7a7-1b30-4134-a970-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:35.000Z", "modified": "2017-02-03T21:35:35.000Z", "first_observed": "2017-02-03T21:35:35Z", "last_observed": "2017-02-03T21:35:35Z", "number_observed": 1, "object_refs": [ "url--5894f7a7-1b30-4134-a970-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7a7-1b30-4134-a970-874d02de0b81", "value": "https://www.virustotal.com/file/fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478/analysis/1469547952/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7a8-a7b8-4ba8-974b-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:36.000Z", "modified": "2017-02-03T21:35:36.000Z", "description": "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375", "pattern": "[file:hashes.SHA1 = 'fd33857fdc9f88c258920a1d53bfcd5f79ecabb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7a9-6a58-4577-8ed7-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:37.000Z", "modified": "2017-02-03T21:35:37.000Z", "description": "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375", "pattern": "[file:hashes.MD5 = '0b227712315620cd737809f288a32f2b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7aa-8818-40c8-816c-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:38.000Z", "modified": "2017-02-03T21:35:38.000Z", "first_observed": "2017-02-03T21:35:38Z", "last_observed": "2017-02-03T21:35:38Z", "number_observed": 1, "object_refs": [ "url--5894f7aa-8818-40c8-816c-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7aa-8818-40c8-816c-874d02de0b81", "value": "https://www.virustotal.com/file/d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375/analysis/1479838803/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7ab-3024-4e0e-be6b-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:39.000Z", "modified": "2017-02-03T21:35:39.000Z", "description": "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d", "pattern": "[file:hashes.SHA1 = 'f4425e0a543e3efda38378c0884d8e2200d2821a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7ac-b12c-461e-9e7d-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:40.000Z", "modified": "2017-02-03T21:35:40.000Z", "description": "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d", "pattern": "[file:hashes.MD5 = '0530c718660fa2d1b4679570c7d0ae97']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7ac-767c-4d03-8433-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:40.000Z", "modified": "2017-02-03T21:35:40.000Z", "first_observed": "2017-02-03T21:35:40Z", "last_observed": "2017-02-03T21:35:40Z", "number_observed": 1, "object_refs": [ "url--5894f7ac-767c-4d03-8433-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7ac-767c-4d03-8433-874d02de0b81", "value": "https://www.virustotal.com/file/c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d/analysis/1477322459/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7ad-b52c-4b44-b537-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:41.000Z", "modified": "2017-02-03T21:35:41.000Z", "description": "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8", "pattern": "[file:hashes.SHA1 = '935d02e4e5077c14df649b9887722b9cddcca4b7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7ae-4d58-447b-8832-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:42.000Z", "modified": "2017-02-03T21:35:42.000Z", "description": "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8", "pattern": "[file:hashes.MD5 = 'b1b4b54dfa4b57885a74ef1c4a7cb6d6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7af-f3d0-48fd-b5da-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:43.000Z", "modified": "2017-02-03T21:35:43.000Z", "first_observed": "2017-02-03T21:35:43Z", "last_observed": "2017-02-03T21:35:43Z", "number_observed": 1, "object_refs": [ "url--5894f7af-f3d0-48fd-b5da-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7af-f3d0-48fd-b5da-874d02de0b81", "value": "https://www.virustotal.com/file/b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8/analysis/1486130149/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7af-5cd4-48a3-aa87-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:43.000Z", "modified": "2017-02-03T21:35:43.000Z", "description": "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267", "pattern": "[file:hashes.SHA1 = '16ca9dc8a8d35f4e7cbbeda2bf337e8e1c9b7a1f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7b0-cf18-49f4-bf02-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:44.000Z", "modified": "2017-02-03T21:35:44.000Z", "description": "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267", "pattern": "[file:hashes.MD5 = 'df2a485a3eb76b3243ce7d25b5893b40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7b1-f3b4-46dc-bc97-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:45.000Z", "modified": "2017-02-03T21:35:45.000Z", "first_observed": "2017-02-03T21:35:45Z", "last_observed": "2017-02-03T21:35:45Z", "number_observed": 1, "object_refs": [ "url--5894f7b1-f3b4-46dc-bc97-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7b1-f3b4-46dc-bc97-874d02de0b81", "value": "https://www.virustotal.com/file/aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267/analysis/1476267631/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7b2-495c-4bb6-ae90-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:46.000Z", "modified": "2017-02-03T21:35:46.000Z", "description": "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8", "pattern": "[file:hashes.SHA1 = 'e06fce249eefd4c65b57e2dd1300b0e40d417563']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7b3-42e4-482d-bbdc-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:47.000Z", "modified": "2017-02-03T21:35:47.000Z", "description": "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8", "pattern": "[file:hashes.MD5 = 'aea45c19234d85f31881eddd24dfe88f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7b3-5d58-4632-a725-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:47.000Z", "modified": "2017-02-03T21:35:47.000Z", "first_observed": "2017-02-03T21:35:47Z", "last_observed": "2017-02-03T21:35:47Z", "number_observed": 1, "object_refs": [ "url--5894f7b3-5d58-4632-a725-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7b3-5d58-4632-a725-874d02de0b81", "value": "https://www.virustotal.com/file/a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8/analysis/1486145225/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7b4-399c-4bb3-9bc3-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:48.000Z", "modified": "2017-02-03T21:35:48.000Z", "description": "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0", "pattern": "[file:hashes.SHA1 = 'ae4cf0457505fb774df04d7ba2f8fc1c891328a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7b5-f100-42f2-8f76-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:49.000Z", "modified": "2017-02-03T21:35:49.000Z", "description": "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0", "pattern": "[file:hashes.MD5 = 'a3c41c9cace716707c629dc8087af371']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7b6-9ba4-4b30-9289-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:50.000Z", "modified": "2017-02-03T21:35:50.000Z", "first_observed": "2017-02-03T21:35:50Z", "last_observed": "2017-02-03T21:35:50Z", "number_observed": 1, "object_refs": [ "url--5894f7b6-9ba4-4b30-9289-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7b6-9ba4-4b30-9289-874d02de0b81", "value": "https://www.virustotal.com/file/a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0/analysis/1486130149/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7b7-45e4-4820-95f9-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:51.000Z", "modified": "2017-02-03T21:35:51.000Z", "description": "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3", "pattern": "[file:hashes.SHA1 = 'b6718ed9a64857e13b2894f5c50669a4306195ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7b7-4fec-43df-946b-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:51.000Z", "modified": "2017-02-03T21:35:51.000Z", "description": "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3", "pattern": "[file:hashes.MD5 = '4a49a5358e6841ba625956fac62483ca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7b8-b570-45da-849c-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:52.000Z", "modified": "2017-02-03T21:35:52.000Z", "first_observed": "2017-02-03T21:35:52Z", "last_observed": "2017-02-03T21:35:52Z", "number_observed": 1, "object_refs": [ "url--5894f7b8-b570-45da-849c-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7b8-b570-45da-849c-874d02de0b81", "value": "https://www.virustotal.com/file/a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3/analysis/1486130148/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7b9-2e88-4ddc-80cc-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:53.000Z", "modified": "2017-02-03T21:35:53.000Z", "description": "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df", "pattern": "[file:hashes.SHA1 = 'b66c11c8ecd3d5c064f7ada4e84e50ef0f4f6b4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7ba-6218-4476-8b6a-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:54.000Z", "modified": "2017-02-03T21:35:54.000Z", "description": "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df", "pattern": "[file:hashes.MD5 = '3cff0e45be3bc3d8904151499da5a354']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7bb-4cc4-4cdb-af81-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:55.000Z", "modified": "2017-02-03T21:35:55.000Z", "first_observed": "2017-02-03T21:35:55Z", "last_observed": "2017-02-03T21:35:55Z", "number_observed": 1, "object_refs": [ "url--5894f7bb-4cc4-4cdb-af81-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7bb-4cc4-4cdb-af81-874d02de0b81", "value": "https://www.virustotal.com/file/74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df/analysis/1486130147/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7bb-8cd4-4351-87ea-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:55.000Z", "modified": "2017-02-03T21:35:55.000Z", "description": "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b", "pattern": "[file:hashes.SHA1 = '39094640c5d3eb6d2b43282d724d792c81706a20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7bc-f890-45eb-97c1-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:56.000Z", "modified": "2017-02-03T21:35:56.000Z", "description": "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b", "pattern": "[file:hashes.MD5 = 'b0b7e48f76bf7cabd46bd23be6a044c3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7bd-267c-49fa-9bc8-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:57.000Z", "modified": "2017-02-03T21:35:57.000Z", "first_observed": "2017-02-03T21:35:57Z", "last_observed": "2017-02-03T21:35:57Z", "number_observed": 1, "object_refs": [ "url--5894f7bd-267c-49fa-9bc8-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7bd-267c-49fa-9bc8-874d02de0b81", "value": "https://www.virustotal.com/file/67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b/analysis/1486130147/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7be-9a98-410c-89b1-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:58.000Z", "modified": "2017-02-03T21:35:58.000Z", "description": "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425", "pattern": "[file:hashes.SHA1 = '462e09c090d48fe4c7d9c5bab37666cb25a787f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7be-f7c8-49e9-b21b-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:58.000Z", "modified": "2017-02-03T21:35:58.000Z", "description": "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425", "pattern": "[file:hashes.MD5 = 'f973c23d96ff11b593068b06c727a94c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:35:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7bf-05a0-4442-a42c-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:35:59.000Z", "modified": "2017-02-03T21:35:59.000Z", "first_observed": "2017-02-03T21:35:59Z", "last_observed": "2017-02-03T21:35:59Z", "number_observed": 1, "object_refs": [ "url--5894f7bf-05a0-4442-a42c-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7bf-05a0-4442-a42c-874d02de0b81", "value": "https://www.virustotal.com/file/3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425/analysis/1486130147/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c0-8550-4723-97db-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:00.000Z", "modified": "2017-02-03T21:36:00.000Z", "description": "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343", "pattern": "[file:hashes.SHA1 = '15f5f735dd60d295b826c0bebfca9625ffce725d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c1-0ac8-487d-8ce2-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:01.000Z", "modified": "2017-02-03T21:36:01.000Z", "description": "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343", "pattern": "[file:hashes.MD5 = '4abb9a2b65ecd19b952e7b5ea0c2a854']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7c1-3fd0-45f4-9dd3-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:01.000Z", "modified": "2017-02-03T21:36:01.000Z", "first_observed": "2017-02-03T21:36:01Z", "last_observed": "2017-02-03T21:36:01Z", "number_observed": 1, "object_refs": [ "url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81", "value": "https://www.virustotal.com/file/399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343/analysis/1486130147/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c2-966c-4b2f-8bd8-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:02.000Z", "modified": "2017-02-03T21:36:02.000Z", "description": "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4", "pattern": "[file:hashes.SHA1 = 'c15b209a8fcdc8a6c2b8fbc9eadc7a641cc771c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c3-0314-4673-86b4-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:03.000Z", "modified": "2017-02-03T21:36:03.000Z", "description": "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4", "pattern": "[file:hashes.MD5 = '25b30aa5ab498408d46c1042f121df3f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7c4-1b28-4ff0-98ea-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:04.000Z", "modified": "2017-02-03T21:36:04.000Z", "first_observed": "2017-02-03T21:36:04Z", "last_observed": "2017-02-03T21:36:04Z", "number_observed": 1, "object_refs": [ "url--5894f7c4-1b28-4ff0-98ea-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7c4-1b28-4ff0-98ea-874d02de0b81", "value": "https://www.virustotal.com/file/1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4/analysis/1486130146/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c4-8ce0-4857-810d-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:04.000Z", "modified": "2017-02-03T21:36:04.000Z", "description": "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0", "pattern": "[file:hashes.SHA1 = '1b86e4ead3ac8421ac83d9a39412f07706b6dd2e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c5-95c8-4da7-8c5d-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:05.000Z", "modified": "2017-02-03T21:36:05.000Z", "description": "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0", "pattern": "[file:hashes.MD5 = '47ff1d275bd63bb2e0b4820b121485c3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7c6-d09c-4b4c-ad3b-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:06.000Z", "modified": "2017-02-03T21:36:06.000Z", "first_observed": "2017-02-03T21:36:06Z", "last_observed": "2017-02-03T21:36:06Z", "number_observed": 1, "object_refs": [ "url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81", "value": "https://www.virustotal.com/file/09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0/analysis/1486130146/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c6-6274-4788-ab7c-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:06.000Z", "modified": "2017-02-03T21:36:06.000Z", "description": "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58", "pattern": "[file:hashes.SHA1 = '74f4086f2d93b8f40b8a011c10b8c26da7f35eb2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c7-073c-4308-a20e-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:07.000Z", "modified": "2017-02-03T21:36:07.000Z", "description": "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58", "pattern": "[file:hashes.MD5 = '970369ddf7ffff8806aea81b1093a06a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7c8-f694-487b-8647-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:08.000Z", "modified": "2017-02-03T21:36:08.000Z", "first_observed": "2017-02-03T21:36:08Z", "last_observed": "2017-02-03T21:36:08Z", "number_observed": 1, "object_refs": [ "url--5894f7c8-f694-487b-8647-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7c8-f694-487b-8647-874d02de0b81", "value": "https://www.virustotal.com/file/9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58/analysis/1482473568/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7c9-35bc-46bd-8b25-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:09.000Z", "modified": "2017-02-03T21:36:09.000Z", "description": "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d", "pattern": "[file:hashes.SHA1 = 'd6ab70f6a889077a28c5f4a7dae096e223759ebf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7ca-5fa4-4da5-a064-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:10.000Z", "modified": "2017-02-03T21:36:10.000Z", "description": "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d", "pattern": "[file:hashes.MD5 = 'da00090169a373606ef0707ea45cefa9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7cb-6d18-4303-ac70-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:11.000Z", "modified": "2017-02-03T21:36:11.000Z", "first_observed": "2017-02-03T21:36:11Z", "last_observed": "2017-02-03T21:36:11Z", "number_observed": 1, "object_refs": [ "url--5894f7cb-6d18-4303-ac70-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7cb-6d18-4303-ac70-874d02de0b81", "value": "https://www.virustotal.com/file/74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d/analysis/1481628229/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7cc-0218-4f9d-bf11-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:12.000Z", "modified": "2017-02-03T21:36:12.000Z", "description": "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2", "pattern": "[file:hashes.SHA1 = '65913c8ea66b1c7a516e52f3ce5d33e1fc36ae66']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7cd-6124-481c-a7a6-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:13.000Z", "modified": "2017-02-03T21:36:13.000Z", "description": "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2", "pattern": "[file:hashes.MD5 = 'e899619a5b12b9d90d07b87128a1430c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7cd-b09c-43b5-976f-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:13.000Z", "modified": "2017-02-03T21:36:13.000Z", "first_observed": "2017-02-03T21:36:13Z", "last_observed": "2017-02-03T21:36:13Z", "number_observed": 1, "object_refs": [ "url--5894f7cd-b09c-43b5-976f-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7cd-b09c-43b5-976f-874d02de0b81", "value": "https://www.virustotal.com/file/ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2/analysis/1477566896/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7ce-f1fc-46b6-8ead-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:14.000Z", "modified": "2017-02-03T21:36:14.000Z", "description": "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff", "pattern": "[file:hashes.SHA1 = '0a48de42d2ba2f3c9536c7646eeeb8e279e25cfd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7cf-43bc-4b5f-a376-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:15.000Z", "modified": "2017-02-03T21:36:15.000Z", "description": "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff", "pattern": "[file:hashes.MD5 = '2d9a3057512a6bca6aeecd124068471f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7cf-fe64-4c55-a629-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:15.000Z", "modified": "2017-02-03T21:36:15.000Z", "first_observed": "2017-02-03T21:36:15Z", "last_observed": "2017-02-03T21:36:15Z", "number_observed": 1, "object_refs": [ "url--5894f7cf-fe64-4c55-a629-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7cf-fe64-4c55-a629-874d02de0b81", "value": "https://www.virustotal.com/file/4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff/analysis/1486130147/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7d0-7268-45dd-99ea-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:16.000Z", "modified": "2017-02-03T21:36:16.000Z", "description": "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168", "pattern": "[file:hashes.SHA1 = 'b005a426a17d32694c9cf224350e72a777d7d62c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7d1-b6c4-46c5-b719-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:17.000Z", "modified": "2017-02-03T21:36:17.000Z", "description": "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168", "pattern": "[file:hashes.MD5 = 'bc96303c24aaa86c8acfbf2162b43e90']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7d2-da64-4b71-9c5f-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:18.000Z", "modified": "2017-02-03T21:36:18.000Z", "first_observed": "2017-02-03T21:36:18Z", "last_observed": "2017-02-03T21:36:18Z", "number_observed": 1, "object_refs": [ "url--5894f7d2-da64-4b71-9c5f-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7d2-da64-4b71-9c5f-874d02de0b81", "value": "https://www.virustotal.com/file/f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168/analysis/1486130146/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7d3-69c0-40e2-985d-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:19.000Z", "modified": "2017-02-03T21:36:19.000Z", "description": "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462", "pattern": "[file:hashes.SHA1 = '83f57b2910627cba851b01be3b4c316873252e73']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7d3-bd40-4342-a53f-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:19.000Z", "modified": "2017-02-03T21:36:19.000Z", "description": "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462", "pattern": "[file:hashes.MD5 = '55fd25ef423da52ba60b76a27650f485']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7d4-856c-4159-9e00-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:20.000Z", "modified": "2017-02-03T21:36:20.000Z", "first_observed": "2017-02-03T21:36:20Z", "last_observed": "2017-02-03T21:36:20Z", "number_observed": 1, "object_refs": [ "url--5894f7d4-856c-4159-9e00-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7d4-856c-4159-9e00-874d02de0b81", "value": "https://www.virustotal.com/file/ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462/analysis/1486130151/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7d5-3984-430e-9e61-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:21.000Z", "modified": "2017-02-03T21:36:21.000Z", "description": "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097", "pattern": "[file:hashes.SHA1 = 'cdc08d31a935e66e5ae6a3ba2b39cd2f506cc8fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7d6-9608-4941-85f5-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:22.000Z", "modified": "2017-02-03T21:36:22.000Z", "description": "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097", "pattern": "[file:hashes.MD5 = '2be3003e464b3e56bc678cd182aac73d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7d6-8534-4c0f-b126-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:22.000Z", "modified": "2017-02-03T21:36:22.000Z", "first_observed": "2017-02-03T21:36:22Z", "last_observed": "2017-02-03T21:36:22Z", "number_observed": 1, "object_refs": [ "url--5894f7d6-8534-4c0f-b126-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7d6-8534-4c0f-b126-874d02de0b81", "value": "https://www.virustotal.com/file/ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097/analysis/1486130150/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7d7-e764-48d6-898c-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:23.000Z", "modified": "2017-02-03T21:36:23.000Z", "description": "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf", "pattern": "[file:hashes.SHA1 = 'b35fc02b19f331f78e83d44b40116a2bf6f1252e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5894f7d8-7d10-403d-b3fa-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:24.000Z", "modified": "2017-02-03T21:36:24.000Z", "description": "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf", "pattern": "[file:hashes.MD5 = '4fa0bff0626ebe8253c04fd33462b5fc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-03T21:36:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f7d9-afd0-47c3-bfdf-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:36:25.000Z", "modified": "2017-02-03T21:36:25.000Z", "first_observed": "2017-02-03T21:36:25Z", "last_observed": "2017-02-03T21:36:25Z", "number_observed": 1, "object_refs": [ "url--5894f7d9-afd0-47c3-bfdf-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f7d9-afd0-47c3-bfdf-874d02de0b81", "value": "https://www.virustotal.com/file/38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf/analysis/1486130150/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f8d2-d7e0-4225-834c-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:40:34.000Z", "modified": "2017-02-03T21:40:34.000Z", "first_observed": "2017-02-03T21:40:34Z", "last_observed": "2017-02-03T21:40:34Z", "number_observed": 1, "object_refs": [ "url--5894f8d2-d7e0-4225-834c-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f8d2-d7e0-4225-834c-874d02de0b81", "value": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f8d2-f494-476c-a034-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:41:23.000Z", "modified": "2017-02-03T21:41:23.000Z", "first_observed": "2017-02-03T21:41:23Z", "last_observed": "2017-02-03T21:41:23Z", "number_observed": 1, "object_refs": [ "url--5894f8d2-f494-476c-a034-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f8d2-f494-476c-a034-874d02de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f8d3-6008-437d-bec0-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:41:16.000Z", "modified": "2017-02-03T21:41:16.000Z", "first_observed": "2017-02-03T21:41:16Z", "last_observed": "2017-02-03T21:41:16Z", "number_observed": 1, "object_refs": [ "url--5894f8d3-6008-437d-bec0-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f8d3-6008-437d-bec0-874d02de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f8d4-7700-4a87-8aa3-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:41:45.000Z", "modified": "2017-02-03T21:41:45.000Z", "first_observed": "2017-02-03T21:41:45Z", "last_observed": "2017-02-03T21:41:45Z", "number_observed": 1, "object_refs": [ "url--5894f8d4-7700-4a87-8aa3-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f8d4-7700-4a87-8aa3-874d02de0b81", "value": "http://researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5894f8d5-a2c4-41d4-b4b7-874d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-03T21:41:53.000Z", "modified": "2017-02-03T21:41:53.000Z", "first_observed": "2017-02-03T21:41:53Z", "last_observed": "2017-02-03T21:41:53Z", "number_observed": 1, "object_refs": [ "url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"technical-report\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81", "value": "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-office-exploit-generators-szappanos.pdf" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }