{ "type": "bundle", "id": "bundle--58d38baa-a47c-40c5-8c8f-45b4950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58d38baa-a47c-40c5-8c8f-45b4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "name": "OSINT - Winnti Abuses GitHub for C&C Communications", "published": "2017-03-23T09:34:35Z", "object_refs": [ "observed-data--58d38bd6-fd08-43d4-b092-4586950d210f", "url--58d38bd6-fd08-43d4-b092-4586950d210f", "x-misp-attribute--58d38bea-6cd0-4bb7-86f6-4534950d210f", "indicator--58d393bd-bf10-4b1e-9cbf-4ebc950d210f", "indicator--58d393be-6cb4-4753-8e81-4306950d210f", "indicator--58d393bf-f3f0-4c43-81a3-461b950d210f", "indicator--58d393c0-18f8-4311-b6a1-4cb5950d210f", "indicator--58d393c0-5a30-47ca-be06-4960950d210f", "indicator--58d393c1-75a4-42d5-915a-4c77950d210f", "indicator--58d3950a-ffb4-4a6b-a442-4e10950d210f", "indicator--58d3950b-d098-49b4-8ad8-4255950d210f", "indicator--58d3950c-6c0c-41fc-b0ff-4e3c950d210f", "indicator--58d3950d-9778-4477-93b7-4192950d210f", "indicator--58d3950e-4164-48d4-bda4-45f8950d210f", "indicator--58d3950f-6e7c-4959-8f43-4f6b950d210f", "indicator--58d39510-5840-4bba-b5d3-43a1950d210f", "indicator--58d39511-d928-4adc-a65c-41ec950d210f", "indicator--58d39512-beac-4951-bd97-422f950d210f", "indicator--58d39512-63ac-4119-b1d1-404c950d210f", "indicator--58d39513-3674-4298-83a5-4e97950d210f", "indicator--58d39514-ac10-4112-9f4a-44c6950d210f", "indicator--58d39515-1c68-4743-8f45-4132950d210f", "indicator--58d39582-f3b8-4540-bc74-478a02de0b81", "indicator--58d39583-c104-4652-a263-44f802de0b81", "observed-data--58d39584-3f08-4842-848f-475602de0b81", "url--58d39584-3f08-4842-848f-475602de0b81", "indicator--58d39585-7cf8-45ba-8f84-48a202de0b81", "indicator--58d39586-7de0-4c69-b715-4bb902de0b81", "observed-data--58d39587-6484-49c5-8cf5-43ac02de0b81", "url--58d39587-6484-49c5-8cf5-43ac02de0b81", "indicator--58d39588-a408-45a0-a2fa-4ba502de0b81", "indicator--58d39589-a960-47cc-9923-483e02de0b81", "observed-data--58d3958a-3b38-414e-96a1-4e8502de0b81", "url--58d3958a-3b38-414e-96a1-4e8502de0b81", "indicator--58d3958b-0dd0-40a0-97d2-446102de0b81", "indicator--58d3958c-6118-4f70-aec5-463102de0b81", "observed-data--58d3958d-3960-4962-8469-497502de0b81", "url--58d3958d-3960-4962-8469-497502de0b81", "indicator--58d3958e-f960-4209-8de4-4e5f02de0b81", "indicator--58d3958f-2bf4-431b-a40d-41ed02de0b81", "observed-data--58d39590-87e0-4b5e-9143-4fff02de0b81", "url--58d39590-87e0-4b5e-9143-4fff02de0b81", "indicator--58d39591-8ed8-4334-a252-473902de0b81", "indicator--58d39592-3394-4c30-9626-4f5202de0b81", "observed-data--58d39593-73e0-45fe-9265-4f1002de0b81", "url--58d39593-73e0-45fe-9265-4f1002de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "misp-galaxy:tool=\"Winnti\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d38bd6-fd08-43d4-b092-4586950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "first_observed": "2017-03-23T09:29:19Z", "last_observed": "2017-03-23T09:29:19Z", "number_observed": 1, "object_refs": [ "url--58d38bd6-fd08-43d4-b092-4586950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "estimative-language:likelihood-probability=\"almost-certain\"", "admiralty-scale:source-reliability=\"b\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d38bd6-fd08-43d4-b092-4586950d210f", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58d38bea-6cd0-4bb7-86f6-4534950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "estimative-language:likelihood-probability=\"almost-certain\"", "admiralty-scale:source-reliability=\"b\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Developers constantly need to modify and rework their source codes when releasing new versions of applications or coding projects they create and maintain. This is what makes GitHub\u00e2\u20ac\u201dan online repository hosting service that provides version control management\u00e2\u20ac\u201dpopular. In many ways, it\u00e2\u20ac\u2122s like a social networking site for programmers and developers, one that provides a valuable platform for code management, sharing, collaboration, and integration.\r\n\r\nGitHub is no stranger to misuse, however. Open-source ransomware projects EDA2 and Hidden Tear\u00e2\u20ac\u201dsupposedly created for educational purposes\u00e2\u20ac\u201dwere hosted on GitHub, and have since spawned various offshoots that have been found targeting enterprises. Tools that exploited vulnerabilities in Internet of Things (IoT) devices were also made available on GitHub. Even the Limitless Keylogger, which was used in targeted attacks, was linked to a GitHub project.\r\n\r\nRecently, the Winnti group, a threat actor with a past of traditional cybercrime -particularly with financial fraud, has been seen abusing GitHub by turning it into a conduit for the command and control (C&C) communications of their seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM).\r\n\r\nOur research also showed that the group still uses some of the infamous PlugX malware variants\u00e2\u20ac\u201da staple in Winnti\u00e2\u20ac\u2122s arsenal\u00e2\u20ac\u201dto handle targeted attack operations via the GitHub account we identified." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d393bd-bf10-4b1e-9cbf-4ebc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "cryptbase.dll", "pattern": "[file:hashes.SHA256 = '06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d393be-6cb4-4753-8e81-4306950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "loadperf.dll", "pattern": "[file:hashes.SHA256 = '1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d393bf-f3f0-4c43-81a3-461b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "loadoerf.ini", "pattern": "[file:hashes.SHA256 = '7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d393c0-18f8-4311-b6a1-4cb5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "wbemcomn.ini", "pattern": "[file:hashes.SHA256 = '9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d393c0-5a30-47ca-be06-4960950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "cryptbase.ini", "pattern": "[file:hashes.SHA256 = 'b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d393c1-75a4-42d5-915a-4c77950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "wbemcomn.dll", "pattern": "[file:hashes.SHA256 = 'e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3950a-ffb4-4a6b-a442-4e10950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS) 53 (DNS) 80 (HTTP)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '160.16.243.129']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3950b-d098-49b4-8ad8-4255950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS) 53 (DNS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.18']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3950c-6c0c-41fc-b0ff-4e3c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "53 (DNS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3950d-9778-4477-93b7-4192950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS) 53 (DNS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.22']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3950e-4164-48d4-bda4-45f8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "53 (DNS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3950f-6e7c-4959-8f43-4f6b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "53 (DNS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39510-5840-4bba-b5d3-43a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "80 (HTTP)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.62.58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39511-d928-4adc-a65c-41ec950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS) 53 (DNS) 80 (HTTP)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.62.60']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39512-beac-4951-bd97-422f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.62.61']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39512-63ac-4119-b1d1-404c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS) 53 (DNS) 80 (HTTP)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.195.98.245']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39513-3674-4298-83a5-4e97950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS) 53 (DNS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '67.198.161.250']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39514-ac10-4112-9f4a-44c6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '67.198.161.251']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39515-1c68-4743-8f45-4132950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:19.000Z", "modified": "2017-03-23T09:29:19.000Z", "description": "443 (HTTPS)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '67.198.161.252']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39582-f3b8-4540-bc74-478a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:38.000Z", "modified": "2017-03-23T09:29:38.000Z", "description": "wbemcomn.dll - Xchecked via VT: e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089", "pattern": "[file:hashes.SHA1 = '08afbd47ce5f4e296d375b3a2d069993e09c090f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39583-c104-4652-a263-44f802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:39.000Z", "modified": "2017-03-23T09:29:39.000Z", "description": "wbemcomn.dll - Xchecked via VT: e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089", "pattern": "[file:hashes.MD5 = '3301341e7e769c92aefb07e4bec15ad2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d39584-3f08-4842-848f-475602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:40.000Z", "modified": "2017-03-23T09:29:40.000Z", "first_observed": "2017-03-23T09:29:40Z", "last_observed": "2017-03-23T09:29:40Z", "number_observed": 1, "object_refs": [ "url--58d39584-3f08-4842-848f-475602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d39584-3f08-4842-848f-475602de0b81", "value": "https://www.virustotal.com/file/e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089/analysis/1490216161/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39585-7cf8-45ba-8f84-48a202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:41.000Z", "modified": "2017-03-23T09:29:41.000Z", "description": "cryptbase.ini - Xchecked via VT: b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2", "pattern": "[file:hashes.SHA1 = '5e23c5b5f21c0a6f894d636cd4f4469bf28b53ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39586-7de0-4c69-b715-4bb902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:42.000Z", "modified": "2017-03-23T09:29:42.000Z", "description": "cryptbase.ini - Xchecked via VT: b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2", "pattern": "[file:hashes.MD5 = '802890514844f6bab0cb2004c52025d6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d39587-6484-49c5-8cf5-43ac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:43.000Z", "modified": "2017-03-23T09:29:43.000Z", "first_observed": "2017-03-23T09:29:43Z", "last_observed": "2017-03-23T09:29:43Z", "number_observed": 1, "object_refs": [ "url--58d39587-6484-49c5-8cf5-43ac02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d39587-6484-49c5-8cf5-43ac02de0b81", "value": "https://www.virustotal.com/file/b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2/analysis/1490216160/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39588-a408-45a0-a2fa-4ba502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:44.000Z", "modified": "2017-03-23T09:29:44.000Z", "description": "wbemcomn.ini - Xchecked via VT: 9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb", "pattern": "[file:hashes.SHA1 = '51891247e3caa4e4f8f71b2eaf8ba47602dc0be1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39589-a960-47cc-9923-483e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:45.000Z", "modified": "2017-03-23T09:29:45.000Z", "description": "wbemcomn.ini - Xchecked via VT: 9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb", "pattern": "[file:hashes.MD5 = '5b1852311cc9f5ccdddf35a9c473ab27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d3958a-3b38-414e-96a1-4e8502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:46.000Z", "modified": "2017-03-23T09:29:46.000Z", "first_observed": "2017-03-23T09:29:46Z", "last_observed": "2017-03-23T09:29:46Z", "number_observed": 1, "object_refs": [ "url--58d3958a-3b38-414e-96a1-4e8502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d3958a-3b38-414e-96a1-4e8502de0b81", "value": "https://www.virustotal.com/file/9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb/analysis/1490216160/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3958b-0dd0-40a0-97d2-446102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:47.000Z", "modified": "2017-03-23T09:29:47.000Z", "description": "loadoerf.ini - Xchecked via VT: 7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b", "pattern": "[file:hashes.SHA1 = '1eddc0e76f1dd787091cfdcf98a058dd4319fd34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3958c-6118-4f70-aec5-463102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:48.000Z", "modified": "2017-03-23T09:29:48.000Z", "description": "loadoerf.ini - Xchecked via VT: 7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b", "pattern": "[file:hashes.MD5 = 'c7d0ec5b742ee497b9ee536f23586949']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d3958d-3960-4962-8469-497502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:49.000Z", "modified": "2017-03-23T09:29:49.000Z", "first_observed": "2017-03-23T09:29:49Z", "last_observed": "2017-03-23T09:29:49Z", "number_observed": 1, "object_refs": [ "url--58d3958d-3960-4962-8469-497502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d3958d-3960-4962-8469-497502de0b81", "value": "https://www.virustotal.com/file/7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b/analysis/1489477860/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3958e-f960-4209-8de4-4e5f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:50.000Z", "modified": "2017-03-23T09:29:50.000Z", "description": "loadperf.dll - Xchecked via VT: 1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d", "pattern": "[file:hashes.SHA1 = '64093d8dbf2e108c73fb5f96bbf0c2fcd8975c94']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d3958f-2bf4-431b-a40d-41ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:51.000Z", "modified": "2017-03-23T09:29:51.000Z", "description": "loadperf.dll - Xchecked via VT: 1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d", "pattern": "[file:hashes.MD5 = '879ce99e253e598a3c156258a9e81457']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d39590-87e0-4b5e-9143-4fff02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:52.000Z", "modified": "2017-03-23T09:29:52.000Z", "first_observed": "2017-03-23T09:29:52Z", "last_observed": "2017-03-23T09:29:52Z", "number_observed": 1, "object_refs": [ "url--58d39590-87e0-4b5e-9143-4fff02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d39590-87e0-4b5e-9143-4fff02de0b81", "value": "https://www.virustotal.com/file/1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d/analysis/1490193118/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39591-8ed8-4334-a252-473902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:53.000Z", "modified": "2017-03-23T09:29:53.000Z", "description": "cryptbase.dll - Xchecked via VT: 06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba", "pattern": "[file:hashes.SHA1 = '1a20d3333e220f6fe2980dff119705c0ddc59604']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58d39592-3394-4c30-9626-4f5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:54.000Z", "modified": "2017-03-23T09:29:54.000Z", "description": "cryptbase.dll - Xchecked via VT: 06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba", "pattern": "[file:hashes.MD5 = '5b2484ad1f74f2c19ff0d29e63c773d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-23T09:29:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58d39593-73e0-45fe-9265-4f1002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-23T09:29:55.000Z", "modified": "2017-03-23T09:29:55.000Z", "first_observed": "2017-03-23T09:29:55Z", "last_observed": "2017-03-23T09:29:55Z", "number_observed": 1, "object_refs": [ "url--58d39593-73e0-45fe-9265-4f1002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58d39593-73e0-45fe-9265-4f1002de0b81", "value": "https://www.virustotal.com/file/06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba/analysis/1490195522/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }