{ "type": "bundle", "id": "bundle--59861ab3-3ef8-4683-ad19-9533950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59861ab3-3ef8-4683-ad19-9533950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "name": "OSINT - TwoFace Webshell: Persistent Access Point for Lateral Movement", "published": "2017-08-05T19:38:07Z", "object_refs": [ "x-misp-attribute--59861af0-25a4-49f9-bf01-4f2c950d210f", "observed-data--59861b17-1cbc-4813-965b-4fa3950d210f", "url--59861b17-1cbc-4813-965b-4fa3950d210f", "indicator--59861b70-3c18-4ad8-a631-4262950d210f", "indicator--59861b70-0bf0-4044-8432-4ade950d210f", "indicator--59861b70-f498-42f2-89ca-45e9950d210f", "indicator--59861b70-8370-478b-8ad6-4c50950d210f", "indicator--59861b87-9d74-4493-96ab-4d85950d210f", "indicator--59861b87-fb2c-425a-85df-4f5d950d210f", "indicator--59861ba3-3e74-4e1e-8e9c-4528950d210f", "indicator--59861ba3-4fb8-4eb0-b43e-4528950d210f", "indicator--59861ba3-ff20-4384-8bb4-4528950d210f", "indicator--59861ba3-cd24-4f0d-90c7-4528950d210f", "indicator--59861ba3-d38c-4274-9ef2-4528950d210f", "indicator--59861ba3-d3b4-4c45-bc66-4528950d210f", "indicator--59861ba3-dcd8-49d9-919c-4528950d210f", "indicator--59861ba3-fd08-431f-b42e-4528950d210f", "indicator--59861bc6-0238-4656-8840-9533950d210f", "indicator--59861bc6-dc24-4ccf-bb7b-9533950d210f", "indicator--59861bfb-a1cc-4996-8368-4245950d210f", "indicator--59861c39-89f0-4b18-b602-475702de0b81", "indicator--59861c39-db1c-4926-9bc9-4cb502de0b81", "observed-data--59861c39-8ce8-498a-9f27-4b7a02de0b81", "url--59861c39-8ce8-498a-9f27-4b7a02de0b81", "indicator--59861c39-f138-4f70-9226-47b702de0b81", "indicator--59861c39-09c0-4478-812f-4dbf02de0b81", "observed-data--59861c39-a73c-4f9c-9e37-4cf802de0b81", "url--59861c39-a73c-4f9c-9e37-4cf802de0b81", "indicator--59861c39-3c84-4bd2-a0e9-412102de0b81", "indicator--59861c39-cc70-4028-916c-459f02de0b81", "observed-data--59861c39-5664-4e0a-8d88-4e5202de0b81", "url--59861c39-5664-4e0a-8d88-4e5202de0b81", "indicator--59861c39-f1ec-4cd9-ab7a-4dab02de0b81", "indicator--59861c39-75bc-4043-a143-49c802de0b81", "observed-data--59861c39-ac3c-41b3-b1b3-495c02de0b81", "url--59861c39-ac3c-41b3-b1b3-495c02de0b81", "indicator--59861c39-97a8-49a8-866c-4ffe02de0b81", "indicator--59861c39-d250-46e9-b502-451502de0b81", "observed-data--59861c39-63b0-4a13-a446-493802de0b81", "url--59861c39-63b0-4a13-a446-493802de0b81", "indicator--59861c39-bff0-4078-ba6c-4f8602de0b81", "indicator--59861c39-0884-4dc6-ae42-4fcc02de0b81", "observed-data--59861c39-84a8-4d66-9785-49e602de0b81", "url--59861c39-84a8-4d66-9785-49e602de0b81", "indicator--59861c39-c338-4b2b-91cc-4c9c02de0b81", "indicator--59861c39-e778-459f-ac0b-46da02de0b81", "observed-data--59861c39-7d64-4635-9b3e-405302de0b81", "url--59861c39-7d64-4635-9b3e-405302de0b81", "indicator--59861c39-f2dc-4158-bcbf-4b1b02de0b81", "indicator--59861c39-f030-4c07-9afb-44d002de0b81", "observed-data--59861c39-4ff4-4c9f-bc50-413702de0b81", "url--59861c39-4ff4-4c9f-bc50-413702de0b81", "indicator--59861c39-8884-4f11-a6fe-412602de0b81", "indicator--59861c39-d110-41d3-9ee1-4bf202de0b81", "observed-data--59861c39-8980-4e01-b5ac-4b7602de0b81", "url--59861c39-8980-4e01-b5ac-4b7602de0b81", "indicator--59861c39-0b80-4353-a6dc-491602de0b81", "indicator--59861c39-d3d0-4f7c-ba66-404002de0b81", "observed-data--59861c39-953c-4d87-871e-414302de0b81", "url--59861c39-953c-4d87-871e-414302de0b81", "indicator--59861c39-a978-48c5-8c2d-4a4102de0b81", "indicator--59861c39-4220-433c-83ef-45b002de0b81", "observed-data--59861c39-bfd4-40f0-b115-488102de0b81", "url--59861c39-bfd4-40f0-b115-488102de0b81", "indicator--59861c39-3dec-4985-9014-439e02de0b81", "indicator--59861c39-c2b8-4764-90d5-47d002de0b81", "observed-data--59861c39-f954-450e-a2d4-417602de0b81", "url--59861c39-f954-450e-a2d4-417602de0b81", "observed-data--59861e71-d65c-4eed-8a99-4aae950d210f", "file--59861e71-d65c-4eed-8a99-4aae950d210f", "observed-data--59861e71-ebe0-471d-b47c-4f97950d210f", "file--59861e71-ebe0-471d-b47c-4f97950d210f", "observed-data--59861e71-8dcc-46fb-a973-4597950d210f", "file--59861e71-8dcc-46fb-a973-4597950d210f", "observed-data--59861e71-4bbc-4cb5-9349-4e65950d210f", "file--59861e71-4bbc-4cb5-9349-4e65950d210f", "observed-data--59861e71-c574-4ca7-8d0e-44ac950d210f", "file--59861e71-c574-4ca7-8d0e-44ac950d210f", "observed-data--59861e71-eb0c-4230-aa9a-4ca4950d210f", "file--59861e71-eb0c-4230-aa9a-4ca4950d210f", "observed-data--59861e71-1754-46ee-9b2c-4459950d210f", "file--59861e71-1754-46ee-9b2c-4459950d210f", "observed-data--59861e71-7c58-4271-abbd-4c5d950d210f", "file--59861e71-7c58-4271-abbd-4c5d950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59861af0-25a4-49f9-bf01-4f2c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\r\n\r\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861b17-1cbc-4813-965b-4fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "first_observed": "2017-08-05T19:27:52Z", "last_observed": "2017-08-05T19:27:52Z", "number_observed": 1, "object_refs": [ "url--59861b17-1cbc-4813-965b-4fa3950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861b17-1cbc-4813-965b-4fa3950d210f", "value": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861b70-3c18-4ad8-a631-4262950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Loader", "pattern": "[file:hashes.SHA256 = 'ed684062f43d34834c4a87fdb68f4536568caf16c34a0ea451e6f25cf1532d51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861b70-0bf0-4044-8432-4ade950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Loader", "pattern": "[file:hashes.SHA256 = 'f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861b70-f498-42f2-89ca-45e9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Loader", "pattern": "[file:hashes.SHA256 = '9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861b70-8370-478b-8ad6-4c50950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Loader", "pattern": "[file:hashes.SHA256 = 'd0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861b87-9d74-4493-96ab-4d85950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace++ Loader", "pattern": "[file:hashes.SHA256 = 'bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861b87-fb2c-425a-85df-4f5d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace++ Loader", "pattern": "[file:hashes.SHA256 = '8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861ba3-3e74-4e1e-8e9c-4528950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Payload", "pattern": "[file:hashes.SHA256 = '8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861ba3-4fb8-4eb0-b43e-4528950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Payload", "pattern": "[file:hashes.SHA256 = '0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861ba3-ff20-4384-8bb4-4528950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Payload", "pattern": "[file:hashes.SHA256 = '54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861ba3-cd24-4f0d-90c7-4528950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Payload", "pattern": "[file:hashes.SHA256 = '818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861ba3-d38c-4274-9ef2-4528950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Payload", "pattern": "[file:hashes.SHA256 = 'fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861ba3-d3b4-4c45-bc66-4528950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Payload", "pattern": "[file:hashes.SHA256 = '79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861ba3-dcd8-49d9-919c-4528950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Payload", "pattern": "[file:hashes.SHA256 = 'e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861ba3-fd08-431f-b42e-4528950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "TwoFace Payload", "pattern": "[file:hashes.SHA256 = 'c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861bc6-0238-4656-8840-9533950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "IntrudingDivisor Shell", "pattern": "[file:hashes.SHA256 = 'e342d6bf07de1257e82f4ea19e9f08c9e11a43d9ad576cd799782f6e968914b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861bc6-dc24-4ccf-bb7b-9533950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "IntrudingDivisor Shell", "pattern": "[file:hashes.SHA256 = '49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861bfb-a1cc-4996-8368-4245950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:52.000Z", "modified": "2017-08-05T19:27:52.000Z", "description": "Mimikatz", "pattern": "[file:hashes.SHA256 = 'f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-89f0-4b18-b602-475702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "Mimikatz - Xchecked via VT: f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0", "pattern": "[file:hashes.SHA1 = '28e2b56ee6ca16d84bc05f01dd6abeb12ef52e77']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-db1c-4926-9bc9-4cb502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "Mimikatz - Xchecked via VT: f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0", "pattern": "[file:hashes.MD5 = 'cb567013f063019f5f57fa8240caa3dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-8ce8-498a-9f27-4b7a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-8ce8-498a-9f27-4b7a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-8ce8-498a-9f27-4b7a02de0b81", "value": "https://www.virustotal.com/file/f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0/analysis/1501873561/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-f138-4f70-9226-47b702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "IntrudingDivisor Shell - Xchecked via VT: 49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e", "pattern": "[file:hashes.SHA1 = 'e4ac7454be74994e5b32e4a2aedd21b077417a4c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-09c0-4478-812f-4dbf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "IntrudingDivisor Shell - Xchecked via VT: 49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e", "pattern": "[file:hashes.MD5 = '872df1b1889f34a6479952d258c73ccb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-a73c-4f9c-9e37-4cf802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-a73c-4f9c-9e37-4cf802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-a73c-4f9c-9e37-4cf802de0b81", "value": "https://www.virustotal.com/file/49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e/analysis/1501873544/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-3c84-4bd2-a0e9-412102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113", "pattern": "[file:hashes.SHA1 = '1a9b15800c570997191ec1613ac5816c280d8283']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-cc70-4028-916c-459f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113", "pattern": "[file:hashes.MD5 = '154354bbb42ff8326fff9b86ce22e1a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-5664-4e0a-8d88-4e5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-5664-4e0a-8d88-4e5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-5664-4e0a-8d88-4e5202de0b81", "value": "https://www.virustotal.com/file/fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113/analysis/1501873497/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-f1ec-4cd9-ab7a-4dab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: 818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f", "pattern": "[file:hashes.SHA1 = '5260114801ddd07f721fa04607c722d2add0fa32']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-75bc-4043-a143-49c802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: 818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f", "pattern": "[file:hashes.MD5 = '7d8766edf1680bdb12ff4b71a2e53edf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-ac3c-41b3-b1b3-495c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-ac3c-41b3-b1b3-495c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-ac3c-41b3-b1b3-495c02de0b81", "value": "https://www.virustotal.com/file/818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f/analysis/1501873479/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-97a8-49a8-866c-4ffe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: 54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f", "pattern": "[file:hashes.SHA1 = 'a406513a493e2ee9fa0db8f1d9871cb982906a48']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-d250-46e9-b502-451502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: 54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f", "pattern": "[file:hashes.MD5 = 'c2dcbd7b96d363b84cf655648cd6b59e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-63b0-4a13-a446-493802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-63b0-4a13-a446-493802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-63b0-4a13-a446-493802de0b81", "value": "https://www.virustotal.com/file/54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f/analysis/1501873465/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-bff0-4078-ba6c-4f8602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: 0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f", "pattern": "[file:hashes.SHA1 = 'e2446d181c54d3883a3613404cfbba666bb04106']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-0884-4dc6-ae42-4fcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: 0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f", "pattern": "[file:hashes.MD5 = 'fb5aa6b2dae48602ad5db408800b908e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-84a8-4d66-9785-49e602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-84a8-4d66-9785-49e602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-84a8-4d66-9785-49e602de0b81", "value": "https://www.virustotal.com/file/0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f/analysis/1501954505/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-c338-4b2b-91cc-4c9c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: 8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b", "pattern": "[file:hashes.SHA1 = '9cc0e7f80ca9dce6976bda0660885825a1f1afbf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-e778-459f-ac0b-46da02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Payload - Xchecked via VT: 8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b", "pattern": "[file:hashes.MD5 = 'aff218b56ae622a3b3376996a33287ad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-7d64-4635-9b3e-405302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-7d64-4635-9b3e-405302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-7d64-4635-9b3e-405302de0b81", "value": "https://www.virustotal.com/file/8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b/analysis/1501873416/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-f2dc-4158-bcbf-4b1b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace++ Loader - Xchecked via VT: 8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e", "pattern": "[file:hashes.SHA1 = '8d82ea31ce64e262c834ceed49ea97a53f8302e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-f030-4c07-9afb-44d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace++ Loader - Xchecked via VT: 8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e", "pattern": "[file:hashes.MD5 = '142b659975be77dd125fd3432c95e5de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-4ff4-4c9f-bc50-413702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-4ff4-4c9f-bc50-413702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-4ff4-4c9f-bc50-413702de0b81", "value": "https://www.virustotal.com/file/8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e/analysis/1501873395/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-8884-4f11-a6fe-412602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace++ Loader - Xchecked via VT: bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef", "pattern": "[file:hashes.SHA1 = '75890380e99448e612530871f2c65b27c9a401ec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-d110-41d3-9ee1-4bf202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace++ Loader - Xchecked via VT: bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef", "pattern": "[file:hashes.MD5 = '6ca2818f6cce5b5fc484c3557b59a003']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-8980-4e01-b5ac-4b7602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-8980-4e01-b5ac-4b7602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-8980-4e01-b5ac-4b7602de0b81", "value": "https://www.virustotal.com/file/bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef/analysis/1501873378/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-0b80-4353-a6dc-491602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Loader - Xchecked via VT: d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3", "pattern": "[file:hashes.SHA1 = '418fb8a86d3a9ce0b32ef338de2fa4b3a4cffc6f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-d3d0-4f7c-ba66-404002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Loader - Xchecked via VT: d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3", "pattern": "[file:hashes.MD5 = 'abb7f1eefdc2a539cfe541f416f22407']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-953c-4d87-871e-414302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-953c-4d87-871e-414302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-953c-4d87-871e-414302de0b81", "value": "https://www.virustotal.com/file/d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3/analysis/1501873357/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-a978-48c5-8c2d-4a4102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Loader - Xchecked via VT: 9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813", "pattern": "[file:hashes.SHA1 = 'a238ac53363f8a4b65271a1f380c21ceacd9c0b3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-4220-433c-83ef-45b002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Loader - Xchecked via VT: 9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813", "pattern": "[file:hashes.MD5 = 'c0e62672fab65be9ecf54a64730323b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-bfd4-40f0-b115-488102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-bfd4-40f0-b115-488102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-bfd4-40f0-b115-488102de0b81", "value": "https://www.virustotal.com/file/9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813/analysis/1501873330/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-3dec-4985-9014-439e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Loader - Xchecked via VT: f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5", "pattern": "[file:hashes.SHA1 = 'da78d71fce08e809f114bfb931daa9a5ec7eea33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59861c39-c2b8-4764-90d5-47d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "description": "TwoFace Loader - Xchecked via VT: f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5", "pattern": "[file:hashes.MD5 = '6c6567b4ccf9c650c4ae80b516881164']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-05T19:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861c39-f954-450e-a2d4-417602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:27:53.000Z", "modified": "2017-08-05T19:27:53.000Z", "first_observed": "2017-08-05T19:27:53Z", "last_observed": "2017-08-05T19:27:53Z", "number_observed": 1, "object_refs": [ "url--59861c39-f954-450e-a2d4-417602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59861c39-f954-450e-a2d4-417602de0b81", "value": "https://www.virustotal.com/file/f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5/analysis/1501873300/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861e71-d65c-4eed-8a99-4aae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "first_observed": "2017-08-05T19:37:21Z", "last_observed": "2017-08-05T19:37:21Z", "number_observed": 1, "object_refs": [ "file--59861e71-d65c-4eed-8a99-4aae950d210f" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--59861e71-d65c-4eed-8a99-4aae950d210f", "hashes": { "SHA-1": "a2c9afd6adac242827adb00d76c20c491b2d2247" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861e71-ebe0-471d-b47c-4f97950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "first_observed": "2017-08-05T19:37:21Z", "last_observed": "2017-08-05T19:37:21Z", "number_observed": 1, "object_refs": [ "file--59861e71-ebe0-471d-b47c-4f97950d210f" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--59861e71-ebe0-471d-b47c-4f97950d210f", "hashes": { "SHA-1": "6a0e681586988388d4a0690b6fb686715d92d069" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861e71-8dcc-46fb-a973-4597950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "first_observed": "2017-08-05T19:37:21Z", "last_observed": "2017-08-05T19:37:21Z", "number_observed": 1, "object_refs": [ "file--59861e71-8dcc-46fb-a973-4597950d210f" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--59861e71-8dcc-46fb-a973-4597950d210f", "hashes": { "SHA-1": "5e1c37bf3bd8a7567d46db63ed9b0aeed53e57fe" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861e71-4bbc-4cb5-9349-4e65950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "first_observed": "2017-08-05T19:37:21Z", "last_observed": "2017-08-05T19:37:21Z", "number_observed": 1, "object_refs": [ "file--59861e71-4bbc-4cb5-9349-4e65950d210f" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--59861e71-4bbc-4cb5-9349-4e65950d210f", "hashes": { "SHA-1": "37ada887553cf48715cc19131b8e661ac43718e9" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861e71-c574-4ca7-8d0e-44ac950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "first_observed": "2017-08-05T19:37:21Z", "last_observed": "2017-08-05T19:37:21Z", "number_observed": 1, "object_refs": [ "file--59861e71-c574-4ca7-8d0e-44ac950d210f" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--59861e71-c574-4ca7-8d0e-44ac950d210f", "hashes": { "SHA-1": "9789b5c0c13fb58c423bce5577873d413d9494be" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861e71-eb0c-4230-aa9a-4ca4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "first_observed": "2017-08-05T19:37:21Z", "last_observed": "2017-08-05T19:37:21Z", "number_observed": 1, "object_refs": [ "file--59861e71-eb0c-4230-aa9a-4ca4950d210f" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--59861e71-eb0c-4230-aa9a-4ca4950d210f", "hashes": { "SHA-1": "c56bc0d331a825fdea01c5437877d5e9e1cda2c4" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861e71-1754-46ee-9b2c-4459950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "first_observed": "2017-08-05T19:37:21Z", "last_observed": "2017-08-05T19:37:21Z", "number_observed": 1, "object_refs": [ "file--59861e71-1754-46ee-9b2c-4459950d210f" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--59861e71-1754-46ee-9b2c-4459950d210f", "hashes": { "SHA-1": "9f4e10484f4ceac34878d4f621a1ad8e580fd02a" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59861e71-7c58-4271-abbd-4c5d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-05T19:37:21.000Z", "modified": "2017-08-05T19:37:21.000Z", "first_observed": "2017-08-05T19:37:21Z", "last_observed": "2017-08-05T19:37:21Z", "number_observed": 1, "object_refs": [ "file--59861e71-7c58-4271-abbd-4c5d950d210f" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--59861e71-7c58-4271-abbd-4c5d950d210f", "hashes": { "SHA-1": "57dd9721f9837ebd24dea55a90a2a9e3e6ad6f1e" } }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }