{ "type": "bundle", "id": "bundle--59d34428-803c-4eab-bac7-49c0950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:51:18.000Z", "modified": "2017-10-04T08:51:18.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59d34428-803c-4eab-bac7-49c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:51:18.000Z", "modified": "2017-10-04T08:51:18.000Z", "name": "OSINT - Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers", "published": "2017-10-04T08:51:30Z", "object_refs": [ "observed-data--59d34439-4454-45a8-94dc-3e8a950d210f", "url--59d34439-4454-45a8-94dc-3e8a950d210f", "x-misp-attribute--59d344c1-426c-49c5-9ff5-4eed950d210f", "indicator--59d34505-26c0-45b8-ad15-3e8b950d210f", "indicator--59d34505-22e0-4906-90c3-3e8b950d210f", "indicator--59d34505-2e78-4dc1-a67b-3e8b950d210f", "indicator--59d34505-3db8-4638-9c56-3e8b950d210f", "indicator--59d34505-f7d0-4def-8e96-3e8b950d210f", "indicator--59d34544-1b60-4b87-8b28-42df950d210f", "indicator--59d345d3-66fc-41a9-a259-4762950d210f", "indicator--59d345d3-b880-404c-8dfa-43d3950d210f", "indicator--59d34660-03b0-4649-93dc-4236950d210f", "indicator--59d34915-eb94-48f5-8e04-3e86950d210f", "observed-data--59d34b35-0d00-462b-903a-43a4950d210f", "windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f", "observed-data--59d34b35-12cc-4033-9114-400e950d210f", "windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f", "observed-data--59d34b35-3b98-432e-b9f2-40d1950d210f", "windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f", "observed-data--59d34b35-7ebc-4b87-b031-45fc950d210f", "windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f", "observed-data--59d34b35-f05c-4193-b489-4d53950d210f", "windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f", "indicator--59d4a0da-b11c-4106-bb81-424502de0b81", "indicator--59d4a0da-0ce0-47c9-a313-48fc02de0b81", "observed-data--59d4a0da-d74c-4b70-870f-48ab02de0b81", "url--59d4a0da-d74c-4b70-870f-48ab02de0b81", "indicator--59d4a0da-9b60-478f-b63b-4e1802de0b81", "indicator--59d4a0da-edd8-4715-a50d-43ec02de0b81", "observed-data--59d4a0da-c5f8-42d4-8dfd-450402de0b81", "url--59d4a0da-c5f8-42d4-8dfd-450402de0b81", "indicator--59d4a0da-52f0-421f-93cf-46b902de0b81", "indicator--59d4a0da-e200-4df3-9afe-44d302de0b81", "observed-data--59d4a0da-8964-4305-9aac-4cc602de0b81", "url--59d4a0da-8964-4305-9aac-4cc602de0b81", "indicator--59d4a0da-4c70-4d6c-858b-43ff02de0b81", "indicator--59d4a0da-f260-4592-a320-451a02de0b81", "observed-data--59d4a0da-b5c0-4500-923c-458d02de0b81", "url--59d4a0da-b5c0-4500-923c-458d02de0b81", "indicator--59d4a0da-2b88-4315-af2a-4dee02de0b81", "indicator--59d4a0da-54ec-44d7-a611-45f502de0b81", "observed-data--59d4a0da-55f0-4dd3-853e-452302de0b81", "url--59d4a0da-55f0-4dd3-853e-452302de0b81", "indicator--59d4a0da-24ac-4c9a-9ed0-46d202de0b81", "indicator--59d4a0da-b468-4875-a528-4f0902de0b81", "observed-data--59d4a0da-55b8-4813-a62a-42aa02de0b81", "url--59d4a0da-55b8-4813-a62a-42aa02de0b81", "indicator--59d4a0da-3e44-4d72-a76f-46b802de0b81", "indicator--59d4a0da-dc90-4b07-9a85-47ac02de0b81", "observed-data--59d4a0da-a858-4517-8dfe-4f5502de0b81", "url--59d4a0da-a858-4517-8dfe-4f5502de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:source-type=\"blog-post\"", "misp-galaxy:threat-actor=\"Aurora Panda\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d34439-4454-45a8-94dc-3e8a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "url--59d34439-4454-45a8-94dc-3e8a950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d34439-4454-45a8-94dc-3e8a950d210f", "value": "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59d344c1-426c-49c5-9ff5-4eed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide a stronger link between this attack and the Axiom group.\r\n\r\nFirst of all, our researchers would like to thank the entire team at Cisco Talos for their excellent work on this attack (their post regarding stage 2 can be found here) as well as their cooperation by allowing us access to the stage 2 payload. Also, we would like to give a special thanks to Kaspersky Labs for their collaboration." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d34505-26c0-45b8-ad15-3e8b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "x86 Registry Payload", "pattern": "[file:hashes.SHA256 = 'f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d34505-22e0-4906-90c3-3e8b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "pattern": "[file:hashes.SHA256 = '07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d34505-2e78-4dc1-a67b-3e8b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "pattern": "[file:hashes.SHA256 = '0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d34505-3db8-4638-9c56-3e8b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "pattern": "[file:hashes.SHA256 = '20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d34505-f7d0-4def-8e96-3e8b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "pattern": "[file:hashes.SHA256 = 'ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d34544-1b60-4b87-8b28-42df950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "Stage 2 Payload", "pattern": "[file:hashes.SHA256 = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d345d3-66fc-41a9-a259-4762950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "x86 Trojanized Binary", "pattern": "[file:hashes.SHA256 = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d345d3-b880-404c-8dfa-43d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "x64 Trojanized Binary", "pattern": "[file:hashes.SHA256 = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d34660-03b0-4649-93dc-4236950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '13.59.9.90']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d34915-eb94-48f5-8e04-3e86950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "x64 Registry Payload", "pattern": "[file:hashes.SHA256 = '75eaa1889dbc93f11544cf3e40e3b9342b81b1678af5d83026496ee6a1b2ef79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d34b35-0d00-462b-903a-43a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--59d34b35-0d00-462b-903a-43a4950d210f", "key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\001" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d34b35-12cc-4033-9114-400e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--59d34b35-12cc-4033-9114-400e950d210f", "key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\002" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d34b35-3b98-432e-b9f2-40d1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--59d34b35-3b98-432e-b9f2-40d1950d210f", "key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\003" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d34b35-7ebc-4b87-b031-45fc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--59d34b35-7ebc-4b87-b031-45fc950d210f", "key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\004" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d34b35-f05c-4193-b489-4d53950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--59d34b35-f05c-4193-b489-4d53950d210f", "key": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\HBP" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-b11c-4106-bb81-424502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f", "pattern": "[file:hashes.SHA1 = '82691bf5d8ca1c760e0dbc67c99f89ecd890de08']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-0ce0-47c9-a313-48fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f", "pattern": "[file:hashes.MD5 = '52dda1e6ac12c24f2997cf05e0ea42c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d4a0da-d74c-4b70-870f-48ab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "url--59d4a0da-d74c-4b70-870f-48ab02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d4a0da-d74c-4b70-870f-48ab02de0b81", "value": "https://www.virustotal.com/file/128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f/analysis/1507088207/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-9b60-478f-b63b-4e1802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902", "pattern": "[file:hashes.SHA1 = '53c9ea5ac9b2efc5e8e0b4e3a051fa1615cc09a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-edd8-4715-a50d-43ec02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902", "pattern": "[file:hashes.MD5 = 'd6fd2df91432ca21c79ece2c6637d1c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d4a0da-c5f8-42d4-8dfd-450402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "url--59d4a0da-c5f8-42d4-8dfd-450402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d4a0da-c5f8-42d4-8dfd-450402de0b81", "value": "https://www.virustotal.com/file/07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902/analysis/1507103949/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-52f0-421f-93cf-46b902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83", "pattern": "[file:hashes.SHA1 = 'e7cca2da5161a313161a81a38a8b5773310a6801']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-e200-4df3-9afe-44d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83", "pattern": "[file:hashes.MD5 = '748aa5fcfa2af451c76039faf6a8684d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d4a0da-8964-4305-9aac-4cc602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "url--59d4a0da-8964-4305-9aac-4cc602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d4a0da-8964-4305-9aac-4cc602de0b81", "value": "https://www.virustotal.com/file/dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83/analysis/1507084318/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-4c70-4d6c-858b-43ff02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550", "pattern": "[file:hashes.SHA1 = '7dd556415487cc192b647c9a7fde70896eeee7a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-f260-4592-a320-451a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550", "pattern": "[file:hashes.MD5 = 'e77e708924168afd17dbe26bba8621af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d4a0da-b5c0-4500-923c-458d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "url--59d4a0da-b5c0-4500-923c-458d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d4a0da-b5c0-4500-923c-458d02de0b81", "value": "https://www.virustotal.com/file/ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550/analysis/1506960621/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-2b88-4315-af2a-4dee02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27", "pattern": "[file:hashes.SHA1 = '590ddc140152c2c5ce2f0dc7b21a297fd4102ba3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-54ec-44d7-a611-45f502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27", "pattern": "[file:hashes.MD5 = '8ad22f3e9e603ff89228f3c66d9949d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d4a0da-55f0-4dd3-853e-452302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "url--59d4a0da-55f0-4dd3-853e-452302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d4a0da-55f0-4dd3-853e-452302de0b81", "value": "https://www.virustotal.com/file/20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27/analysis/1446757665/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-24ac-4c9a-9ed0-46d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2", "pattern": "[file:hashes.SHA1 = '40f9cde4ccd1b1b17a647c6fc72c5c5cd40d2b08']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-b468-4875-a528-4f0902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2", "pattern": "[file:hashes.MD5 = 'ba86c0c1d9a08284c61c4251762ad0df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d4a0da-55b8-4813-a62a-42aa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "url--59d4a0da-55b8-4813-a62a-42aa02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d4a0da-55b8-4813-a62a-42aa02de0b81", "value": "https://www.virustotal.com/file/0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2/analysis/1506960528/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-3e44-4d72-a76f-46b802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d", "pattern": "[file:hashes.SHA1 = '60415999bc82dc9c8f4425f90e41a98d514f76a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d4a0da-dc90-4b07-9a85-47ac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "description": "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d", "pattern": "[file:hashes.MD5 = '35a4783a1db27f159d7506a78ca89101']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:50:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d4a0da-a858-4517-8dfe-4f5502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:50:34.000Z", "modified": "2017-10-04T08:50:34.000Z", "first_observed": "2017-10-04T08:50:34Z", "last_observed": "2017-10-04T08:50:34Z", "number_observed": 1, "object_refs": [ "url--59d4a0da-a858-4517-8dfe-4f5502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d4a0da-a858-4517-8dfe-4f5502de0b81", "value": "https://www.virustotal.com/file/07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d/analysis/1507055418/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }