{ "type": "bundle", "id": "bundle--5a0ac036-6fbc-4855-83af-422b950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-20T13:25:52.000Z", "modified": "2017-11-20T13:25:52.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5a0ac036-6fbc-4855-83af-422b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-20T13:25:52.000Z", "modified": "2017-11-20T13:25:52.000Z", "name": "OSINT - Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks", "context": "suspicious-activity", "object_refs": [ "observed-data--5a0ac04b-331c-457e-9154-4535950d210f", "url--5a0ac04b-331c-457e-9154-4535950d210f", "x-misp-attribute--5a0ac07e-7154-4727-9128-4b2b950d210f", "indicator--5a0ac277-6480-4635-a01f-4b80950d210f", "indicator--5a0ac277-b4a0-490f-8e6a-4941950d210f", "indicator--5a0ac405-e138-4948-8fd4-4827950d210f", "indicator--5a0ac405-1734-4d67-9c55-4422950d210f", "observed-data--5a0ac48c-b1fc-4778-9481-41b5950d210f", "windows-registry-key--5a0ac48c-b1fc-4778-9481-41b5950d210f", "indicator--5a0ac4d2-bfa0-4123-a4c6-46e3950d210f", "indicator--5a0ac4d2-1274-4dff-b646-43f4950d210f", "indicator--5a0ac4d2-8568-4190-8a0b-489e950d210f", "indicator--5a0ac4d2-74d4-41c3-b9aa-4102950d210f", "indicator--5a0ac4d2-2050-407e-b273-4948950d210f", "indicator--5a0ac4d2-2ae4-4411-818f-4932950d210f", "indicator--5a0ac4d2-15f0-4c1f-a22e-4a3a950d210f", "indicator--5a0ac4d2-9e94-47b9-8d1e-4867950d210f", "indicator--5a0ac4d2-97a8-4b76-bf49-4e0d950d210f", "indicator--5a0ac4d2-1908-41f4-ae48-4aa8950d210f", "indicator--5a0ac4d2-2b14-4a7c-86d9-46cd950d210f", "indicator--5a0ac4d2-ae4c-4005-bd7b-4548950d210f", "indicator--5a0ac4d2-b178-4a7e-b14b-4a16950d210f", "indicator--5a0ac4d2-f5a0-4806-9b9f-4519950d210f", "indicator--5a0ac4d2-57c8-4d89-916f-486f950d210f", "indicator--5a0ac4d2-1a24-4ae0-a9fc-4823950d210f", "indicator--5a0ac4d2-8fb0-49d9-ae66-4eb7950d210f", "indicator--5a0ac4d2-debc-4839-80be-4b11950d210f", "indicator--5a0ac4d2-1068-4201-9cc0-4b86950d210f", "observed-data--5a0ac521-3dfc-422a-b3fa-4d7c950d210f", "windows-registry-key--5a0ac521-3dfc-422a-b3fa-4d7c950d210f", "indicator--5a0ac521-ca08-4726-bad0-4466950d210f", "observed-data--5a0ac521-b370-4446-b84e-4bb2950d210f", "windows-registry-key--5a0ac521-b370-4446-b84e-4bb2950d210f", "indicator--5a0ac521-ab0c-4ac5-b31f-4cf5950d210f", "indicator--5a0ac577-0aec-403a-b697-4d69950d210f", "indicator--5a0ac577-90f4-482f-b813-4e55950d210f", "indicator--5a0ac577-9008-42f4-a39c-4dc9950d210f", "indicator--5a0ed8a4-6294-41ce-ae02-e7e802de0b81", "indicator--5a0ed8a4-8cbc-4980-a1c7-e7e802de0b81", "observed-data--5a0ed8a4-1f84-4696-a287-e7e802de0b81", "url--5a0ed8a4-1f84-4696-a287-e7e802de0b81", "indicator--5a0ed8a4-1748-4308-a4e3-e7e802de0b81", "indicator--5a0ed8a4-073c-4f4c-aea8-e7e802de0b81", "observed-data--5a0ed8a4-a5ec-4828-9615-e7e802de0b81", "url--5a0ed8a4-a5ec-4828-9615-e7e802de0b81", "indicator--5a0ed8a4-690c-47b9-8647-e7e802de0b81", "indicator--5a0ed8a4-0868-42fa-ad0f-e7e802de0b81", "observed-data--5a0ed8a4-6c28-4f4a-8db3-e7e802de0b81", "url--5a0ed8a4-6c28-4f4a-8db3-e7e802de0b81", "indicator--5a0ed8a4-fd94-4d5f-8e45-e7e802de0b81", "indicator--5a0ed8a4-1e1c-4eca-8532-e7e802de0b81", "observed-data--5a0ed8a4-2ee8-44be-abd5-e7e802de0b81", "url--5a0ed8a4-2ee8-44be-abd5-e7e802de0b81", "indicator--5a0ed8a4-4da0-47ea-9e6d-e7e802de0b81", "indicator--5a0ed8a5-a0cc-446a-8c32-e7e802de0b81", "observed-data--5a0ed8a5-2c5c-4318-9715-e7e802de0b81", "url--5a0ed8a5-2c5c-4318-9715-e7e802de0b81", "indicator--5a0acc3f-e330-4e19-b44c-4182950d210f", "indicator--5a0acc5a-879c-469b-b4d6-4e68950d210f", "indicator--5a0accd4-f164-4638-8503-080d950d210f", "indicator--5a0acced-4fe4-4b29-9407-4db2950d210f", "indicator--5a0acd03-9880-4d9b-8816-0c9f950d210f", "indicator--5a0acdd2-42b0-4178-9599-0ab7950d210f", "indicator--5a0ace3f-f0f8-481b-b90f-0cdb950d210f", "indicator--5a0aebe2-710c-459f-94f6-0d11950d210f", "indicator--5a0aece9-8a7c-4e23-a82e-0d11950d210f", "indicator--5a0aed28-c8b0-415b-b8f8-0d11950d210f", "indicator--5a0aed3e-9dc4-4f60-b423-4595950d210f", "indicator--5a0aed4f-581c-4aec-8ef1-0d11950d210f", "indicator--5a0aee8a-fb14-4018-9413-4a3f950d210f", "indicator--5a0aee9b-caf8-4ba4-af30-c1d9950d210f", "indicator--5a0aeeb0-5b5c-463f-b010-4dcf950d210f", "indicator--5a0aeefe-4eb4-43ad-9b97-4fec950d210f", "indicator--5a0aef74-a3f4-4cff-b3ff-c1d9950d210f", "indicator--5a0aef88-7b34-4633-983a-4a4b950d210f", "indicator--5a0aef9f-d298-42b6-8fd3-44b6950d210f", "indicator--5a0af012-82e4-49fa-9ca6-43e0950d210f", "indicator--5a0af027-e910-4a68-8d5a-0d11950d210f", "indicator--5a0af038-fa20-4d65-928f-be53950d210f", "indicator--5a0af04d-9574-4849-9eb7-4e6b950d210f", "indicator--5a0af05e-299c-445b-88c7-4fc7950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:source-type=\"blog-post\"", "misp-galaxy:tool=\"Emotet\"", "misp-galaxy:banker=\"Qakbot\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ac04b-331c-457e-9154-4535950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:03.000Z", "modified": "2017-11-17T12:40:03.000Z", "first_observed": "2017-11-17T12:40:03Z", "last_observed": "2017-11-17T12:40:03Z", "number_observed": 1, "object_refs": [ "url--5a0ac04b-331c-457e-9154-4535950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a0ac04b-331c-457e-9154-4535950d210f", "value": "https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a0ac07e-7154-4727-9128-4b2b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:03.000Z", "modified": "2017-11-17T12:40:03.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "The threat to information is greater than ever, with data breaches, phishing attacks, and other forms of information theft like point-of-sale malware and ATM hacks becoming all too common in today's threat landscape. Information-stealing trojans are in the same category of threats that deliver a steady stream of risk to data and can lead to significant financial loss.\r\n\r\nQakbot and Emotet are information stealers that have been showing renewed activity in recent months. These malware families are technically different, but they share many similarities in behavior. They both have the ultimate goal of stealing online banking credentials that malware operators can then use to steal money from online banking accounts. They can also steal other sensitive information using techniques like keylogging." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac277-6480-4635-a01f-4b80950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:03.000Z", "modified": "2017-11-17T12:40:03.000Z", "description": "Qakbot malware", "pattern": "[file:hashes.SHA256 = 'da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac277-b4a0-490f-8e6a-4941950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:03.000Z", "modified": "2017-11-17T12:40:03.000Z", "description": "Qakbot malware", "pattern": "[file:hashes.SHA256 = 'ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac405-e138-4948-8fd4-4827950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:03.000Z", "modified": "2017-11-17T12:40:03.000Z", "pattern": "[file:name = '\\\\%APPDATA\\\\%\\\\Microsoft\\\\Cexpalgxx\\\\Cexpalgxx.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac405-1734-4d67-9c55-4422950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:03.000Z", "modified": "2017-11-17T12:40:03.000Z", "pattern": "[file:name = '\\\\%APPDATA\\\\%\\\\Microsoft\\\\Cexpalgxx\\\\Cexpalgxx32.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ac48c-b1fc-4778-9481-41b5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "first_observed": "2017-11-17T12:40:04Z", "last_observed": "2017-11-17T12:40:04Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5a0ac48c-b1fc-4778-9481-41b5950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5a0ac48c-b1fc-4778-9481-41b5950d210f", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-bfa0-4123-a4c6-46e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.236.252.178']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-1274-4dff-b646-43f4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.243.159.58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-8568-4190-8a0b-489e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.33.55.157']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-74d4-41c3-b9aa-4102950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '77.244.245.37']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-2050-407e-b273-4948950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.81.212.79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-2ae4-4411-818f-4932950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.212.192.45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-15f0-4c1f-a22e-4a3a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.16.131.20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-9e94-47b9-8d1e-4867950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.78.33.200']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-97a8-4b76-bf49-4e0d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.116.54.16']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-1908-41f4-ae48-4aa8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.83.166.45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-2b14-4a7c-86d9-46cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.74.254.64']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-ae4c-4005-bd7b-4548950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.227.137.34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-b178-4a7e-b14b-4a16950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.165.220.214']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-f5a0-4806-9b9f-4519950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.143.221.180']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-57c8-4d89-916f-486f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '119.82.27.246']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-1a24-4ae0-a9fc-4823950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.88.246.7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-8fb0-49d9-ae66-4eb7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '206.214.220.79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-debc-4839-80be-4b11950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.230.136.67']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac4d2-1068-4201-9cc0-4b86950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.224.218.25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ac521-3dfc-422a-b3fa-4d7c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "first_observed": "2017-11-17T12:40:04Z", "last_observed": "2017-11-17T12:40:04Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5a0ac521-3dfc-422a-b3fa-4d7c950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5a0ac521-3dfc-422a-b3fa-4d7c950d210f", "key": "%appdata%\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[random].lnk" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac521-ca08-4726-bad0-4466950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[file:name = '\\\\%Appdata\\\\%\\\\local\\\\[random]\\\\[random].exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ac521-b370-4446-b84e-4bb2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "first_observed": "2017-11-17T12:40:04Z", "last_observed": "2017-11-17T12:40:04Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5a0ac521-b370-4446-b84e-4bb2950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5a0ac521-b370-4446-b84e-4bb2950d210f", "key": "%localappdata%\\microsoft\\windows" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac521-ab0c-4ac5-b31f-4cf5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\System32\\\\netshedule.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac577-0aec-403a-b697-4d69950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet downloader", "pattern": "[file:hashes.SHA256 = '4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac577-90f4-482f-b813-4e55950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet malware", "pattern": "[file:hashes.SHA256 = 'ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ac577-9008-42f4-a39c-4dc9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet malware", "pattern": "[file:hashes.SHA256 = '59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-6294-41ce-ae02-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet malware - Xchecked via VT: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087", "pattern": "[file:hashes.SHA1 = '9214359938285f26785f7eaf25a74dddea678065']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-8cbc-4980-a1c7-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet malware - Xchecked via VT: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087", "pattern": "[file:hashes.MD5 = '5aa9fa89cee3ffc4c3009e34db830de0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ed8a4-1f84-4696-a287-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "first_observed": "2017-11-17T12:40:04Z", "last_observed": "2017-11-17T12:40:04Z", "number_observed": 1, "object_refs": [ "url--5a0ed8a4-1f84-4696-a287-e7e802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a0ed8a4-1f84-4696-a287-e7e802de0b81", "value": "https://www.virustotal.com/file/59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087/analysis/1506215055/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-1748-4308-a4e3-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet malware - Xchecked via VT: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440", "pattern": "[file:hashes.SHA1 = 'a33763608d07880c5ca31fd68e30355c04201c92']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-073c-4f4c-aea8-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet malware - Xchecked via VT: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440", "pattern": "[file:hashes.MD5 = '03b933fb1b471d7710d82d8b3f6c62b1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ed8a4-a5ec-4828-9615-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "first_observed": "2017-11-17T12:40:04Z", "last_observed": "2017-11-17T12:40:04Z", "number_observed": 1, "object_refs": [ "url--5a0ed8a4-a5ec-4828-9615-e7e802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a0ed8a4-a5ec-4828-9615-e7e802de0b81", "value": "https://www.virustotal.com/file/ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440/analysis/1510558151/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-690c-47b9-8647-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet downloader - Xchecked via VT: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96", "pattern": "[file:hashes.SHA1 = '82519982e32708e94c54ffce3c652714049a04f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-0868-42fa-ad0f-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Emotet downloader - Xchecked via VT: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96", "pattern": "[file:hashes.MD5 = '517d9598ac8aa0ef0cb7145ffd64805e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ed8a4-6c28-4f4a-8db3-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "first_observed": "2017-11-17T12:40:04Z", "last_observed": "2017-11-17T12:40:04Z", "number_observed": 1, "object_refs": [ "url--5a0ed8a4-6c28-4f4a-8db3-e7e802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a0ed8a4-6c28-4f4a-8db3-e7e802de0b81", "value": "https://www.virustotal.com/file/4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96/analysis/1510180240/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-fd94-4d5f-8e45-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Qakbot malware - Xchecked via VT: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a", "pattern": "[file:hashes.SHA1 = '74153fa3ca1a97b68fdd31fa02c3e16daa03ac59']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-1e1c-4eca-8532-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Qakbot malware - Xchecked via VT: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a", "pattern": "[file:hashes.MD5 = '54240940b30c9f21e006d87371f490e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ed8a4-2ee8-44be-abd5-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "first_observed": "2017-11-17T12:40:04Z", "last_observed": "2017-11-17T12:40:04Z", "number_observed": 1, "object_refs": [ "url--5a0ed8a4-2ee8-44be-abd5-e7e802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a0ed8a4-2ee8-44be-abd5-e7e802de0b81", "value": "https://www.virustotal.com/file/ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a/analysis/1510257822/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a4-4da0-47ea-9e6d-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Qakbot malware - Xchecked via VT: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c", "pattern": "[file:hashes.SHA1 = '4c04c92cf88dc1a0cc4829229786ac50c1a51aa5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ed8a5-a0cc-446a-8c32-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:04.000Z", "modified": "2017-11-17T12:40:04.000Z", "description": "Qakbot malware - Xchecked via VT: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c", "pattern": "[file:hashes.MD5 = '692802635dbd973b7944ebc8dbc22e2a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-17T12:40:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a0ed8a5-2c5c-4318-9715-e7e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-17T12:40:05.000Z", "modified": "2017-11-17T12:40:05.000Z", "first_observed": "2017-11-17T12:40:05Z", "last_observed": "2017-11-17T12:40:05Z", "number_observed": 1, "object_refs": [ "url--5a0ed8a5-2c5c-4318-9715-e7e802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a0ed8a5-2c5c-4318-9715-e7e802de0b81", "value": "https://www.virustotal.com/file/da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c/analysis/1510111314/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0acc3f-e330-4e19-b44c-4182950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T10:58:07.000Z", "modified": "2017-11-14T10:58:07.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.183.173.170') AND network-traffic:dst_port = '995']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T10:58:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0acc5a-879c-469b-b4d6-4e68950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T10:58:34.000Z", "modified": "2017-11-14T10:58:34.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '67.213.243.228') AND network-traffic:dst_port = '993']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T10:58:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0accd4-f164-4638-8503-080d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T11:00:36.000Z", "modified": "2017-11-14T11:00:36.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '96.67.244.225') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T11:00:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0acced-4fe4-4b29-9407-4db2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T11:01:01.000Z", "modified": "2017-11-14T11:01:01.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.25.234.18') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T11:01:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0acd03-9880-4d9b-8816-0c9f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T11:01:23.000Z", "modified": "2017-11-14T11:01:23.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '24.123.151.58') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T11:01:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0acdd2-42b0-4178-9599-0ab7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T11:04:50.000Z", "modified": "2017-11-14T11:04:50.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '76.164.161.46') AND network-traffic:dst_port = '995']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T11:04:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0ace3f-f0f8-481b-b90f-0cdb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T11:06:39.000Z", "modified": "2017-11-14T11:06:39.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '68.115.254.146') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T11:06:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aebe2-710c-459f-94f6-0d11950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:13:06.000Z", "modified": "2017-11-14T13:13:06.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.57.88.73') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:13:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aece9-8a7c-4e23-a82e-0d11950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:17:29.000Z", "modified": "2017-11-14T13:17:29.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.21.79.34') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:17:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aed28-c8b0-415b-b8f8-0d11950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:18:32.000Z", "modified": "2017-11-14T13:18:32.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.51.185.121') AND network-traffic:dst_port = '465']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:18:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aed3e-9dc4-4f60-b423-4595950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:18:54.000Z", "modified": "2017-11-14T13:18:54.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '71.3.55.80') AND network-traffic:dst_port = '993']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:18:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aed4f-581c-4aec-8ef1-0d11950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:19:11.000Z", "modified": "2017-11-14T13:19:11.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.244.177.127') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:19:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aee8a-fb14-4018-9413-4a3f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:24:26.000Z", "modified": "2017-11-14T13:24:26.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '180.93.148.41') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:24:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aee9b-caf8-4ba4-af30-c1d9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:24:43.000Z", "modified": "2017-11-14T13:24:43.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '101.51.40.175') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:24:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aeeb0-5b5c-463f-b010-4dcf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:25:04.000Z", "modified": "2017-11-14T13:25:04.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '73.166.94.110') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:25:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aeefe-4eb4-43ad-9b97-4fec950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:26:22.000Z", "modified": "2017-11-14T13:26:22.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '71.88.202.122') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:26:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aef74-a3f4-4cff-b3ff-c1d9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:28:20.000Z", "modified": "2017-11-14T13:28:20.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '74.5.136.50') AND network-traffic:dst_port = '990']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:28:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aef88-7b34-4633-983a-4a4b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:28:40.000Z", "modified": "2017-11-14T13:28:40.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.43.179.209') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:28:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0aef9f-d298-42b6-8fd3-44b6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:29:03.000Z", "modified": "2017-11-14T13:29:03.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '211.27.18.233') AND network-traffic:dst_port = '995']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:29:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0af012-82e4-49fa-9ca6-43e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:30:58.000Z", "modified": "2017-11-14T13:30:58.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '96.82.91.67') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:30:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0af027-e910-4a68-8d5a-0d11950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:31:19.000Z", "modified": "2017-11-14T13:31:19.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '98.194.132.179') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:31:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0af038-fa20-4d65-928f-be53950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:31:36.000Z", "modified": "2017-11-14T13:31:36.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '98.113.137.220') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:31:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0af04d-9574-4849-9eb7-4e6b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:31:57.000Z", "modified": "2017-11-14T13:31:57.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '24.184.200.177') AND network-traffic:dst_port = '2222']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:31:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a0af05e-299c-445b-88c7-4fc7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-14T13:32:14.000Z", "modified": "2017-11-14T13:32:14.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '105.224.247.34') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-14T13:32:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }