{ "type": "bundle", "id": "bundle--5cacf210-9ecc-4a53-90a5-4c6a02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-10T09:38:25.000Z", "modified": "2019-04-10T09:38:25.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5cacf210-9ecc-4a53-90a5-4c6a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-10T09:38:25.000Z", "modified": "2019-04-10T09:38:25.000Z", "name": "OSINT - Flame 2.0: Risen from the Ashes", "context": "suspicious-activity", "object_refs": [ "observed-data--5cacf25c-be88-4f49-9371-486d02de0b81", "url--5cacf25c-be88-4f49-9371-486d02de0b81", "x-misp-attribute--5cacf275-91f8-48f8-86b3-4a6602de0b81", "indicator--5cacf524-c7cc-4a00-bcf6-0c6a02de0b81", "indicator--5cacf2d6-8170-4ec2-8fa9-42a202de0b81", "indicator--5cacf361-d240-4b8b-89c1-479e02de0b81", "indicator--5cacf3a6-2794-4cca-b073-4d0102de0b81", "indicator--5cacf3d5-4984-4241-beef-4ecd02de0b81", "indicator--5cacf425-1e2c-467f-b0d9-4b9a02de0b81", "indicator--5cacf45c-a150-42cc-91d0-472b02de0b81", "indicator--5cacf4a2-992c-465c-b7e7-470f02de0b81", "indicator--5cacf4eb-ea8c-4cef-bbf0-4f8b02de0b81", "indicator--3ebf26f8-6710-4b32-a4a0-15d339e5350f", "x-misp-object--019aaeec-55dd-4ce1-b20a-d92710b6b041", "indicator--8697b11b-da93-4d4f-b701-a09aab24cb0d", "x-misp-object--e44af2bf-950a-474b-8042-113d217e5f63", "indicator--48fb1669-d25d-4800-a4bd-443720406f95", "x-misp-object--be651b15-0ff4-4119-9a0a-de4730dc814d", "indicator--7cc0330c-8e97-4662-8588-c4d54f58407c", "x-misp-object--5cf63775-757f-43f1-94ea-a33377e12cd1", "indicator--c301c4d8-3408-4e94-ac87-70c6b3f8d7a7", "x-misp-object--d0ff9ea2-f4ed-4174-b077-308b005ae017", "indicator--8c4f64e3-e346-40b6-b06f-8575a9ce1a83", "x-misp-object--9a473378-5c49-4dc1-a58b-38b7ac011d49", "indicator--287dff0c-5d73-4dca-badb-6de37ea6e766", "x-misp-object--6e6742a5-13ab-483f-a968-22170d66e6e2", "indicator--8403c5f0-33ff-475b-b1f1-aa1df43eff9d", "x-misp-object--13e40b04-1b14-4396-9507-786fb8ee0191", "x-misp-object--5cad948e-7a68-4202-ac52-46ea950d210f", "relationship--de08f9f3-e448-4c56-a349-029fc6deb925", "relationship--827e1c8e-5a2b-4f9f-8229-6d1657bd555b", "relationship--d02b47d1-e487-4a18-bc56-b12757e8ffc7", "relationship--b4f7ad66-1514-48b4-b595-0d610fb95387", "relationship--4e36db20-262d-4fe7-84c8-93338c4b6b21", "relationship--b7f839bb-60d4-4e45-b733-4f8f435fc1c1", "relationship--51f0e314-8d8a-4a13-a991-90929ad86adc", "relationship--9ee63211-8e30-42e5-be6b-d430900cac9a" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-malware=\"Flame\"", "misp-galaxy:tool=\"Flame\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cacf25c-be88-4f49-9371-486d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:28:28.000Z", "modified": "2019-04-09T19:28:28.000Z", "first_observed": "2019-04-09T19:28:28Z", "last_observed": "2019-04-09T19:28:28Z", "number_observed": 1, "object_refs": [ "url--5cacf25c-be88-4f49-9371-486d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cacf25c-be88-4f49-9371-486d02de0b81", "value": "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5cacf275-91f8-48f8-86b3-4a6602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:28:53.000Z", "modified": "2019-04-09T19:28:53.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Our investigation into the GOSSIPGIRL Supra Threat Actor (STA) started with a REPLICANTFARM signature name that tentatively links the cryptonym GOSSIPGIRL to Flame. From there,1we investigated MiniFlame and Gauss \u2013two families related to the Flame platform\u2013 withoutfinding any indication of succession to Flame\u2019s operations. Our investigation continued ontoStuxnet and Duqu but the altogether disappearance of Flame never sat right with us." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf524-c7cc-4a00-bcf6-0c6a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:20.000Z", "modified": "2019-04-09T19:40:20.000Z", "pattern": "[import\u200b \u200b\"pe\"import\u200b \u200b\"hash\"rule FLAME2_Orchestrator{meta:desc \u200b=\u200b \u200b\"Encrypted resources in Flame2.0 Orchestrators\"author \u200b=\u200b \u200b\"turla @ Uppercase\"hash1 \u200b=\"15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1\"hash2 \u200b=\"426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82\"hash3 \u200b=\"af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4\"condition:for\u200b any i \u200bin\u200b \u200b(\u200b0.\u200b.\u200bpe\u200b.\u200bnumber_of_resources \u200b-\u200b \u200b1\u200b):(\u200b(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"53b19d9863d8ff8cde8e4358d1b57c04\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"4849cc439e524ef6a9964a3666dddb13\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"62bfe21a8eb76fd07e22326c0073fef5\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"dfed2c71749b04dad46d0ce52834492c\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9119aa701b39242a98be118d9c237ecc\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"b69d168e29fba6c88ad4e670949815aa\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"4849cc439e524ef6a9964a3666dddb13\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"1933a1e254b1657a6a2eb8ad1fbe6fa3\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"dfed2c71749b04dad46d0ce52834492c\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9119aa701b39242a98be118d9c237ecc\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"b69d168e29fba6c88ad4e670949815aa\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"17c794f7056349cb82889b5e5b030d15\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"e15187f79b6916cb6763d29d215623c1\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"923963bb24f2e2ceac9f9759071dba88\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9a2766aba7f2a56ef1ab24cf171ee0ed\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"ebe15bfb5a3944ea4952ddf0f73aa6e8\")\u200b)}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf2d6-8170-4ec2-8fa9-42a202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:30:30.000Z", "modified": "2019-04-09T19:30:30.000Z", "pattern": "[file:hashes.SHA256 = '15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1' AND file:name = 'sensrsvcs.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:30:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf361-d240-4b8b-89c1-479e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:32:49.000Z", "modified": "2019-04-09T19:32:49.000Z", "pattern": "[file:hashes.SHA256 = '426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82' AND file:name = 'sensrsvcs.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:32:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf3a6-2794-4cca-b073-4d0102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:33:58.000Z", "modified": "2019-04-09T19:33:58.000Z", "pattern": "[file:hashes.SHA256 = 'af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4' AND file:name = 'sensrsvr.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:33:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf3d5-4984-4241-beef-4ecd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:34:45.000Z", "modified": "2019-04-09T19:34:45.000Z", "pattern": "[file:hashes.SHA256 = '69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64' AND file:name = 'sensrsvr.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:34:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf425-1e2c-467f-b0d9-4b9a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:36:05.000Z", "modified": "2019-04-09T19:36:05.000Z", "pattern": "[file:hashes.SHA256 = '0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb' AND file:name = 'wmisvcs64.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:36:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf45c-a150-42cc-91d0-472b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:37:00.000Z", "modified": "2019-04-09T19:37:00.000Z", "pattern": "[file:hashes.SHA256 = '8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad' AND file:name = 'wmisvcs64.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:37:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf4a2-992c-465c-b7e7-470f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:38:10.000Z", "modified": "2019-04-09T19:38:10.000Z", "pattern": "[file:hashes.SHA256 = 'b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362' AND file:name = 'wmihost64.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:38:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cacf4eb-ea8c-4cef-bbf0-4f8b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:39:23.000Z", "modified": "2019-04-09T19:39:23.000Z", "pattern": "[file:hashes.SHA256 = '134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4' AND file:name = 'wmihost.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:39:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3ebf26f8-6710-4b32-a4a0-15d339e5350f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:47.000Z", "modified": "2019-04-09T19:40:47.000Z", "pattern": "[file:hashes.MD5 = '2529ecdd21ad9854d52ab737306bee59' AND file:hashes.SHA1 = 'b144c68108d9a9208accb562b141d8b8a15550d7' AND file:hashes.SHA256 = '69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--019aaeec-55dd-4ce1-b20a-d92710b6b041", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:47.000Z", "modified": "2019-04-09T19:40:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09 19:25:12", "category": "Other", "uuid": "cda2bde6-b763-42f6-a894-5fd2298cec87" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64/analysis/1554837912/", "category": "Payload delivery", "uuid": "f12fd4ac-1d89-4c87-ab7f-8981d9e12f24" }, { "type": "text", "object_relation": "detection-ratio", "value": "4/70", "category": "Payload delivery", "uuid": "d7f96a43-c836-49fa-9a47-c9c7b955509d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8697b11b-da93-4d4f-b701-a09aab24cb0d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:47.000Z", "modified": "2019-04-09T19:40:47.000Z", "pattern": "[file:hashes.MD5 = '2a2614756387176845187a7de247a98a' AND file:hashes.SHA1 = 'ef2f8fca2a010f49ab4080a6439651320b95e44f' AND file:hashes.SHA256 = '15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e44af2bf-950a-474b-8042-113d217e5f63", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:47.000Z", "modified": "2019-04-09T19:40:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09 19:37:57", "category": "Other", "uuid": "23b15a5c-28e3-447a-b7a1-0cd24b6cf23f" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1/analysis/1554838677/", "category": "Payload delivery", "uuid": "e1f5cd2c-1b4b-4a24-9bc5-35d4794acab5" }, { "type": "text", "object_relation": "detection-ratio", "value": "6/66", "category": "Payload delivery", "uuid": "93a80e3b-e83c-4712-82e1-31c4e053ea2d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--48fb1669-d25d-4800-a4bd-443720406f95", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:47.000Z", "modified": "2019-04-09T19:40:47.000Z", "pattern": "[file:hashes.MD5 = '7ab1c0c5e7d1ed834bccdfcafb5b07f2' AND file:hashes.SHA1 = '21d3d7c33f63def5aed98d54dac5de218c49a35f' AND file:hashes.SHA256 = '426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--be651b15-0ff4-4119-9a0a-de4730dc814d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:47.000Z", "modified": "2019-04-09T19:40:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09 19:23:23", "category": "Other", "uuid": "912c83ff-cdc9-4485-a904-2384fb9e195c" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82/analysis/1554837803/", "category": "Payload delivery", "uuid": "fbc9682d-7d72-44c9-9b9d-2666493b4c12" }, { "type": "text", "object_relation": "detection-ratio", "value": "7/66", "category": "Payload delivery", "uuid": "03ee7243-f176-46d0-a04f-f34ae5ea6ddc" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7cc0330c-8e97-4662-8588-c4d54f58407c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "pattern": "[file:hashes.MD5 = '15a0b9948d60e6bc6f60d7226caa923f' AND file:hashes.SHA1 = '16a02af1746adbc173a5dc5a16012468133777c5' AND file:hashes.SHA256 = '0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5cf63775-757f-43f1-94ea-a33377e12cd1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09 19:37:54", "category": "Other", "uuid": "1e091e6a-ebe5-4c3b-9b5f-c9cb6a375015" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb/analysis/1554838674/", "category": "Payload delivery", "uuid": "8962d991-4022-46cd-b23b-ac1b66118e2e" }, { "type": "text", "object_relation": "detection-ratio", "value": "6/69", "category": "Payload delivery", "uuid": "15ef209b-969d-49a7-8eff-cd865725bfc8" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c301c4d8-3408-4e94-ac87-70c6b3f8d7a7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "pattern": "[file:hashes.MD5 = '98303a3a424c407a3e27ab818066811c' AND file:hashes.SHA1 = '5ab8b1ac11789606333ff94066cae6048a335ac5' AND file:hashes.SHA256 = 'af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d0ff9ea2-f4ed-4174-b077-308b005ae017", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09 19:28:00", "category": "Other", "uuid": "a56f74da-1eb6-4b0e-9946-f4f64bfaa448" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4/analysis/1554838080/", "category": "Payload delivery", "uuid": "5ddc77d8-25bf-48b8-ba1e-a3e473a00edf" }, { "type": "text", "object_relation": "detection-ratio", "value": "10/67", "category": "Payload delivery", "uuid": "425ae711-425a-4400-bdea-ca8ccb8e9021" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8c4f64e3-e346-40b6-b06f-8575a9ce1a83", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "pattern": "[file:hashes.MD5 = '6ce0a12d7461f3267af7fa835a0b5677' AND file:hashes.SHA1 = '941195b52f5ea4eb60027c3aeb67cd72e95f4c8e' AND file:hashes.SHA256 = 'b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9a473378-5c49-4dc1-a58b-38b7ac011d49", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09 19:16:19", "category": "Other", "uuid": "2294d851-edaf-4560-93de-6a3163cca0b4" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362/analysis/1554837379/", "category": "Payload delivery", "uuid": "086df5b9-0480-41c0-8d26-10c5e04a6d41" }, { "type": "text", "object_relation": "detection-ratio", "value": "5/68", "category": "Payload delivery", "uuid": "a9717401-7206-494d-983b-0f029dcf4c2a" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--287dff0c-5d73-4dca-badb-6de37ea6e766", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "pattern": "[file:hashes.MD5 = '883034ba4657ba4765a20f680721d0ea' AND file:hashes.SHA1 = 'eafb4e041587f4204c2dda9bbb91622ce34421f0' AND file:hashes.SHA256 = '8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6e6742a5-13ab-483f-a968-22170d66e6e2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09 17:37:57", "category": "Other", "uuid": "12cc2922-c79a-47cd-9c00-a1c9edb9b3e8" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad/analysis/1554831477/", "category": "Payload delivery", "uuid": "1cb396f5-1a48-470f-acd5-72a4ee4a577d" }, { "type": "text", "object_relation": "detection-ratio", "value": "3/70", "category": "Payload delivery", "uuid": "9dececda-d7d7-428b-aeb1-294204d06505" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8403c5f0-33ff-475b-b1f1-aa1df43eff9d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:48.000Z", "modified": "2019-04-09T19:40:48.000Z", "pattern": "[file:hashes.MD5 = '294be9caf93116430f7a8007a202e9fd' AND file:hashes.SHA1 = '45f348b46a745c1f45e4eac0185d73cc4e65edc3' AND file:hashes.SHA256 = '134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-09T19:40:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--13e40b04-1b14-4396-9507-786fb8ee0191", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09 19:26:22", "category": "Other", "uuid": "6d627e0b-8860-4c24-b070-3147b81c8326" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4/analysis/1554837982/", "category": "Payload delivery", "uuid": "a47abd4b-72f6-4b58-89c9-210de35edc1c" }, { "type": "text", "object_relation": "detection-ratio", "value": "7/69", "category": "Payload delivery", "uuid": "39dce544-f7ac-41b8-82d1-512fb42eb17b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5cad948e-7a68-4202-ac52-46ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-10T07:00:30.000Z", "modified": "2019-04-10T07:00:30.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "@juanandres_gs\r\n and @silascutler\r\n released research into FLAME 2.0 Risen from the Ashes at #TheSAS2019 (link: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0) medium.com/chronicle-blog\u2026 #yara rules included in the technical report (link: https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf) storage.googleapis.com/chronicle-rese\u2026", "category": "Other", "uuid": "5cad948e-7698-48e9-b3e4-4e8a950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5cad948e-6674-469c-b14a-4206950d210f" }, { "type": "url", "object_relation": "url", "value": "https://mobile.twitter.com/markus_neis/status/1115478572116742144", "category": "Network activity", "to_ids": true, "uuid": "5cad948e-1124-4eda-a29c-4d75950d210f" }, { "type": "text", "object_relation": "username-quoted", "value": "@juanandres_gs", "category": "Other", "uuid": "5cad948e-ff3c-4461-bdc9-4e64950d210f" }, { "type": "text", "object_relation": "username-quoted", "value": "@silascutler", "category": "Other", "uuid": "5cad948e-7ee4-4ce8-9b4f-4c13950d210f" }, { "type": "url", "object_relation": "link", "value": "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", "category": "Network activity", "to_ids": true, "uuid": "5cad948e-52d0-4f79-8ea3-4674950d210f" }, { "type": "url", "object_relation": "link", "value": "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0", "category": "Network activity", "to_ids": true, "uuid": "5cad948e-5a4c-43c9-94df-4e0a950d210f" }, { "type": "url", "object_relation": "link", "value": "https://t.co/E2b4nT2Xcl?amp=1", "category": "Network activity", "to_ids": true, "uuid": "5cad948e-daa0-4671-bad1-46b3950d210f" }, { "type": "url", "object_relation": "link", "value": "https://t.co/TajWhD5Bhq?amp=1", "category": "Network activity", "to_ids": true, "uuid": "5cad948e-65c0-457c-85bc-4152950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "Apr 9, 2019 6:56 AM", "category": "Other", "uuid": "5cad948e-5738-46b0-8c2a-49fa950d210f" }, { "type": "text", "object_relation": "username", "value": "markus_neis", "category": "Other", "uuid": "5cad948e-326c-435c-be57-4450950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--de08f9f3-e448-4c56-a349-029fc6deb925", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--3ebf26f8-6710-4b32-a4a0-15d339e5350f", "target_ref": "x-misp-object--019aaeec-55dd-4ce1-b20a-d92710b6b041" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--827e1c8e-5a2b-4f9f-8229-6d1657bd555b", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--8697b11b-da93-4d4f-b701-a09aab24cb0d", "target_ref": "x-misp-object--e44af2bf-950a-474b-8042-113d217e5f63" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d02b47d1-e487-4a18-bc56-b12757e8ffc7", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--48fb1669-d25d-4800-a4bd-443720406f95", "target_ref": "x-misp-object--be651b15-0ff4-4119-9a0a-de4730dc814d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b4f7ad66-1514-48b4-b595-0d610fb95387", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--7cc0330c-8e97-4662-8588-c4d54f58407c", "target_ref": "x-misp-object--5cf63775-757f-43f1-94ea-a33377e12cd1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4e36db20-262d-4fe7-84c8-93338c4b6b21", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c301c4d8-3408-4e94-ac87-70c6b3f8d7a7", "target_ref": "x-misp-object--d0ff9ea2-f4ed-4174-b077-308b005ae017" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b7f839bb-60d4-4e45-b733-4f8f435fc1c1", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--8c4f64e3-e346-40b6-b06f-8575a9ce1a83", "target_ref": "x-misp-object--9a473378-5c49-4dc1-a58b-38b7ac011d49" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--51f0e314-8d8a-4a13-a991-90929ad86adc", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--287dff0c-5d73-4dca-badb-6de37ea6e766", "target_ref": "x-misp-object--6e6742a5-13ab-483f-a968-22170d66e6e2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9ee63211-8e30-42e5-be6b-d430900cac9a", "created": "2019-04-09T19:40:49.000Z", "modified": "2019-04-09T19:40:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--8403c5f0-33ff-475b-b1f1-aa1df43eff9d", "target_ref": "x-misp-object--13e40b04-1b14-4396-9507-786fb8ee0191" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }