{ "type": "bundle", "id": "bundle--5d0c8dcc-eae0-4020-b1d0-5526950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:53:14.000Z", "modified": "2019-06-21T15:53:14.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5d0c8dcc-eae0-4020-b1d0-5526950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:53:14.000Z", "modified": "2019-06-21T15:53:14.000Z", "name": "OSINT - Hide \u00e2\u20ac\u02dcN Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP", "published": "2019-06-21T15:53:29Z", "object_refs": [ "x-misp-attribute--5d0c9804-7248-45ae-ab57-47fa950d210f", "observed-data--5d0c9e1b-623c-4552-9a6c-41e1950d210f", "url--5d0c9e1b-623c-4552-9a6c-41e1950d210f", "indicator--5d0cae62-69cc-495e-932c-478e950d210f", "indicator--5d0cae78-e888-4c47-b54e-42b5950d210f", "indicator--5d0caf46-8778-4c85-b528-41cf950d210f", "indicator--5d0cb1e1-86b0-4d8c-8c6b-4283950d210f", "indicator--5d0cb1fd-b8a8-44a1-bde0-4b6e950d210f", "indicator--5d0cb217-01d4-460f-bb99-20b8950d210f", "indicator--5d0cb4d6-883c-4e2b-89b6-4bc1950d210f", "indicator--5d0cb4e8-48d8-492e-88e4-48bf950d210f", "indicator--6f9865b9-4cb9-42cc-9351-1fb8fd4f3b2b", "x-misp-object--360b84b9-09a3-414f-a88d-558b8503d0eb", "indicator--c3d5088e-84f5-4ef5-b213-67beb35b4e23", "x-misp-object--46bcd5b2-85e1-4961-ad0c-add96cfc111c", "indicator--50675af8-63e6-45fc-8705-fe07a29bcf6a", "x-misp-object--5fc7be9f-fde9-45be-a619-1952b90e8506", "indicator--9803a8e8-e8b7-4708-9565-3f261694a5cb", "x-misp-object--20480301-47fb-4a64-81c9-8aa80a18dc89", "indicator--4e6b8d5b-af14-4a65-833d-5e41861d39a3", "x-misp-object--599d8b4a-50a0-4a83-a25a-dd8b2879fe32", "indicator--40227e50-2444-4a4a-80fe-fe4eeddd8a0c", "x-misp-object--4aaab1e9-b177-41dc-b0a3-891174e327a5", "relationship--827ffad8-99f9-46ee-a041-bafa73baf570", "relationship--daee9148-fdc6-4e90-9bbe-11625c525586", "relationship--deb7ec17-f982-4462-8ac0-f1591da9c416", "relationship--2ae389eb-b3a1-4d7e-a4b0-d03037b32970", "relationship--d65fefc5-41b3-481e-8e8b-08bfb4ade268", "relationship--e8ed234a-b566-4ddd-bf42-7caa03c7c557" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:botnet=\"Hide and Seek\"", "misp-galaxy:malpedia=\"Hide and Seek\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "\tmalware_classification:malware-category=\"Botnet\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5d0c9804-7248-45ae-ab57-47fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T08:40:36.000Z", "modified": "2019-06-21T08:40:36.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The Hide \u00e2\u20ac\u02dcN Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots.\r\n\r\nSince its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).\r\n\r\nThis post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits \u00e2\u20ac\u201c CVE-2018-20062 which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.\r\n\r\nWhile the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of the CVE-2019-7238 vulnerability being exploited in the wild has been by the DDG botnet. Our research, outlined below, shows that the Hide \u00e2\u20ac\u02dcN Seek botnet incorporated this exploit back in February 2019, even before the DDG botnet." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d0c9e1b-623c-4552-9a6c-41e1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T09:06:35.000Z", "modified": "2019-06-21T09:06:35.000Z", "first_observed": "2019-06-21T09:06:35Z", "last_observed": "2019-06-21T09:06:35Z", "number_observed": 1, "object_refs": [ "url--5d0c9e1b-623c-4552-9a6c-41e1950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5d0c9e1b-623c-4552-9a6c-41e1950d210f", "value": "https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d0cae62-69cc-495e-932c-478e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T10:16:02.000Z", "modified": "2019-06-21T10:16:02.000Z", "pattern": "[file:hashes.SHA256 = '49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T10:16:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d0cae78-e888-4c47-b54e-42b5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T10:16:24.000Z", "modified": "2019-06-21T10:16:24.000Z", "pattern": "[file:hashes.SHA256 = 'd068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T10:16:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d0caf46-8778-4c85-b528-41cf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T10:19:50.000Z", "modified": "2019-06-21T10:19:50.000Z", "pattern": "[file:hashes.SHA256 = '1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T10:19:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d0cb1e1-86b0-4d8c-8c6b-4283950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T10:30:57.000Z", "modified": "2019-06-21T10:30:57.000Z", "pattern": "[file:hashes.SHA256 = 'c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T10:30:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d0cb1fd-b8a8-44a1-bde0-4b6e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T10:31:25.000Z", "modified": "2019-06-21T10:31:25.000Z", "pattern": "[file:hashes.SHA256 = '0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T10:31:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d0cb217-01d4-460f-bb99-20b8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T10:31:51.000Z", "modified": "2019-06-21T10:31:51.000Z", "pattern": "[file:hashes.SHA256 = '73df4e952c581afc427fa18fa2d0bcfa409c1814cd872a3ccf05d44f934ce780']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T10:31:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d0cb4d6-883c-4e2b-89b6-4bc1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T10:43:34.000Z", "modified": "2019-06-21T10:43:34.000Z", "pattern": "[file:hashes.SHA256 = '500dd4c1a5c24495c3bb8173ce5c7b15ba3344aef855090b9b9585b2bfeea974']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T10:43:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d0cb4e8-48d8-492e-88e4-48bf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T10:43:52.000Z", "modified": "2019-06-21T10:43:52.000Z", "pattern": "[file:hashes.SHA256 = '7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T10:43:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6f9865b9-4cb9-42cc-9351-1fb8fd4f3b2b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:47.000Z", "modified": "2019-06-21T15:52:47.000Z", "pattern": "[file:hashes.MD5 = 'cc4662e589e8fa58d26f1a8d1c0da21f' AND file:hashes.SHA1 = '15c5554d24169096e756beee8c15e96c6708f06c' AND file:hashes.SHA256 = '1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T15:52:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--360b84b9-09a3-414f-a88d-558b8503d0eb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:48.000Z", "modified": "2019-06-21T15:52:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-13T22:39:35", "category": "Other", "uuid": "56d8e60e-215c-4291-8f44-dfeb61084447" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382/analysis/1560465575/", "category": "Payload delivery", "uuid": "c1da88a6-b89a-436f-90a0-dac5f2040c94" }, { "type": "text", "object_relation": "detection-ratio", "value": "34/57", "category": "Payload delivery", "uuid": "fa401d1d-e971-4d5b-96d4-5f9a142d1c6f" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c3d5088e-84f5-4ef5-b213-67beb35b4e23", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:48.000Z", "modified": "2019-06-21T15:52:48.000Z", "pattern": "[file:hashes.MD5 = '01a9c99b6c8b812b61ddda76ee5c1899' AND file:hashes.SHA1 = 'e919ad0e40298f1f79d67c2e8ccdbb0acdde5a2b' AND file:hashes.SHA256 = '7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T15:52:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--46bcd5b2-85e1-4961-ad0c-add96cfc111c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:48.000Z", "modified": "2019-06-21T15:52:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-18T19:16:22", "category": "Other", "uuid": "a9cd7679-ab30-44f0-a181-a34756f08f3f" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7/analysis/1560885382/", "category": "Payload delivery", "uuid": "052fb771-186d-402c-8be5-02ea4657c5ae" }, { "type": "text", "object_relation": "detection-ratio", "value": "31/55", "category": "Payload delivery", "uuid": "22f740bd-ce13-43d6-b566-5d09c5cfd814" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--50675af8-63e6-45fc-8705-fe07a29bcf6a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:48.000Z", "modified": "2019-06-21T15:52:48.000Z", "pattern": "[file:hashes.MD5 = '6de70812923df430cff73fcf66830e6d' AND file:hashes.SHA1 = '13cc834fbf30e32146ae1be4a6bbba5b7be41ae3' AND file:hashes.SHA256 = '49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T15:52:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5fc7be9f-fde9-45be-a619-1952b90e8506", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:48.000Z", "modified": "2019-06-21T15:52:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-13T22:39:35", "category": "Other", "uuid": "3c70bbea-cf02-4b93-8295-b3b4a116c77c" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f/analysis/1560465575/", "category": "Payload delivery", "uuid": "a330507d-9192-4e56-ad08-eeb3401a64ab" }, { "type": "text", "object_relation": "detection-ratio", "value": "29/58", "category": "Payload delivery", "uuid": "0ef769b9-de75-41b6-86d4-e97d6edef792" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9803a8e8-e8b7-4708-9565-3f261694a5cb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:48.000Z", "modified": "2019-06-21T15:52:48.000Z", "pattern": "[file:hashes.MD5 = 'f54c7e19bc1db3b3897b6fe81a403db0' AND file:hashes.SHA1 = '20ee3e5634a7a826a68ec858474f65cd58190870' AND file:hashes.SHA256 = '0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T15:52:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--20480301-47fb-4a64-81c9-8aa80a18dc89", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-14T16:31:05", "category": "Other", "uuid": "ad41b356-c3b3-4dcd-855e-7bd45c6d2891" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369/analysis/1560529865/", "category": "Payload delivery", "uuid": "4f643b42-1af6-49d6-b5e8-43f72941844a" }, { "type": "text", "object_relation": "detection-ratio", "value": "24/50", "category": "Payload delivery", "uuid": "baa30bab-f182-4eb5-bba6-db9551c005d1" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4e6b8d5b-af14-4a65-833d-5e41861d39a3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "pattern": "[file:hashes.MD5 = '7c48b82ee08fbf7b4f4190b0973dfd5c' AND file:hashes.SHA1 = '1b278755efb2fefde2c32be6d0aa329ae35a9fc6' AND file:hashes.SHA256 = 'd068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T15:52:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--599d8b4a-50a0-4a83-a25a-dd8b2879fe32", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-13T22:39:39", "category": "Other", "uuid": "e850ba03-ed6c-474a-ae87-db0f0c31551d" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1/analysis/1560465579/", "category": "Payload delivery", "uuid": "4ed5c275-ec23-49f5-accf-23d17dfd73b8" }, { "type": "text", "object_relation": "detection-ratio", "value": "31/55", "category": "Payload delivery", "uuid": "6aeb3a94-650e-4c76-99da-75e53081eaba" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--40227e50-2444-4a4a-80fe-fe4eeddd8a0c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "pattern": "[file:hashes.MD5 = '784ab23904c34c2033b8ab3fbb18645d' AND file:hashes.SHA1 = '75374fe86e63b1c60b02be4ebe3770a58a4423e1' AND file:hashes.SHA256 = 'c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-21T15:52:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4aaab1e9-b177-41dc-b0a3-891174e327a5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-21T08:57:11", "category": "Other", "uuid": "67e1c498-a970-46de-8907-61e496935893" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d/analysis/1561107431/", "category": "Payload delivery", "uuid": "e57632b1-769b-4c66-bd28-0c73fdb20fa5" }, { "type": "text", "object_relation": "detection-ratio", "value": "31/57", "category": "Payload delivery", "uuid": "528491e6-7f21-401a-9749-cb93d8c6fa29" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--827ffad8-99f9-46ee-a041-bafa73baf570", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--6f9865b9-4cb9-42cc-9351-1fb8fd4f3b2b", "target_ref": "x-misp-object--360b84b9-09a3-414f-a88d-558b8503d0eb" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--daee9148-fdc6-4e90-9bbe-11625c525586", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c3d5088e-84f5-4ef5-b213-67beb35b4e23", "target_ref": "x-misp-object--46bcd5b2-85e1-4961-ad0c-add96cfc111c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--deb7ec17-f982-4462-8ac0-f1591da9c416", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--50675af8-63e6-45fc-8705-fe07a29bcf6a", "target_ref": "x-misp-object--5fc7be9f-fde9-45be-a619-1952b90e8506" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2ae389eb-b3a1-4d7e-a4b0-d03037b32970", "created": "2019-06-21T15:52:49.000Z", "modified": "2019-06-21T15:52:49.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9803a8e8-e8b7-4708-9565-3f261694a5cb", "target_ref": "x-misp-object--20480301-47fb-4a64-81c9-8aa80a18dc89" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d65fefc5-41b3-481e-8e8b-08bfb4ade268", "created": "2019-06-21T15:52:50.000Z", "modified": "2019-06-21T15:52:50.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--4e6b8d5b-af14-4a65-833d-5e41861d39a3", "target_ref": "x-misp-object--599d8b4a-50a0-4a83-a25a-dd8b2879fe32" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e8ed234a-b566-4ddd-bf42-7caa03c7c557", "created": "2019-06-21T15:52:50.000Z", "modified": "2019-06-21T15:52:50.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--40227e50-2444-4a4a-80fe-fe4eeddd8a0c", "target_ref": "x-misp-object--4aaab1e9-b177-41dc-b0a3-891174e327a5" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }