{ "type": "bundle", "id": "bundle--571a87f2-13e0-4396-83e5-4780950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:49.000Z", "modified": "2016-04-22T20:25:49.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--571a87f2-13e0-4396-83e5-4780950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:49.000Z", "modified": "2016-04-22T20:25:49.000Z", "name": "OSINT - New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists", "published": "2016-04-22T20:26:23Z", "object_refs": [ "observed-data--571a8816-0ed8-4575-a709-4c0a950d210f", "url--571a8816-0ed8-4575-a709-4c0a950d210f", "x-misp-attribute--571a8824-8a5c-44b9-9f31-4530950d210f", "vulnerability--571a883e-bcdc-4fee-9ea8-4c53950d210f", "indicator--571a8856-6624-497d-a423-4aa2950d210f", "indicator--571a8857-814c-4806-973b-4cad950d210f", "indicator--571a8857-2c0c-4800-b4db-4a24950d210f", "indicator--571a886d-05c8-4a7a-aa10-4157950d210f", "indicator--571a886e-0314-4f2b-aca3-4845950d210f", "indicator--571a887c-6cb8-4016-9961-48e2950d210f", "indicator--571a887d-f61c-48c1-becf-47f8950d210f", "observed-data--571a88af-94b4-434b-b71a-4d46950d210f", "file--571a88af-94b4-434b-b71a-4d46950d210f", "observed-data--571a88af-3544-4294-928e-40c3950d210f", "file--571a88af-3544-4294-928e-40c3950d210f", "observed-data--571a88b0-719c-412f-9467-4cb0950d210f", "file--571a88b0-719c-412f-9467-4cb0950d210f", "observed-data--571a88b0-fc5c-4f6c-a9a9-490a950d210f", "file--571a88b0-fc5c-4f6c-a9a9-490a950d210f", "observed-data--571a88cd-6d50-45e8-8ce0-4af802de0b81", "file--571a88cd-6d50-45e8-8ce0-4af802de0b81", "observed-data--571a88cd-d5e8-47cd-babc-464402de0b81", "file--571a88cd-d5e8-47cd-babc-464402de0b81", "observed-data--571a88ce-cec0-41e5-8deb-458d02de0b81", "url--571a88ce-cec0-41e5-8deb-458d02de0b81", "observed-data--571a88ce-d5fc-4cb3-84d2-446b02de0b81", "file--571a88ce-d5fc-4cb3-84d2-446b02de0b81", "observed-data--571a88ce-3634-407f-b0f9-432302de0b81", "file--571a88ce-3634-407f-b0f9-432302de0b81", "observed-data--571a88ce-274c-4e90-a2e7-490602de0b81", "url--571a88ce-274c-4e90-a2e7-490602de0b81", "indicator--571a88cf-6db4-4145-9579-47ba02de0b81", "indicator--571a88cf-9f4c-4a9b-bb6d-4c1202de0b81", "observed-data--571a88cf-2694-462c-a1fd-497802de0b81", "url--571a88cf-2694-462c-a1fd-497802de0b81", "indicator--571a88d0-28b4-486e-a523-421502de0b81", "indicator--571a88d0-71cc-4ed6-90e6-4dc802de0b81", "observed-data--571a88d1-5970-43ee-a4fd-4a2e02de0b81", "url--571a88d1-5970-43ee-a4fd-4a2e02de0b81", "indicator--571a88d1-0264-4cec-a6ae-465a02de0b81", "indicator--571a88d1-9650-43b7-976c-4cd502de0b81", "observed-data--571a88d2-28a0-4dda-93fb-449802de0b81", "url--571a88d2-28a0-4dda-93fb-449802de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a8816-0ed8-4575-a709-4c0a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:22:46.000Z", "modified": "2016-04-22T20:22:46.000Z", "first_observed": "2016-04-22T20:22:46Z", "last_observed": "2016-04-22T20:22:46Z", "number_observed": 1, "object_refs": [ "url--571a8816-0ed8-4575-a709-4c0a950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a8816-0ed8-4575-a709-4c0a950d210f", "value": "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--571a8824-8a5c-44b9-9f31-4530950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:23:00.000Z", "modified": "2016-04-22T20:23:00.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Malware writers have always sought to develop feature-rich, easy to use tools that are also somewhat hard to detect via both host- and network-based detection systems. For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy (aka PIVY) RAT. Poison Ivy has a convenient graphical user interface (GUI) for managing compromised hosts and provides easy access to a rich suite of post-compromise tools. It is no surprise it\u00e2\u20ac\u2122s now being used against pro-democracy organizations and supporters in Hong Kong that have long been a target of advanced attack campaigns." }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--571a883e-bcdc-4fee-9ea8-4c53950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:23:26.000Z", "modified": "2016-04-22T20:23:26.000Z", "name": "CVE-2015-2545", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2015-2545" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a8856-6624-497d-a423-4aa2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:23:50.000Z", "modified": "2016-04-22T20:23:50.000Z", "description": "Weaponized EPS Docs", "pattern": "[file:hashes.SHA256 = '13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:23:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a8857-814c-4806-973b-4cad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:23:51.000Z", "modified": "2016-04-22T20:23:51.000Z", "description": "Weaponized EPS Docs", "pattern": "[file:hashes.SHA256 = '4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:23:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a8857-2c0c-4800-b4db-4a24950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:23:51.000Z", "modified": "2016-04-22T20:23:51.000Z", "description": "Weaponized EPS Docs", "pattern": "[file:hashes.SHA256 = '9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:23:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a886d-05c8-4a7a-aa10-4157950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:24:13.000Z", "modified": "2016-04-22T20:24:13.000Z", "description": "Poison Ivy shellcode files", "pattern": "[file:hashes.SHA256 = 'c707716afde80a41ce6eb7d6d93da2ea5ce00aa9e36944c20657d062330e13d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:24:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a886e-0314-4f2b-aca3-4845950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:24:14.000Z", "modified": "2016-04-22T20:24:14.000Z", "description": "Poison Ivy shellcode files", "pattern": "[file:hashes.SHA256 = '0414bd2186d9748d129f66ff16e2c15df41bf173dc8e3c9cbd450571c99b3403']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:24:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a887c-6cb8-4016-9961-48e2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:24:28.000Z", "modified": "2016-04-22T20:24:28.000Z", "description": "C2 Domains", "pattern": "[domain-name:value = 'sent.leeh0m.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:24:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a887d-f61c-48c1-becf-47f8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:24:29.000Z", "modified": "2016-04-22T20:24:29.000Z", "description": "C2 Domains", "pattern": "[domain-name:value = 'found.leeh0m.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:24:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88af-94b4-434b-b71a-4d46950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:19.000Z", "modified": "2016-04-22T20:25:19.000Z", "first_observed": "2016-04-22T20:25:19Z", "last_observed": "2016-04-22T20:25:19Z", "number_observed": 1, "object_refs": [ "file--571a88af-94b4-434b-b71a-4d46950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--571a88af-94b4-434b-b71a-4d46950d210f", "name": "RasTls.exe" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88af-3544-4294-928e-40c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:19.000Z", "modified": "2016-04-22T20:25:19.000Z", "first_observed": "2016-04-22T20:25:19Z", "last_observed": "2016-04-22T20:25:19Z", "number_observed": 1, "object_refs": [ "file--571a88af-3544-4294-928e-40c3950d210f" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--571a88af-3544-4294-928e-40c3950d210f", "hashes": { "SHA-256": "0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88b0-719c-412f-9467-4cb0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:20.000Z", "modified": "2016-04-22T20:25:20.000Z", "first_observed": "2016-04-22T20:25:20Z", "last_observed": "2016-04-22T20:25:20Z", "number_observed": 1, "object_refs": [ "file--571a88b0-719c-412f-9467-4cb0950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--571a88b0-719c-412f-9467-4cb0950d210f", "name": "ssMUIDLL.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88b0-fc5c-4f6c-a9a9-490a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:20.000Z", "modified": "2016-04-22T20:25:20.000Z", "first_observed": "2016-04-22T20:25:20Z", "last_observed": "2016-04-22T20:25:20Z", "number_observed": 1, "object_refs": [ "file--571a88b0-fc5c-4f6c-a9a9-490a950d210f" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--571a88b0-fc5c-4f6c-a9a9-490a950d210f", "hashes": { "SHA-256": "7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88cd-6d50-45e8-8ce0-4af802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:49.000Z", "modified": "2016-04-22T20:25:49.000Z", "first_observed": "2016-04-22T20:25:49Z", "last_observed": "2016-04-22T20:25:49Z", "number_observed": 1, "object_refs": [ "file--571a88cd-6d50-45e8-8ce0-4af802de0b81" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--571a88cd-6d50-45e8-8ce0-4af802de0b81", "hashes": { "SHA-1": "e9ccf4e139bbbd114b67cc3cee260d1cb638c9d0" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88cd-d5e8-47cd-babc-464402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:49.000Z", "modified": "2016-04-22T20:25:49.000Z", "first_observed": "2016-04-22T20:25:49Z", "last_observed": "2016-04-22T20:25:49Z", "number_observed": 1, "object_refs": [ "file--571a88cd-d5e8-47cd-babc-464402de0b81" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--571a88cd-d5e8-47cd-babc-464402de0b81", "hashes": { "MD5": "2fecb7d30ac753db36973a72048b4173" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88ce-cec0-41e5-8deb-458d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:49.000Z", "modified": "2016-04-22T20:25:49.000Z", "first_observed": "2016-04-22T20:25:49Z", "last_observed": "2016-04-22T20:25:49Z", "number_observed": 1, "object_refs": [ "url--571a88ce-cec0-41e5-8deb-458d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a88ce-cec0-41e5-8deb-458d02de0b81", "value": "https://www.virustotal.com/file/7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4/analysis/1459770131/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88ce-d5fc-4cb3-84d2-446b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:50.000Z", "modified": "2016-04-22T20:25:50.000Z", "first_observed": "2016-04-22T20:25:50Z", "last_observed": "2016-04-22T20:25:50Z", "number_observed": 1, "object_refs": [ "file--571a88ce-d5fc-4cb3-84d2-446b02de0b81" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--571a88ce-d5fc-4cb3-84d2-446b02de0b81", "hashes": { "SHA-1": "11d8bbd1a76e2e9ad43539480fed29bb07ef0a4d" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88ce-3634-407f-b0f9-432302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:50.000Z", "modified": "2016-04-22T20:25:50.000Z", "first_observed": "2016-04-22T20:25:50Z", "last_observed": "2016-04-22T20:25:50Z", "number_observed": 1, "object_refs": [ "file--571a88ce-3634-407f-b0f9-432302de0b81" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--571a88ce-3634-407f-b0f9-432302de0b81", "hashes": { "MD5": "8ddc664747b4c424c4ed576362134f3c" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88ce-274c-4e90-a2e7-490602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:50.000Z", "modified": "2016-04-22T20:25:50.000Z", "first_observed": "2016-04-22T20:25:50Z", "last_observed": "2016-04-22T20:25:50Z", "number_observed": 1, "object_refs": [ "url--571a88ce-274c-4e90-a2e7-490602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a88ce-274c-4e90-a2e7-490602de0b81", "value": "https://www.virustotal.com/file/0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead/analysis/1461310950/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a88cf-6db4-4145-9579-47ba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:51.000Z", "modified": "2016-04-22T20:25:51.000Z", "description": "Weaponized EPS Docs - Xchecked via VT: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e", "pattern": "[file:hashes.SHA1 = '0e06e99c8f1c8882fd1f35793c50213f1905494f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:25:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a88cf-9f4c-4a9b-bb6d-4c1202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:51.000Z", "modified": "2016-04-22T20:25:51.000Z", "description": "Weaponized EPS Docs - Xchecked via VT: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e", "pattern": "[file:hashes.MD5 = '50064d33625970a8145add7e3e242fe3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:25:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88cf-2694-462c-a1fd-497802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:51.000Z", "modified": "2016-04-22T20:25:51.000Z", "first_observed": "2016-04-22T20:25:51Z", "last_observed": "2016-04-22T20:25:51Z", "number_observed": 1, "object_refs": [ "url--571a88cf-2694-462c-a1fd-497802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a88cf-2694-462c-a1fd-497802de0b81", "value": "https://www.virustotal.com/file/9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e/analysis/1461331258/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a88d0-28b4-486e-a523-421502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:52.000Z", "modified": "2016-04-22T20:25:52.000Z", "description": "Weaponized EPS Docs - Xchecked via VT: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2", "pattern": "[file:hashes.SHA1 = 'c3ed7bd750192bd43e7fb30d515a109850fb6342']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:25:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a88d0-71cc-4ed6-90e6-4dc802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:52.000Z", "modified": "2016-04-22T20:25:52.000Z", "description": "Weaponized EPS Docs - Xchecked via VT: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2", "pattern": "[file:hashes.MD5 = 'e1b4a5a565fdfcec52346d3b6063c587']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:25:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88d1-5970-43ee-a4fd-4a2e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:53.000Z", "modified": "2016-04-22T20:25:53.000Z", "first_observed": "2016-04-22T20:25:53Z", "last_observed": "2016-04-22T20:25:53Z", "number_observed": 1, "object_refs": [ "url--571a88d1-5970-43ee-a4fd-4a2e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a88d1-5970-43ee-a4fd-4a2e02de0b81", "value": "https://www.virustotal.com/file/4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2/analysis/1461331255/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a88d1-0264-4cec-a6ae-465a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:53.000Z", "modified": "2016-04-22T20:25:53.000Z", "description": "Weaponized EPS Docs - Xchecked via VT: 13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0", "pattern": "[file:hashes.SHA1 = '12627ba5fea1f00d6ac0704d053c519db93f9122']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:25:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571a88d1-9650-43b7-976c-4cd502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:53.000Z", "modified": "2016-04-22T20:25:53.000Z", "description": "Weaponized EPS Docs - Xchecked via VT: 13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0", "pattern": "[file:hashes.MD5 = '3fe0cbedec6969803a72b8c76a4a0a03']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-22T20:25:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571a88d2-28a0-4dda-93fb-449802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-22T20:25:54.000Z", "modified": "2016-04-22T20:25:54.000Z", "first_observed": "2016-04-22T20:25:54Z", "last_observed": "2016-04-22T20:25:54Z", "number_observed": 1, "object_refs": [ "url--571a88d2-28a0-4dda-93fb-449802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571a88d2-28a0-4dda-93fb-449802de0b81", "value": "https://www.virustotal.com/file/13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0/analysis/1461331255/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }