{ "type": "bundle", "id": "bundle--5aec6eea-74a4-43f9-8910-498d950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T12:35:57.000Z", "modified": "2018-05-08T12:35:57.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5aec6eea-74a4-43f9-8910-498d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T12:35:57.000Z", "modified": "2018-05-08T12:35:57.000Z", "name": "OSINT - Lojack Becomes a Double-Agent", "published": "2018-05-08T12:36:18Z", "object_refs": [ "observed-data--5aec6ef5-5a7c-4347-831f-74f2950d210f", "url--5aec6ef5-5a7c-4347-831f-74f2950d210f", "x-misp-attribute--5af00b50-fc10-4c75-9377-4bbd950d210f", "indicator--5af00d25-a910-4e88-a867-426e950d210f", "indicator--5af00d93-a6b4-4b8f-9fb1-43ca950d210f", "indicator--5af00d94-ffd8-4907-918e-4383950d210f", "indicator--5af00d94-6300-43dd-ba35-4b40950d210f", "indicator--5af00d94-9d14-48f9-8270-47f7950d210f", "indicator--5af00d95-e6a8-4e88-96c9-419c950d210f", "indicator--5af00d95-7908-4212-8d24-4172950d210f", "indicator--5af00d96-edac-43fa-be4f-4e88950d210f", "indicator--5af00d96-5b48-4c5b-9e1d-4883950d210f", "indicator--5af01102-533c-4841-929e-47b9950d210f", "observed-data--5af01180-185c-49e1-9d78-4cb0950d210f", "file--5af01180-185c-49e1-9d78-4cb0950d210f", "observed-data--5af01180-6ba0-4139-922a-4e95950d210f", "file--5af01180-6ba0-4139-922a-4e95950d210f", "indicator--5af015d7-9b54-4085-9086-4b65950d210f", "observed-data--5af1995f-cdb4-416c-a13f-48fd950d210f", "url--5af1995f-cdb4-416c-a13f-48fd950d210f", "indicator--74089204-8a39-410d-b274-c63a7c6edd93", "x-misp-object--9c973c81-cfc7-45f9-895d-ce12cb73e25f", "indicator--c24f479b-83fb-41c6-8f0d-8ccf53b431c1", "x-misp-object--2f9fccfb-465f-406c-aeef-3e329a966f34", "indicator--dd0cab48-6f62-4bd6-b10a-18200635fb54", "x-misp-object--c01bde93-91b5-4cfe-82f2-35da847471b9", "indicator--5eda63ae-1893-42e5-846a-e9995000bde9", "x-misp-object--669adb50-5e7d-4c8d-8510-38a08aea3ba7", "indicator--41d7368a-bbcc-4b09-8db4-959a210b2e52", "x-misp-object--14781af2-cede-4e8a-b613-76a5eb9bd981", "indicator--e7b0d6ff-7062-460a-baaa-2f1387ae9eda", "x-misp-object--e8a84d77-4552-4789-9fff-c5b4d1f21c0b", "indicator--f8bd20cd-39f4-4edd-b539-348389f5df61", "x-misp-object--1015a558-4051-4d03-9a34-a0c9448ee953", "relationship--9f162ccf-2ef1-4a81-8933-0f7fa953711c", "relationship--798f00bc-a765-4c00-aadc-eee89833f8c6", "relationship--ed181e18-7abd-4ffb-8b30-2e8e95c9fe66", "relationship--87e081bb-cad1-4ea2-b9d1-fb44702de1ed", "relationship--9e10ae9e-c120-4c6d-bf40-5c189dceae13", "relationship--72061549-42f5-4397-a683-5fa8537dfb8b", "relationship--de604b76-20ee-45c0-830c-fc3c55288bfe" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aec6ef5-5a7c-4347-831f-74f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:16.000Z", "modified": "2018-05-08T06:57:16.000Z", "first_observed": "2018-05-08T06:57:16Z", "last_observed": "2018-05-08T06:57:16Z", "number_observed": 1, "object_refs": [ "url--5aec6ef5-5a7c-4347-831f-74f2950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aec6ef5-5a7c-4347-831f-74f2950d210f", "value": "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5af00b50-fc10-4c75-9377-4bbd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:17.000Z", "modified": "2018-05-08T06:57:17.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors. Lojack, formally known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. Lojack makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d25-a910-4e88-a867-426e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-07T08:24:05.000Z", "modified": "2018-05-07T08:24:05.000Z", "pattern": "[file:hashes.MD5 = 'cf45ec807321d12f8df35fa434591460']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-07T08:24:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d93-a6b4-4b8f-9fb1-43ca950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-07T08:25:55.000Z", "modified": "2018-05-07T08:25:55.000Z", "pattern": "[file:hashes.MD5 = 'f1df1a795eb784f7bfc3ba9a7e3b00ac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-07T08:25:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d94-ffd8-4907-918e-4383950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:17.000Z", "modified": "2018-05-08T06:57:17.000Z", "description": "Rogue C2 Servers", "pattern": "[domain-name:value = 'sysanalyticweb.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d94-6300-43dd-ba35-4b40950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-07T08:25:56.000Z", "modified": "2018-05-07T08:25:56.000Z", "pattern": "[file:hashes.MD5 = '6eaa1ff5f33df3169c209f98cc5012d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-07T08:25:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d94-9d14-48f9-8270-47f7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-07T08:25:56.000Z", "modified": "2018-05-07T08:25:56.000Z", "pattern": "[file:hashes.MD5 = 'f3c6e16f0dd2b0e55a7dad365c3877d4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-07T08:25:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d95-e6a8-4e88-96c9-419c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:18.000Z", "modified": "2018-05-08T06:57:18.000Z", "description": "Rogue C2 Servers", "pattern": "[domain-name:value = 'elaxo.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d95-7908-4212-8d24-4172950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:18.000Z", "modified": "2018-05-08T06:57:18.000Z", "description": "Rogue C2 Servers", "pattern": "[domain-name:value = 'ikmtrust.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d96-edac-43fa-be4f-4e88950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-07T08:25:58.000Z", "modified": "2018-05-07T08:25:58.000Z", "pattern": "[file:hashes.MD5 = 'f391556d9f89499fa8ee757cb3472710']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-07T08:25:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af00d96-5b48-4c5b-9e1d-4883950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:19.000Z", "modified": "2018-05-08T06:57:19.000Z", "description": "Rogue C2 Servers", "pattern": "[domain-name:value = 'lxwo.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af01102-533c-4841-929e-47b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:19.000Z", "modified": "2018-05-08T06:57:19.000Z", "pattern": "[domain-name:value = 'search.namequery.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5af01180-185c-49e1-9d78-4cb0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-07T08:42:40.000Z", "modified": "2018-05-07T08:42:40.000Z", "first_observed": "2018-05-07T08:42:40Z", "last_observed": "2018-05-07T08:42:40Z", "number_observed": 1, "object_refs": [ "file--5af01180-185c-49e1-9d78-4cb0950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5af01180-185c-49e1-9d78-4cb0950d210f", "hashes": { "MD5": "e78e3b0171b189074d2539c7baaa0719" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5af01180-6ba0-4139-922a-4e95950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-07T08:42:40.000Z", "modified": "2018-05-07T08:42:40.000Z", "first_observed": "2018-05-07T08:42:40Z", "last_observed": "2018-05-07T08:42:40Z", "number_observed": 1, "object_refs": [ "file--5af01180-6ba0-4139-922a-4e95950d210f" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5af01180-6ba0-4139-922a-4e95950d210f", "hashes": { "MD5": "ac1a85d3ca1b6265cad4ed41b696f9b7" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5af015d7-9b54-4085-9086-4b65950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:19.000Z", "modified": "2018-05-08T06:57:19.000Z", "pattern": "[rule ComputraceAgent\r\n{\r\n meta:\r\n description = \"Absolute Computrace Agent Executable\"\r\n thread_level = 3\r\n in_the_wild = true\r\n strings:\r\n $a = {D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04}\r\n $mz = {4d 5a}\r\n $b1 = {72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00}\r\n $b2 = {54 61 67 49 64 00}\r\n condition:\r\n ($mz at 0 ) and ($a or ($b1 and $b2))\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5af1995f-cdb4-416c-a13f-48fd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T12:34:39.000Z", "modified": "2018-05-08T12:34:39.000Z", "first_observed": "2018-05-08T12:34:39Z", "last_observed": "2018-05-08T12:34:39Z", "number_observed": 1, "object_refs": [ "url--5af1995f-cdb4-416c-a13f-48fd950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5af1995f-cdb4-416c-a13f-48fd950d210f", "value": "https://www.blackhat.com/docs/us-14/materials/us-14-Kamluk-Computrace-Backdoor-Revisited-WP.pdf" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--74089204-8a39-410d-b274-c63a7c6edd93", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:23.000Z", "modified": "2018-05-08T06:57:23.000Z", "pattern": "[file:hashes.MD5 = 'f391556d9f89499fa8ee757cb3472710' AND file:hashes.SHA1 = '2529f6eda28d54490119d2123d22da56783c704f' AND file:hashes.SHA256 = '060448ffd71fe2edbb5fe7c6298ad2b077e57fa6ed6d4250fbd799dd85488843']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9c973c81-cfc7-45f9-895d-ce12cb73e25f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:21.000Z", "modified": "2018-05-08T06:57:21.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-05-07T19:19:38", "category": "Other", "uuid": "5af14a51-af7c-4242-938c-4a6502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "37/66", "category": "Other", "uuid": "5af14a52-a9ac-44c6-a47c-45bd02de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/060448ffd71fe2edbb5fe7c6298ad2b077e57fa6ed6d4250fbd799dd85488843/analysis/1525720778/", "category": "External analysis", "uuid": "5af14a52-4f74-4dc9-bc66-476e02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c24f479b-83fb-41c6-8f0d-8ccf53b431c1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:25.000Z", "modified": "2018-05-08T06:57:25.000Z", "pattern": "[file:hashes.MD5 = '6eaa1ff5f33df3169c209f98cc5012d0' AND file:hashes.SHA1 = '10d571d66d3ab7b9ddf6a850cb9b8e38b07623c0' AND file:hashes.SHA256 = '27dd9de09e22efa2ef12e9e2f462fa9da83684bdb4ec900dd86439c5758107d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--2f9fccfb-465f-406c-aeef-3e329a966f34", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:23.000Z", "modified": "2018-05-08T06:57:23.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-05-07T19:19:25", "category": "Other", "uuid": "5af14a53-4c14-41f6-a7e4-40d402de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "39/66", "category": "Other", "uuid": "5af14a54-aea0-4d40-b51d-4b0a02de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/27dd9de09e22efa2ef12e9e2f462fa9da83684bdb4ec900dd86439c5758107d9/analysis/1525720765/", "category": "External analysis", "uuid": "5af14a54-2e64-444f-995b-477d02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dd0cab48-6f62-4bd6-b10a-18200635fb54", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:27.000Z", "modified": "2018-05-08T06:57:27.000Z", "pattern": "[file:hashes.MD5 = 'cf45ec807321d12f8df35fa434591460' AND file:hashes.SHA1 = 'ddaa06a4021baf980a08caea899f2904609410b9' AND file:hashes.SHA256 = '0860f29226069a732f988cb70ea6d51057d204d421bb709b8e759376b0c4d201']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c01bde93-91b5-4cfe-82f2-35da847471b9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:26.000Z", "modified": "2018-05-08T06:57:26.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-05-07T19:19:42", "category": "Other", "uuid": "5af14a56-0e3c-4e31-986e-412d02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "38/66", "category": "Other", "uuid": "5af14a56-5194-443a-9a91-40e202de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/0860f29226069a732f988cb70ea6d51057d204d421bb709b8e759376b0c4d201/analysis/1525720782/", "category": "External analysis", "uuid": "5af14a56-8afc-4bf6-ada7-45e802de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5eda63ae-1893-42e5-846a-e9995000bde9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:30.000Z", "modified": "2018-05-08T06:57:30.000Z", "pattern": "[file:hashes.MD5 = 'f1df1a795eb784f7bfc3ba9a7e3b00ac' AND file:hashes.SHA1 = '1470995de2278ae79646d524e7c311dad29aee17' AND file:hashes.SHA256 = 'e029ed8cfe34185c94b15c74f52d6fdf9bf9b635853c466b2589c1d9f3639200']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--669adb50-5e7d-4c8d-8510-38a08aea3ba7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:28.000Z", "modified": "2018-05-08T06:57:28.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-05-07T19:19:47", "category": "Other", "uuid": "5af14a58-552c-4cec-a7b2-4cb802de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "40/65", "category": "Other", "uuid": "5af14a59-2cc0-4f38-a25d-447602de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e029ed8cfe34185c94b15c74f52d6fdf9bf9b635853c466b2589c1d9f3639200/analysis/1525720787/", "category": "External analysis", "uuid": "5af14a59-8ae8-48a9-9ffa-4fcd02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--41d7368a-bbcc-4b09-8db4-959a210b2e52", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:32.000Z", "modified": "2018-05-08T06:57:32.000Z", "pattern": "[file:hashes.MD5 = 'e78e3b0171b189074d2539c7baaa0719' AND file:hashes.SHA1 = '5f45bf0f57aa1f7c9d676740989b58cbffaf0ceb' AND file:hashes.SHA256 = '998aa45b4cd6ca30610c3f7dc1603c2c1feb49b0e2d968d29f64f1658f4d40d5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--14781af2-cede-4e8a-b613-76a5eb9bd981", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:30.000Z", "modified": "2018-05-08T06:57:30.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-05-07T10:10:04", "category": "Other", "comment": "Clean samples", "uuid": "5af14a5b-431c-4912-8b73-4f4a02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "12/66", "category": "Other", "comment": "Clean samples", "uuid": "5af14a5b-1414-4b04-837f-467d02de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/998aa45b4cd6ca30610c3f7dc1603c2c1feb49b0e2d968d29f64f1658f4d40d5/analysis/1525687804/", "category": "External analysis", "comment": "Clean samples", "uuid": "5af14a5b-f6e8-4eee-8b26-407b02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e7b0d6ff-7062-460a-baaa-2f1387ae9eda", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:34.000Z", "modified": "2018-05-08T06:57:34.000Z", "pattern": "[file:hashes.MD5 = 'f3c6e16f0dd2b0e55a7dad365c3877d4' AND file:hashes.SHA1 = '397d97e278110a48bd2cb11bb5632b99a9100dbd' AND file:hashes.SHA256 = 'fa8de430fb491d898ee4e557977f036f2aae5f019c3b0552c9e0223da748fc27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e8a84d77-4552-4789-9fff-c5b4d1f21c0b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:33.000Z", "modified": "2018-05-08T06:57:33.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-05-07T19:19:32", "category": "Other", "uuid": "5af14a5d-f2e8-40ca-8c36-4c1f02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/66", "category": "Other", "uuid": "5af14a5d-144c-4b96-995e-4be302de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/fa8de430fb491d898ee4e557977f036f2aae5f019c3b0552c9e0223da748fc27/analysis/1525720772/", "category": "External analysis", "uuid": "5af14a5d-e504-4fec-a7e5-4ca802de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f8bd20cd-39f4-4edd-b539-348389f5df61", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:37.000Z", "modified": "2018-05-08T06:57:37.000Z", "pattern": "[file:hashes.MD5 = 'ac1a85d3ca1b6265cad4ed41b696f9b7' AND file:hashes.SHA1 = '8ff7b74efffadb3a102ed0ec614c918526d0ea6b' AND file:hashes.SHA256 = '32d8c36c829be1cdbed56201a0e663227fe74d479f1732a7974fb50fdf09c02e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-05-08T06:57:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--1015a558-4051-4d03-9a34-a0c9448ee953", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-05-08T06:57:35.000Z", "modified": "2018-05-08T06:57:35.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-05-07T01:42:42", "category": "Other", "comment": "Clean samples", "uuid": "5af14a60-7864-4f9e-9808-499c02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "8/65", "category": "Other", "comment": "Clean samples", "uuid": "5af14a60-6228-4a34-aaf8-48bc02de0b81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/32d8c36c829be1cdbed56201a0e663227fe74d479f1732a7974fb50fdf09c02e/analysis/1525657362/", "category": "External analysis", "comment": "Clean samples", "uuid": "5af14a60-3b6c-4561-aba5-47b102de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9f162ccf-2ef1-4a81-8933-0f7fa953711c", "created": "2018-05-08T06:57:37.000Z", "modified": "2018-05-08T06:57:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--74089204-8a39-410d-b274-c63a7c6edd93", "target_ref": "x-misp-object--9c973c81-cfc7-45f9-895d-ce12cb73e25f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--798f00bc-a765-4c00-aadc-eee89833f8c6", "created": "2018-05-08T06:57:37.000Z", "modified": "2018-05-08T06:57:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c24f479b-83fb-41c6-8f0d-8ccf53b431c1", "target_ref": "x-misp-object--2f9fccfb-465f-406c-aeef-3e329a966f34" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ed181e18-7abd-4ffb-8b30-2e8e95c9fe66", "created": "2018-05-08T06:57:37.000Z", "modified": "2018-05-08T06:57:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--dd0cab48-6f62-4bd6-b10a-18200635fb54", "target_ref": "x-misp-object--c01bde93-91b5-4cfe-82f2-35da847471b9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--87e081bb-cad1-4ea2-b9d1-fb44702de1ed", "created": "2018-05-08T06:57:37.000Z", "modified": "2018-05-08T06:57:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5eda63ae-1893-42e5-846a-e9995000bde9", "target_ref": "x-misp-object--669adb50-5e7d-4c8d-8510-38a08aea3ba7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9e10ae9e-c120-4c6d-bf40-5c189dceae13", "created": "2018-05-08T06:57:37.000Z", "modified": "2018-05-08T06:57:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--41d7368a-bbcc-4b09-8db4-959a210b2e52", "target_ref": "x-misp-object--14781af2-cede-4e8a-b613-76a5eb9bd981" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--72061549-42f5-4397-a683-5fa8537dfb8b", "created": "2018-05-08T06:57:38.000Z", "modified": "2018-05-08T06:57:38.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--e7b0d6ff-7062-460a-baaa-2f1387ae9eda", "target_ref": "x-misp-object--e8a84d77-4552-4789-9fff-c5b4d1f21c0b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--de604b76-20ee-45c0-830c-fc3c55288bfe", "created": "2018-05-08T06:57:38.000Z", "modified": "2018-05-08T06:57:38.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f8bd20cd-39f4-4edd-b539-348389f5df61", "target_ref": "x-misp-object--1015a558-4051-4d03-9a34-a0c9448ee953" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }