{ "type": "bundle", "id": "bundle--5b3b7b6f-6234-45ea-be4f-ab8202de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T14:00:12.000Z", "modified": "2018-07-03T14:00:12.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b3b7b6f-6234-45ea-be4f-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T14:00:12.000Z", "modified": "2018-07-03T14:00:12.000Z", "name": "OSINT - Down but Not Out: A Look Into Recent Exploit Kit Activities", "published": "2018-07-03T14:03:14Z", "object_refs": [ "observed-data--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81", "url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81", "x-misp-attribute--5b3b7ba2-e47c-404d-928f-415002de0b81", "indicator--5b3b7e1c-756c-4e5a-aa63-46d002de0b81", "indicator--5b3b7e1c-a6c0-44b4-b4e7-415f02de0b81", "indicator--5b3b7e1d-bbec-4f67-aef5-40d702de0b81", "indicator--5b3b7e37-a474-4145-94c3-4b1402de0b81", "indicator--5b3b7e78-3d10-4fee-842a-ae7e02de0b81", "indicator--5b3b7e78-63a8-46d0-b8df-ae7e02de0b81", "indicator--5b3b7e79-0498-40d8-b851-ae7e02de0b81", "indicator--5b3b7f41-9ca8-45cb-b4f8-ab8202de0b81", "indicator--5b3b7f41-b204-4a20-a7e2-ab8202de0b81", "indicator--5b3b7f41-cd24-4412-969c-ab8202de0b81", "indicator--5b3b7f42-acc0-4282-98f3-ab8202de0b81", "indicator--5b3b7f42-db68-451e-8a47-ab8202de0b81", "indicator--5b3b7f43-c578-46ca-acbb-ab8202de0b81", "indicator--5b3b7f43-ab28-4653-b8ea-ab8202de0b81", "indicator--5b3b7f44-3a94-4042-ab95-ab8202de0b81", "indicator--5b3b7f44-7518-4f82-a1fb-ab8202de0b81", "indicator--5b3b7f45-c1d8-47e7-b326-ab8202de0b81", "indicator--5b3b8010-54e0-4e3c-85bb-ae8f02de0b81", "indicator--5b3b8010-0738-42da-8b4e-ae8f02de0b81", "indicator--5b3b8011-1f14-4735-9bc2-ae8f02de0b81", "indicator--5b3b8078-ec74-4cff-bfa6-4b9d02de0b81", "indicator--5b3b8078-ad54-4d3b-9cd0-424d02de0b81", "indicator--5b3b8079-b7f4-4277-858a-432902de0b81", "indicator--5b3b8079-8bb0-447f-ae3d-4d3d02de0b81", "x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7", "x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c", "x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3", "x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613", "x-misp-object--25e765d8-e066-4981-a075-0912806c404c", "x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a", "x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59", "x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396", "relationship--0d3797c1-336d-4f90-bd77-72af5174e18e", "relationship--fc47cb35-af10-4576-b0ed-1eb3c9b29210", "relationship--6b1941e2-0323-4f93-a626-7c7392398c58", "relationship--0f0953c4-9d27-47d7-b2ca-2d94217daf7e" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:exploit-kit=\"RIG\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:34:56.000Z", "modified": "2018-07-03T13:34:56.000Z", "first_observed": "2018-07-03T13:34:56Z", "last_observed": "2018-07-03T13:34:56Z", "number_observed": 1, "object_refs": [ "url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81", "value": "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-recent-exploit-kit-activities/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b3b7ba2-e47c-404d-928f-415002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:35:30.000Z", "modified": "2018-07-03T13:35:30.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Exploit kits may be down, but they\u00e2\u20ac\u2122re not out. While they\u00e2\u20ac\u2122re still using the same techniques that involve malvertisements or embedding links in spam and malicious or compromised websites, their latest activities are making them significant factors in the threat landscape again. This is the case with Rig and GrandSoft, as well as the private exploit kit Magnitude \u00e2\u20ac\u201d exploit kits we found roping in relatively recent vulnerabilities to deliver cryptocurrency-mining malware, ransomware, botnet loaders, and banking trojans.\r\n\r\nBased on the exploit kits\u00e2\u20ac\u2122 latest activities, it appears they and their users are shifting tactics by joining the bandwagon, like capitalizing on cryptocurrency\u00e2\u20ac\u2122s popularity or using off-the-rack malware. We expect this to be the status quo this year, given the profitability of using cryptocurrency miners and the convenience of using ready-made malware. We also foresee more exploits that work on other software, such as CVE-2018-8174, which can be exploited via Microsoft Word and Internet Explorer." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7e1c-756c-4e5a-aa63-46d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:46:04.000Z", "modified": "2018-07-03T13:46:04.000Z", "description": "Malicious domains and IP addresses related to GrandSoft exploit kit", "pattern": "[domain-name:value = 'ethical-buyback.lesbianssahgbrewingqzw.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:46:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7e1c-a6c0-44b4-b4e7-415f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:46:04.000Z", "modified": "2018-07-03T13:46:04.000Z", "description": "Malicious domains and IP addresses related to GrandSoft exploit kit", "pattern": "[url:value = 'ethical-buyback.lesbianssahgbrewingqzw.xyz/masking_celebration-skies']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:46:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7e1d-bbec-4f67-aef5-40d702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:46:05.000Z", "modified": "2018-07-03T13:46:05.000Z", "description": "Malicious domains and IP addresses related to GrandSoft exploit kit", "pattern": "[url:value = 'papconnecting.net/wp-content/traffic.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:46:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7e37-a474-4145-94c3-4b1402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:46:31.000Z", "modified": "2018-07-03T13:46:31.000Z", "description": "GandCrab C&C", "pattern": "[domain-name:value = 'carder.bit']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:46:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7e78-3d10-4fee-842a-ae7e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:47:36.000Z", "modified": "2018-07-03T13:47:36.000Z", "pattern": "[url:value = '91.210.104.247/debug.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:47:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7e78-63a8-46d0-b8df-ae7e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:47:36.000Z", "modified": "2018-07-03T13:47:36.000Z", "description": "GandCrab Ransomware", "pattern": "[url:value = '91.210.104.247/putty.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:47:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7e79-0498-40d8-b851-ae7e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:47:37.000Z", "modified": "2018-07-03T13:47:37.000Z", "description": "(BlackTDS IP)", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.74.240.219']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:47:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f41-9ca8-45cb-b4f8-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:50:57.000Z", "modified": "2018-07-03T13:50:57.000Z", "description": "Magniber Payment Server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.37.57.152']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:50:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f41-b204-4a20-a7e2-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:50:57.000Z", "modified": "2018-07-03T13:50:57.000Z", "description": "Magniber Payment Server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.188.10.44']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:50:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f41-cd24-4412-969c-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:50:57.000Z", "modified": "2018-07-03T13:50:57.000Z", "description": "Magniber Payment Server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.60.161.51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:50:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f42-acc0-4282-98f3-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:50:58.000Z", "modified": "2018-07-03T13:50:58.000Z", "description": "Magnigate Step 1", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.56.159.203']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:50:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f42-db68-451e-8a47-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:50:58.000Z", "modified": "2018-07-03T13:50:58.000Z", "description": "Magnitude EK", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.114.191.124']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:50:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f43-c578-46ca-acbb-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:50:59.000Z", "modified": "2018-07-03T13:50:59.000Z", "description": "Magnigate Step 2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.114.33.110']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:50:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f43-ab28-4653-b8ea-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:50:59.000Z", "modified": "2018-07-03T13:50:59.000Z", "description": "Magniber Payment Server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.244.150.110']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:50:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f44-3a94-4042-ab95-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:51:00.000Z", "modified": "2018-07-03T13:51:00.000Z", "description": "Magnigate Step 2", "pattern": "[domain-name:value = 'fedpart.website']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:51:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f44-7518-4f82-a1fb-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:51:00.000Z", "modified": "2018-07-03T13:51:00.000Z", "description": "Magnitude landing page", "pattern": "[domain-name:value = 'addrole.space']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:51:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b7f45-c1d8-47e7-b326-ab8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:51:01.000Z", "modified": "2018-07-03T13:51:01.000Z", "description": "Magnigate Step 1b", "pattern": "[domain-name:value = 'taxhuge.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:51:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b8010-54e0-4e3c-85bb-ae8f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:54:24.000Z", "modified": "2018-07-03T13:54:24.000Z", "description": "Rig EK; also where Kardon Loader was downloaded", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.225.37.242']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:54:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b8010-0738-42da-8b4e-ae8f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:54:24.000Z", "modified": "2018-07-03T13:54:24.000Z", "description": "Malicious domains and IP addresses related to Rig exploit kit", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.23.181.154']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:54:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b8011-1f14-4735-9bc2-ae8f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:54:25.000Z", "modified": "2018-07-03T13:54:25.000Z", "description": "Malicious domains and IP addresses related to Rig exploit kit", "pattern": "[url:value = '193.23.181.154/crypto/?placement=198395354']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:54:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b8078-ec74-4cff-bfa6-4b9d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:56:08.000Z", "modified": "2018-07-03T13:56:08.000Z", "description": "TROJ_DLOADR.SULQ", "pattern": "[file:hashes.SHA256 = '69ec63646a589127c573fed9498a11d3e75009751ac5e16a80e7aa684ad66240']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:56:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b8078-ad54-4d3b-9cd0-424d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:56:08.000Z", "modified": "2018-07-03T13:56:08.000Z", "description": "TROJ_KARDONLDR.A", "pattern": "[file:hashes.SHA256 = 'aca8e9ecb7c8797c1bc03202a738a0ad586b00968f6c21ab83b9bb43b5c49243']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:56:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b8079-b7f4-4277-858a-432902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:56:09.000Z", "modified": "2018-07-03T13:56:09.000Z", "description": "TROJ_KARIUS.A", "pattern": "[file:hashes.SHA256 = '5f7d3d7bf2ad424b8552ae78682a4f89080b41fedbcc34edce2b2a2c8baf47d4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:56:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b3b8079-8bb0-447f-ae3d-4d3d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:56:09.000Z", "modified": "2018-07-03T13:56:09.000Z", "description": "COINMINER_MALXMR.SM4-WIN32", "pattern": "[file:hashes.SHA256 = '24d17158531180849f5b0819ac965d796886b8238d8a690e2a7ecb3d7fd3bf2b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-03T13:56:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:57:55.000Z", "modified": "2018-07-03T13:57:55.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:57:53.000Z", "modified": "2018-07-03T13:57:53.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:57:57.000Z", "modified": "2018-07-03T13:57:57.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:57:56.000Z", "modified": "2018-07-03T13:57:56.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--25e765d8-e066-4981-a075-0912806c404c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:58:00.000Z", "modified": "2018-07-03T13:58:00.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:57:58.000Z", "modified": "2018-07-03T13:57:58.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:58:02.000Z", "modified": "2018-07-03T13:58:02.000Z", "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ], "x_misp_meta_category": "file", "x_misp_name": "file" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-03T13:58:01.000Z", "modified": "2018-07-03T13:58:01.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0d3797c1-336d-4f90-bd77-72af5174e18e", "created": "2018-07-03T13:58:02.000Z", "modified": "2018-07-03T13:58:02.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7", "target_ref": "x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fc47cb35-af10-4576-b0ed-1eb3c9b29210", "created": "2018-07-03T13:58:02.000Z", "modified": "2018-07-03T13:58:02.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3", "target_ref": "x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6b1941e2-0323-4f93-a626-7c7392398c58", "created": "2018-07-03T13:58:02.000Z", "modified": "2018-07-03T13:58:02.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--25e765d8-e066-4981-a075-0912806c404c", "target_ref": "x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0f0953c4-9d27-47d7-b2ca-2d94217daf7e", "created": "2018-07-03T13:58:02.000Z", "modified": "2018-07-03T13:58:02.000Z", "relationship_type": "analysed-with", "source_ref": "x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59", "target_ref": "x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }