{ "type": "bundle", "id": "bundle--5a26b513-1ffc-497b-8cac-c53a950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:07:39.000Z", "modified": "2018-10-26T09:07:39.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a26b513-1ffc-497b-8cac-c53a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:07:39.000Z", "modified": "2018-10-26T09:07:39.000Z", "name": "OSINT - Multi-stage malware sneaks into Google Play", "published": "2018-10-26T09:07:52Z", "object_refs": [ "observed-data--5a26b520-8974-4557-9ecb-4260950d210f", "url--5a26b520-8974-4557-9ecb-4260950d210f", "indicator--5a2e4c0c-e20c-4386-bdc9-c566950d210f", "indicator--5a2e4c0c-5e7c-446d-979f-c566950d210f", "indicator--5a2e4c0d-6ec0-4617-b698-c566950d210f", "indicator--5a2e4c0d-0d90-4608-b0e4-c566950d210f", "indicator--5a2e4c0e-ae14-4d56-81da-c566950d210f", "x-misp-attribute--5a2e4c7f-9ce8-418d-ae08-b401950d210f", "indicator--5a2e4046-8b60-456b-8b75-5467950d210f", "indicator--5a2e4265-81d0-44f3-ba7c-5daf950d210f", "indicator--5a2e42c6-1420-41e4-8580-60de950d210f", "indicator--5a2e4302-df2c-4db4-8bba-71d3950d210f", "indicator--5a2e46e8-f488-40cd-a9ec-878d950d210f", "indicator--5a2e499b-4ccc-4e5c-ae67-bb07950d210f", "indicator--5a2e4a5b-b27c-4c2f-9112-ba38950d210f", "indicator--5a2e4a97-e268-44ea-ada6-bbe1950d210f", "indicator--11c074b2-9ef5-468f-9a71-70ea7abb9d67", "x-misp-object--df8032d7-cbe9-49fd-9747-63d74730df9f", "indicator--475d3bb8-eb86-4c51-a3a3-15ab39d91ddf", "x-misp-object--94031eb7-4ff3-486e-b44f-eb4fa2ab0c1c", "indicator--90b018c5-f3af-4ebf-9bb9-452b205d3038", "x-misp-object--caa22be8-c2c9-465f-8aaa-c20e3eafec9f", "indicator--a62c5ce0-9e21-466e-b317-a0a00fef80ef", "x-misp-object--1263f071-0c4b-4d90-b6ef-81682679e425", "indicator--959b41df-ba0f-4520-a633-f28b0d7e5b21", 
"x-misp-object--9c3a68e0-2e10-46ad-adda-0237549ebcd1", "indicator--973efe60-da30-4d60-aa15-6a1ee7f82e22", "x-misp-object--6b985af4-f961-4f8d-b2f7-513b6ed1c140", "indicator--ae8d1770-da33-4160-92e5-bc56fe5781d5", "x-misp-object--095999e8-cf65-4068-9aa8-111b4596ae64", "indicator--01689a22-9fef-4b84-bc15-84a951d19e66", "x-misp-object--2f933552-e105-4559-9ba2-4adb53dde71b" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "circl:incident-classification=\"malware\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a26b520-8974-4557-9ecb-4260950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-05T15:03:03.000Z", "modified": "2017-12-05T15:03:03.000Z", "first_observed": "2017-12-05T15:03:03Z", "last_observed": "2017-12-05T15:03:03Z", "number_observed": 1, "object_refs": [ "url--5a26b520-8974-4557-9ecb-4260950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a26b520-8974-4557-9ecb-4260950d210f", "value": "https://www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4c0c-e20c-4386-bdc9-c566950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:12:44.000Z", "modified": "2017-12-11T09:12:44.000Z", "description": "Hardcoded domains hosting links to the third-stage payloads", "pattern": "[domain-name:value = 'loaderclientarea24.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T09:12:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network 
activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4c0c-5e7c-446d-979f-c566950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:12:44.000Z", "modified": "2017-12-11T09:12:44.000Z", "description": "Hardcoded domains hosting links to the third-stage payloads", "pattern": "[domain-name:value = 'loaderclientarea22.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T09:12:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4c0d-6ec0-4617-b698-c566950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:12:45.000Z", "modified": "2017-12-11T09:12:45.000Z", "description": "Hardcoded domains hosting links to the third-stage payloads", "pattern": "[domain-name:value = 'loaderclientarea20.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T09:12:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4c0d-0d90-4608-b0e4-c566950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:12:45.000Z", "modified": "2017-12-11T09:12:45.000Z", "description": "Hardcoded domains hosting links to the third-stage payloads", "pattern": "[domain-name:value = 'loaderclientarea15.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T09:12:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ 
"misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4c0e-ae14-4d56-81da-c566950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:12:46.000Z", "modified": "2017-12-11T09:12:46.000Z", "description": "Hardcoded domains hosting links to the third-stage payloads", "pattern": "[domain-name:value = 'loaderclientarea13.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T09:12:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a2e4c7f-9ce8-418d-ae08-b401950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:14:49.000Z", "modified": "2017-12-11T09:14:49.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Anti-detection features\r\n\r\nThese malware samples all employ a multi-stage architecture and encryption to stay under the radar.\r\n\r\nAfter being downloaded and installed, these apps do not request any suspicious permissions and even mimic the activity the user expects them to exhibit.\r\n\r\nAlong with this, the malicious app also decrypts and executes its payload \u2013 that is, the first-stage payload. This payload decrypts and executes the second-stage payload, which is stored in the assets of the initial app downloaded from Google Play. These steps are invisible to the user and serve as obfuscatory measures." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4046-8b60-456b-8b75-5467950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T08:22:30.000Z", "modified": "2017-12-11T08:22:30.000Z", "pattern": "[file:hashes.SHA1 = '9ab5a05bc3c8f1931a3a49278e18d2116f529704' AND file:name = 'com.fleeeishei.erabladmounsem']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T08:22:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4265-81d0-44f3-ba7c-5daf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T08:31:33.000Z", "modified": "2017-12-11T08:31:33.000Z", "pattern": "[file:hashes.SHA1 = '2e47c816a517548a0fbf809324d63868708d00d0' AND file:name = 'com.softmuiiurket.cleanerforandroid']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T08:31:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e42c6-1420-41e4-8580-60de950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T08:33:10.000Z", "modified": "2017-12-11T08:33:10.000Z", "pattern": "[file:hashes.SHA1 = 'de64139e6e91ac0dde755d2ef49d60251984652f' AND file:name = 'com.expjhvjhertsoft.bestrambooster']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T08:33:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5a2e4302-df2c-4db4-8bba-71d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T08:34:10.000Z", "modified": "2017-12-11T08:34:10.000Z", "pattern": "[file:hashes.SHA1 = '6ab844c8fd654aaec29dac095214f4430012ee0e' AND file:name = 'gotov.games.toppro']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T08:34:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e46e8-f488-40cd-a9ec-878d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T08:50:48.000Z", "modified": "2017-12-11T08:50:48.000Z", "pattern": "[file:hashes.SHA1 = 'c8dd6815f30367695938a7613c11e029055279a2' AND file:name = 'slots.forgame.vul']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T08:50:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e499b-4ccc-4e5c-ae67-bb07950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:02:19.000Z", "modified": "2017-12-11T09:02:19.000Z", "pattern": "[file:hashes.SHA1 = '47442bfdfbc0fb350b8b30271c310fe44ffb119a' AND file:name = 'com.bucholregaum.hampelpa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T09:02:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4a5b-b27c-4c2f-9112-ba38950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:05:31.000Z", "modified": "2017-12-11T09:05:31.000Z", "pattern": "[file:hashes.SHA1 = '604e6dcdf1fa1f7b5a85892ac3761bed81405bf6' AND file:name = 'com.peridesuramant.worldnews']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T09:05:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2e4a97-e268-44ea-ada6-bbe1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-11T09:06:31.000Z", "modified": "2017-12-11T09:06:31.000Z", "pattern": "[file:hashes.SHA1 = '532079b31e3acef2d71c75b31d77480304b2f7b9' AND file:name = 'com.peridesurrramant.worldnews']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-11T09:06:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--11c074b2-9ef5-468f-9a71-70ea7abb9d67", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:05:46.000Z", "modified": "2018-10-26T09:05:46.000Z", "pattern": "[file:hashes.MD5 = '4e6183687717cf7d7adc906cf5450729' AND file:hashes.SHA1 = 'c8dd6815f30367695938a7613c11e029055279a2' AND file:hashes.SHA256 = 'd6e48539252c4425bbb8f4b7e60f9ca6cbb703f324bbf1dde025a3d935b74cb9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T09:05:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": 
"x-misp-object--df8032d7-cbe9-49fd-9747-63d74730df9f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:05:49.000Z", "modified": "2018-10-26T09:05:49.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-04T21:24:43", "category": "Other", "uuid": "72b61313-867c-48fe-afae-33879fda2b33" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d6e48539252c4425bbb8f4b7e60f9ca6cbb703f324bbf1dde025a3d935b74cb9/analysis/1538688283/", "category": "External analysis", "uuid": "4f384fe0-2a17-4c90-81bd-1eea46dcb4dc" }, { "type": "text", "object_relation": "detection-ratio", "value": "30/61", "category": "Other", "uuid": "2fdf0dd7-f0e3-4a27-b288-fd731165a63b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--475d3bb8-eb86-4c51-a3a3-15ab39d91ddf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:05:50.000Z", "modified": "2018-10-26T09:05:50.000Z", "pattern": "[file:hashes.MD5 = '21af98ec1a99ae37367d2e71d16b85fa' AND file:hashes.SHA1 = 'de64139e6e91ac0dde755d2ef49d60251984652f' AND file:hashes.SHA256 = 'f0c97217377ab0b4dd71baf5529d79e6349e477e69d4043a82f9c768ef46a932']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T09:05:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--94031eb7-4ff3-486e-b44f-eb4fa2ab0c1c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:05:58.000Z", "modified": "2018-10-26T09:05:58.000Z", "labels": [ "misp:name=\"virustotal-report\"", 
"misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-04T21:32:29", "category": "Other", "uuid": "beace62d-a2d6-42ad-a1ff-0d85f7ccf447" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/f0c97217377ab0b4dd71baf5529d79e6349e477e69d4043a82f9c768ef46a932/analysis/1538688749/", "category": "External analysis", "uuid": "f5e4dc71-0ada-47da-9c85-dd7999b9fdb4" }, { "type": "text", "object_relation": "detection-ratio", "value": "30/62", "category": "Other", "uuid": "69190414-96bf-48ed-8a7c-2e002e4ef9eb" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--90b018c5-f3af-4ebf-9bb9-452b205d3038", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:12.000Z", "modified": "2018-10-26T09:06:12.000Z", "pattern": "[file:hashes.MD5 = 'f9617beec1b56eace79e870cb0925ffd' AND file:hashes.SHA1 = '604e6dcdf1fa1f7b5a85892ac3761bed81405bf6' AND file:hashes.SHA256 = '3fc104c7fb8f6419aa5b45a3abfcc545ddb8e225f1b6dcaf5824075cbdf5dddd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T09:06:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--caa22be8-c2c9-465f-8aaa-c20e3eafec9f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:14.000Z", "modified": "2018-10-26T09:06:14.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-04T21:32:21", "category": "Other", "uuid": "f3bd1117-6b76-40f4-b890-3ff8c3a11b3a" }, { "type": "link", 
"object_relation": "permalink", "value": "https://www.virustotal.com/file/3fc104c7fb8f6419aa5b45a3abfcc545ddb8e225f1b6dcaf5824075cbdf5dddd/analysis/1538688741/", "category": "External analysis", "uuid": "081c6e6e-4bcc-4223-9840-923e63ed044c" }, { "type": "text", "object_relation": "detection-ratio", "value": "30/62", "category": "Other", "uuid": "70e00152-a2f1-46fd-b7c7-55f38c1255a4" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a62c5ce0-9e21-466e-b317-a0a00fef80ef", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:16.000Z", "modified": "2018-10-26T09:06:16.000Z", "pattern": "[file:hashes.MD5 = 'c4acc83183ac0fabe92fc02ae5ef3ca4' AND file:hashes.SHA1 = '9ab5a05bc3c8f1931a3a49278e18d2116f529704' AND file:hashes.SHA256 = 'dd857e8505cedf84b316eb0f5cdcba1386fb8412bc630e671f474aeedfccb387']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T09:06:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--1263f071-0c4b-4d90-b6ef-81682679e425", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:23.000Z", "modified": "2018-10-26T09:06:23.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-04T21:32:25", "category": "Other", "uuid": "8aa24a31-7fdd-4ed4-a632-705aa09205d3" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/dd857e8505cedf84b316eb0f5cdcba1386fb8412bc630e671f474aeedfccb387/analysis/1538688745/", "category": "External analysis", "uuid": "0cc5c304-cd11-41a5-9583-7e971aad4310" }, { 
"type": "text", "object_relation": "detection-ratio", "value": "34/62", "category": "Other", "uuid": "5263a8d1-50e1-4f76-8f4b-d73cef90d7ed" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--959b41df-ba0f-4520-a633-f28b0d7e5b21", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:25.000Z", "modified": "2018-10-26T09:06:25.000Z", "pattern": "[file:hashes.MD5 = 'a0dcd9907a3726edfb8e7de48b3aa8f6' AND file:hashes.SHA1 = '6ab844c8fd654aaec29dac095214f4430012ee0e' AND file:hashes.SHA256 = 'e980dc97b0b63158e251e6055d0f4362bf0a105bd999146de048f13a8f4aadb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T09:06:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9c3a68e0-2e10-46ad-adda-0237549ebcd1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:27.000Z", "modified": "2018-10-26T09:06:27.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-04T21:24:52", "category": "Other", "uuid": "fac591a5-dfe8-45be-994b-d62da1b2a50d" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e980dc97b0b63158e251e6055d0f4362bf0a105bd999146de048f13a8f4aadb7/analysis/1538688292/", "category": "External analysis", "uuid": "58702d62-de2f-4573-b03a-f18fd9513e2e" }, { "type": "text", "object_relation": "detection-ratio", "value": "29/62", "category": "Other", "uuid": "7a7627ca-a13a-48e8-8fad-142354ccfc99" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--973efe60-da30-4d60-aa15-6a1ee7f82e22", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:29.000Z", "modified": "2018-10-26T09:06:29.000Z", "pattern": "[file:hashes.MD5 = '327d37ad6391c674f2f5a96e08cbc95f' AND file:hashes.SHA1 = '47442bfdfbc0fb350b8b30271c310fe44ffb119a' AND file:hashes.SHA256 = 'ef3dfcd3e1351f46ee3cbfb3f71fe9d06a445d8affe2e679f34d8bf4bb618849']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T09:06:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6b985af4-f961-4f8d-b2f7-513b6ed1c140", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:43.000Z", "modified": "2018-10-26T09:06:43.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-04T21:32:08", "category": "Other", "uuid": "1b0b2e29-f922-40e2-b9e7-e1138cc8cd16" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ef3dfcd3e1351f46ee3cbfb3f71fe9d06a445d8affe2e679f34d8bf4bb618849/analysis/1538688728/", "category": "External analysis", "uuid": "e48a740f-3a6a-4209-b09f-9ce33ca4d094" }, { "type": "text", "object_relation": "detection-ratio", "value": "31/61", "category": "Other", "uuid": "6184c6e0-29e2-4165-8e42-ccf5bbb23b19" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ae8d1770-da33-4160-92e5-bc56fe5781d5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:06:57.000Z", "modified": "2018-10-26T09:06:57.000Z", "pattern": 
"[file:hashes.MD5 = '2d5b8b4a868cbb8947f869f789fef5ff' AND file:hashes.SHA1 = '532079b31e3acef2d71c75b31d77480304b2f7b9' AND file:hashes.SHA256 = 'd2a6cbe9acd4193188f7aa6d922c916999845da82171889526550790f5632b47']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T09:06:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--095999e8-cf65-4068-9aa8-111b4596ae64", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:07:06.000Z", "modified": "2018-10-26T09:07:06.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-04T21:32:13", "category": "Other", "uuid": "9f46d30d-be05-4c45-be71-9d342e9a2fa1" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d2a6cbe9acd4193188f7aa6d922c916999845da82171889526550790f5632b47/analysis/1538688733/", "category": "External analysis", "uuid": "5d3c8f72-90a2-466d-82ae-de692d5e9523" }, { "type": "text", "object_relation": "detection-ratio", "value": "28/60", "category": "Other", "uuid": "4d7c5d08-44bb-456b-8b95-19a3c5f79d4c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--01689a22-9fef-4b84-bc15-84a951d19e66", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:07:15.000Z", "modified": "2018-10-26T09:07:15.000Z", "pattern": "[file:hashes.MD5 = '2ed45ea4f3b26adcc5eaa88b5234c997' AND file:hashes.SHA1 = '2e47c816a517548a0fbf809324d63868708d00d0' AND file:hashes.SHA256 = 'ab9f1a59fcae8374282a39f244f164b58dbed4d16c37366bf2272c9509a7502e']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2018-10-26T09:07:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--2f933552-e105-4559-9ba2-4adb53dde71b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:07:17.000Z", "modified": "2018-10-26T09:07:17.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-04T21:31:07", "category": "Other", "uuid": "973e093c-1a25-4961-9a70-1047fb6be0e7" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ab9f1a59fcae8374282a39f244f164b58dbed4d16c37366bf2272c9509a7502e/analysis/1538688667/", "category": "External analysis", "uuid": "8f0d0a5f-9323-4973-b32a-adaf4007fe08" }, { "type": "text", "object_relation": "detection-ratio", "value": "30/60", "category": "Other", "uuid": "2367705e-c040-48af-8d75-755949bfadf7" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }