{ "type": "bundle", "id": "bundle--5aa670db-6ef0-4d81-8e90-9476950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:45.000Z", "modified": "2018-03-12T12:28:45.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5aa670db-6ef0-4d81-8e90-9476950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:45.000Z", "modified": "2018-03-12T12:28:45.000Z", "name": "OSINT - APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS", "published": "2018-03-12T12:28:53Z", "object_refs": [ "indicator--5aa670f5-39b4-4382-9f91-0fa3950d210f", "indicator--5aa670f6-d5ac-4682-9a04-0fa3950d210f", "indicator--5aa670f6-d5d4-4202-9a37-0fa3950d210f", "indicator--5aa670f7-0014-4df2-a56f-0fa3950d210f", "indicator--5aa670f7-6a48-4bdf-8746-0fa3950d210f", "indicator--5aa67102-ced4-4a30-b0d7-0fa3950d210f", "indicator--5aa6710e-52b4-40af-ac3b-0fa3950d210f", "indicator--5aa6710f-fe88-4d3d-96a7-0fa3950d210f", "indicator--5aa6710f-50d0-4454-860d-0fa3950d210f", "indicator--5aa6711b-a1c4-40d1-92b7-0fa3950d210f", "indicator--5aa6711b-f3b8-4787-b246-0fa3950d210f", "indicator--5aa67145-28d0-47cb-927a-d9cd950d210f", "indicator--5aa67145-68d0-4b05-a406-d9cd950d210f", "indicator--5aa67146-a2d0-4ed0-968e-d9cd950d210f", "indicator--5aa67146-e6a4-40d8-a37c-d9cd950d210f", "indicator--5aa67146-1288-4aa0-9671-d9cd950d210f", "x-misp-attribute--5aa67163-e99c-4bf6-9649-d928950d210f", "x-misp-attribute--5aa67177-ac60-43db-9bd5-4053950d210f", "x-misp-attribute--5aa671e4-c8f4-4d39-ad4b-9394950d210f", "observed-data--5aa67218-06ac-49e7-baa9-d9cd950d210f", "url--5aa67218-06ac-49e7-baa9-d9cd950d210f", "indicator--0e812898-7fc4-40f8-ac95-7a23e22438de", "x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3", "indicator--06f1e0a0-004c-4356-9f89-380b53274f42", "x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa", "indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f", "x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295", "indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f", "x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436", "relationship--a005ae7b-b8f7-4a2c-86c8-c13326cdb305", "relationship--cd285172-a13c-4ec1-8ba2-055168779522", "relationship--38b769f3-474a-4237-955e-729a945314a1", "relationship--71760f26-1f64-48fd-a3ff-7495e23a3b97" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:threat-actor=\"Mirage\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa670f5-39b4-4382-9f91-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:51.000Z", "modified": "2018-03-12T12:27:51.000Z", "description": "Possible linked APT15 domains include:", "pattern": "[domain-name:value = 'micakiz.wikaba.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa670f6-d5ac-4682-9a04-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:51.000Z", "modified": "2018-03-12T12:27:51.000Z", "description": "Possible linked APT15 domains include:", "pattern": "[domain-name:value = 'cavanic9.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa670f6-d5d4-4202-9a37-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:52.000Z", "modified": "2018-03-12T12:27:52.000Z", "description": "Possible linked APT15 domains include:", "pattern": "[domain-name:value = 'ridingduck.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa670f7-0014-4df2-a56f-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:52.000Z", "modified": "2018-03-12T12:27:52.000Z", "description": "Possible linked APT15 domains include:", "pattern": "[domain-name:value = 'zipcodeterm.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa670f7-6a48-4bdf-8746-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:52.000Z", "modified": "2018-03-12T12:27:52.000Z", "description": "Possible linked APT15 domains include:", "pattern": "[domain-name:value = 'dnsapp.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa67102-ced4-4a30-b0d7-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:53.000Z", "modified": "2018-03-12T12:27:53.000Z", "description": "RoyalDNS backdoor was seen communicating to the domain:", "pattern": "[domain-name:value = 'andspurs.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa6710e-52b4-40af-ac3b-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:53.000Z", "modified": "2018-03-12T12:27:53.000Z", "description": "The BS2005 backdoor utilised the following domains for C2:", "pattern": "[domain-name:value = 'run.linodepower.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa6710f-fe88-4d3d-96a7-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:53.000Z", "modified": "2018-03-12T12:27:53.000Z", "description": "The BS2005 backdoor utilised the following domains for C2:", "pattern": "[domain-name:value = 'singa.linodepower.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa6710f-50d0-4454-860d-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:54.000Z", "modified": "2018-03-12T12:27:54.000Z", "description": "The BS2005 backdoor utilised the following domains for C2:", "pattern": "[domain-name:value = 'log.autocount.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa6711b-a1c4-40d1-92b7-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:54.000Z", "modified": "2018-03-12T12:27:54.000Z", "description": "The RoyalCli backdoor was attempting to communicate to the following domains:", "pattern": "[domain-name:value = 'news.memozilla.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa6711b-f3b8-4787-b246-0fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:55.000Z", "modified": "2018-03-12T12:27:55.000Z", "description": "The RoyalCli backdoor was attempting to communicate to the following domains:", "pattern": "[domain-name:value = 'video.memozilla.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:27:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa67145-28d0-47cb-927a-d9cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:23:33.000Z", "modified": "2018-03-12T12:23:33.000Z", "description": "Royal DNS", "pattern": "[file:hashes.SHA256 = 'bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:23:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa67145-68d0-4b05-a406-d9cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:23:33.000Z", "modified": "2018-03-12T12:23:33.000Z", "description": "BS2005", "pattern": "[file:hashes.SHA256 = '750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:23:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa67146-a2d0-4ed0-968e-d9cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:23:34.000Z", "modified": "2018-03-12T12:23:34.000Z", "description": "BS2005", "pattern": "[file:hashes.SHA256 = '6ea9cc475d41ca07fa206eb84b10cf2bbd2392366890de5ae67241afa2f4269f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:23:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa67146-e6a4-40d8-a37c-d9cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:23:34.000Z", "modified": "2018-03-12T12:23:34.000Z", "description": "RoyalCli", "pattern": "[file:hashes.SHA256 = '6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:23:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5aa67146-1288-4aa0-9671-d9cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:23:34.000Z", "modified": "2018-03-12T12:23:34.000Z", "description": "MS Exchange Tool", "pattern": "[file:hashes.SHA256 = '16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:23:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5aa67163-e99c-4bf6-9649-d928950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:55.000Z", "modified": "2018-03-12T12:27:55.000Z", "labels": [ "misp:type=\"pdb\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pdb", "x_misp_value": "%USERPROFILE%\\documents\\visual studio 2010\\Projects\\RoyalCli\\Release\\RoyalCli.pdb" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5aa67177-ac60-43db-9bd5-4053950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:56.000Z", "modified": "2018-03-12T12:27:56.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS\r\nIn May 2017, NCC Group's Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15.\r\n\r\nAPT15 is also known as, Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon.\r\nA number of sensitive documents were stolen by the attackers during the incident and we believe APT15 was targeting information related to UK government departments and military technology." }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5aa671e4-c8f4-4d39-ad4b-9394950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:56.000Z", "modified": "2018-03-12T12:27:56.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_type": "text", "x_misp_value": "5aa64b62-8f2c-4081-a6f9-4480950d210f" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5aa67218-06ac-49e7-baa9-d9cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:56.000Z", "modified": "2018-03-12T12:27:56.000Z", "first_observed": "2018-03-12T12:27:56Z", "last_observed": "2018-03-12T12:27:56Z", "number_observed": 1, "object_refs": [ "url--5aa67218-06ac-49e7-baa9-d9cd950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5aa67218-06ac-49e7-baa9-d9cd950d210f", "value": "https://github.com/nccgroup/Royal_APT" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0e812898-7fc4-40f8-ac95-7a23e22438de", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:00.000Z", "modified": "2018-03-12T12:28:00.000Z", "pattern": "[file:hashes.MD5 = 'ed21ce2beee56f0a0b1c5a62a80c128b' AND file:hashes.SHA1 = '201e74fd33724a872ab89f8a002a560d1ce73e54' AND file:hashes.SHA256 = '750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:28:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:27:58.000Z", "modified": "2018-03-12T12:27:58.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b/analysis/1520793006/", "category": "External analysis", "comment": "BS2005", "uuid": "5aa6724e-e14c-4ad9-ad8e-947502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "44/67", "category": "Other", "comment": "BS2005", "uuid": "5aa6724f-fd84-4c88-9a54-947502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-11T18:30:06", "category": "Other", "comment": "BS2005", "uuid": "5aa6724f-d5a8-4efc-b433-947502de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--06f1e0a0-004c-4356-9f89-380b53274f42", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:02.000Z", "modified": "2018-03-12T12:28:02.000Z", "pattern": "[file:hashes.MD5 = '941a4fc3d2a3289017cf9c56584d1168' AND file:hashes.SHA1 = '3d4ee6cbfaeb7890bb0b2d41547849f8e2d9243f' AND file:hashes.SHA256 = 'bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:28:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:00.000Z", "modified": "2018-03-12T12:28:00.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d/analysis/1520841997/", "category": "External analysis", "comment": "Royal DNS", "uuid": "5aa67250-7bc8-45a9-b533-947502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "7/65", "category": "Other", "comment": "Royal DNS", "uuid": "5aa67251-59a4-4b15-9b43-947502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-12T08:06:37", "category": "Other", "comment": "Royal DNS", "uuid": "5aa67251-5338-45f7-a3c9-947502de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:04.000Z", "modified": "2018-03-12T12:28:04.000Z", "pattern": "[file:hashes.MD5 = '5e5c9e6e710f67f4886e4f4169d02b1d' AND file:hashes.SHA1 = 'a35297163ed0efcb71e63069a3115737d2fe2d1d' AND file:hashes.SHA256 = '6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:28:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:03.000Z", "modified": "2018-03-12T12:28:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785/analysis/1520793104/", "category": "External analysis", "comment": "RoyalCli", "uuid": "5aa67253-ffe8-4691-9928-947502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/67", "category": "Other", "comment": "RoyalCli", "uuid": "5aa67253-2ca8-410a-914b-947502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-11T18:31:44", "category": "Other", "comment": "RoyalCli", "uuid": "5aa67253-568c-41df-8205-947502de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:07.000Z", "modified": "2018-03-12T12:28:07.000Z", "pattern": "[file:hashes.MD5 = 'd21a7e349e796064ce10f2f6ede31c71' AND file:hashes.SHA1 = '63fbd3feb41c0b6de892b4a70a6241d123ec1e5a' AND file:hashes.SHA256 = '16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-03-12T12:28:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-03-12T12:28:05.000Z", "modified": "2018-03-12T12:28:05.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce/analysis/1520844201/", "category": "External analysis", "comment": "MS Exchange Tool", "uuid": "5aa67255-56f0-4687-875c-947502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "2/67", "category": "Other", "comment": "MS Exchange Tool", "uuid": "5aa67255-5500-48d8-9364-947502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-12T08:43:21", "category": "Other", "comment": "MS Exchange Tool", "uuid": "5aa67255-bb78-4fff-b7bf-947502de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a005ae7b-b8f7-4a2c-86c8-c13326cdb305", "created": "2018-03-12T12:28:06.000Z", "modified": "2018-03-12T12:28:06.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--0e812898-7fc4-40f8-ac95-7a23e22438de", "target_ref": "x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cd285172-a13c-4ec1-8ba2-055168779522", "created": "2018-03-12T12:28:06.000Z", "modified": "2018-03-12T12:28:06.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--06f1e0a0-004c-4356-9f89-380b53274f42", "target_ref": "x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--38b769f3-474a-4237-955e-729a945314a1", "created": "2018-03-12T12:28:06.000Z", "modified": "2018-03-12T12:28:06.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f", "target_ref": "x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--71760f26-1f64-48fd-a3ff-7495e23a3b97", "created": "2018-03-12T12:28:07.000Z", "modified": "2018-03-12T12:28:07.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f", "target_ref": "x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }