{ "type": "bundle", "id": "bundle--57153590-f73c-49fa-be4b-4737950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-08T09:44:58.000Z", "modified": "2016-07-08T09:44:58.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57153590-f73c-49fa-be4b-4737950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-08T09:44:58.000Z", "modified": "2016-07-08T09:44:58.000Z", "name": "OSINT - ASERT Threat Intelligence Report 2016-03 The Four-Element Sword Engagement", "published": "2017-01-11T20:14:15Z", "object_refs": [ "observed-data--5715359f-6c3c-49f6-9447-4a6b950d210f", "url--5715359f-6c3c-49f6-9447-4a6b950d210f", "vulnerability--571535d0-050c-4c6f-9eee-4b3c950d210f", "vulnerability--571535d0-ee34-47e6-8ae9-4c82950d210f", "vulnerability--571535d0-b898-4ab7-80f4-4555950d210f", "vulnerability--571535d0-c074-4f8b-b2dc-4fb9950d210f", "indicator--57153622-b0fc-4002-ae3c-3e3c950d210f", "indicator--5715eae1-b6f0-46c6-af87-40de950d210f", "indicator--5715f2ce-b55c-4357-bdfe-43d5950d210f", "indicator--5715f2cf-ee4c-4585-a40e-4d6c950d210f", "indicator--5715f2cf-8de8-4475-a716-4de1950d210f", "indicator--5715f3b3-6998-40e7-9235-4b3e950d210f", "indicator--5715f3b4-c4f0-4b6b-8661-494f950d210f", "observed-data--5715f40b-36e0-4bcc-935b-4c64950d210f", "file--5715f40b-36e0-4bcc-935b-4c64950d210f", "observed-data--5715f500-cff4-42db-a2d9-44b1950d210f", "domain-name--5715f500-cff4-42db-a2d9-44b1950d210f", "observed-data--5715f500-5c34-42da-bd1f-497f950d210f", "domain-name--5715f500-5c34-42da-bd1f-497f950d210f", "indicator--5715f658-9c1c-4a06-9273-4785950d210f", "observed-data--5715f659-3464-4c20-9622-489c950d210f", "domain-name--5715f659-3464-4c20-9622-489c950d210f", "observed-data--5715f9f2-4e18-46a8-a304-4aaf950d210f", "domain-name--5715f9f2-4e18-46a8-a304-4aaf950d210f", 
"observed-data--5715f9f2-de84-4c91-8d98-4f9c950d210f", "domain-name--5715f9f2-de84-4c91-8d98-4f9c950d210f", "observed-data--5715f9f3-44bc-457b-90cb-40a1950d210f", "domain-name--5715f9f3-44bc-457b-90cb-40a1950d210f", "observed-data--5715f9f3-f55c-4519-b36f-4547950d210f", "domain-name--5715f9f3-f55c-4519-b36f-4547950d210f", "observed-data--5715f9f3-818c-4fdd-bd6f-45a4950d210f", "domain-name--5715f9f3-818c-4fdd-bd6f-45a4950d210f", "observed-data--5715f9f3-61e4-431c-96da-426e950d210f", "domain-name--5715f9f3-61e4-431c-96da-426e950d210f", "observed-data--5715f9f4-3954-463f-8012-48a4950d210f", "domain-name--5715f9f4-3954-463f-8012-48a4950d210f", "observed-data--5715f9f4-1008-435d-b573-431d950d210f", "domain-name--5715f9f4-1008-435d-b573-431d950d210f", "observed-data--5715f9f4-2cd0-4d29-827e-40fc950d210f", "domain-name--5715f9f4-2cd0-4d29-827e-40fc950d210f", "observed-data--5715fb1f-18ec-4ed6-8a25-4abd950d210f", "network-traffic--5715fb1f-18ec-4ed6-8a25-4abd950d210f", "ipv4-addr--5715fb1f-18ec-4ed6-8a25-4abd950d210f", "indicator--5715fc97-a5a4-4538-bf86-4bcc950d210f", "indicator--5715fd00-807c-4ce8-8f27-437d950d210f", "indicator--5715feb0-6a48-44c4-b1ba-4a57950d210f", "indicator--571600ba-b0b0-4adb-bd01-43ef950d210f", "indicator--571600bb-a9b4-4883-ac7d-4d5a950d210f", "indicator--571600bb-045c-4cbc-b0d6-43da950d210f", "indicator--571600bb-54f0-43d7-83cb-4b3c950d210f", "indicator--571600bc-6348-4e1e-b96d-4cf2950d210f", "indicator--571600bc-8178-4d6f-b5fd-47a4950d210f", "indicator--571610cd-4774-4e4e-bd0a-4407950d210f", "observed-data--571613a9-3a2c-478a-a180-43a1950d210f", "email-message--571613a9-3a2c-478a-a180-43a1950d210f", "email-addr--571613a9-3a2c-478a-a180-43a1950d210f", "observed-data--571613c3-5d04-4eea-9690-4b95950d210f", "email-message--571613c3-5d04-4eea-9690-4b95950d210f", "observed-data--571613d5-dc64-43bc-9481-42d0950d210f", "email-message--571613d5-dc64-43bc-9481-42d0950d210f", "file--571613d5-dc64-43bc-9481-42d0950d210f", 
"observed-data--57161b17-23b8-4631-96fd-4bad950d210f", "email-message--57161b17-23b8-4631-96fd-4bad950d210f", "email-addr--57161b17-23b8-4631-96fd-4bad950d210f", "observed-data--57161b2a-89a0-4f7c-9258-4f93950d210f", "email-message--57161b2a-89a0-4f7c-9258-4f93950d210f", "observed-data--57161b3f-f344-447f-804d-4be4950d210f", "email-message--57161b3f-f344-447f-804d-4be4950d210f", "file--57161b3f-f344-447f-804d-4be4950d210f", "indicator--57161c89-443c-40bb-a5f8-4cbb950d210f", "indicator--57161e37-fe5c-4f2a-b9ec-4eea950d210f", "indicator--57161ec1-1d00-4ab1-b71d-4cd4950d210f", "observed-data--57161eef-6108-4bf2-9029-4966950d210f", "file--57161eef-6108-4bf2-9029-4966950d210f", "x-misp-attribute--57161f87-c9ec-4f8f-a2ee-48ef950d210f", "indicator--57162012-72b8-433b-b5e2-4651950d210f", "indicator--57162013-7804-4691-ac9e-4a15950d210f", "indicator--571620af-e57c-4008-80f2-4933950d210f", "indicator--571620b0-7c50-43ef-9724-4c76950d210f", "indicator--571620b0-5e38-4e8c-9c29-416d950d210f", "indicator--571623e1-aaf8-4d39-a018-4a6e950d210f", "indicator--571623e1-3bb0-4f0b-8543-4483950d210f", "indicator--571623e1-44e0-4808-9333-4c60950d210f", "indicator--571623e2-1a50-4035-927b-4453950d210f", "indicator--571623e2-80e4-4864-a72c-4ca1950d210f", "indicator--571623e2-0aa4-44a7-9198-4cc1950d210f", "indicator--57162442-63f4-4891-9148-4876950d210f", "indicator--57162442-3070-40ac-8735-4c27950d210f", "indicator--5716247b-2390-4de2-951c-4bc2950d210f", "indicator--5716247c-22d4-421d-9e0e-4f80950d210f", "indicator--57162852-bbe8-4aa9-a420-4f3a950d210f", "indicator--57162a9a-7fd8-4e15-91ac-4ad5950d210f", "indicator--57162a9b-e1e0-444f-bab2-46e3950d210f", "indicator--57162a9b-3828-4d68-8917-4d4f950d210f", "indicator--57162a9c-162c-42a2-b2aa-4af9950d210f", "indicator--57162a9d-6488-4e2c-852c-4ec9950d210f", "indicator--57162b1b-f190-45e8-a60c-4b3d950d210f", "indicator--57162b3a-443c-40f1-9f45-40cb950d210f", "indicator--57162b62-5d5c-4a71-a20b-458b950d210f", 
"indicator--57162b63-ecd8-4688-aa03-45bc950d210f", "indicator--57162be0-4da4-41ff-a407-440d950d210f", "indicator--57162be0-b2b0-4a8d-83be-4446950d210f", "indicator--57162bed-1bfc-4f65-bb04-4e8a02de0b81", "observed-data--57162bee-b524-49ab-9591-43a702de0b81", "url--57162bee-b524-49ab-9591-43a702de0b81", "indicator--57162bee-44f4-423e-9c17-4a6202de0b81", "observed-data--57162bee-05b0-4a80-af98-436002de0b81", "url--57162bee-05b0-4a80-af98-436002de0b81", "observed-data--57162bef-5094-438d-b933-46c902de0b81", "file--57162bef-5094-438d-b933-46c902de0b81", "observed-data--57162bef-6dcc-4dc2-9a86-419402de0b81", "url--57162bef-6dcc-4dc2-9a86-419402de0b81", "indicator--57162bef-6e34-4ad3-964f-40aa02de0b81", "observed-data--57162bf0-8618-4bdb-9e83-4d3102de0b81", "url--57162bf0-8618-4bdb-9e83-4d3102de0b81", "indicator--57162bf0-b654-42a6-92c0-4cb202de0b81", "indicator--57162bf0-fb5c-4756-810e-4a9f02de0b81", "observed-data--57162bf1-3924-4392-ab1e-48a302de0b81", "url--57162bf1-3924-4392-ab1e-48a302de0b81", "indicator--57162bf1-6a38-4c76-89ec-441502de0b81", "observed-data--57162bf1-1d44-4294-9d0e-412b02de0b81", "url--57162bf1-1d44-4294-9d0e-412b02de0b81", "indicator--57162bf1-b520-4634-bdc0-4bd202de0b81", "observed-data--57162bf2-324c-4447-9a59-4ed702de0b81", "url--57162bf2-324c-4447-9a59-4ed702de0b81", "indicator--57162bf2-96bc-4f65-8358-454502de0b81", "observed-data--57162bf2-f18c-491d-8c87-475102de0b81", "url--57162bf2-f18c-491d-8c87-475102de0b81", "indicator--57162bf3-3e24-4b6c-997e-498202de0b81", "observed-data--57162bf3-afb4-4ac7-b466-4e8902de0b81", "url--57162bf3-afb4-4ac7-b466-4e8902de0b81", "indicator--57162bf3-5e1c-4c4a-a19e-424002de0b81", "observed-data--57162bf4-0c00-4b36-ad3d-4a8802de0b81", "url--57162bf4-0c00-4b36-ad3d-4a8802de0b81", "indicator--57162bf4-6bf4-435d-92cc-493902de0b81", "indicator--57162bf4-a518-4dd7-8c8b-4b6902de0b81", "observed-data--57162bf5-7020-440e-94b6-4d4f02de0b81", "url--57162bf5-7020-440e-94b6-4d4f02de0b81", 
"indicator--57162bf5-f478-4079-b265-40bc02de0b81", "indicator--57162bf5-af2c-4d7f-8068-4c6402de0b81", "observed-data--57162bf6-0ef8-4188-9ac9-45d202de0b81", "url--57162bf6-0ef8-4188-9ac9-45d202de0b81", "indicator--57162bf6-6068-46fd-a2fe-49ef02de0b81", "observed-data--57162bf6-8e08-4388-865b-42b102de0b81", "url--57162bf6-8e08-4388-865b-42b102de0b81", "indicator--57162bf7-00c0-407d-bd0a-48c102de0b81", "observed-data--57162bf7-3248-4844-84a2-44aa02de0b81", "url--57162bf7-3248-4844-84a2-44aa02de0b81", "indicator--57162d48-9f6c-4250-b463-4c73950d210f", "indicator--57162d49-a7fc-4dc4-9fc7-46a4950d210f", "indicator--57162d49-fa0c-4103-ab37-4905950d210f", "indicator--57162d4a-afa8-4668-812a-4191950d210f", "indicator--57162d4a-fbac-4e6d-9bce-427e950d210f", "indicator--57162d4a-ffc8-4fe8-ae07-4722950d210f", "indicator--57162d4b-fea8-47c9-b704-447a950d210f", "indicator--57162d4b-cb90-49de-8706-4258950d210f", "x-misp-attribute--57162fe0-9dd8-4d4b-b5db-4511950d210f", "indicator--57163109-be58-4cc7-89c1-4446950d210f", "indicator--57163109-6304-413e-9884-4a42950d210f", "indicator--57163109-1e04-4ef4-bf92-480b950d210f", "indicator--571632f1-d2f8-4e0c-9322-4370950d210f", "indicator--571632f1-9d80-4532-9288-4598950d210f", "indicator--571632f2-4d40-4809-af5e-411a950d210f", "indicator--571632f2-5290-46c4-bd6b-48d3950d210f", "indicator--571632f3-f5b8-4fe6-bff3-4e11950d210f", "indicator--571632f3-63a8-43a2-9260-43b9950d210f", "indicator--571632f4-d0a0-4595-9c2d-46fa950d210f", "indicator--571632f5-2e3c-4637-95ce-46db950d210f", "indicator--571632f5-6a74-4bfc-bb34-499a950d210f", "indicator--571632f6-743c-4e90-8619-4c5a950d210f", "indicator--571632f7-b1dc-4a7e-98d1-43c3950d210f", "indicator--571632f7-ba34-4fde-b022-499e950d210f", "indicator--571632f8-ba50-40d4-b668-40b6950d210f", "indicator--571632f8-b0ac-45b2-b300-4acd950d210f", "indicator--571633f1-ceac-4898-af6f-4077950d210f", "indicator--571633f2-853c-4d2a-99c0-4157950d210f", "indicator--5716356d-8e44-44e0-bdbe-43e8950d210f", 
"indicator--57163585-4fa0-4a17-9aab-46c2950d210f", "indicator--571635aa-1d00-4b7f-b330-4030950d210f", "indicator--571635c2-8fb0-46d1-ba3d-4861950d210f", "indicator--5716360a-2a3c-429e-82dd-49d2950d210f", "indicator--5716363b-7a90-44eb-92d5-46e3950d210f", "indicator--5716364b-1940-4d7c-a2ee-4ba3950d210f", "indicator--5716365c-65b4-4d71-9618-4d3c950d210f", "indicator--5716366b-7980-4c53-a04c-44ae950d210f", "indicator--5716367d-2b88-45b5-a3bb-4915950d210f", "indicator--5716368e-b1b0-4184-aa05-445c950d210f", "indicator--571637b8-b8a0-472d-982f-49ac950d210f", "indicator--571637b9-a1d4-47e7-924c-478d950d210f", "indicator--57163938-0878-4bcb-a764-4f47950d210f", "indicator--57163939-db08-4130-8859-4246950d210f", "indicator--5716393a-be40-4cea-860e-4198950d210f", "indicator--5716393a-59ec-46a8-be9f-4729950d210f", "indicator--5716393a-9718-4575-b267-4c6d950d210f", "indicator--571639c0-0f48-454b-b4f5-4f8e950d210f", "indicator--57163b0d-9214-43d4-9c9f-4d5f950d210f", "indicator--57163b0d-3c58-4378-b036-4eea950d210f", "indicator--5717249f-c33c-4b52-926b-4475950d210f", "indicator--57172612-830c-44ef-8b61-4f00950d210f", "indicator--57172613-bf60-445b-b242-4473950d210f", "indicator--571727ae-9478-46db-87bb-4241950d210f", "indicator--571727ae-ef9c-4de4-af85-4e73950d210f", "indicator--571727af-0e74-4f10-9b4c-4965950d210f", "indicator--571727b0-16e0-45d6-a286-4a06950d210f", "indicator--571727b0-e65c-469d-a368-4a7f950d210f", "indicator--571727b1-66c8-4be7-8ee1-43c3950d210f", "indicator--571727b2-5eb0-4dce-98b8-4dba950d210f", "indicator--571727b2-c0ec-413f-abe2-467c950d210f", "indicator--571727b3-cc50-4e24-8329-49c8950d210f", "indicator--571727b4-a3b8-4cbc-be4a-4ebc950d210f", "indicator--571727b5-f7e8-45ce-b313-4df9950d210f", "indicator--57172a14-7bd8-4080-9f8a-4167950d210f", "indicator--57172b09-ec08-4253-84d9-497402de0b81", "observed-data--57172b0a-fb18-45f2-8f9d-4ac102de0b81", "url--57172b0a-fb18-45f2-8f9d-4ac102de0b81", "indicator--57172b0a-c39c-4fb0-ad04-437302de0b81", 
"observed-data--57172b0a-3154-4f7c-9b4a-473702de0b81", "url--57172b0a-3154-4f7c-9b4a-473702de0b81", "indicator--57172b0b-c0ac-4958-9e53-420a02de0b81", "observed-data--57172b0b-1d78-4aae-939a-4a6d02de0b81", "url--57172b0b-1d78-4aae-939a-4a6d02de0b81", "indicator--57172b0b-0a64-4adf-bf72-441802de0b81", "observed-data--57172b0c-83d0-4f34-9174-4a5e02de0b81", "url--57172b0c-83d0-4f34-9174-4a5e02de0b81", "indicator--57172b0c-8a80-4cb3-a81d-44ed02de0b81", "observed-data--57172b0c-49a0-4108-813f-4ef302de0b81", "url--57172b0c-49a0-4108-813f-4ef302de0b81", "indicator--57172b0d-b1fc-4e7a-af10-416702de0b81", "observed-data--57172b0d-78a8-457f-af6d-446f02de0b81", "url--57172b0d-78a8-457f-af6d-446f02de0b81", "indicator--57172b0e-7aa4-49ce-aeb6-43b002de0b81", "observed-data--57172b0e-2518-42b2-a3f1-40e902de0b81", "url--57172b0e-2518-42b2-a3f1-40e902de0b81", "indicator--57172b0e-0ba8-4133-bb81-4bf902de0b81", "observed-data--57172b0f-0068-4f9d-8aa1-414002de0b81", "url--57172b0f-0068-4f9d-8aa1-414002de0b81", "indicator--57172b0f-cc1c-49b9-8bae-4bf302de0b81", "observed-data--57172b0f-e398-420a-a136-49d302de0b81", "url--57172b0f-e398-420a-a136-49d302de0b81", "indicator--57172b10-07e0-4001-a6d8-4fac02de0b81", "observed-data--57172b10-30a4-4633-9876-46b902de0b81", "url--57172b10-30a4-4633-9876-46b902de0b81", "indicator--57172b11-b8f4-4ba3-8482-4f6e02de0b81", "observed-data--57172b11-45b0-42ab-9d84-41a302de0b81", "url--57172b11-45b0-42ab-9d84-41a302de0b81", "indicator--57172b11-b554-4a57-9917-474502de0b81", "observed-data--57172b12-f8e0-43a0-b10f-469802de0b81", "url--57172b12-f8e0-43a0-b10f-469802de0b81", "indicator--57172b12-ccb4-414a-892f-4d1602de0b81", "observed-data--57172b12-b1d4-4cb1-a6d8-48ee02de0b81", "url--57172b12-b1d4-4cb1-a6d8-48ee02de0b81", "indicator--57172b13-c430-4759-beca-4a0e02de0b81", "observed-data--57172b13-f4b0-42e3-94e1-4fa402de0b81", "url--57172b13-f4b0-42e3-94e1-4fa402de0b81", "indicator--57172b14-295c-4018-8c0b-4ff702de0b81", 
"observed-data--57172b14-4674-4191-94f8-4a8802de0b81", "url--57172b14-4674-4191-94f8-4a8802de0b81", "indicator--57172b14-6408-4a0d-83f5-4e9b02de0b81", "observed-data--57172b15-8988-4d9e-a32e-420602de0b81", "url--57172b15-8988-4d9e-a32e-420602de0b81", "indicator--57172b15-ae10-4a05-a760-470702de0b81", "observed-data--57172b15-61e4-481c-be10-44b702de0b81", "url--57172b15-61e4-481c-be10-44b702de0b81", "indicator--57172b16-3340-4e35-97a0-4bd902de0b81", "observed-data--57172b16-0ce0-4c6f-b784-454502de0b81", "url--57172b16-0ce0-4c6f-b784-454502de0b81", "indicator--57172b17-5f24-4f62-b72b-4c2002de0b81", "observed-data--57172b17-4414-4f3f-8fc8-49ea02de0b81", "url--57172b17-4414-4f3f-8fc8-49ea02de0b81", "indicator--57172b17-868c-4c3b-b79d-45aa02de0b81", "indicator--57172b18-fe4c-41b3-abfe-4c5602de0b81", "observed-data--57172b18-ec7c-4e74-b032-49e302de0b81", "url--57172b18-ec7c-4e74-b032-49e302de0b81", "indicator--57172b18-d2dc-423c-ba45-49a002de0b81", "indicator--57172b19-ab98-403b-bea6-44ce02de0b81", "observed-data--57172b19-c660-45a5-8c0d-4d5802de0b81", "url--57172b19-c660-45a5-8c0d-4d5802de0b81", "indicator--57172b19-bd24-4c48-9f17-44cb02de0b81", "indicator--57172b1a-48e0-4588-acb3-48fa02de0b81", "observed-data--57172b1a-3d00-4a32-a155-4a8f02de0b81", "url--57172b1a-3d00-4a32-a155-4a8f02de0b81", "indicator--57172b1b-bda4-481e-91aa-4f1a02de0b81", "indicator--57172b1b-dc30-447b-898a-458202de0b81", "observed-data--57172b1b-43d4-40b6-baac-41e702de0b81", "url--57172b1b-43d4-40b6-baac-41e702de0b81", "indicator--57172b1c-b8d0-4a48-bb1d-46da02de0b81", "indicator--57172b1c-4444-48d9-b21d-408b02de0b81", "observed-data--57172b1c-dfbc-4ceb-af43-40ed02de0b81", "url--57172b1c-dfbc-4ceb-af43-40ed02de0b81", "indicator--57172b1d-edf0-4761-baab-4b6902de0b81", "indicator--57172b1d-add4-4872-8f43-46aa02de0b81", "observed-data--57172b1d-0d80-4dbf-80b8-4b8202de0b81", "url--57172b1d-0d80-4dbf-80b8-4b8202de0b81", "indicator--57172b1e-faac-4a67-a2ff-472802de0b81", 
"indicator--57172b1e-d608-4814-bd1c-4a7502de0b81", "observed-data--57172b1e-dd84-43fe-b7c0-4adf02de0b81", "url--57172b1e-dd84-43fe-b7c0-4adf02de0b81", "indicator--57172b1f-add0-49b0-adfa-4e4e02de0b81", "indicator--57172b1f-3090-4011-a9e9-444902de0b81", "observed-data--57172b20-0268-42e0-9264-4cd902de0b81", "url--57172b20-0268-42e0-9264-4cd902de0b81", "indicator--57172b20-9494-4e9e-9e67-40e902de0b81", "indicator--57172b20-f1b0-4c9a-b746-484102de0b81", "observed-data--57172b21-3880-4218-9131-437a02de0b81", "url--57172b21-3880-4218-9131-437a02de0b81", "indicator--57172b21-5834-47e6-a2c7-41f402de0b81", "indicator--57172b21-2738-44d4-857b-426e02de0b81", "observed-data--57172b22-3068-4484-8cfd-444602de0b81", "url--57172b22-3068-4484-8cfd-444602de0b81", "indicator--57172b22-7284-4c9d-a29e-49e902de0b81", "indicator--57172b22-8e80-4eab-ae04-417102de0b81", "observed-data--57172b23-045c-4ba6-8d54-41c502de0b81", "url--57172b23-045c-4ba6-8d54-41c502de0b81", "indicator--57172b54-6d44-460d-ac20-40a7950d210f", "indicator--57172ba9-9b28-4af8-91e6-44e4950d210f", "indicator--57172baa-a0c4-40e6-8de2-4c99950d210f", "indicator--57173004-40c8-44cc-a582-464a950d210f", "indicator--57173005-f2dc-43f4-bd30-48b8950d210f", "indicator--57173006-1804-4885-b572-44a9950d210f", "indicator--57173006-d0c4-47fc-903c-4f7f950d210f", "indicator--571733d2-a0fc-4909-8c81-44ea950d210f", "indicator--571733d2-f430-45fa-b095-4a07950d210f", "indicator--571733d2-0f0c-4b63-9c9a-4615950d210f", "indicator--571733d3-ce08-4636-9f75-41cb950d210f", "indicator--571733d3-7fe4-430d-a31d-44aa950d210f", "indicator--571733d3-a8e4-4198-aecd-4594950d210f", "indicator--57173d6f-0adc-4af5-b8c1-45ce950d210f", "indicator--57173e35-4b34-4a16-8442-478c950d210f", "indicator--57173e4a-4b18-4646-9a26-4712950d210f", "indicator--57173e4a-99b8-4146-b38d-48df950d210f", "indicator--57173e97-6cd4-47eb-92ad-46c2950d210f", "indicator--57173eb0-68b4-4ad0-a243-4022950d210f", "indicator--57173ebe-e2f8-49b3-b75c-4275950d210f", 
"indicator--57173ebf-7e30-489d-bd92-4eb3950d210f", "indicator--57173ecc-4858-4e78-a121-4223950d210f", "indicator--57173ecd-ff54-4b11-921f-46fb950d210f", "indicator--5717445c-4344-4af2-8fe9-4151950d210f", "indicator--571744ad-ea7c-4e0f-b713-4893950d210f", "indicator--571744ad-c1f8-4606-b0b2-45bc950d210f", "indicator--571744ae-aee8-4190-98ae-426d950d210f", "indicator--571744ae-7ae4-4ddc-bf3c-45ef950d210f", "indicator--571744ae-1af4-4757-8408-42d7950d210f", "indicator--571744af-a4b8-4e3c-9228-49b4950d210f", "indicator--57174506-afbc-44f1-b90c-45d6950d210f", "indicator--5717452e-22d8-4278-b18b-40c3950d210f", "indicator--5717452e-f668-4202-bc83-4fcc950d210f", "indicator--5717452f-e860-4d6e-be0a-412d950d210f", "indicator--5717452f-bc28-48f8-a88f-4621950d210f", "indicator--57174530-8628-4ec1-945e-4f28950d210f", "indicator--571745f2-29dc-4434-8a4e-4f24950d210f", "indicator--571745f3-0710-48a7-8a66-4f4b950d210f", "indicator--571745f4-eab8-481e-bfbc-41b7950d210f", "indicator--57174605-6328-49df-a999-4ad9950d210f", "indicator--57174606-b230-42b0-b806-47f2950d210f", "indicator--57174623-6d50-40d8-9fb3-47c6950d210f", "indicator--57174624-8aa0-4072-bc11-4657950d210f", "indicator--57174624-a420-4946-be1d-473e950d210f", "indicator--57174625-257c-43c7-a6a6-4b5f950d210f", "indicator--57174626-4614-4979-b6a0-41d4950d210f", "indicator--57174626-632c-4e4f-ad7f-42ff950d210f", "indicator--57174627-93e4-4f5c-8c97-4251950d210f", "indicator--57174628-8e70-4cc8-9987-4952950d210f", "indicator--57174628-caf4-49ba-86d9-40a2950d210f", "indicator--57174629-38f4-4809-b539-4fd9950d210f", "indicator--5717462a-b1b0-4b33-bf15-45c2950d210f", "indicator--571746e1-8018-47cf-8445-4d2a950d210f", "indicator--571746e2-b3b8-4478-9c44-4c84950d210f", "indicator--571746e2-5f40-4465-a168-4030950d210f", "indicator--571746e3-9830-4503-8e36-475c950d210f", "indicator--571746e3-489c-4e77-afe4-43b8950d210f", "indicator--571746e4-9dd0-4067-8ec7-4fba950d210f", "indicator--571746e5-e05c-451b-9a26-4efa950d210f", 
"indicator--571746e6-c760-4569-96ff-4d91950d210f", "indicator--571746e6-e8b4-4c80-8fe4-430e950d210f", "indicator--57174768-a980-4cfc-adce-4ef9950d210f", "indicator--57174798-6d98-4b70-b485-4cca950d210f", "indicator--571747a8-e860-46cd-b1b3-44c1950d210f", "indicator--5717486b-e948-4e87-b418-42fe950d210f", "indicator--5717486b-ac80-4461-911a-49fc950d210f", "indicator--571748d1-aef0-4c8b-991b-4c00950d210f", "indicator--571748d2-03c0-4806-a97b-4b36950d210f", "indicator--57174a07-2508-4ee1-a57b-4894950d210f", "indicator--57174a84-d848-4ef3-8677-43fa950d210f", "indicator--57174a84-7878-4c38-ac38-4c38950d210f", "indicator--57174a85-8a24-41d6-bc55-4eef950d210f", "indicator--57174aaa-2894-4f79-83c3-48bb950d210f", "indicator--57174b68-2ef8-49f4-82fc-4e38950d210f", "x-misp-attribute--57174b99-21b4-4881-8088-44f2950d210f", "indicator--57174be5-742c-456a-a9be-4030950d210f", "indicator--57174be5-2e14-46d9-a003-4125950d210f", "indicator--57174be5-41e0-41d6-a2e5-4294950d210f", "observed-data--57174bfd-9390-4ea8-b4fd-4a39950d210f", "file--57174bfd-9390-4ea8-b4fd-4a39950d210f", "observed-data--57174c0d-7a14-496d-81b4-4e90950d210f", "file--57174c0d-7a14-496d-81b4-4e90950d210f", "observed-data--57174c53-7610-4095-b503-4f52950d210f", "file--57174c53-7610-4095-b503-4f52950d210f", "observed-data--57174cef-6628-4d5c-a692-4a51950d210f", "file--57174cef-6628-4d5c-a692-4a51950d210f", "observed-data--57174cff-aa9c-441c-8d64-4493950d210f", "file--57174cff-aa9c-441c-8d64-4493950d210f", "observed-data--57174d12-942c-4080-977e-4467950d210f", "file--57174d12-942c-4080-977e-4467950d210f", "observed-data--57174d22-fcec-4be8-9b94-44a9950d210f", "file--57174d22-fcec-4be8-9b94-44a9950d210f", "observed-data--57174dd8-3f30-4838-af62-400a950d210f", "file--57174dd8-3f30-4838-af62-400a950d210f", "observed-data--57174df1-3968-479d-85d5-4e03950d210f", "file--57174df1-3968-479d-85d5-4e03950d210f", "observed-data--57174dff-78ac-400f-bbd4-4c75950d210f", "file--57174dff-78ac-400f-bbd4-4c75950d210f", 
"observed-data--57174e0a-10e0-4022-9a31-4ba1950d210f", "file--57174e0a-10e0-4022-9a31-4ba1950d210f", "observed-data--57174e1d-32dc-46d5-b717-41c3950d210f", "file--57174e1d-32dc-46d5-b717-41c3950d210f", "observed-data--57174e2d-4558-4971-aa84-4d5a950d210f", "file--57174e2d-4558-4971-aa84-4d5a950d210f", "observed-data--57174e3a-3abc-4d57-b5f7-449b950d210f", "file--57174e3a-3abc-4d57-b5f7-449b950d210f", "observed-data--57174e48-e2dc-4f15-9ae2-4adb950d210f", "file--57174e48-e2dc-4f15-9ae2-4adb950d210f", "observed-data--57174e54-5018-495b-b18a-48eb950d210f", "file--57174e54-5018-495b-b18a-48eb950d210f", "observed-data--57174e6a-c71c-4c48-a9f4-444b950d210f", "file--57174e6a-c71c-4c48-a9f4-444b950d210f", "indicator--571787f5-98d0-4631-b8c7-4f0102de0b81", "observed-data--571787f5-31d0-4bc2-986d-4bd102de0b81", "url--571787f5-31d0-4bc2-986d-4bd102de0b81", "indicator--571787f6-6d58-4685-aa4c-4b1e02de0b81", "observed-data--571787f6-b9e4-4e7f-812f-476102de0b81", "url--571787f6-b9e4-4e7f-812f-476102de0b81", "indicator--571787f7-5640-43a9-a1f8-42d202de0b81", "observed-data--571787f7-ed70-43ad-84b7-428702de0b81", "url--571787f7-ed70-43ad-84b7-428702de0b81", "indicator--571787f8-d818-4455-aec2-4cf002de0b81", "observed-data--571787f8-0bc0-4113-bd2a-446d02de0b81", "url--571787f8-0bc0-4113-bd2a-446d02de0b81", "indicator--571787f8-6338-476e-8153-44af02de0b81", "observed-data--571787f9-1f18-4b3a-ac70-482102de0b81", "url--571787f9-1f18-4b3a-ac70-482102de0b81", "indicator--571787f9-5f08-4091-97a4-40e702de0b81", "observed-data--571787fa-074c-4412-a3f1-4c2302de0b81", "url--571787fa-074c-4412-a3f1-4c2302de0b81", "indicator--571787fa-81e4-400a-8f49-4e9902de0b81", "observed-data--571787fa-e10c-4ac1-ac7d-4c5b02de0b81", "url--571787fa-e10c-4ac1-ac7d-4c5b02de0b81", "observed-data--571787fb-44bc-4692-b11b-4b2502de0b81", "url--571787fb-44bc-4692-b11b-4b2502de0b81", "observed-data--571787fb-7fcc-4e67-bed8-429a02de0b81", "url--571787fb-7fcc-4e67-bed8-429a02de0b81", 
"observed-data--571787fc-cb4c-49f7-991d-45d002de0b81", "url--571787fc-cb4c-49f7-991d-45d002de0b81", "indicator--571787fc-b710-46bc-a454-496202de0b81", "observed-data--571787fc-b338-4b49-a732-473902de0b81", "url--571787fc-b338-4b49-a732-473902de0b81", "indicator--571787fd-6dc4-4c44-82c0-43d602de0b81", "observed-data--571787fd-9b0c-4c22-98cb-41c302de0b81", "url--571787fd-9b0c-4c22-98cb-41c302de0b81", "indicator--571787fe-2ed8-4e88-8cba-4b9002de0b81", "observed-data--571787fe-bf88-4d38-b4a9-47d702de0b81", "url--571787fe-bf88-4d38-b4a9-47d702de0b81", "indicator--571787fe-7404-450d-a9bd-415a02de0b81", "observed-data--571787ff-8ac4-41cb-bbfe-43b102de0b81", "url--571787ff-8ac4-41cb-bbfe-43b102de0b81", "indicator--571787ff-3858-4bdc-bd8f-430e02de0b81", "observed-data--571787ff-9184-46e3-bda4-460202de0b81", "url--571787ff-9184-46e3-bda4-460202de0b81", "indicator--57178800-8b30-4513-b981-431902de0b81", "observed-data--57178800-8760-437a-8ecf-494b02de0b81", "url--57178800-8760-437a-8ecf-494b02de0b81", "indicator--57178801-c614-4982-8611-42d002de0b81", "observed-data--57178801-e5fc-46db-9b1c-41d802de0b81", "url--57178801-e5fc-46db-9b1c-41d802de0b81", "observed-data--57178801-90c4-4fad-b307-420c02de0b81", "url--57178801-90c4-4fad-b307-420c02de0b81", "observed-data--57178802-d774-4018-b499-4c2002de0b81", "url--57178802-d774-4018-b499-4c2002de0b81", "indicator--577f761a-5ec4-4532-9e7b-093bc0a8f687" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715359f-6c3c-49f6-9447-4a6b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-18T19:29:35.000Z", "modified": "2016-04-18T19:29:35.000Z", "first_observed": "2016-04-18T19:29:35Z", "last_observed": "2016-04-18T19:29:35Z", "number_observed": 1, "object_refs": [ 
"url--5715359f-6c3c-49f6-9447-4a6b950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5715359f-6c3c-49f6-9447-4a6b950d210f", "value": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/04/ASERT-Threat-Intelligence-Report-2016-03-The-Four-Element-Sword-Engagement.pdf" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--571535d0-050c-4c6f-9eee-4b3c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-18T19:30:24.000Z", "modified": "2016-04-18T19:30:24.000Z", "name": "CVE-2012-0158", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2012-0158" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--571535d0-ee34-47e6-8ae9-4c82950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-18T19:30:24.000Z", "modified": "2016-04-18T19:30:24.000Z", "name": "CVE-2012-1856", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2012-1856" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--571535d0-b898-4ab7-80f4-4555950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-18T19:30:24.000Z", "modified": "2016-04-18T19:30:24.000Z", "name": "CVE-2015-1641", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2015-1641" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--571535d0-c074-4f8b-b2dc-4fb9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-18T19:30:24.000Z", "modified": "2016-04-18T19:30:24.000Z", 
"name": "CVE-2015-1770", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2015-1770" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57153622-b0fc-4002-ae3c-3e3c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-18T19:31:46.000Z", "modified": "2016-04-18T19:31:46.000Z", "description": "On port 7386", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.55.120.143']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-18T19:31:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715eae1-b6f0-46c6-af87-40de950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:02:23.000Z", "modified": "2016-04-19T12:02:23.000Z", "description": "On port 8080", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '180.169.28.58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:02:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715f2ce-b55c-4357-bdfe-43d5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T08:56:46.000Z", "modified": "2016-04-19T08:56:46.000Z", "description": "spearfish", "pattern": "[file:hashes.MD5 = '7d4f8341b58602a17184bc5c07311e8b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T08:56:46Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715f2cf-ee4c-4585-a40e-4d6c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T08:56:47.000Z", "modified": "2016-04-19T08:56:47.000Z", "description": "RTF", "pattern": "[file:hashes.MD5 = 'c674ae90f686d831cffc223a55782a93']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T08:56:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715f2cf-8de8-4475-a716-4de1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:05:35.000Z", "modified": "2016-04-19T09:05:35.000Z", "pattern": "[file:name = 'IEChecker.exe' AND file:hashes.MD5 = '46c7d064a34c4e02bb2df56e0f8470c0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:05:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715f3b3-6998-40e7-9235-4b3e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:16:38.000Z", "modified": "2016-04-19T09:16:38.000Z", "description": "spearfish", "pattern": "[file:hashes.SHA256 = 'bacc4edb5e775d2c957022ad8360946c19f9f75ef2709c1db2d6708d53ec2cd1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:16:38Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715f3b4-c4f0-4b6b-8661-494f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:05:15.000Z", "modified": "2016-04-19T09:05:15.000Z", "pattern": "[file:name = 'IEChecker.exe' AND file:hashes.SHA256 = '7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:05:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f40b-36e0-4bcc-935b-4c64950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:02:03.000Z", "modified": "2016-04-19T09:02:03.000Z", "first_observed": "2016-04-19T09:02:03Z", "last_observed": "2016-04-19T09:02:03Z", "number_observed": 1, "object_refs": [ "file--5715f40b-36e0-4bcc-935b-4c64950d210f" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5715f40b-36e0-4bcc-935b-4c64950d210f", "hashes": { "SHA-256": "af2cc5bb8d97bf019280c80e2891103a8a1d5e5f8c6305b6f6c4dd83ec245a7d" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f500-cff4-42db-a2d9-44b1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:12:43.000Z", "modified": "2016-04-19T09:12:43.000Z", "first_observed": "2016-04-19T09:12:43Z", "last_observed": "2016-04-19T09:12:43Z", "number_observed": 1, "object_refs": [ "domain-name--5715f500-cff4-42db-a2d9-44b1950d210f" ], "labels": [ 
"misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f500-cff4-42db-a2d9-44b1950d210f", "value": "goodnewspaper.f3322.org" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f500-5c34-42da-bd1f-497f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:12:48.000Z", "modified": "2016-04-19T09:12:48.000Z", "first_observed": "2016-04-19T09:12:48Z", "last_observed": "2016-04-19T09:12:48Z", "number_observed": 1, "object_refs": [ "domain-name--5715f500-5c34-42da-bd1f-497f950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f500-5c34-42da-bd1f-497f950d210f", "value": "20080628.3322.org" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715f658-9c1c-4a06-9273-4785950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:11:52.000Z", "modified": "2016-04-19T09:11:52.000Z", "description": "Associated with 180.169.28.58 TCP/8080", "pattern": "[domain-name:value = 'goodnewspaper.3322.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:11:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f659-3464-4c20-9622-489c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:12:37.000Z", "modified": "2016-04-19T09:12:37.000Z", "first_observed": "2016-04-19T09:12:37Z", "last_observed": "2016-04-19T09:12:37Z", "number_observed": 1, "object_refs": [ "domain-name--5715f659-3464-4c20-9622-489c950d210f" ], "labels": [ "misp:type=\"hostname\"", 
"misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f659-3464-4c20-9622-489c950d210f", "value": "goodnewspaper.gicp.net" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f2-4e18-46a8-a304-4aaf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:14.000Z", "modified": "2016-04-19T09:27:14.000Z", "first_observed": "2016-04-19T09:27:14Z", "last_observed": "2016-04-19T09:27:14Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f2-4e18-46a8-a304-4aaf950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f9f2-4e18-46a8-a304-4aaf950d210f", "value": "uyguhr.sov.te" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f2-de84-4c91-8d98-4f9c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:14.000Z", "modified": "2016-04-19T09:27:14.000Z", "first_observed": "2016-04-19T09:27:14Z", "last_observed": "2016-04-19T09:27:14Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f2-de84-4c91-8d98-4f9c950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f9f2-de84-4c91-8d98-4f9c950d210f", "value": "oyghur.yebhio.net" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f3-44bc-457b-90cb-40a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:15.000Z", "modified": "2016-04-19T09:27:15.000Z", "first_observed": "2016-04-19T09:27:15Z", "last_observed": "2016-04-19T09:27:15Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f3-44bc-457b-90cb-40a1950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" 
] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f9f3-44bc-457b-90cb-40a1950d210f", "value": "www.uyghuri.mrface.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f3-f55c-4519-b36f-4547950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:15.000Z", "modified": "2016-04-19T09:27:15.000Z", "first_observed": "2016-04-19T09:27:15Z", "last_observed": "2016-04-19T09:27:15Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f3-f55c-4519-b36f-4547950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f9f3-f55c-4519-b36f-4547950d210f", "value": "uyghuri.mrface.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f3-818c-4fdd-bd6f-45a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:15.000Z", "modified": "2016-04-19T09:27:15.000Z", "first_observed": "2016-04-19T09:27:15Z", "last_observed": "2016-04-19T09:27:15Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f3-818c-4fdd-bd6f-45a4950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f9f3-818c-4fdd-bd6f-45a4950d210f", "value": "uygur.elcp.net" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f3-61e4-431c-96da-426e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:15.000Z", "modified": "2016-04-19T09:27:15.000Z", "first_observed": "2016-04-19T09:27:15Z", "last_observed": "2016-04-19T09:27:15Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f3-61e4-431c-96da-426e950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", 
"spec_version": "2.1", "id": "domain-name--5715f9f3-61e4-431c-96da-426e950d210f", "value": "uyguhr1.webhop.net" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f4-3954-463f-8012-48a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:16.000Z", "modified": "2016-04-19T09:27:16.000Z", "first_observed": "2016-04-19T09:27:16Z", "last_observed": "2016-04-19T09:27:16Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f4-3954-463f-8012-48a4950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f9f4-3954-463f-8012-48a4950d210f", "value": "uygur.51vip.biz" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f4-1008-435d-b573-431d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:16.000Z", "modified": "2016-04-19T09:27:16.000Z", "first_observed": "2016-04-19T09:27:16Z", "last_observed": "2016-04-19T09:27:16Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f4-1008-435d-b573-431d950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--5715f9f4-1008-435d-b573-431d950d210f", "value": "uyguhr.epac.to" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715f9f4-2cd0-4d29-827e-40fc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:27:16.000Z", "modified": "2016-04-19T09:27:16.000Z", "first_observed": "2016-04-19T09:27:16Z", "last_observed": "2016-04-19T09:27:16Z", "number_observed": 1, "object_refs": [ "domain-name--5715f9f4-2cd0-4d29-827e-40fc950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": 
"domain-name--5715f9f4-2cd0-4d29-827e-40fc950d210f", "value": "xinxin20080628.gicp.net" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5715fb1f-18ec-4ed6-8a25-4abd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:32:15.000Z", "modified": "2016-04-19T09:32:15.000Z", "first_observed": "2016-04-19T09:32:15Z", "last_observed": "2016-04-19T09:32:15Z", "number_observed": 1, "object_refs": [ "network-traffic--5715fb1f-18ec-4ed6-8a25-4abd950d210f", "ipv4-addr--5715fb1f-18ec-4ed6-8a25-4abd950d210f" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5715fb1f-18ec-4ed6-8a25-4abd950d210f", "dst_ref": "ipv4-addr--5715fb1f-18ec-4ed6-8a25-4abd950d210f", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5715fb1f-18ec-4ed6-8a25-4abd950d210f", "value": "114.60.106.156" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715fc97-a5a4-4538-bf86-4bcc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:38:31.000Z", "modified": "2016-04-19T09:38:31.000Z", "description": "malicious RTF targeting CVE-2010-3333", "pattern": "[file:hashes.SHA256 = '14fcfccb0ae8988f95924256a38477fcc5c2c213d8a55e5a83c8c1bb67a4b6d4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:38:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715fd00-807c-4ce8-8f27-437d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:07:52.000Z", "modified": "2016-04-19T12:07:52.000Z", "pattern":
"[domain-name:value = 'humanbeing2009.gicp.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:07:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5715feb0-6a48-44c4-b1ba-4a57950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T11:09:32.000Z", "modified": "2016-04-19T11:09:32.000Z", "pattern": "[email-message:body_multipart[*].body_raw_ref.name = '\u00e8\u02c6\u2021\u00e5\u00a4\u00a9\u00e7\u00a9\u00ba\u00e6\u0153\u2030\u00e7\u00b4\u201e!12\u00e5\u20ac\u20392016\u00e5\u00b9\u00b4\u00e4\u00b8\u008d\u00e5\u008f\u00af\u00e9\u0152\u00af\u00e9\u0081\u017d\u00e7\u0161\u201e\u00e5\u00a4\u00a9\u00e6\u2013\u2021\u00e7\u008f\u00be\u00e8\u00b1\u00a1mm.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T11:09:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571600ba-b0b0-4adb-bd01-43ef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:56:10.000Z", "modified": "2016-04-19T09:56:10.000Z", "description": "spearfish", "pattern": "[file:hashes.MD5 = 'b6e22968461bfb2934c556fc44d0baf0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:56:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571600bb-a9b4-4883-ac7d-4d5a950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:56:11.000Z", "modified": "2016-04-19T09:56:11.000Z", "description": "RTF", "pattern": "[file:hashes.MD5 = '74a4fe17dc7101dbb2bb8f0c41069057']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571600bb-045c-4cbc-b0d6-43da950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:56:11.000Z", "modified": "2016-04-19T09:56:11.000Z", "description": "~tmp.doc", "pattern": "[file:hashes.MD5 = 'fcfe3867e4fa17d52c51235cf68a86c2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571600bb-54f0-43d7-83cb-4b3c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:56:11.000Z", "modified": "2016-04-19T09:56:11.000Z", "description": "spearfish", "pattern": "[file:hashes.SHA256 = '4f52292a2136eb7f9538230ae54a323c518fa44cf6de5d10ca7a04ecb6a77872']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571600bc-6348-4e1e-b96d-4cf2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2016-04-19T09:56:12.000Z", "modified": "2016-04-19T09:56:12.000Z", "description": "RTF", "pattern": "[file:hashes.SHA256 = '0683fac0b564fe5d2096e207b374a238a811e67b87856fc19bdf8eb3d6f76b49']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571600bc-8178-4d6f-b5fd-47a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T09:56:12.000Z", "modified": "2016-04-19T09:56:12.000Z", "description": "~tmp.doc", "pattern": "[file:hashes.SHA256 = '60ef10cce9974cdc8a453d8fdd8ddf0cad49c6f07d2c4d095ff483998685b421']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T09:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571610cd-4774-4e4e-bd0a-4407950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:07:46.000Z", "modified": "2016-04-19T12:07:46.000Z", "pattern": "[domain-name:value = 'webmonder.gicp.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:07:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571613a9-3a2c-478a-a180-43a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T11:16:57.000Z", "modified": 
"2016-04-19T11:16:57.000Z", "first_observed": "2016-04-19T11:16:57Z", "last_observed": "2016-04-19T11:16:57Z", "number_observed": 1, "object_refs": [ "email-message--571613a9-3a2c-478a-a180-43a1950d210f", "email-addr--571613a9-3a2c-478a-a180-43a1950d210f" ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--571613a9-3a2c-478a-a180-43a1950d210f", "is_multipart": false, "from_ref": "email-addr--571613a9-3a2c-478a-a180-43a1950d210f" }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--571613a9-3a2c-478a-a180-43a1950d210f", "value": "hkhumanrights.asia@gmail.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571613c3-5d04-4eea-9690-4b95950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T11:17:23.000Z", "modified": "2016-04-19T11:17:23.000Z", "first_observed": "2016-04-19T11:17:23Z", "last_observed": "2016-04-19T11:17:23Z", "number_observed": 1, "object_refs": [ "email-message--571613c3-5d04-4eea-9690-4b95950d210f" ], "labels": [ "misp:type=\"email-subject\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--571613c3-5d04-4eea-9690-4b95950d210f", "is_multipart": false, "subject": "US Congress sanctions $6 million fund for Tibetans in Nepal anf India" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571613d5-dc64-43bc-9481-42d0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T11:17:41.000Z", "modified": "2016-04-19T11:17:41.000Z", "first_observed": "2016-04-19T11:17:41Z", "last_observed": "2016-04-19T11:17:41Z", "number_observed": 1, "object_refs": [ "email-message--571613d5-dc64-43bc-9481-42d0950d210f", "file--571613d5-dc64-43bc-9481-42d0950d210f" ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"" ] 
}, { "type": "email-message", "spec_version": "2.1", "id": "email-message--571613d5-dc64-43bc-9481-42d0950d210f", "is_multipart": true, "body_multipart": [ { "body_raw_ref": "file--571613d5-dc64-43bc-9481-42d0950d210f", "content_disposition": "attachment; filename='US Congress sanctions $6 million fund for Tibetans in Nepal anf India.doc'" } ] }, { "type": "file", "spec_version": "2.1", "id": "file--571613d5-dc64-43bc-9481-42d0950d210f", "name": "US Congress sanctions $6 million fund for Tibetans in Nepal anf India.doc" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57161b17-23b8-4631-96fd-4bad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T11:48:39.000Z", "modified": "2016-04-19T11:48:39.000Z", "first_observed": "2016-04-19T11:48:39Z", "last_observed": "2016-04-19T11:48:39Z", "number_observed": 1, "object_refs": [ "email-message--57161b17-23b8-4631-96fd-4bad950d210f", "email-addr--57161b17-23b8-4631-96fd-4bad950d210f" ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--57161b17-23b8-4631-96fd-4bad950d210f", "is_multipart": false, "from_ref": "email-addr--57161b17-23b8-4631-96fd-4bad950d210f" }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--57161b17-23b8-4631-96fd-4bad950d210f", "value": "bill_clay6801@yahoo.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57161b2a-89a0-4f7c-9258-4f93950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T11:48:58.000Z", "modified": "2016-04-19T11:48:58.000Z", "first_observed": "2016-04-19T11:48:58Z", "last_observed": "2016-04-19T11:48:58Z", "number_observed": 1, "object_refs": [ "email-message--57161b2a-89a0-4f7c-9258-4f93950d210f" ], "labels": [ "misp:type=\"email-subject\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", 
"spec_version": "2.1", "id": "email-message--57161b2a-89a0-4f7c-9258-4f93950d210f", "is_multipart": false, "subject": "[BULK] TIBET, OUR BELOVED NATION AND WILL NEVER FORGET IT." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57161b3f-f344-447f-804d-4be4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T11:49:19.000Z", "modified": "2016-04-19T11:49:19.000Z", "first_observed": "2016-04-19T11:49:19Z", "last_observed": "2016-04-19T11:49:19Z", "number_observed": 1, "object_refs": [ "email-message--57161b3f-f344-447f-804d-4be4950d210f", "file--57161b3f-f344-447f-804d-4be4950d210f" ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--57161b3f-f344-447f-804d-4be4950d210f", "is_multipart": true, "body_multipart": [ { "body_raw_ref": "file--57161b3f-f344-447f-804d-4be4950d210f", "content_disposition": "attachment; filename='brochure .rar'" } ] }, { "type": "file", "spec_version": "2.1", "id": "file--57161b3f-f344-447f-804d-4be4950d210f", "name": "brochure .rar" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57161c89-443c-40bb-a5f8-4cbb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:33:42.000Z", "modified": "2016-04-19T12:33:42.000Z", "pattern": "[file:name = 'brochure .doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:33:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57161e37-fe5c-4f2a-b9ec-4eea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:01:59.000Z", "modified": "2016-04-19T12:01:59.000Z", 
"description": "On port 8080; Located in Hong Kong", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.240.203.232']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:01:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57161ec1-1d00-4ab1-b71d-4cd4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:04:17.000Z", "modified": "2016-04-19T12:04:17.000Z", "pattern": "[file:name = 'uhfx.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:04:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57161eef-6108-4bf2-9029-4966950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:05:03.000Z", "modified": "2016-04-19T12:05:03.000Z", "first_observed": "2016-04-19T12:05:03Z", "last_observed": "2016-04-19T12:05:03Z", "number_observed": 1, "object_refs": [ "file--57161eef-6108-4bf2-9029-4966950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57161eef-6108-4bf2-9029-4966950d210f", "name": "yxsrhsxhxdbldkc.dat" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57161f87-c9ec-4f8f-a2ee-48ef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:08:17.000Z", "modified": "2016-04-19T12:08:17.000Z", "labels": [ "misp:type=\"pdb\"", "misp:category=\"Artifacts
dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pdb", "x_misp_value": "Q:\\Projects\\Br2012\\Release\\svc.pdb" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162012-72b8-433b-b5e2-4651950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:09:54.000Z", "modified": "2016-04-19T12:09:54.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'a0dc5723d3e20e93b48a960b31c984c0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:09:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162013-7804-4691-ac9e-4a15950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:09:55.000Z", "modified": "2016-04-19T12:09:55.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '185fc01ec8adbaa94da741c4c1cf1b83185ae63899f14ce9949553c5dac3ecf6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:09:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571620af-e57c-4008-80f2-4933950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:12:31.000Z", "modified": "2016-04-19T12:12:31.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'akm.epac.to']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:12:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571620b0-7c50-43ef-9724-4c76950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:12:32.000Z", "modified": "2016-04-19T12:12:32.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'gugehotel.cn']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:12:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571620b0-5e38-4e8c-9c29-416d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:12:32.000Z", "modified": "2016-04-19T12:12:32.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = '107.183.86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:12:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571623e1-aaf8-4d39-a018-4a6e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:26:09.000Z", "modified": "2016-04-19T12:26:09.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = '937c13f5915a103aec8d28bdec7cc769']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:26:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571623e1-3bb0-4f0b-8543-4483950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:26:09.000Z", "modified": "2016-04-19T12:26:09.000Z", "description": "On port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.160.247.21']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:26:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571623e1-44e0-4808-9333-4c60950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:26:09.000Z", "modified": "2016-04-19T12:26:09.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = '19b2ed8ab09a43151c9951ff0432a861']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:26:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571623e2-1a50-4035-927b-4453950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:26:10.000Z", "modified": "2016-04-19T12:26:10.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '9d69221584a5c6f8147479282eae3017c2884ae5138d3b910c36a2a38039c776']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:26:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571623e2-80e4-4864-a72c-4ca1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:26:10.000Z", "modified": "2016-04-19T12:26:10.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'b2ae8c02163dcee142afe71188914321']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:26:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571623e2-0aa4-44a7-9198-4cc1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:26:10.000Z", "modified": "2016-04-19T12:26:10.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'wins.microsoftmse.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:26:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162442-63f4-4891-9148-4876950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:27:46.000Z", "modified": "2016-04-19T12:27:46.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = '0566703ccda6c60816ef1d8d917aa7b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:27:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], 
"labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162442-3070-40ac-8735-4c27950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:27:46.000Z", "modified": "2016-04-19T12:27:46.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '766e0c75bb13986f6a18f9f6af422dbda8c6717becc9b02cc4046943a960d21f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:27:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716247b-2390-4de2-951c-4bc2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:28:43.000Z", "modified": "2016-04-19T12:28:43.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'adc.microsoftmse.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:28:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716247c-22d4-421d-9e0e-4f80950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:28:44.000Z", "modified": "2016-04-19T12:28:44.000Z", "description": "Imported via the freetext import.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.10.9.121']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:28:44Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162852-bbe8-4aa9-a420-4f3a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:45:06.000Z", "modified": "2016-04-19T12:45:06.000Z", "pattern": "[rule kivars_service {\r\n\r\nmeta:\r\n\r\n\tdescription = \"Detects instances of Kivars malware when installed as a service\"\r\n\tauthor = \"cwilson@arbor.net\"\r\n\tSHA\u00e2\u20ac\u0090256 = \"443d24d719dec79a2e1be682943795b617064d86f2ebaec7975978f0b1f6950d\"\r\n\tSHA-256 = \"44439e2ae675c548ad193aa67baa8e6abff5cc60c8a4c843a5c9f0c13ffec2d8\"\r\n\tSHA\u00c2\u00ad-256 = \"74ed059519573a393aa7562e2a2afaf046cf872ea51f708a22b58b85c98718a8\"\r\n\tSHA\u00c2\u00ad\u00e2\u20ac\u0090256 = \"80748362762996d4b23f8d4e55d2ef8ca2689b84cc0b5984f420afbb73acad1f\"\r\n\tSHA\u00e2\u20ac\u0090256 = \"9ba14273bfdd4a4b192c625d900b29e1fc3c8673154d3b4c4c3202109e918c8d\"\r\n\tSHA-256 = \"fba3cd920165b47cb39f3c970b8157b4e776cc062c74579a252d8dd2874b2e6b\"\r\n\r\nstrings:\r\n\r\n\t$s1 = \"\\\\Projects\\\\Br2012\\\\Release\\\\svc.pdb\"\r\n\t$s2 = \"This is a flag\"\r\n\t$s3 = \"svc.dll\"\r\n\t$s4 = \"ServiceMain\"\r\n\t$s5 = \"winsta0\"\r\n\r\ncondition:\r\n\r\n\tuint16(0) == 0x5A4D and < 1000000 and (all of ($s*))\r\n\r\n}]", "pattern_type": "yara", "valid_from": "2016-04-19T12:45:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162a9a-7fd8-4e15-91ac-4ad5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:54:50.000Z", "modified": "2016-04-19T12:54:50.000Z", "description": "Imported via the freetext import.", "pattern": 
"[file:hashes.MD5 = '905d1cd328c8cfc378fb00bfa38f0427']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:54:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162a9b-e1e0-444f-bab2-46e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:06:52.000Z", "modified": "2016-04-19T13:06:52.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.IMPHASH = 'fea5902afa6e504a798c73a09b83df5e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"imphash\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162a9b-3828-4d68-8917-4d4f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:54:51.000Z", "modified": "2016-04-19T12:54:51.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'tnyjs.dll' AND file:hashes.MD5 = '5bc954d76342d2860192398f186f3310']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:54:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162a9c-162c-42a2-b2aa-4af9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:54:52.000Z", "modified": "2016-04-19T12:54:52.000Z", "description": "Imported via the freetext 
import.", "pattern": "[file:name = 'uhfx.dll' AND file:hashes.MD5 = '6db7ad23186f445c410f59a41e7f8ac5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:54:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162a9d-6488-4e2c-852c-4ec9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:54:53.000Z", "modified": "2016-04-19T12:54:53.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '18219708781208889af05842ea6d563e56910424ec97ef8f695c0c7a82610a23']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:54:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162b1b-f190-45e8-a60c-4b3d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:56:59.000Z", "modified": "2016-04-19T12:56:59.000Z", "pattern": "[file:name = 'tnyjs.dll' AND file:hashes.SHA256 = '5676c0b2d3c139dbef5bafa0184576bd1a4ccbd3f7d40b4a6a099a1e61bc2a39']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:56:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162b3a-443c-40f1-9f45-40cb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:57:30.000Z", "modified": 
"2016-04-19T12:57:30.000Z", "pattern": "[file:name = 'uhfx.dll' AND file:hashes.SHA256 = 'a46905252567ed2fe17a407d8ae14036fde180f0a42756304109f34d1e8ad872']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:57:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162b62-5d5c-4a71-a20b-458b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:58:49.000Z", "modified": "2016-04-19T12:58:49.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'brochure .rar' AND file:hashes.MD5 = 'c8c6365bf21d947e8e986d4766a9fc16']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:58:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162b63-ecd8-4688-aa03-45bc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T12:59:03.000Z", "modified": "2016-04-19T12:59:03.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'brochure .doc' AND file:hashes.MD5 = '835fee42132feebe9b3231297e5e71a8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T12:59:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162be0-4da4-41ff-a407-440d950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:01:30.000Z", "modified": "2016-04-19T13:01:30.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'brochure .rar' AND file:hashes.SHA256 = 'e8af4f3504b0e1cf165dfd1070342b831fd7b5b45da94c6f2a25c28dd6eb3c4a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:01:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162be0-b2b0-4a8d-83be-4446950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:02:19.000Z", "modified": "2016-04-19T13:02:19.000Z", "pattern": "[file:name = 'brochure .doc' AND file:hashes.SHA256 = '0ed325b841a2beb446c5e9a6825deaa021651c8b627aa7147d89edde05af6598']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:02:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bed-1bfc-4f65-bb04-4e8a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:29.000Z", "modified": "2016-04-19T13:00:29.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 9d69221584a5c6f8147479282eae3017c2884ae5138d3b910c36a2a38039c776", "pattern": "[file:hashes.SHA1 = 'c3a1b57a062bfd27ea9a56f6439193369970e336']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bee-b524-49ab-9591-43a702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:30.000Z", "modified": "2016-04-19T13:00:30.000Z", "first_observed": "2016-04-19T13:00:30Z", "last_observed": "2016-04-19T13:00:30Z", "number_observed": 1, "object_refs": [ "url--57162bee-b524-49ab-9591-43a702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bee-b524-49ab-9591-43a702de0b81", "value": "https://www.virustotal.com/file/9d69221584a5c6f8147479282eae3017c2884ae5138d3b910c36a2a38039c776/analysis/1436830597/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bee-44f4-423e-9c17-4a6202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:30.000Z", "modified": "2016-04-19T13:00:30.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 766e0c75bb13986f6a18f9f6af422dbda8c6717becc9b02cc4046943a960d21f", "pattern": "[file:hashes.SHA1 = '83d3bb544e0542dd9c4168350adef928e4205e69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bee-05b0-4a80-af98-436002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:30.000Z", "modified": "2016-04-19T13:00:30.000Z", "first_observed": "2016-04-19T13:00:30Z", "last_observed": "2016-04-19T13:00:30Z", "number_observed": 1, "object_refs": [ "url--57162bee-05b0-4a80-af98-436002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bee-05b0-4a80-af98-436002de0b81", "value": "https://www.virustotal.com/file/766e0c75bb13986f6a18f9f6af422dbda8c6717becc9b02cc4046943a960d21f/analysis/1457068422/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bef-5094-438d-b933-46c902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:31.000Z", "modified": "2016-04-19T13:00:31.000Z", "first_observed": "2016-04-19T13:00:31Z", "last_observed": "2016-04-19T13:00:31Z", "number_observed": 1, "object_refs": [ "file--57162bef-5094-438d-b933-46c902de0b81" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57162bef-5094-438d-b933-46c902de0b81", "hashes": { "SHA-1": "26f1e48f5e05f6d1f923e3a74219ca7bfa7c0995" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bef-6dcc-4dc2-9a86-419402de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:31.000Z", "modified": "2016-04-19T13:00:31.000Z", "first_observed": "2016-04-19T13:00:31Z", "last_observed": "2016-04-19T13:00:31Z", "number_observed": 1, "object_refs": [ "url--57162bef-6dcc-4dc2-9a86-419402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bef-6dcc-4dc2-9a86-419402de0b81", "value": "https://www.virustotal.com/file/af2cc5bb8d97bf019280c80e2891103a8a1d5e5f8c6305b6f6c4dd83ec245a7d/analysis/1453438981/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bef-6e34-4ad3-964f-40aa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:31.000Z", "modified": "2016-04-19T13:00:31.000Z", "description": "spearfish - Xchecked via VT: bacc4edb5e775d2c957022ad8360946c19f9f75ef2709c1db2d6708d53ec2cd1", "pattern": "[file:hashes.SHA1 = 'c1e63556e2bb088b15d2ccb1c0fe6c9ce29cf4e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf0-8618-4bdb-9e83-4d3102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:32.000Z", "modified": "2016-04-19T13:00:32.000Z", "first_observed": "2016-04-19T13:00:32Z", "last_observed": "2016-04-19T13:00:32Z", "number_observed": 1, "object_refs": [ "url--57162bf0-8618-4bdb-9e83-4d3102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf0-8618-4bdb-9e83-4d3102de0b81", "value": 
"https://www.virustotal.com/file/bacc4edb5e775d2c957022ad8360946c19f9f75ef2709c1db2d6708d53ec2cd1/analysis/1455727175/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf0-b654-42a6-92c0-4cb202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:32.000Z", "modified": "2016-04-19T13:00:32.000Z", "description": "malicious RTF targeting CVE-2010-3333 - Xchecked via VT: 14fcfccb0ae8988f95924256a38477fcc5c2c213d8a55e5a83c8c1bb67a4b6d4", "pattern": "[file:hashes.SHA1 = '256ede6a7bff266589aaf996a47bf3eedcd8b980']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf0-fb5c-4756-810e-4a9f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:32.000Z", "modified": "2016-04-19T13:00:32.000Z", "description": "malicious RTF targeting CVE-2010-3333 - Xchecked via VT: 14fcfccb0ae8988f95924256a38477fcc5c2c213d8a55e5a83c8c1bb67a4b6d4", "pattern": "[file:hashes.MD5 = 'c7c4a469ddf4bef2daf9bacc7711f0ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf1-3924-4392-ab1e-48a302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:33.000Z", "modified": "2016-04-19T13:00:33.000Z", "first_observed": "2016-04-19T13:00:33Z", "last_observed": 
"2016-04-19T13:00:33Z", "number_observed": 1, "object_refs": [ "url--57162bf1-3924-4392-ab1e-48a302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf1-3924-4392-ab1e-48a302de0b81", "value": "https://www.virustotal.com/file/14fcfccb0ae8988f95924256a38477fcc5c2c213d8a55e5a83c8c1bb67a4b6d4/analysis/1457552893/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf1-6a38-4c76-89ec-441502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:33.000Z", "modified": "2016-04-19T13:00:33.000Z", "description": "RTF - Xchecked via VT: 0683fac0b564fe5d2096e207b374a238a811e67b87856fc19bdf8eb3d6f76b49", "pattern": "[file:hashes.SHA1 = '133f5b9bb5d344109c9c628f5dce248b838c257b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf1-1d44-4294-9d0e-412b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:33.000Z", "modified": "2016-04-19T13:00:33.000Z", "first_observed": "2016-04-19T13:00:33Z", "last_observed": "2016-04-19T13:00:33Z", "number_observed": 1, "object_refs": [ "url--57162bf1-1d44-4294-9d0e-412b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf1-1d44-4294-9d0e-412b02de0b81", "value": "https://www.virustotal.com/file/0683fac0b564fe5d2096e207b374a238a811e67b87856fc19bdf8eb3d6f76b49/analysis/1453026661/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf1-b520-4634-bdc0-4bd202de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:33.000Z", "modified": "2016-04-19T13:00:33.000Z", "description": "spearfish - Xchecked via VT: 4f52292a2136eb7f9538230ae54a323c518fa44cf6de5d10ca7a04ecb6a77872", "pattern": "[file:hashes.SHA1 = '9a794b18a1452269adfcc8315520959b512d1c37']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf2-324c-4447-9a59-4ed702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:34.000Z", "modified": "2016-04-19T13:00:34.000Z", "first_observed": "2016-04-19T13:00:34Z", "last_observed": "2016-04-19T13:00:34Z", "number_observed": 1, "object_refs": [ "url--57162bf2-324c-4447-9a59-4ed702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf2-324c-4447-9a59-4ed702de0b81", "value": "https://www.virustotal.com/file/4f52292a2136eb7f9538230ae54a323c518fa44cf6de5d10ca7a04ecb6a77872/analysis/1455729543/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf2-96bc-4f65-8358-454502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:34.000Z", "modified": "2016-04-19T13:00:34.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 185fc01ec8adbaa94da741c4c1cf1b83185ae63899f14ce9949553c5dac3ecf6", "pattern": "[file:hashes.SHA1 = '6fdd47a2a9dcddd93d9b8ee8a9bb2a28632df58b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf2-f18c-491d-8c87-475102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:34.000Z", "modified": "2016-04-19T13:00:34.000Z", "first_observed": "2016-04-19T13:00:34Z", "last_observed": "2016-04-19T13:00:34Z", "number_observed": 1, "object_refs": [ "url--57162bf2-f18c-491d-8c87-475102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf2-f18c-491d-8c87-475102de0b81", "value": "https://www.virustotal.com/file/185fc01ec8adbaa94da741c4c1cf1b83185ae63899f14ce9949553c5dac3ecf6/analysis/1453280584/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf3-3e24-4b6c-997e-498202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:35.000Z", "modified": "2016-04-19T13:00:35.000Z", "description": "- Xchecked via VT: 5676c0b2d3c139dbef5bafa0184576bd1a4ccbd3f7d40b4a6a099a1e61bc2a39", "pattern": "[file:hashes.SHA1 = '09b7e38aa3279eab002f8528c9cae52601bb1038']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--57162bf3-afb4-4ac7-b466-4e8902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:35.000Z", "modified": "2016-04-19T13:00:35.000Z", "first_observed": "2016-04-19T13:00:35Z", "last_observed": "2016-04-19T13:00:35Z", "number_observed": 1, "object_refs": [ "url--57162bf3-afb4-4ac7-b466-4e8902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf3-afb4-4ac7-b466-4e8902de0b81", "value": "https://www.virustotal.com/file/5676c0b2d3c139dbef5bafa0184576bd1a4ccbd3f7d40b4a6a099a1e61bc2a39/analysis/1456612300/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf3-5e1c-4c4a-a19e-424002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:35.000Z", "modified": "2016-04-19T13:00:35.000Z", "description": "- Xchecked via VT: 7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6", "pattern": "[file:hashes.SHA1 = 'c6fe39647f6e902ed7737f4ed057fdda419d5bb3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf4-0c00-4b36-ad3d-4a8802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:36.000Z", "modified": "2016-04-19T13:00:36.000Z", "first_observed": "2016-04-19T13:00:36Z", "last_observed": "2016-04-19T13:00:36Z", "number_observed": 1, "object_refs": [ "url--57162bf4-0c00-4b36-ad3d-4a8802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf4-0c00-4b36-ad3d-4a8802de0b81", "value": 
"https://www.virustotal.com/file/7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6/analysis/1452693896/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf4-6bf4-435d-92cc-493902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:36.000Z", "modified": "2016-04-19T13:00:36.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 937c13f5915a103aec8d28bdec7cc769", "pattern": "[file:hashes.SHA256 = '51c0d075067709c9f8794a25a7e3920bf69f8c755a1794e857acd818ea8a1010']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf4-a518-4dd7-8c8b-4b6902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:36.000Z", "modified": "2016-04-19T13:00:36.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 937c13f5915a103aec8d28bdec7cc769", "pattern": "[file:hashes.SHA1 = '2a09888223879b1c44ed1780edf48d089a9925f7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf5-7020-440e-94b6-4d4f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:37.000Z", "modified": "2016-04-19T13:00:37.000Z", "first_observed": "2016-04-19T13:00:37Z", "last_observed": "2016-04-19T13:00:37Z", "number_observed": 1, "object_refs": [ "url--57162bf5-7020-440e-94b6-4d4f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf5-7020-440e-94b6-4d4f02de0b81", "value": "https://www.virustotal.com/file/51c0d075067709c9f8794a25a7e3920bf69f8c755a1794e857acd818ea8a1010/analysis/1458152391/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf5-f478-4079-b265-40bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:37.000Z", "modified": "2016-04-19T13:00:37.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: b2ae8c02163dcee142afe71188914321", "pattern": "[file:hashes.SHA256 = '4a5d864f69aff245793606b694bcbc5243b81e0b018596bce85ecab0e12ac849']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf5-af2c-4d7f-8068-4c6402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:37.000Z", "modified": "2016-04-19T13:00:37.000Z", "description": "Imported via the freetext import. - Xchecked via VT: b2ae8c02163dcee142afe71188914321", "pattern": "[file:hashes.SHA1 = '08d7b5b8c9375e6d8ed7201dcb40d741d4d7866c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf6-0ef8-4188-9ac9-45d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:38.000Z", "modified": "2016-04-19T13:00:38.000Z", "first_observed": "2016-04-19T13:00:38Z", "last_observed": "2016-04-19T13:00:38Z", "number_observed": 1, "object_refs": [ "url--57162bf6-0ef8-4188-9ac9-45d202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf6-0ef8-4188-9ac9-45d202de0b81", "value": "https://www.virustotal.com/file/4a5d864f69aff245793606b694bcbc5243b81e0b018596bce85ecab0e12ac849/analysis/1414340059/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf6-6068-46fd-a2fe-49ef02de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:38.000Z", "modified": "2016-04-19T13:00:38.000Z", "description": "Imported via the freetext import. - Xchecked via VT: c8c6365bf21d947e8e986d4766a9fc16", "pattern": "[file:hashes.SHA1 = 'e12e06f42cbdf05e91b89e364ed4319dd257fc71']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf6-8e08-4388-865b-42b102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:38.000Z", "modified": "2016-04-19T13:00:38.000Z", "first_observed": "2016-04-19T13:00:38Z", "last_observed": "2016-04-19T13:00:38Z", "number_observed": 1, "object_refs": [ "url--57162bf6-8e08-4388-865b-42b102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf6-8e08-4388-865b-42b102de0b81", "value": "https://www.virustotal.com/file/e8af4f3504b0e1cf165dfd1070342b831fd7b5b45da94c6f2a25c28dd6eb3c4a/analysis/1451715280/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162bf7-00c0-407d-bd0a-48c102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:39.000Z", "modified": "2016-04-19T13:00:39.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 835fee42132feebe9b3231297e5e71a8", "pattern": "[file:hashes.SHA1 = '3370ec0c71056a6fc6860c54dee96675ffb85b92']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:00:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57162bf7-3248-4844-84a2-44aa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:00:39.000Z", "modified": "2016-04-19T13:00:39.000Z", "first_observed": "2016-04-19T13:00:39Z", "last_observed": "2016-04-19T13:00:39Z", "number_observed": 1, "object_refs": [ "url--57162bf7-3248-4844-84a2-44aa02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57162bf7-3248-4844-84a2-44aa02de0b81", "value": "https://www.virustotal.com/file/0ed325b841a2beb446c5e9a6825deaa021651c8b627aa7147d89edde05af6598/analysis/1456325644/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162d48-9f6c-4250-b463-4c73950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:06:16.000Z", "modified": "2016-04-19T13:06:16.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'ba77d50870756d247a580b8a3a56722c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162d49-a7fc-4dc4-9fc7-46a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-04-19T13:06:17.000Z", "modified": "2016-04-19T13:06:17.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = '1c4e3c4df094c32faf0c30f6a613c63e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162d49-fa0c-4103-ab37-4905950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:06:17.000Z", "modified": "2016-04-19T13:06:17.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = '89e4cff1496aafa0776619729a75d4ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162d4a-afa8-4668-812a-4191950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:06:18.000Z", "modified": "2016-04-19T13:06:18.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'f25634becd08d5298db1f3014e477e00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162d4a-fbac-4e6d-9bce-427e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:06:18.000Z", 
"modified": "2016-04-19T13:06:18.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = 'ad251fd7427c0334f34aabe100a216b4af48b1ab4a01705f44b3421edd0be6ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162d4a-ffc8-4fe8-ae07-4722950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:06:18.000Z", "modified": "2016-04-19T13:06:18.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = 'f6bc895b36446d172c4a99be2587376b48fa3b1b0f6150eb8ab83f649f7b8bc6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162d4b-fea8-47c9-b704-447a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:06:19.000Z", "modified": "2016-04-19T13:06:19.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '8dfcae0eb358f48fc30163e58c75823117f6fd501a48f3dfeb19a06d1c21aa51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57162d4b-cb90-49de-8706-4258950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:06:19.000Z", "modified": "2016-04-19T13:06:19.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = 'f8a18e8b8e6606617e3a63ee5a3050a1b30361703c9a7d9e2d5cc94090c9907b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:06:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57162fe0-9dd8-4d4b-b5db-4511950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:17:20.000Z", "modified": "2016-04-19T13:17:20.000Z", "labels": [ "misp:type=\"pdb\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pdb", "x_misp_value": "D:\\WORK\\T9000\\N_Inst_User_M1\\Release\\N_Inst_User32.pdb" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57163109-be58-4cc7-89c1-4446950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:22:17.000Z", "modified": "2016-04-19T13:22:17.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'igfxtray.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:22:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57163109-6304-413e-9884-4a42950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:22:17.000Z", "modified": "2016-04-19T13:22:17.000Z", "description": "Imported via the freetext import.", "pattern": 
"[url:value = 'Data/dtl.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:22:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57163109-1e04-4ef4-bf92-480b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:22:17.000Z", "modified": "2016-04-19T13:22:17.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'Data/glp.uin']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:22:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f1-d2f8-4e0c-9322-4370950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:25.000Z", "modified": "2016-04-19T13:30:25.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'http://198.55.120.143:7386/B/ResN32.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f1-9d80-4532-9288-4598950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:25.000Z", "modified": "2016-04-19T13:30:25.000Z", "description": "RTF", "pattern": "[file:hashes.MD5 = 'fdb6543bfb77aa6ddff0f4dfe07e442f']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-04-19T13:30:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f2-4d40-4809-af5e-411a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:26.000Z", "modified": "2016-04-19T13:30:26.000Z", "description": "T9000 main binary", "pattern": "[file:hashes.MD5 = 'd8d70851641efbdfce8d561e6b1a2f29']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f2-5290-46c4-bd6b-48d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:26.000Z", "modified": "2016-04-19T13:30:26.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Elevate.dll' AND file:hashes.MD5 = '1d335f6a58cb9fab503a9b9cb371f57b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f3-f5b8-4fe6-bff3-4e11950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:27.000Z", "modified": "2016-04-19T13:30:27.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'QQMgr.dll' AND file:hashes.MD5 = 'b9c584c7c34d14599de8cd3b72f2074b']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-04-19T13:30:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f3-63a8-43a2-9260-43b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:27.000Z", "modified": "2016-04-19T13:30:27.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'QQMgr.inf' AND file:hashes.MD5 = '8ac933be588f49560179c26ddbc6a753']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f4-d0a0-4595-9c2d-46fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:28.000Z", "modified": "2016-04-19T13:30:28.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'ResN32.dat' AND file:hashes.MD5 = '50753c28878ce10a748fbd7b831ecbe1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f5-2e3c-4637-95ce-46db950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:29.000Z", "modified": "2016-04-19T13:30:29.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'ResN32.dll' 
AND file:hashes.MD5 = 'a45e5c32fc2bc7be9d6e4bba8b2807bf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f5-6a74-4bfc-bb34-499a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:29.000Z", "modified": "2016-04-19T13:30:29.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'hccutils.dll' AND file:hashes.MD5 = '2299fb8268f47294eb2b18282540a955']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f6-743c-4e90-8619-4c5a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:30.000Z", "modified": "2016-04-19T13:30:30.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'hccutils.inf' AND file:hashes.MD5 = '2f31ef1a8fca047ed0d623010d569857']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f7-b1dc-4a7e-98d1-43c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:31.000Z", "modified": "2016-04-19T13:30:31.000Z", 
"description": "Imported via the freetext import.", "pattern": "[file:name = 'hjwe.dat' AND file:hashes.MD5 = 'd3601a5160b8d122261989d147221eb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f7-ba34-4fde-b022-499e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:31.000Z", "modified": "2016-04-19T13:30:31.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'qhnj.dat' AND file:hashes.MD5 = 'a9de62186cb8d0e23b0dc75e1ae373ac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f8-ba50-40d4-b668-40b6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:30:32.000Z", "modified": "2016-04-19T13:30:32.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'tyeu.dat' AND file:hashes.MD5 = '29ec20f5fa1817dc9250c434e61420ea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571632f8-b0ac-45b2-b300-4acd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2016-04-19T13:30:32.000Z", "modified": "2016-04-19T13:30:32.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'vnkd.dat' AND file:hashes.MD5 = '35f4ce864c3a3dc016fea3459d6402a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:30:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571633f1-ceac-4898-af6f-4077950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:36:06.000Z", "modified": "2016-04-19T13:36:06.000Z", "description": "RTF", "pattern": "[file:hashes.SHA256 = '8e4de6fb35ce4cd47e06b48fb86b7da3eba02031cfd8ae714e25f8f7903f0141']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:36:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571633f2-853c-4d2a-99c0-4157950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:36:34.000Z", "modified": "2016-04-19T13:36:34.000Z", "description": "T9000 main binary", "pattern": "[file:hashes.SHA256 = '7c04286734718300e2c0691be9b6622f2d2525ca07ab27102a424af6f8cc3aec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:36:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716356d-8e44-44e0-bdbe-43e8950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:41:01.000Z", "modified": "2016-04-19T13:41:01.000Z", "pattern": "[file:name = 'Elevate.dll' AND file:hashes.SHA256 = '9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:41:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57163585-4fa0-4a17-9aab-46c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:41:25.000Z", "modified": "2016-04-19T13:41:25.000Z", "pattern": "[file:name = 'QQMgr.dll' AND file:hashes.SHA256 = 'bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571635aa-1d00-4b7f-b330-4030950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:42:02.000Z", "modified": "2016-04-19T13:42:02.000Z", "pattern": "[file:name = 'ResN32.dat' AND file:hashes.SHA256 = '5b90fa081e3ac29a7339995f9b087dab9981409ff62e3215eb558908c6b96b14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:42:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--571635c2-8fb0-46d1-ba3d-4861950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:42:26.000Z", "modified": "2016-04-19T13:42:26.000Z", "pattern": "[file:name = 'QQMgr.inf' AND file:hashes.SHA256 = 'ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:42:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716360a-2a3c-429e-82dd-49d2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:43:38.000Z", "modified": "2016-04-19T13:43:38.000Z", "pattern": "[file:name = 'ResN32.dll' AND file:hashes.SHA256 = '1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:43:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716363b-7a90-44eb-92d5-46e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:44:27.000Z", "modified": "2016-04-19T13:44:27.000Z", "pattern": "[file:name = 'hccutils.dll' AND file:hashes.SHA256 = '3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:44:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--5716364b-1940-4d7c-a2ee-4ba3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:44:43.000Z", "modified": "2016-04-19T13:44:43.000Z", "pattern": "[file:name = 'hccutils.inf' AND file:hashes.SHA256 = 'f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:44:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716365c-65b4-4d71-9618-4d3c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:45:00.000Z", "modified": "2016-04-19T13:45:00.000Z", "pattern": "[file:name = 'hjwe.dat' AND file:hashes.SHA256 = 'bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:45:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716366b-7980-4c53-a04c-44ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:45:15.000Z", "modified": "2016-04-19T13:45:15.000Z", "pattern": "[file:name = 'vnkd.dat' AND file:hashes.SHA256 = 'c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:45:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload 
delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716367d-2b88-45b5-a3bb-4915950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:45:33.000Z", "modified": "2016-04-19T13:45:33.000Z", "pattern": "[file:name = 'tyeu.dat' AND file:hashes.SHA256 = 'e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:45:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716368e-b1b0-4184-aa05-445c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:45:50.000Z", "modified": "2016-04-19T13:45:50.000Z", "pattern": "[file:name = 'qhnj.dat' AND file:hashes.SHA256 = 'c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:45:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571637b8-b8a0-472d-982f-49ac950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:50:48.000Z", "modified": "2016-04-19T13:50:48.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'fb1e8c42d11e3a2de97814e451ee3375']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:50:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571637b9-a1d4-47e7-924c-478d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:50:49.000Z", "modified": "2016-04-19T13:50:49.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = 'd5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:50:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57163938-0878-4bcb-a764-4f47950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:57:56.000Z", "modified": "2016-04-19T13:57:56.000Z", "description": "RTF", "pattern": "[file:hashes.MD5 = 'da97c88858214242374f27d32e27d957']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:57:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57163939-db08-4130-8859-4246950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:57:13.000Z", "modified": "2016-04-19T13:57:13.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'E804.tmp' AND file:hashes.MD5 = 'e4e8493898d94f737ff4dc8fab743a4a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:57:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716393a-be40-4cea-860e-4198950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:58:09.000Z", "modified": "2016-04-19T13:58:09.000Z", "description": "bait file", "pattern": "[file:hashes.MD5 = '9ae498307da6c2e677a97a458bff1aea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:58:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716393a-59ec-46a8-be9f-4729950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:58:34.000Z", "modified": "2016-04-19T13:58:34.000Z", "description": "RTF", "pattern": "[file:hashes.SHA256 = '647b443ecaa38d2834e5681f20540fa84a5cf2b7e1bee6a2524ce59783cb8d1b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:58:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5716393a-9718-4575-b267-4c6d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:58:59.000Z", "modified": "2016-04-19T13:58:59.000Z", "description": "bait file", "pattern": "[file:hashes.SHA256 = '4f1784a4e4181b4c80f8d77675a267cbdd0e35ea1756c9fdb82294251bef1d28']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:58:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571639c0-0f48-454b-b4f5-4f8e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T13:59:28.000Z", "modified": "2016-04-19T13:59:28.000Z", "pattern": "[file:name = 'E804.tmp' AND file:hashes.SHA256 = '5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T13:59:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57163b0d-9214-43d4-9c9f-4d5f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T14:05:01.000Z", "modified": "2016-04-19T14:05:01.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'e1269c22ad1e057b9c91523498b4b04d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T14:05:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57163b0d-3c58-4378-b036-4eea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-19T14:05:01.000Z", "modified": "2016-04-19T14:05:01.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = 'b9914fb8c645e0c41d497db303c1ffa594da709686252fccb8d28dffac86275b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-19T14:05:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], 
"labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717249f-c33c-4b52-926b-4475950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:41:35.000Z", "modified": "2016-04-20T06:41:35.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'yeaton.xicp.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:41:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172612-830c-44ef-8b61-4f00950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:47:46.000Z", "modified": "2016-04-20T06:47:46.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'BC29.tmp' AND file:hashes.MD5 = 'e4e8493898d94f737ff4dc8fab743a4a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:47:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172613-bf60-445b-b242-4473950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:47:47.000Z", "modified": "2016-04-20T06:47:47.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '~tmp.doc' AND file:hashes.MD5 = '751196ce79dacd906eec9b5a1c92890b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:47:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727ae-9478-46db-87bb-4241950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:38.000Z", "modified": "2016-04-20T06:54:38.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '~tmp.doc' AND file:hashes.MD5 = 'e6ad959a18725954a56a7954d3f47671']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727ae-ef9c-4de4-af85-4e73950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:38.000Z", "modified": "2016-04-20T06:54:38.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'iuso.exe' AND file:hashes.MD5 = '07eb4867e436bbef759a9877402af994']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727af-0e74-4f10-9b4c-4965950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:39.000Z", "modified": "2016-04-20T06:54:39.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'wget.bat' AND file:hashes.MD5 = '47e60e347b5791d5f17939f9c97fee01']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2016-04-20T06:54:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727b0-16e0-45d6-a286-4a06950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:40.000Z", "modified": "2016-04-20T06:54:40.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'wget.exe' AND file:hashes.MD5 = 'f9f8d1c53d312f17c6f830e7b4e6651d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727b0-e65c-469d-a368-4a7f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:40.000Z", "modified": "2016-04-20T06:54:40.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'wthk.txt' AND file:hashes.MD5 = 'd579d7a42ff140952da57264614c37bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727b1-66c8-4be7-8ee1-43c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:41.000Z", "modified": "2016-04-20T06:54:41.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'conhost.exe' AND file:hashes.MD5 = 
'f70b295c6a5121b918682310ce0c2165']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727b2-5eb0-4dce-98b8-4dba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:42.000Z", "modified": "2016-04-20T06:54:42.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'SBieDll.dll' AND file:hashes.MD5 = 'f80edbb0fcfe7cec17592f61a06e4df2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727b2-c0ec-413f-abe2-467c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:42.000Z", "modified": "2016-04-20T06:54:42.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'dll2.xor' AND file:hashes.MD5 = 'ce8ec932be16b69ffa06626b3b423395']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727b3-cc50-4e24-8329-49c8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:43.000Z", "modified": "2016-04-20T06:54:43.000Z", "description": "Imported 
via the freetext import.", "pattern": "[file:name = 'maindll.dll' AND file:hashes.MD5 = 'd8ede9e6c3a1a30398b0b98130ee3b38']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727b4-a3b8-4cbc-be4a-4ebc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:44.000Z", "modified": "2016-04-20T06:54:44.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'nvsvc.exe' AND file:hashes.MD5 = 'e0eb981ad6be0bd16246d5d442028687']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571727b5-f7e8-45ce-b313-4df9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T06:54:45.000Z", "modified": "2016-04-20T06:54:45.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'runas.exe' AND file:hashes.MD5 = '6a541de84074a2c4ff99eb43252d9030']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T06:54:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172a14-7bd8-4080-9f8a-4167950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-04-20T07:04:52.000Z", "modified": "2016-04-20T07:04:52.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = '983333e2c878a62d95747c36748198f0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:04:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b09-ec08-4253-84d9-497402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:08:57.000Z", "modified": "2016-04-20T07:08:57.000Z", "description": "Imported via the freetext import. - Xchecked via VT: b9914fb8c645e0c41d497db303c1ffa594da709686252fccb8d28dffac86275b", "pattern": "[file:hashes.SHA1 = '5ff7e8bd99466159e0285a2029cd3bdd3fed220b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:08:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b0a-fb18-45f2-8f9d-4ac102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:08:58.000Z", "modified": "2016-04-20T07:08:58.000Z", "first_observed": "2016-04-20T07:08:58Z", "last_observed": "2016-04-20T07:08:58Z", "number_observed": 1, "object_refs": [ "url--57172b0a-fb18-45f2-8f9d-4ac102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b0a-fb18-45f2-8f9d-4ac102de0b81", "value": "https://www.virustotal.com/file/b9914fb8c645e0c41d497db303c1ffa594da709686252fccb8d28dffac86275b/analysis/1395781579/" }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--57172b0a-c39c-4fb0-ad04-437302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:08:58.000Z", "modified": "2016-04-20T07:08:58.000Z", "description": "T9000 man binary - Xchecked via VT: 7c04286734718300e2c0691be9b6622f2d2525ca07ab27102a424af6f8cc3aec", "pattern": "[file:hashes.SHA1 = '94be2b286a5b0bfe1a0aa575153f919cb3e1d4d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:08:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b0a-3154-4f7c-9b4a-473702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:08:58.000Z", "modified": "2016-04-20T07:08:58.000Z", "first_observed": "2016-04-20T07:08:58Z", "last_observed": "2016-04-20T07:08:58Z", "number_observed": 1, "object_refs": [ "url--57172b0a-3154-4f7c-9b4a-473702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b0a-3154-4f7c-9b4a-473702de0b81", "value": "https://www.virustotal.com/file/7c04286734718300e2c0691be9b6622f2d2525ca07ab27102a424af6f8cc3aec/analysis/1456141482/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b0b-c0ac-4958-9e53-420a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:08:59.000Z", "modified": "2016-04-20T07:08:59.000Z", "description": "RTF - Xchecked via VT: 8e4de6fb35ce4cd47e06b48fb86b7da3eba02031cfd8ae714e25f8f7903f0141", "pattern": "[file:hashes.SHA1 = 'e4007951cfbc27216e9c81eb75bff9ddac9d6f7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:08:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b0b-1d78-4aae-939a-4a6d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:08:59.000Z", "modified": "2016-04-20T07:08:59.000Z", "first_observed": "2016-04-20T07:08:59Z", "last_observed": "2016-04-20T07:08:59Z", "number_observed": 1, "object_refs": [ "url--57172b0b-1d78-4aae-939a-4a6d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b0b-1d78-4aae-939a-4a6d02de0b81", "value": "https://www.virustotal.com/file/8e4de6fb35ce4cd47e06b48fb86b7da3eba02031cfd8ae714e25f8f7903f0141/analysis/1457170420/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b0b-0a64-4adf-bf72-441802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:08:59.000Z", "modified": "2016-04-20T07:08:59.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c", "pattern": "[file:hashes.SHA1 = '2552c92922e2391246e761dcfc1e4b930fc4ae2f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:08:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b0c-83d0-4f34-9174-4a5e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:00.000Z", "modified": "2016-04-20T07:09:00.000Z", "first_observed": "2016-04-20T07:09:00Z", "last_observed": "2016-04-20T07:09:00Z", "number_observed": 1, "object_refs": [ "url--57172b0c-83d0-4f34-9174-4a5e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b0c-83d0-4f34-9174-4a5e02de0b81", "value": "https://www.virustotal.com/file/d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c/analysis/1455281121/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b0c-8a80-4cb3-a81d-44ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:00.000Z", "modified": "2016-04-20T07:09:00.000Z", "description": "RTF - Xchecked via VT: 647b443ecaa38d2834e5681f20540fa84a5cf2b7e1bee6a2524ce59783cb8d1b", "pattern": "[file:hashes.SHA1 = 'b57c11f3f3b272d3ac49cc6ef684ccebe48ebf15']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--57172b0c-49a0-4108-813f-4ef302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:00.000Z", "modified": "2016-04-20T07:09:00.000Z", "first_observed": "2016-04-20T07:09:00Z", "last_observed": "2016-04-20T07:09:00Z", "number_observed": 1, "object_refs": [ "url--57172b0c-49a0-4108-813f-4ef302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b0c-49a0-4108-813f-4ef302de0b81", "value": "https://www.virustotal.com/file/647b443ecaa38d2834e5681f20540fa84a5cf2b7e1bee6a2524ce59783cb8d1b/analysis/1453199270/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b0d-b1fc-4e7a-af10-416702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:01.000Z", "modified": "2016-04-20T07:09:01.000Z", "description": "Imported via the freetext import. - Xchecked via VT: f6bc895b36446d172c4a99be2587376b48fa3b1b0f6150eb8ab83f649f7b8bc6", "pattern": "[file:hashes.SHA1 = 'a44f10783544927137fe94d998523c4ac9a45b92']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b0d-78a8-457f-af6d-446f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:01.000Z", "modified": "2016-04-20T07:09:01.000Z", "first_observed": "2016-04-20T07:09:01Z", "last_observed": "2016-04-20T07:09:01Z", "number_observed": 1, "object_refs": [ "url--57172b0d-78a8-457f-af6d-446f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--57172b0d-78a8-457f-af6d-446f02de0b81", "value": "https://www.virustotal.com/file/f6bc895b36446d172c4a99be2587376b48fa3b1b0f6150eb8ab83f649f7b8bc6/analysis/1452679497/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b0e-7aa4-49ce-aeb6-43b002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:02.000Z", "modified": "2016-04-20T07:09:02.000Z", "description": "Imported via the freetext import. - Xchecked via VT: ad251fd7427c0334f34aabe100a216b4af48b1ab4a01705f44b3421edd0be6ae", "pattern": "[file:hashes.SHA1 = '2dcb8061c8473c48a6877b26a8704d1b764e7ece']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b0e-2518-42b2-a3f1-40e902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:02.000Z", "modified": "2016-04-20T07:09:02.000Z", "first_observed": "2016-04-20T07:09:02Z", "last_observed": "2016-04-20T07:09:02Z", "number_observed": 1, "object_refs": [ "url--57172b0e-2518-42b2-a3f1-40e902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b0e-2518-42b2-a3f1-40e902de0b81", "value": "https://www.virustotal.com/file/ad251fd7427c0334f34aabe100a216b4af48b1ab4a01705f44b3421edd0be6ae/analysis/1453200173/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b0e-0ba8-4133-bb81-4bf902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:02.000Z", "modified": "2016-04-20T07:09:02.000Z", "description": "- Xchecked via VT: 
c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3", "pattern": "[file:hashes.SHA1 = 'cbac437a51f5b0942ddd4999eeee83dabd8f4304']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b0f-0068-4f9d-8aa1-414002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:03.000Z", "modified": "2016-04-20T07:09:03.000Z", "first_observed": "2016-04-20T07:09:03Z", "last_observed": "2016-04-20T07:09:03Z", "number_observed": 1, "object_refs": [ "url--57172b0f-0068-4f9d-8aa1-414002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b0f-0068-4f9d-8aa1-414002de0b81", "value": "https://www.virustotal.com/file/c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3/analysis/1458792067/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b0f-cc1c-49b9-8bae-4bf302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:03.000Z", "modified": "2016-04-20T07:09:03.000Z", "description": "- Xchecked via VT: e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926", "pattern": "[file:hashes.SHA1 = '9f99c171532faec90ac1371ff077423b3cb64613']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b0f-e398-420a-a136-49d302de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:03.000Z", "modified": "2016-04-20T07:09:03.000Z", "first_observed": "2016-04-20T07:09:03Z", "last_observed": "2016-04-20T07:09:03Z", "number_observed": 1, "object_refs": [ "url--57172b0f-e398-420a-a136-49d302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b0f-e398-420a-a136-49d302de0b81", "value": "https://www.virustotal.com/file/e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926/analysis/1459253251/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b10-07e0-4001-a6d8-4fac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:04.000Z", "modified": "2016-04-20T07:09:04.000Z", "description": "- Xchecked via VT: c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465", "pattern": "[file:hashes.SHA1 = 'c25ac5e3c7739cb404d38437933539d082ed0919']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b10-30a4-4633-9876-46b902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:04.000Z", "modified": "2016-04-20T07:09:04.000Z", "first_observed": "2016-04-20T07:09:04Z", "last_observed": "2016-04-20T07:09:04Z", "number_observed": 1, "object_refs": [ "url--57172b10-30a4-4633-9876-46b902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b10-30a4-4633-9876-46b902de0b81", "value": 
"https://www.virustotal.com/file/c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465/analysis/1457523266/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b11-b8f4-4ba3-8482-4f6e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:05.000Z", "modified": "2016-04-20T07:09:05.000Z", "description": "- Xchecked via VT: bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b", "pattern": "[file:hashes.SHA1 = '5842ba2f51517d3276f5662398d6d3f19e44a345']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b11-45b0-42ab-9d84-41a302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:05.000Z", "modified": "2016-04-20T07:09:05.000Z", "first_observed": "2016-04-20T07:09:05Z", "last_observed": "2016-04-20T07:09:05Z", "number_observed": 1, "object_refs": [ "url--57172b11-45b0-42ab-9d84-41a302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b11-45b0-42ab-9d84-41a302de0b81", "value": "https://www.virustotal.com/file/bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b/analysis/1454685259/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b11-b554-4a57-9917-474502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:05.000Z", "modified": "2016-04-20T07:09:05.000Z", "description": "- Xchecked via VT: f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27", "pattern": "[file:hashes.SHA1 = 'c2c49007a99b79f6e74382fa22ed595602a24130']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b12-f8e0-43a0-b10f-469802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:06.000Z", "modified": "2016-04-20T07:09:06.000Z", "first_observed": "2016-04-20T07:09:06Z", "last_observed": "2016-04-20T07:09:06Z", "number_observed": 1, "object_refs": [ "url--57172b12-f8e0-43a0-b10f-469802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b12-f8e0-43a0-b10f-469802de0b81", "value": "https://www.virustotal.com/file/f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27/analysis/1461046893/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b12-ccb4-414a-892f-4d1602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:06.000Z", "modified": "2016-04-20T07:09:06.000Z", "description": "- Xchecked via VT: 3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9", "pattern": "[file:hashes.SHA1 = 'cb57196bde3f520e87c948b4676bf487c0fd513e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b12-b1d4-4cb1-a6d8-48ee02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:06.000Z", "modified": "2016-04-20T07:09:06.000Z", 
"first_observed": "2016-04-20T07:09:06Z", "last_observed": "2016-04-20T07:09:06Z", "number_observed": 1, "object_refs": [ "url--57172b12-b1d4-4cb1-a6d8-48ee02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b12-b1d4-4cb1-a6d8-48ee02de0b81", "value": "https://www.virustotal.com/file/3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9/analysis/1459165746/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b13-c430-4759-beca-4a0e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:07.000Z", "modified": "2016-04-20T07:09:07.000Z", "description": "- Xchecked via VT: 1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7", "pattern": "[file:hashes.SHA1 = 'fb7eba5de0304aa81711e645d6f3f203a1092613']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b13-f4b0-42e3-94e1-4fa402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:07.000Z", "modified": "2016-04-20T07:09:07.000Z", "first_observed": "2016-04-20T07:09:07Z", "last_observed": "2016-04-20T07:09:07Z", "number_observed": 1, "object_refs": [ "url--57172b13-f4b0-42e3-94e1-4fa402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b13-f4b0-42e3-94e1-4fa402de0b81", "value": "https://www.virustotal.com/file/1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7/analysis/1455281133/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--57172b14-295c-4018-8c0b-4ff702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:08.000Z", "modified": "2016-04-20T07:09:08.000Z", "description": "- Xchecked via VT: ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a", "pattern": "[file:hashes.SHA1 = 'd9296175d7894bdbd5db1b7b477bdd39b8652ac6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b14-4674-4191-94f8-4a8802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:08.000Z", "modified": "2016-04-20T07:09:08.000Z", "first_observed": "2016-04-20T07:09:08Z", "last_observed": "2016-04-20T07:09:08Z", "number_observed": 1, "object_refs": [ "url--57172b14-4674-4191-94f8-4a8802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b14-4674-4191-94f8-4a8802de0b81", "value": "https://www.virustotal.com/file/ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a/analysis/1461046904/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b14-6408-4a0d-83f5-4e9b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:08.000Z", "modified": "2016-04-20T07:09:08.000Z", "description": "- Xchecked via VT: 5b90fa081e3ac29a7339995f9b087dab9981409ff62e3215eb558908c6b96b14", "pattern": "[file:hashes.SHA1 = '6f3c21da298db324b7d2c299c219bd75c49d9dfd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload 
delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b15-8988-4d9e-a32e-420602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:09.000Z", "modified": "2016-04-20T07:09:09.000Z", "first_observed": "2016-04-20T07:09:09Z", "last_observed": "2016-04-20T07:09:09Z", "number_observed": 1, "object_refs": [ "url--57172b15-8988-4d9e-a32e-420602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b15-8988-4d9e-a32e-420602de0b81", "value": "https://www.virustotal.com/file/5b90fa081e3ac29a7339995f9b087dab9981409ff62e3215eb558908c6b96b14/analysis/1461046903/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b15-ae10-4a05-a760-470702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:09.000Z", "modified": "2016-04-20T07:09:09.000Z", "description": "- Xchecked via VT: bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f", "pattern": "[file:hashes.SHA1 = '73160d3a59db4a5858cd51ef7428a444caaf7cc4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b15-61e4-481c-be10-44b702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:09.000Z", "modified": "2016-04-20T07:09:09.000Z", "first_observed": "2016-04-20T07:09:09Z", "last_observed": "2016-04-20T07:09:09Z", "number_observed": 1, "object_refs": [ "url--57172b15-61e4-481c-be10-44b702de0b81" ], "labels": [ 
"misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b15-61e4-481c-be10-44b702de0b81", "value": "https://www.virustotal.com/file/bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f/analysis/1456141391/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b16-3340-4e35-97a0-4bd902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:10.000Z", "modified": "2016-04-20T07:09:10.000Z", "description": "- Xchecked via VT: 9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95", "pattern": "[file:hashes.SHA1 = 'b8f03d78c139faee34293a727e7be74ad0a511d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b16-0ce0-4c6f-b784-454502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:10.000Z", "modified": "2016-04-20T07:09:10.000Z", "first_observed": "2016-04-20T07:09:10Z", "last_observed": "2016-04-20T07:09:10Z", "number_observed": 1, "object_refs": [ "url--57172b16-0ce0-4c6f-b784-454502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b16-0ce0-4c6f-b784-454502de0b81", "value": "https://www.virustotal.com/file/9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95/analysis/1456962260/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b17-5f24-4f62-b72b-4c2002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:11.000Z", "modified": "2016-04-20T07:09:11.000Z", "description": "- 
Xchecked via VT: 5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c", "pattern": "[file:hashes.SHA1 = 'd22394046ee36dce7ca64ff95d095cdb02c88629']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b17-4414-4f3f-8fc8-49ea02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:11.000Z", "modified": "2016-04-20T07:09:11.000Z", "first_observed": "2016-04-20T07:09:11Z", "last_observed": "2016-04-20T07:09:11Z", "number_observed": 1, "object_refs": [ "url--57172b17-4414-4f3f-8fc8-49ea02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b17-4414-4f3f-8fc8-49ea02de0b81", "value": "https://www.virustotal.com/file/5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c/analysis/1454953266/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b17-868c-4c3b-b79d-45aa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:11.000Z", "modified": "2016-04-20T07:09:11.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 983333e2c878a62d95747c36748198f0", "pattern": "[file:hashes.SHA256 = 'ef97f13f49266a170f4d334482376bb31335fc323ed80917b9943207ff75f750']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b18-fe4c-41b3-abfe-4c5602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:12.000Z", "modified": "2016-04-20T07:09:12.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 983333e2c878a62d95747c36748198f0", "pattern": "[file:hashes.SHA1 = 'b27957884d6506b24751b3d81fb243fb4d97afe5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b18-ec7c-4e74-b032-49e302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:12.000Z", "modified": "2016-04-20T07:09:12.000Z", "first_observed": "2016-04-20T07:09:12Z", "last_observed": "2016-04-20T07:09:12Z", "number_observed": 1, "object_refs": [ "url--57172b18-ec7c-4e74-b032-49e302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b18-ec7c-4e74-b032-49e302de0b81", "value": "https://www.virustotal.com/file/ef97f13f49266a170f4d334482376bb31335fc323ed80917b9943207ff75f750/analysis/1385566211/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b18-d2dc-423c-ba45-49a002de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:12.000Z", "modified": "2016-04-20T07:09:12.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 6a541de84074a2c4ff99eb43252d9030", "pattern": "[file:hashes.SHA256 = '5b34b3365eb6a6c700b391172849a2668d66a167669018ae3b9555bc2d1e54ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b19-ab98-403b-bea6-44ce02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:13.000Z", "modified": "2016-04-20T07:09:13.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 6a541de84074a2c4ff99eb43252d9030", "pattern": "[file:hashes.SHA1 = 'c2ffd2f81a33e962b48df1b39c296a163e34aeea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b19-c660-45a5-8c0d-4d5802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:13.000Z", "modified": "2016-04-20T07:09:13.000Z", "first_observed": "2016-04-20T07:09:13Z", "last_observed": "2016-04-20T07:09:13Z", "number_observed": 1, "object_refs": [ "url--57172b19-c660-45a5-8c0d-4d5802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b19-c660-45a5-8c0d-4d5802de0b81", "value": 
"https://www.virustotal.com/file/5b34b3365eb6a6c700b391172849a2668d66a167669018ae3b9555bc2d1e54ab/analysis/1456856209/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b19-bd24-4c48-9f17-44cb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:13.000Z", "modified": "2016-04-20T07:09:13.000Z", "description": "Imported via the freetext import. - Xchecked via VT: e0eb981ad6be0bd16246d5d442028687", "pattern": "[file:hashes.SHA256 = 'ec05e37230e6534fa148b8e022f797ad0afe80f699fbd222a46672118663cf00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1a-48e0-4588-acb3-48fa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:14.000Z", "modified": "2016-04-20T07:09:14.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: e0eb981ad6be0bd16246d5d442028687", "pattern": "[file:hashes.SHA1 = 'cbeffef7965a081490171ad36e3001bd74e4123b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b1a-3d00-4a32-a155-4a8f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:14.000Z", "modified": "2016-04-20T07:09:14.000Z", "first_observed": "2016-04-20T07:09:14Z", "last_observed": "2016-04-20T07:09:14Z", "number_observed": 1, "object_refs": [ "url--57172b1a-3d00-4a32-a155-4a8f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b1a-3d00-4a32-a155-4a8f02de0b81", "value": "https://www.virustotal.com/file/ec05e37230e6534fa148b8e022f797ad0afe80f699fbd222a46672118663cf00/analysis/1456856205/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1b-bda4-481e-91aa-4f1a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:15.000Z", "modified": "2016-04-20T07:09:15.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: d8ede9e6c3a1a30398b0b98130ee3b38", "pattern": "[file:hashes.SHA256 = '5838582ea26312cc60b43da555189b439d3688597a705e3a52dc4d935517f69d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1b-dc30-447b-898a-458202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:15.000Z", "modified": "2016-04-20T07:09:15.000Z", "description": "Imported via the freetext import. - Xchecked via VT: d8ede9e6c3a1a30398b0b98130ee3b38", "pattern": "[file:hashes.SHA1 = '7536c344b450af882910ce8c9620d0254aff294c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b1b-43d4-40b6-baac-41e702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:15.000Z", "modified": "2016-04-20T07:09:15.000Z", "first_observed": "2016-04-20T07:09:15Z", "last_observed": "2016-04-20T07:09:15Z", "number_observed": 1, "object_refs": [ "url--57172b1b-43d4-40b6-baac-41e702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b1b-43d4-40b6-baac-41e702de0b81", "value": "https://www.virustotal.com/file/5838582ea26312cc60b43da555189b439d3688597a705e3a52dc4d935517f69d/analysis/1461075979/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1c-b8d0-4a48-bb1d-46da02de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:16.000Z", "modified": "2016-04-20T07:09:16.000Z", "description": "Imported via the freetext import. - Xchecked via VT: f80edbb0fcfe7cec17592f61a06e4df2", "pattern": "[file:hashes.SHA256 = '2ac69633da711f244377483d99fac53089ec6614a61d8a1492a0e7228cbb8ffd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1c-4444-48d9-b21d-408b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:16.000Z", "modified": "2016-04-20T07:09:16.000Z", "description": "Imported via the freetext import. - Xchecked via VT: f80edbb0fcfe7cec17592f61a06e4df2", "pattern": "[file:hashes.SHA1 = 'e11c82def33edf7162c6b3b24546af341069f4f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b1c-dfbc-4ceb-af43-40ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:16.000Z", "modified": "2016-04-20T07:09:16.000Z", "first_observed": "2016-04-20T07:09:16Z", "last_observed": "2016-04-20T07:09:16Z", "number_observed": 1, "object_refs": [ "url--57172b1c-dfbc-4ceb-af43-40ed02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b1c-dfbc-4ceb-af43-40ed02de0b81", "value": 
"https://www.virustotal.com/file/2ac69633da711f244377483d99fac53089ec6614a61d8a1492a0e7228cbb8ffd/analysis/1461089261/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1d-edf0-4761-baab-4b6902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:17.000Z", "modified": "2016-04-20T07:09:17.000Z", "description": "Imported via the freetext import. - Xchecked via VT: f70b295c6a5121b918682310ce0c2165", "pattern": "[file:hashes.SHA256 = '4849af113960f473749acf71d11d56854589cf21d623e66c7408bebd5ad0608f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1d-add4-4872-8f43-46aa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:17.000Z", "modified": "2016-04-20T07:09:17.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: f70b295c6a5121b918682310ce0c2165", "pattern": "[file:hashes.SHA1 = '367c0e93dc97478e2f0101e23cae084467932cb2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b1d-0d80-4dbf-80b8-4b8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:17.000Z", "modified": "2016-04-20T07:09:17.000Z", "first_observed": "2016-04-20T07:09:17Z", "last_observed": "2016-04-20T07:09:17Z", "number_observed": 1, "object_refs": [ "url--57172b1d-0d80-4dbf-80b8-4b8202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b1d-0d80-4dbf-80b8-4b8202de0b81", "value": "https://www.virustotal.com/file/4849af113960f473749acf71d11d56854589cf21d623e66c7408bebd5ad0608f/analysis/1461046897/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1e-faac-4a67-a2ff-472802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:18.000Z", "modified": "2016-04-20T07:09:18.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: d579d7a42ff140952da57264614c37bc", "pattern": "[file:hashes.SHA256 = '5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1e-d608-4814-bd1c-4a7502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:18.000Z", "modified": "2016-04-20T07:09:18.000Z", "description": "Imported via the freetext import. - Xchecked via VT: d579d7a42ff140952da57264614c37bc", "pattern": "[file:hashes.SHA1 = '62d16dc7335729e2d3508335b12787865f4f6035']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b1e-dd84-43fe-b7c0-4adf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:18.000Z", "modified": "2016-04-20T07:09:18.000Z", "first_observed": "2016-04-20T07:09:18Z", "last_observed": "2016-04-20T07:09:18Z", "number_observed": 1, "object_refs": [ "url--57172b1e-dd84-43fe-b7c0-4adf02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b1e-dd84-43fe-b7c0-4adf02de0b81", "value": "https://www.virustotal.com/file/5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d/analysis/1452527131/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1f-add0-49b0-adfa-4e4e02de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:19.000Z", "modified": "2016-04-20T07:09:19.000Z", "description": "Imported via the freetext import. - Xchecked via VT: f9f8d1c53d312f17c6f830e7b4e6651d", "pattern": "[file:hashes.SHA256 = 'bedfbfe249b4a2be35bbfb1cf166d2119e132ee7c608909d34238e9eba6c9749']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b1f-3090-4011-a9e9-444902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:19.000Z", "modified": "2016-04-20T07:09:19.000Z", "description": "Imported via the freetext import. - Xchecked via VT: f9f8d1c53d312f17c6f830e7b4e6651d", "pattern": "[file:hashes.SHA1 = '6b3eb6069b69fbcfa6e1e9c231ce95674d698f51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b20-0268-42e0-9264-4cd902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:20.000Z", "modified": "2016-04-20T07:09:20.000Z", "first_observed": "2016-04-20T07:09:20Z", "last_observed": "2016-04-20T07:09:20Z", "number_observed": 1, "object_refs": [ "url--57172b20-0268-42e0-9264-4cd902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b20-0268-42e0-9264-4cd902de0b81", "value": 
"https://www.virustotal.com/file/bedfbfe249b4a2be35bbfb1cf166d2119e132ee7c608909d34238e9eba6c9749/analysis/1461046900/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b20-9494-4e9e-9e67-40e902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:20.000Z", "modified": "2016-04-20T07:09:20.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 47e60e347b5791d5f17939f9c97fee01", "pattern": "[file:hashes.SHA256 = '9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b20-f1b0-4c9a-b746-484102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:20.000Z", "modified": "2016-04-20T07:09:20.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 47e60e347b5791d5f17939f9c97fee01", "pattern": "[file:hashes.SHA1 = '86ba123a6c28df4a470de09c5fdc5ac5ae3d24ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b21-3880-4218-9131-437a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:21.000Z", "modified": "2016-04-20T07:09:21.000Z", "first_observed": "2016-04-20T07:09:21Z", "last_observed": "2016-04-20T07:09:21Z", "number_observed": 1, "object_refs": [ "url--57172b21-3880-4218-9131-437a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b21-3880-4218-9131-437a02de0b81", "value": "https://www.virustotal.com/file/9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692/analysis/1461046910/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b21-5834-47e6-a2c7-41f402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:21.000Z", "modified": "2016-04-20T07:09:21.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 07eb4867e436bbef759a9877402af994", "pattern": "[file:hashes.SHA256 = 'cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b21-2738-44d4-857b-426e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:21.000Z", "modified": "2016-04-20T07:09:21.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 07eb4867e436bbef759a9877402af994", "pattern": "[file:hashes.SHA1 = '4d758a60b57d2f693fc4a87cbc74ec1744a644ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b22-3068-4484-8cfd-444602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:22.000Z", "modified": "2016-04-20T07:09:22.000Z", "first_observed": "2016-04-20T07:09:22Z", "last_observed": "2016-04-20T07:09:22Z", "number_observed": 1, "object_refs": [ "url--57172b22-3068-4484-8cfd-444602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b22-3068-4484-8cfd-444602de0b81", "value": "https://www.virustotal.com/file/cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082/analysis/1452794663/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b22-7284-4c9d-a29e-49e902de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:22.000Z", "modified": "2016-04-20T07:09:22.000Z", "description": "Imported via the freetext import. - Xchecked via VT: e6ad959a18725954a56a7954d3f47671", "pattern": "[file:hashes.SHA256 = 'f0b5336b6f890e2029ac242ad2b613cad535828f7b7004a2284683f3195b7616']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b22-8e80-4eab-ae04-417102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:22.000Z", "modified": "2016-04-20T07:09:22.000Z", "description": "Imported via the freetext import. - Xchecked via VT: e6ad959a18725954a56a7954d3f47671", "pattern": "[file:hashes.SHA1 = '62fbb1ed89888cbe7ffa7d01537545574c244bfd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:09:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57172b23-045c-4ba6-8d54-41c502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:09:23.000Z", "modified": "2016-04-20T07:09:23.000Z", "first_observed": "2016-04-20T07:09:23Z", "last_observed": "2016-04-20T07:09:23Z", "number_observed": 1, "object_refs": [ "url--57172b23-045c-4ba6-8d54-41c502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57172b23-045c-4ba6-8d54-41c502de0b81", "value": 
"https://www.virustotal.com/file/f0b5336b6f890e2029ac242ad2b613cad535828f7b7004a2284683f3195b7616/analysis/1461046885/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172b54-6d44-460d-ac20-40a7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:10:12.000Z", "modified": "2016-04-20T07:10:12.000Z", "description": "On port 8008", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.188.12.123']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:10:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172ba9-9b28-4af8-91e6-44e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:11:37.000Z", "modified": "2016-04-20T07:11:37.000Z", "description": "RTF", "pattern": "[file:hashes.MD5 = '09ddd70517cb48a46d9f93644b29c72f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:11:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57172baa-a0c4-40e6-8de2-4c99950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:11:38.000Z", "modified": "2016-04-20T07:11:38.000Z", "description": "RAR", "pattern": "[file:hashes.MD5 = 'd8becbd6f188e3fb2c4d23a2d36d137b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:11:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173004-40c8-44cc-a582-464a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:30:12.000Z", "modified": "2016-04-20T07:30:12.000Z", "description": "On port 8080", "pattern": "[url:value = 'www.whitewall.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:30:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173005-f2dc-43f4-bd30-48b8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:30:13.000Z", "modified": "2016-04-20T07:30:13.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'fsguidll.exe' AND file:hashes.MD5 = '2d7a648ebe64e536944c011c8dcbb375']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:30:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173006-1804-4885-b572-44a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:30:14.000Z", "modified": "2016-04-20T07:30:14.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'fslapi.dll' AND file:hashes.MD5 = '13d3d0699562a57cf575dd7f969b3141']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:30:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173006-d0c4-47fc-903c-4f7f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:30:14.000Z", "modified": "2016-04-20T07:30:14.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'fslapi.dll.gui' AND file:hashes.MD5 = '894c251a3aad150f80a8af2539baf9d1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:30:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571733d2-a0fc-4909-8c81-44ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:46:26.000Z", "modified": "2016-04-20T07:46:26.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = '533cd66cf420e8919329ee850077319c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:46:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571733d2-f430-45fa-b095-4a07950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:46:26.000Z", "modified": "2016-04-20T07:46:26.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '0ba814941a0adb344cbf2a90552a66b52faa99a24d3107735da1db5a0e1f8360']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:46:26Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571733d2-0f0c-4b63-9c9a-4615950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:46:26.000Z", "modified": "2016-04-20T07:46:26.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'e327abcfd09be4e8f64ef35026309747']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:46:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571733d3-ce08-4636-9f75-41cb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:46:27.000Z", "modified": "2016-04-20T07:46:27.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '8b6ef2f4e2af608c755b3114e98ab78ac89e089db5b0bece7f2dc68bd1026a78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:46:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571733d3-7fe4-430d-a31d-44aa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:46:27.000Z", "modified": "2016-04-20T07:46:27.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = '103873e3fa8dfc2360bb5c22761da04a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:46:27Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571733d3-a8e4-4198-aecd-4594950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T07:46:27.000Z", "modified": "2016-04-20T07:46:27.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SHA256 = '40099e0f13ba47bd4ea4f3f49228ac8cffdf07700c4ef8089e3b5d8013e914a3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T07:46:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173d6f-0adc-4af5-b8c1-45ce950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:27:58.000Z", "modified": "2016-04-20T08:27:58.000Z", "description": "RTF", "pattern": "[file:hashes.MD5 = '98bcd226890c5c2694ef9a34a23c9fbf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:27:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173e35-4b34-4a16-8442-478c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:30:45.000Z", "modified": "2016-04-20T08:30:45.000Z", "description": "RTF", "pattern": "[file:hashes.SHA256 = 'e13a0357cd51795100dbce25fe846783fbb7fd22c5efe438d9059edc10492f49']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:30:45Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173e4a-4b18-4646-9a26-4712950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:31:06.000Z", "modified": "2016-04-20T08:31:06.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'softinc.pw']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:31:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173e4a-99b8-4146-b38d-48df950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:31:06.000Z", "modified": "2016-04-20T08:31:06.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'www.tibetimes.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:31:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173e97-6cd4-47eb-92ad-46c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:32:23.000Z", "modified": "2016-04-20T08:32:23.000Z", "description": "RTF", "pattern": "[file:hashes.SHA256 = 'a0da9887b4c5af009a41b783db7ffedf949013abc70777c0ec539299628a51eb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:32:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173eb0-68b4-4ad0-a243-4022950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:32:48.000Z", "modified": "2016-04-20T08:32:48.000Z", "description": "RTF", "pattern": "[file:hashes.MD5 = 'b51dd4d5731b71c1a191294466cc8288']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:32:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173ebe-e2f8-49b3-b75c-4275950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:33:02.000Z", "modified": "2016-04-20T08:33:02.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '90t69cf82.dll' AND file:hashes.MD5 = '86ebcbb3bdd8af257b52daa869ddd6c1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:33:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173ebf-7e30-489d-bd92-4eb3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:33:03.000Z", "modified": "2016-04-20T08:33:03.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'B412.tmp' AND file:hashes.MD5 = '111273c8cba88636a036e250c2626b12']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:33:03Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173ecc-4858-4e78-a121-4223950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:33:16.000Z", "modified": "2016-04-20T08:33:16.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'manhaton.123nat.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:33:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57173ecd-ff54-4b11-921f-46fb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:33:17.000Z", "modified": "2016-04-20T08:33:17.000Z", "description": "On port 8030", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.10.112.126']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:33:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717445c-4344-4af2-8fe9-4151950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:57:00.000Z", "modified": "2016-04-20T08:57:00.000Z", "description": "RTF", "pattern": "[file:hashes.SHA256 = '58f8a906b49711d2a6aaed0b59e1c1b7fcf5757666e0567fe50e996bfe0a4589']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:57:00Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571744ad-ea7c-4e0f-b713-4893950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:58:21.000Z", "modified": "2016-04-20T08:58:21.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'www.turkistanuyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:58:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571744ad-c1f8-4606-b0b2-45bc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:58:21.000Z", "modified": "2016-04-20T08:58:21.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'www.yawropauyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:58:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571744ae-aee8-4190-98ae-426d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:58:22.000Z", "modified": "2016-04-20T08:58:22.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'www.japanuyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:58:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], 
"labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571744ae-7ae4-4ddc-bf3c-45ef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:58:22.000Z", "modified": "2016-04-20T08:58:22.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'www.hotansft.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:58:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571744ae-1af4-4757-8408-42d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:58:22.000Z", "modified": "2016-04-20T08:58:22.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'www.amerikauyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:58:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571744af-a4b8-4e3c-9228-49b4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:58:23.000Z", "modified": "2016-04-20T08:58:23.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'turkiyeuyghur.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:58:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174506-afbc-44f1-b90c-45d6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T08:59:50.000Z", "modified": "2016-04-20T08:59:50.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/BTFly.dump' AND file:hashes.MD5 = 'f7c04e8b188fa38d0f62f620e3bf01dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T08:59:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717452e-22d8-4278-b18b-40c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:00:30.000Z", "modified": "2016-04-20T09:00:30.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/CltID.ini' AND file:hashes.MD5 = '54afa267dd5acef3858dd6dbea609cd9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:00:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717452e-f668-4202-bc83-4fcc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:00:30.000Z", "modified": "2016-04-20T09:00:30.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/IconConfigBt.DAT' AND file:hashes.MD5 = '516774cb0d5d56b300c402f63fe47523']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:00:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717452f-e860-4d6e-be0a-412d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:00:31.000Z", "modified": "2016-04-20T09:00:31.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/MemoryLoad.dump' AND file:hashes.MD5 = 'db0f8ba69aa71e9404b52d951458b97c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:00:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717452f-bc28-48f8-a88f-4621950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:00:31.000Z", "modified": "2016-04-20T09:00:31.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/RasTls.dll' AND file:hashes.MD5 = '1e9e9ce1445a13c1ff4bf82f4a38de0d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:00:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174530-8628-4ec1-945e-4f28950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:00:32.000Z", "modified": "2016-04-20T09:00:32.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/RasTls.exe' AND file:hashes.MD5 = '62944e26b36b1dcace429ae26ba66164']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-04-20T09:00:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571745f2-29dc-4434-8a4e-4f24950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:03:46.000Z", "modified": "2016-04-20T09:03:46.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'fsguidll.exe' AND file:hashes.SHA256 = '5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:03:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571745f3-0710-48a7-8a66-4f4b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:03:47.000Z", "modified": "2016-04-20T09:03:47.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'fslapi.dll' AND file:hashes.SHA256 = '2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:03:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571745f4-eab8-481e-bfbc-41b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:03:48.000Z", "modified": "2016-04-20T09:03:48.000Z", 
"description": "Imported via the freetext import.", "pattern": "[file:name = 'fslapi.dll.gui' AND file:hashes.SHA256 = 'dc4dac22d58ed7c0cadb13a621f42cb9a01851385ca0dc5b94a73c91677a0739']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:03:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174605-6328-49df-a999-4ad9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:05.000Z", "modified": "2016-04-20T09:04:05.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'BC29.tmp' AND file:hashes.SHA256 = '5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174606-b230-42b0-b806-47f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:06.000Z", "modified": "2016-04-20T09:04:06.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '~tmp.doc' AND file:hashes.SHA256 = '76d54a0c8ed8d9a0b02f52d2400c8e74a9473e9bc92aeb558b2f4c894da1b88f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--57174623-6d50-40d8-9fb3-47c6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:35.000Z", "modified": "2016-04-20T09:04:35.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '~tmp.doc' AND file:hashes.SHA256 = 'f0b5336b6f890e2029ac242ad2b613cad535828f7b7004a2284683f3195b7616']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174624-8aa0-4072-bc11-4657950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:36.000Z", "modified": "2016-04-20T09:04:36.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'iuso.exe' AND file:hashes.SHA256 = 'cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174624-a420-4946-be1d-473e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:36.000Z", "modified": "2016-04-20T09:04:36.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'wget.bat' AND file:hashes.SHA256 = '9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174625-257c-43c7-a6a6-4b5f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:37.000Z", "modified": "2016-04-20T09:04:37.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'wget.exe' AND file:hashes.SHA256 = 'bedfbfe249b4a2be35bbfb1cf166d2119e132ee7c608909d34238e9eba6c9749']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174626-4614-4979-b6a0-41d4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:38.000Z", "modified": "2016-04-20T09:04:38.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'wthk.txt' AND file:hashes.SHA256 = '5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174626-632c-4e4f-ad7f-42ff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:38.000Z", "modified": "2016-04-20T09:04:38.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'conhost.exe' AND file:hashes.SHA256 = 
'4849af113960f473749acf71d11d56854589cf21d623e66c7408bebd5ad0608f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174627-93e4-4f5c-8c97-4251950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:39.000Z", "modified": "2016-04-20T09:04:39.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'SbieDll.dll' AND file:hashes.SHA256 = '2ac69633da711f244377483d99fac53089ec6614a61d8a1492a0e7228cbb8ffd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174628-8e70-4cc8-9987-4952950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:40.000Z", "modified": "2016-04-20T09:04:40.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'dll2.xor' AND file:hashes.SHA256 = 'c3fee1c7d402f144023dade4e63dc65db42fc4d6430f9885ece6aa7fa77cade0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174628-caf4-49ba-86d9-40a2950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:40.000Z", "modified": "2016-04-20T09:04:40.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'maindll.dll' AND file:hashes.SHA256 = '5838582ea26312cc60b43da555189b439d3688597a705e3a52dc4d935517f69d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174629-38f4-4809-b539-4fd9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:41.000Z", "modified": "2016-04-20T09:04:41.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'nvsvc.exe' AND file:hashes.SHA256 = 'ec05e37230e6534fa148b8e022f797ad0afe80f699fbd222a46672118663cf00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717462a-b1b0-4b33-bf15-45c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:04:42.000Z", "modified": "2016-04-20T09:04:42.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'runas.exe' AND file:hashes.SHA256 = '5b34b3365eb6a6c700b391172849a2668d66a167669018ae3b9555bc2d1e54ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:04:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e1-8018-47cf-8445-4d2a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:45.000Z", "modified": "2016-04-20T09:07:45.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '90t69cf82.dll' AND file:hashes.SHA256 = 'afd0eae5065a689f8fc48c0cfc5b87f4caecc2fb6b1cef4c5e977fc2cc98509d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e2-b3b8-4478-9c44-4c84950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:46.000Z", "modified": "2016-04-20T09:07:46.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'B512.tmp' AND file:hashes.SHA256 = 'cdb1d2f843ce797084cfc90107a2582e4861f4051aab0f6ac374468f491232a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e2-5f40-4465-a168-4030950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:46.000Z", "modified": "2016-04-20T09:07:46.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '~tmp.doc' AND file:hashes.SHA256 = 'aecd3e146632e9dfa0a92f486855144df0f87181feb67ac414a618fd52960c8c']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e3-9830-4503-8e36-475c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:47.000Z", "modified": "2016-04-20T09:07:47.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/BTFly.dump' AND file:hashes.SHA256 = '3b828a81ff5b0766c99284524b18fcd10d553191741bc1ed89904cdaa79baae1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e3-489c-4e77-afe4-43b8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:47.000Z", "modified": "2016-04-20T09:07:47.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/CltID.ini' AND file:hashes.SHA256 = '1590a42e67fe02892dfeb6f29e0e6ae91c503d4ea91b550557c513e92f5ac7eb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e4-9dd0-4067-8ec7-4fba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:48.000Z", "modified": 
"2016-04-20T09:07:48.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/IconConfigBt.DAT' AND file:hashes.SHA256 = '0a47bd32b83f09be1ea5a29dce6b7d307de7b3cdd69f836e0c810fd578f85c7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e5-e05c-451b-9a26-4efa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:49.000Z", "modified": "2016-04-20T09:07:49.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/MemoryLoad.dump' AND file:hashes.SHA256 = 'aace766acea06845c29b306a9e080edcb3407635398007f3b9b5e053198b54f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e6-c760-4569-96ff-4d91950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:50.000Z", "modified": "2016-04-20T09:07:50.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/RasTls.dll' AND file:hashes.SHA256 = 'bc2f7ebcad10aa48a69680f14fc57434436b821d5e7f2666a0f6d8795b0d37d1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571746e6-e8b4-4c80-8fe4-430e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:07:50.000Z", "modified": "2016-04-20T09:07:50.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Micbt/RasTls.exe' AND file:hashes.SHA256 = 'f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:07:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174768-a980-4cfc-adce-4ef9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:10:00.000Z", "modified": "2016-04-20T09:10:00.000Z", "description": "recognized as Gh0stRAT", "pattern": "[file:name = '~tmp.doc' AND file:hashes.MD5 = 'e538ad13417b773714b75b5d602e4c6e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:10:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174798-6d98-4b70-b485-4cca950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:10:48.000Z", "modified": "2016-04-20T09:10:48.000Z", "pattern": "[file:name = '~1' AND file:hashes.SHA256 = 'df50ea33616c916720c81d65563175d998a2c606360eeb3c8b727a482de3a4fc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:10:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload 
delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571747a8-e860-46cd-b1b3-44c1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:11:04.000Z", "modified": "2016-04-20T09:11:04.000Z", "pattern": "[file:name = '~1' AND file:hashes.MD5 = 'b901f0b4aa6a3a6875235f96fce15839']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:11:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717486b-e948-4e87-b418-42fe950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:14:19.000Z", "modified": "2016-04-20T09:14:19.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'One Tibetan Protester is Freed, Two Others Are Jailed.doc' AND file:hashes.MD5 = 'facd2fbf26e974bdeae3e4db19753f03']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:14:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717486b-ac80-4461-911a-49fc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:14:19.000Z", "modified": "2016-04-20T09:14:19.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'One Tibetan Protester is Freed, Two Others Are Jailed.doc' AND file:hashes.SHA256 = '1140e06fa8580cf869744b01cc037c2d2d2b5af7f26f5b3448d9a536674d681c']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:14:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571748d1-aef0-4c8b-991b-4c00950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:20:13.000Z", "modified": "2016-04-20T09:20:13.000Z", "description": "RTF", "pattern": "[file:hashes.SHA256 = '41d05788d844b59f8eb79aeb2060dd5b7bdcad01e8d720f4b8b80d552e41cfe2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:20:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571748d2-03c0-4806-a97b-4b36950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:20:07.000Z", "modified": "2016-04-20T09:20:07.000Z", "description": "RAR \r\n8EC7.tmp", "pattern": "[file:hashes.SHA256 = 'ddc05b9f39f579f64742980980ca9820b83a243889bbc5baa37f5c2c1c4beb30']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:20:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174a07-2508-4ee1-a57b-4894950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:21:11.000Z", "modified": "2016-04-20T09:21:11.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.PEHASH = 
'ffb7a38174aab4744cc4a509e34800aee9be8e57']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:21:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"pehash\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174a84-d848-4ef3-8677-43fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:23:16.000Z", "modified": "2016-04-20T09:23:16.000Z", "description": "Imported via the freetext import.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.240.195']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:23:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174a84-7878-4c38-ac38-4c38950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:23:16.000Z", "modified": "2016-04-20T09:23:16.000Z", "description": "On port 8080", "pattern": "[url:value = 'http://www.whitewall.top:8080/850D3011FA326CBB6F57A965']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:23:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174a85-8a24-41d6-bc55-4eef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:23:17.000Z", "modified": "2016-04-20T09:23:17.000Z", "description": "On port 995", "pattern": "[url:value = 
'http://www.whitewall.top:995/5724DD3DCC4A19E8416E5691']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:23:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174aaa-2894-4f79-83c3-48bb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:23:54.000Z", "modified": "2016-04-20T09:23:54.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.MD5 = 'ee49bd5f35cc3012b5b606aca9b0f561']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:23:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174b68-2ef8-49f4-82fc-4e38950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:27:04.000Z", "modified": "2016-04-20T09:27:04.000Z", "description": "Imported via the freetext import.", "pattern": "[file:hashes.SSDEEP = '6144:NwOD0nTHfnxBl7p01yDn8FJD1O6JN0MrvVburdr3QM5o1Zx0a4VgLjv9uM+yb3Hx:ZbqQM5oBfv9uMt5yGg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ssdeep\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57174b99-21b4-4881-8088-44f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:27:53.000Z", "modified": "2016-04-20T09:27:53.000Z", "labels": [ 
"misp:type=\"pdb\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pdb", "x_misp_value": "Y:/UDPSbieDLL/Release/SBieDLL.pdb" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174be5-742c-456a-a9be-4030950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:29:09.000Z", "modified": "2016-04-20T09:29:09.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '2016總統選舉民情中心預測值.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:29:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174be5-2e14-46d9-a003-4125950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:29:09.000Z", "modified": "2016-04-20T09:29:09.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'www.kcico.com.tw/data/openwebmail/doc/wthk.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:29:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57174be5-41e0-41d6-a2e5-4294950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:29:09.000Z", "modified": "2016-04-20T09:29:09.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name
= '中国国家安全委员会机构设置和人员名单提前曝光.docx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T09:29:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174bfd-9390-4ea8-b4fd-4a39950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:29:33.000Z", "modified": "2016-04-20T09:29:33.000Z", "first_observed": "2016-04-20T09:29:33Z", "last_observed": "2016-04-20T09:29:33Z", "number_observed": 1, "object_refs": [ "file--57174bfd-9390-4ea8-b4fd-4a39950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174bfd-9390-4ea8-b4fd-4a39950d210f", "name": "One Tibetan Protester is Freed, Two Others Are Jailed.doc" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174c0d-7a14-496d-81b4-4e90950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:29:49.000Z", "modified": "2016-04-20T09:29:49.000Z", "first_observed": "2016-04-20T09:29:49Z", "last_observed": "2016-04-20T09:29:49Z", "number_observed": 1, "object_refs": [ "file--57174c0d-7a14-496d-81b4-4e90950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174c0d-7a14-496d-81b4-4e90950d210f", "name": "HUMAN RIGHTS
SITUATION IN TIBET.doc" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174c53-7610-4095-b503-4f52950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:30:59.000Z", "modified": "2016-04-20T09:30:59.000Z", "first_observed": "2016-04-20T09:30:59Z", "last_observed": "2016-04-20T09:30:59Z", "number_observed": 1, "object_refs": [ "file--57174c53-7610-4095-b503-4f52950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174c53-7610-4095-b503-4f52950d210f", "name": "[tibethouse] Upcoming Program Announcemet Last Week of December.doc" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174cef-6628-4d5c-a692-4a51950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:33:35.000Z", "modified": "2016-04-20T09:33:35.000Z", "first_observed": "2016-04-20T09:33:35Z", "last_observed": "2016-04-20T09:33:35Z", "number_observed": 1, "object_refs": [ "file--57174cef-6628-4d5c-a692-4a51950d210f" ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174cef-6628-4d5c-a692-4a51950d210f", "hashes": { "SHA-256": "40099e0f13ba47bd4ea4f3f49228ac8cffdf07700c4ef8089e3b5d8013e914a3" }, "name": "PlugX" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174cff-aa9c-441c-8d64-4493950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:33:51.000Z", "modified": "2016-04-20T09:33:51.000Z", "first_observed": "2016-04-20T09:33:51Z", "last_observed": "2016-04-20T09:33:51Z", "number_observed": 1, "object_refs": [ "file--57174cff-aa9c-441c-8d64-4493950d210f" ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": 
"file--57174cff-aa9c-441c-8d64-4493950d210f", "hashes": { "SHA-256": "a78ea84acf57e0c54d5b1e5e3bd5eec31cc5935f16d9575e049e161420736e32" }, "name": "ufbidruosivibuted" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174d12-942c-4080-977e-4467950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:34:10.000Z", "modified": "2016-04-20T09:34:10.000Z", "first_observed": "2016-04-20T09:34:10Z", "last_observed": "2016-04-20T09:34:10Z", "number_observed": 1, "object_refs": [ "file--57174d12-942c-4080-977e-4467950d210f" ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174d12-942c-4080-977e-4467950d210f", "hashes": { "MD5": "103873e3fa8dfc2360bb5c22761da04a" }, "name": "PlugX" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174d22-fcec-4be8-9b94-44a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:34:26.000Z", "modified": "2016-04-20T09:34:26.000Z", "first_observed": "2016-04-20T09:34:26Z", "last_observed": "2016-04-20T09:34:26Z", "number_observed": 1, "object_refs": [ "file--57174d22-fcec-4be8-9b94-44a9950d210f" ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174d22-fcec-4be8-9b94-44a9950d210f", "hashes": { "MD5": "caefdd6ca90ff791cdeff9313136972e" }, "name": "ufbidruosivibuted" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174dd8-3f30-4838-af62-400a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:37:28.000Z", "modified": "2016-04-20T09:37:28.000Z", "first_observed": "2016-04-20T09:37:28Z", "last_observed": "2016-04-20T09:37:28Z", "number_observed": 1, "object_refs": [ "file--57174dd8-3f30-4838-af62-400a950d210f" ], "labels": [ 
"misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174dd8-3f30-4838-af62-400a950d210f", "name": "keylog" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174df1-3968-479d-85d5-4e03950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:37:53.000Z", "modified": "2016-04-20T09:37:53.000Z", "first_observed": "2016-04-20T09:37:53Z", "last_observed": "2016-04-20T09:37:53Z", "number_observed": 1, "object_refs": [ "file--57174df1-3968-479d-85d5-4e03950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174df1-3968-479d-85d5-4e03950d210f", "name": "xx6.tmp" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174dff-78ac-400f-bbd4-4c75950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:38:07.000Z", "modified": "2016-04-20T09:38:07.000Z", "first_observed": "2016-04-20T09:38:07Z", "last_observed": "2016-04-20T09:38:07Z", "number_observed": 1, "object_refs": [ "file--57174dff-78ac-400f-bbd4-4c75950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174dff-78ac-400f-bbd4-4c75950d210f", "name": "xx3.tmp" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174e0a-10e0-4022-9a31-4ba1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:38:18.000Z", "modified": "2016-04-20T09:38:18.000Z", "first_observed": "2016-04-20T09:38:18Z", "last_observed": "2016-04-20T09:38:18Z", "number_observed": 1, "object_refs": [ "file--57174e0a-10e0-4022-9a31-4ba1950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": 
"file--57174e0a-10e0-4022-9a31-4ba1950d210f", "name": "xx1.tmp" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174e1d-32dc-46d5-b717-41c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:38:37.000Z", "modified": "2016-04-20T09:38:37.000Z", "first_observed": "2016-04-20T09:38:37Z", "last_observed": "2016-04-20T09:38:37Z", "number_observed": 1, "object_refs": [ "file--57174e1d-32dc-46d5-b717-41c3950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174e1d-32dc-46d5-b717-41c3950d210f", "name": "srvlic.dll" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174e2d-4558-4971-aa84-4d5a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:38:53.000Z", "modified": "2016-04-20T09:38:53.000Z", "first_observed": "2016-04-20T09:38:53Z", "last_observed": "2016-04-20T09:38:53Z", "number_observed": 1, "object_refs": [ "file--57174e2d-4558-4971-aa84-4d5a950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174e2d-4558-4971-aa84-4d5a950d210f", "name": "conhost.log" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174e3a-3abc-4d57-b5f7-449b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:39:06.000Z", "modified": "2016-04-20T09:39:06.000Z", "first_observed": "2016-04-20T09:39:06Z", "last_observed": "2016-04-20T09:39:06Z", "number_observed": 1, "object_refs": [ "file--57174e3a-3abc-4d57-b5f7-449b950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174e3a-3abc-4d57-b5f7-449b950d210f", "name": "xx4.tmp" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--57174e48-e2dc-4f15-9ae2-4adb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:39:20.000Z", "modified": "2016-04-20T09:39:20.000Z", "first_observed": "2016-04-20T09:39:20Z", "last_observed": "2016-04-20T09:39:20Z", "number_observed": 1, "object_refs": [ "file--57174e48-e2dc-4f15-9ae2-4adb950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174e48-e2dc-4f15-9ae2-4adb950d210f", "name": "xx2.tmp" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174e54-5018-495b-b18a-48eb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:39:32.000Z", "modified": "2016-04-20T09:39:32.000Z", "first_observed": "2016-04-20T09:39:32Z", "last_observed": "2016-04-20T09:39:32Z", "number_observed": 1, "object_refs": [ "file--57174e54-5018-495b-b18a-48eb950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174e54-5018-495b-b18a-48eb950d210f", "name": "xx5.tmp" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57174e6a-c71c-4c48-a9f4-444b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T09:39:54.000Z", "modified": "2016-04-20T09:39:54.000Z", "first_observed": "2016-04-20T09:39:54Z", "last_observed": "2016-04-20T09:39:54Z", "number_observed": 1, "object_refs": [ "file--57174e6a-c71c-4c48-a9f4-444b950d210f" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--57174e6a-c71c-4c48-a9f4-444b950d210f", "name": "up.dat" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787f5-98d0-4631-b8c7-4f0102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-04-20T13:45:25.000Z", "modified": "2016-04-20T13:45:25.000Z", "description": "RAR \r\n8EC7.tmp - Xchecked via VT: ddc05b9f39f579f64742980980ca9820b83a243889bbc5baa37f5c2c1c4beb30", "pattern": "[file:hashes.SHA1 = 'b3d8f4587f40a598d19ed23c552c02120fd3c0ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787f5-31d0-4bc2-986d-4bd102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:25.000Z", "modified": "2016-04-20T13:45:25.000Z", "first_observed": "2016-04-20T13:45:25Z", "last_observed": "2016-04-20T13:45:25Z", "number_observed": 1, "object_refs": [ "url--571787f5-31d0-4bc2-986d-4bd102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787f5-31d0-4bc2-986d-4bd102de0b81", "value": "https://www.virustotal.com/file/ddc05b9f39f579f64742980980ca9820b83a243889bbc5baa37f5c2c1c4beb30/analysis/1458560144/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787f6-6d58-4685-aa4c-4b1e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:26.000Z", "modified": "2016-04-20T13:45:26.000Z", "description": "RTF - Xchecked via VT: 41d05788d844b59f8eb79aeb2060dd5b7bdcad01e8d720f4b8b80d552e41cfe2", "pattern": "[file:hashes.SHA1 = '4782223722758b1281f31b77f1eb0f8da38af258']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, 
{ "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787f6-b9e4-4e7f-812f-476102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:26.000Z", "modified": "2016-04-20T13:45:26.000Z", "first_observed": "2016-04-20T13:45:26Z", "last_observed": "2016-04-20T13:45:26Z", "number_observed": 1, "object_refs": [ "url--571787f6-b9e4-4e7f-812f-476102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787f6-b9e4-4e7f-812f-476102de0b81", "value": "https://www.virustotal.com/file/41d05788d844b59f8eb79aeb2060dd5b7bdcad01e8d720f4b8b80d552e41cfe2/analysis/1458273608/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787f7-5640-43a9-a1f8-42d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:27.000Z", "modified": "2016-04-20T13:45:27.000Z", "description": "RTF - Xchecked via VT: 58f8a906b49711d2a6aaed0b59e1c1b7fcf5757666e0567fe50e996bfe0a4589", "pattern": "[file:hashes.SHA1 = '5ec656d194a15d41b831de750a37e40b28b19c45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787f7-ed70-43ad-84b7-428702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:27.000Z", "modified": "2016-04-20T13:45:27.000Z", "first_observed": "2016-04-20T13:45:27Z", "last_observed": "2016-04-20T13:45:27Z", "number_observed": 1, "object_refs": [ "url--571787f7-ed70-43ad-84b7-428702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--571787f7-ed70-43ad-84b7-428702de0b81", "value": "https://www.virustotal.com/file/58f8a906b49711d2a6aaed0b59e1c1b7fcf5757666e0567fe50e996bfe0a4589/analysis/1458825268/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787f8-d818-4455-aec2-4cf002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:28.000Z", "modified": "2016-04-20T13:45:28.000Z", "description": "RTF - Xchecked via VT: a0da9887b4c5af009a41b783db7ffedf949013abc70777c0ec539299628a51eb", "pattern": "[file:hashes.SHA1 = 'f44dc6b644d7534276c18d8f43420f6f9dac4ef3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787f8-0bc0-4113-bd2a-446d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:28.000Z", "modified": "2016-04-20T13:45:28.000Z", "first_observed": "2016-04-20T13:45:28Z", "last_observed": "2016-04-20T13:45:28Z", "number_observed": 1, "object_refs": [ "url--571787f8-0bc0-4113-bd2a-446d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787f8-0bc0-4113-bd2a-446d02de0b81", "value": "https://www.virustotal.com/file/a0da9887b4c5af009a41b783db7ffedf949013abc70777c0ec539299628a51eb/analysis/1456924149/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787f8-6338-476e-8153-44af02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:28.000Z", "modified": "2016-04-20T13:45:28.000Z", "description": "RTF - Xchecked via VT: e13a0357cd51795100dbce25fe846783fbb7fd22c5efe438d9059edc10492f49", "pattern": 
"[file:hashes.SHA1 = 'ca8fa4afeeae67ef57dcb22ff2326734f119a8d6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787f9-1f18-4b3a-ac70-482102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:29.000Z", "modified": "2016-04-20T13:45:29.000Z", "first_observed": "2016-04-20T13:45:29Z", "last_observed": "2016-04-20T13:45:29Z", "number_observed": 1, "object_refs": [ "url--571787f9-1f18-4b3a-ac70-482102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787f9-1f18-4b3a-ac70-482102de0b81", "value": "https://www.virustotal.com/file/e13a0357cd51795100dbce25fe846783fbb7fd22c5efe438d9059edc10492f49/analysis/1452944526/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787f9-5f08-4091-97a4-40e702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:29.000Z", "modified": "2016-04-20T13:45:29.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 8b6ef2f4e2af608c755b3114e98ab78ac89e089db5b0bece7f2dc68bd1026a78", "pattern": "[file:hashes.SHA1 = 'b8ea4d22bd988c021bc45c3a3e84362edca91e78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787fa-074c-4412-a3f1-4c2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:30.000Z", "modified": "2016-04-20T13:45:30.000Z", "first_observed": "2016-04-20T13:45:30Z", "last_observed": "2016-04-20T13:45:30Z", "number_observed": 1, "object_refs": [ "url--571787fa-074c-4412-a3f1-4c2302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787fa-074c-4412-a3f1-4c2302de0b81", "value": "https://www.virustotal.com/file/8b6ef2f4e2af608c755b3114e98ab78ac89e089db5b0bece7f2dc68bd1026a78/analysis/1459770897/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787fa-81e4-400a-8f49-4e9902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:30.000Z", "modified": "2016-04-20T13:45:30.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 0ba814941a0adb344cbf2a90552a66b52faa99a24d3107735da1db5a0e1f8360", "pattern": "[file:hashes.SHA1 = '0bdd3484e69af639c3564aa7ab679defc4434def']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787fa-e10c-4ac1-ac7d-4c5b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:30.000Z", "modified": "2016-04-20T13:45:30.000Z", "first_observed": "2016-04-20T13:45:30Z", "last_observed": "2016-04-20T13:45:30Z", "number_observed": 1, "object_refs": [ "url--571787fa-e10c-4ac1-ac7d-4c5b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787fa-e10c-4ac1-ac7d-4c5b02de0b81", "value": "https://www.virustotal.com/file/0ba814941a0adb344cbf2a90552a66b52faa99a24d3107735da1db5a0e1f8360/analysis/1459770252/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787fb-44bc-4692-b11b-4b2502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:31.000Z", "modified": "2016-04-20T13:45:31.000Z", "first_observed": "2016-04-20T13:45:31Z", "last_observed": "2016-04-20T13:45:31Z", "number_observed": 1, "object_refs": [ "url--571787fb-44bc-4692-b11b-4b2502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787fb-44bc-4692-b11b-4b2502de0b81", "value": "https://www.virustotal.com/file/5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d/analysis/1461148223/" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--571787fb-7fcc-4e67-bed8-429a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:31.000Z", "modified": "2016-04-20T13:45:31.000Z", "first_observed": "2016-04-20T13:45:31Z", "last_observed": "2016-04-20T13:45:31Z", "number_observed": 1, "object_refs": [ "url--571787fb-7fcc-4e67-bed8-429a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787fb-7fcc-4e67-bed8-429a02de0b81", "value": "https://www.virustotal.com/file/51c0d075067709c9f8794a25a7e3920bf69f8c755a1794e857acd818ea8a1010/analysis/1461146860/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787fc-cb4c-49f7-991d-45d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:32.000Z", "modified": "2016-04-20T13:45:32.000Z", "first_observed": "2016-04-20T13:45:32Z", "last_observed": "2016-04-20T13:45:32Z", "number_observed": 1, "object_refs": [ "url--571787fc-cb4c-49f7-991d-45d002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787fc-cb4c-49f7-991d-45d002de0b81", "value": "https://www.virustotal.com/file/4a5d864f69aff245793606b694bcbc5243b81e0b018596bce85ecab0e12ac849/analysis/1461147529/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787fc-b710-46bc-a454-496202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:32.000Z", "modified": "2016-04-20T13:45:32.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 1140e06fa8580cf869744b01cc037c2d2d2b5af7f26f5b3448d9a536674d681c", "pattern": "[file:hashes.SHA1 = '6dd646bd56e04c6d394f87c97976ccd04ed613df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787fc-b338-4b49-a732-473902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:32.000Z", "modified": "2016-04-20T13:45:32.000Z", "first_observed": "2016-04-20T13:45:32Z", "last_observed": "2016-04-20T13:45:32Z", "number_observed": 1, "object_refs": [ "url--571787fc-b338-4b49-a732-473902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787fc-b338-4b49-a732-473902de0b81", "value": "https://www.virustotal.com/file/1140e06fa8580cf869744b01cc037c2d2d2b5af7f26f5b3448d9a536674d681c/analysis/1452854114/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787fd-6dc4-4c44-82c0-43d602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:33.000Z", "modified": "2016-04-20T13:45:33.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68", "pattern": "[file:hashes.SHA1 = '2616da1697f7c764ee7fb558887a6a3279861fac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787fd-9b0c-4c22-98cb-41c302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:33.000Z", "modified": "2016-04-20T13:45:33.000Z", "first_observed": "2016-04-20T13:45:33Z", "last_observed": "2016-04-20T13:45:33Z", "number_observed": 1, "object_refs": [ "url--571787fd-9b0c-4c22-98cb-41c302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787fd-9b0c-4c22-98cb-41c302de0b81", "value": "https://www.virustotal.com/file/f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68/analysis/1461070473/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787fe-2ed8-4e88-8cba-4b9002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:34.000Z", "modified": "2016-04-20T13:45:34.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: bc2f7ebcad10aa48a69680f14fc57434436b821d5e7f2666a0f6d8795b0d37d1", "pattern": "[file:hashes.SHA1 = '90c9b15d6f5943c515b41d7f306a7bd6eef1845a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787fe-bf88-4d38-b4a9-47d702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:34.000Z", "modified": "2016-04-20T13:45:34.000Z", "first_observed": "2016-04-20T13:45:34Z", "last_observed": "2016-04-20T13:45:34Z", "number_observed": 1, "object_refs": [ "url--571787fe-bf88-4d38-b4a9-47d702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787fe-bf88-4d38-b4a9-47d702de0b81", "value": "https://www.virustotal.com/file/bc2f7ebcad10aa48a69680f14fc57434436b821d5e7f2666a0f6d8795b0d37d1/analysis/1455192800/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787fe-7404-450d-a9bd-415a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:34.000Z", "modified": "2016-04-20T13:45:34.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: aecd3e146632e9dfa0a92f486855144df0f87181feb67ac414a618fd52960c8c", "pattern": "[file:hashes.SHA1 = '79cc8f5b155179360a7a2de772ed1f3945aaf49c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787ff-8ac4-41cb-bbfe-43b102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:35.000Z", "modified": "2016-04-20T13:45:35.000Z", "first_observed": "2016-04-20T13:45:35Z", "last_observed": "2016-04-20T13:45:35Z", "number_observed": 1, "object_refs": [ "url--571787ff-8ac4-41cb-bbfe-43b102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787ff-8ac4-41cb-bbfe-43b102de0b81", "value": "https://www.virustotal.com/file/aecd3e146632e9dfa0a92f486855144df0f87181feb67ac414a618fd52960c8c/analysis/1455797633/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--571787ff-3858-4bdc-bd8f-430e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:35.000Z", "modified": "2016-04-20T13:45:35.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: afd0eae5065a689f8fc48c0cfc5b87f4caecc2fb6b1cef4c5e977fc2cc98509d", "pattern": "[file:hashes.SHA1 = 'cd8581dc95a92bab7f8025fcc5908d27c183b425']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--571787ff-9184-46e3-bda4-460202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:35.000Z", "modified": "2016-04-20T13:45:35.000Z", "first_observed": "2016-04-20T13:45:35Z", "last_observed": "2016-04-20T13:45:35Z", "number_observed": 1, "object_refs": [ "url--571787ff-9184-46e3-bda4-460202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--571787ff-9184-46e3-bda4-460202de0b81", "value": "https://www.virustotal.com/file/afd0eae5065a689f8fc48c0cfc5b87f4caecc2fb6b1cef4c5e977fc2cc98509d/analysis/1454375598/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178800-8b30-4513-b981-431902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:36.000Z", "modified": "2016-04-20T13:45:36.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083", "pattern": "[file:hashes.SHA1 = 'c6f146def58b701f406a73958cdaacbe53860090']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57178800-8760-437a-8ecf-494b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:36.000Z", "modified": "2016-04-20T13:45:36.000Z", "first_observed": "2016-04-20T13:45:36Z", "last_observed": "2016-04-20T13:45:36Z", "number_observed": 1, "object_refs": [ "url--57178800-8760-437a-8ecf-494b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178800-8760-437a-8ecf-494b02de0b81", "value": "https://www.virustotal.com/file/2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083/analysis/1455406891/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178801-c614-4982-8611-42d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:37.000Z", "modified": "2016-04-20T13:45:37.000Z", "description": "Imported via the freetext import. 
- Xchecked via VT: 5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635", "pattern": "[file:hashes.SHA1 = 'f1ec39dddb224a6a1e40d55c8f6877c908f92bcf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57178801-e5fc-46db-9b1c-41d802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:37.000Z", "modified": "2016-04-20T13:45:37.000Z", "first_observed": "2016-04-20T13:45:37Z", "last_observed": "2016-04-20T13:45:37Z", "number_observed": 1, "object_refs": [ "url--57178801-e5fc-46db-9b1c-41d802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178801-e5fc-46db-9b1c-41d802de0b81", "value": "https://www.virustotal.com/file/5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635/analysis/1461046907/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57178801-90c4-4fad-b307-420c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:37.000Z", "modified": "2016-04-20T13:45:37.000Z", "first_observed": "2016-04-20T13:45:37Z", "last_observed": "2016-04-20T13:45:37Z", "number_observed": 1, "object_refs": [ "url--57178801-90c4-4fad-b307-420c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178801-90c4-4fad-b307-420c02de0b81", "value": "https://www.virustotal.com/file/5676c0b2d3c139dbef5bafa0184576bd1a4ccbd3f7d40b4a6a099a1e61bc2a39/analysis/1461146345/" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--57178802-d774-4018-b499-4c2002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:45:38.000Z", "modified": "2016-04-20T13:45:38.000Z", "first_observed": "2016-04-20T13:45:38Z", "last_observed": "2016-04-20T13:45:38Z", "number_observed": 1, "object_refs": [ "url--57178802-d774-4018-b499-4c2002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178802-d774-4018-b499-4c2002de0b81", "value": "https://www.virustotal.com/file/7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6/analysis/1461146164/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--577f761a-5ec4-4532-9e7b-093bc0a8f687", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-08T09:44:58.000Z", "modified": "2016-07-08T09:44:58.000Z", "description": "Snort IDS rules (sid 888016101-888016127): DNS-query signatures for C&C domains, plus HTTP check-in and keepalive signatures for Win32/Agent.XST. The pattern value holds all rules in one bracket-wrapped string, separated by blank lines; split it into individual rules before loading.", "pattern": "[alert udp any any -> any 53 (msg:\"NF - APT LURK0 C&C Domain - www.amerikauyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0d|amerikauyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016101; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT LURK0 C&C Domain - dge.123nat.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|dge|06|123nat|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016102; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT LURK0 C&C Domain - manhaton.123nat.com\"; content:\"|01 00 00 01 00 00 
00 00 00 00|\"; depth:10; offset:2; content:\"|08|manhaton|06|123nat|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016103; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - bsnl.wang\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|04|bsnl|04|wang\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016104; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.onebook.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|07|onebook|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016105; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.togolaga.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|08|togolaga|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016106; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - unisers.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|07|unisers|03|com\"; fast_pattern; nocase; distance:0; 
reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016107; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.dicemention.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0b|dicemention|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016108; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.updatenewes.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0b|updatenewes|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016109; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - softinc.pw\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|07|softinc|02|pw\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016110; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.notebookhk.net\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0a|notebookhk|03|net\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; 
metadata:06072016; priority:1; sid:888016111; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX C&C Domain - www.whitewall.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|09|whitewall|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016112; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-T9000 Win32/Agent.XST Domain - www.kcico.com.tw\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|05|kcico|03|com|02|tw\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016113; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-T9000 Win32/Agent.XST Domain - www.tibetimes.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|09|tibetimes|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016114; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-T9000 Win32/Agent.XST Domain - softinc.pw\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|07|softinc|02|pw\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016115; rev:1;)\r\n\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"NF - Win32/Agent.XST Checkin\"; 
flow:established,to_server; content:\"POST\"; http_method; content:!\"Referer|3a|\"; http_header; content:!\"Accept|3a|\"; http_header; content:\"Content-Type|3a 20|text/html|0d 0a|\"; http_header; content:\"this is UP\"; depth:10; http_client_body; fast_pattern; content:\"|00 00 00 00|\"; http_client_body; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016116; rev:1;)\r\n\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"NF - Win32/Agent.XST Keepalive\"; flow:established,to_server; content:\"POST|20|\"; depth:5; content:\".asp|20|HTTP/1.\"; distance:0; content:!\"Referer|3a|\"; distance:0; content:!\"Accept|3a|\"; distance:0; content:\"Content-Length|3a 20|2|0d 0a|\"; distance:0; fast_pattern; content:\"Content-Type|3a 20|text/html|0d 0a|\"; content:\"|0d 0a 0d 0a|ok\"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016117; rev:1;)\r\n\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"NF - Win32/Agent.XST/UP007 Checkin 2\"; flow:established,to_server; content:\"POST\"; http_method; content:!\"Referer|3a|\"; http_header; content:!\"Accept|3a|\"; http_header; content:\"Content-Type|3a 20|text/html|0d 0a|\"; http_header; content:\"this is UP\"; depth:10; http_client_body; fast_pattern; content:\"|00 00 00 00|\"; http_client_body; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016118; rev:1;)\r\n\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"NF - Win32/Agent.XST/UP007 Keepalive 2\"; flow:established,to_server; content:\"POST|20|\"; depth:5; 
content:\".asp|20|HTTP/1.\"; distance:0; content:!\"Referer|3a|\"; distance:0; content:!\"Accept|3a|\"; distance:0; content:\"Content-Length|3a 20|5|0d 0a|\"; distance:0; fast_pattern; content:\"Content-Type|3a 20|text/html|0d 0a|\"; content:\"|0d 0a 0d 0a|READY\"; distance:0; threshold:type limit, count 1, seconds 60, track by_src; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016119; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.turkistanuyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0F|turkistanuyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016120; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.yawropauyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0d|yawropauyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016121; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.japanuyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0b|japanuyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016122; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.hotansft.top\"; content:\"|01 
00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|08|hotansft|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016123; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.amerikauyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0d|amerikauyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016124; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.yawropauyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0d|yawropauyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016125; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.turkistanuyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0f|turkistanuyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016126; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.turkistanuyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0f|turkistanuyghur|03|top\"; fast_pattern; nocase; 
distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016127; rev:1;)]", "pattern_type": "snort", "valid_from": "2016-07-08T09:44:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }