{ "type": "bundle", "id": "bundle--5991e185-1808-4a0a-8df5-c44402de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:50:16.000Z", "modified": "2017-08-14T17:50:16.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5991e185-1808-4a0a-8df5-c44402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:50:16.000Z", "modified": "2017-08-14T17:50:16.000Z", "name": "OSINT - The Blockbuster Saga Continues", "published": "2017-08-14T17:50:46Z", "object_refs": [ "observed-data--5991e193-efc8-41e2-ba11-457902de0b81", "url--5991e193-efc8-41e2-ba11-457902de0b81", "x-misp-attribute--5991e1ac-9748-4213-8c8c-43a302de0b81", "indicator--5991e1db-a100-4d93-8ea9-43e802de0b81", "indicator--5991e1db-a54c-4a1a-aa45-424f02de0b81", "indicator--5991e1db-2eb8-455e-96c6-4fc602de0b81", "indicator--5991e1db-39ac-4838-8009-476402de0b81", "indicator--5991e1e7-904c-4e34-8757-480b02de0b81", "indicator--5991e1e7-2ee8-4650-b835-43e402de0b81", "indicator--5991e1e7-cb88-40d2-a89f-470f02de0b81", "indicator--5991e1e7-49b8-467e-b9b5-4b2602de0b81", "indicator--5991e1e7-13d4-4131-a75f-4a3c02de0b81", "indicator--5991e1e7-5600-4357-996d-428302de0b81", "indicator--5991e1e7-2e88-4fc1-bee3-49d802de0b81", "indicator--5991e1e7-bca0-4130-89e2-482402de0b81", "indicator--5991e1e7-f7c4-4234-a9be-4ff302de0b81", "indicator--5991e1fa-f61c-46df-bdbf-480d02de0b81", "indicator--5991e1fa-a230-4e68-bcf7-41fc02de0b81", "indicator--5991e1fa-62a4-4a41-8dac-427602de0b81", "indicator--5991e1fa-3940-4f00-9f46-4e0202de0b81", "indicator--5991e1fa-d738-41b9-8ba2-4f9c02de0b81", "indicator--5991e1fa-e264-424e-83e6-4b8802de0b81", "indicator--5991e1fa-82b4-4493-8543-4ab102de0b81", "indicator--5991e1fa-1c84-4131-a807-46a802de0b81", "indicator--5991e1fa-9584-4430-b291-47b102de0b81", "indicator--5991e1fa-1714-4972-8a39-476502de0b81", "indicator--5991e1fa-9be8-43d4-8b9a-421f02de0b81", "indicator--5991e1fa-ba30-4d3c-b87f-496802de0b81", "indicator--5991e1fa-aa18-479c-a1f1-43af02de0b81", "indicator--5991e1fa-1bb0-4184-a3e4-48b102de0b81", "indicator--5991e2c3-aa68-4032-84fe-c43b02de0b81", "indicator--5991e2c3-8b14-48ef-aa08-c43b02de0b81", "observed-data--5991e2c3-8464-426c-b0da-c43b02de0b81", "url--5991e2c3-8464-426c-b0da-c43b02de0b81", "indicator--5991e2c3-ba9c-4d0f-8d37-c43b02de0b81", "indicator--5991e2c3-66dc-42fa-9886-c43b02de0b81", "observed-data--5991e2c3-ae8c-46ce-acea-c43b02de0b81", "url--5991e2c3-ae8c-46ce-acea-c43b02de0b81", "indicator--5991e2c3-381c-4078-82ea-c43b02de0b81", "indicator--5991e2c3-44ec-4848-932a-c43b02de0b81", "observed-data--5991e2c3-6d14-4f2d-97e4-c43b02de0b81", "url--5991e2c3-6d14-4f2d-97e4-c43b02de0b81", "indicator--5991e2c3-86c8-45bb-8eb6-c43b02de0b81", "indicator--5991e2c3-c03c-4e9d-8e62-c43b02de0b81", "observed-data--5991e2c3-ffac-4a61-9bd6-c43b02de0b81", "url--5991e2c3-ffac-4a61-9bd6-c43b02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5991e193-efc8-41e2-ba11-457902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "first_observed": "2017-08-14T17:49:55Z", "last_observed": "2017-08-14T17:49:55Z", "number_observed": 1, "object_refs": [ "url--5991e193-efc8-41e2-ba11-457902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5991e193-efc8-41e2-ba11-457902de0b81", "value": "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5991e1ac-9748-4213-8c8c-43a302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Unit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors. Through analysis of malicious code, files, and infrastructure it is clear the group behind this campaign is either directly responsible for or has cooperated with the group which conducted Operation Blockbuster Sequel and, ultimately, Operation Blockbuster (originally outlined by researchers from Novetta). The threat actors are reusing tools, techniques, and procedures which overlap throughout these operations with little variance. Attacks originating from this threat group have not ceased since our previous report (from April of 2017) and have continued through July of 2017." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1db-a100-4d93-8ea9-43e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[url:value = 'http://210.202.40.35/CKRQST/event/careers/jobs/description/docs/NGC1398.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1db-a54c-4a1a-aa45-424f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[url:value = 'http://210.202.40.35/CKRQST/Company/HR/Position/lm/L1915.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1db-2eb8-455e-96c6-4fc602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[url:value = 'http://104.192.193.149/Event/careers/jobs/description/docs/LJC077.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1db-39ac-4838-8009-476402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[url:value = 'http://lansingturbo.org/docs/WebDAV.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-904c-4e34-8757-480b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.192.193.149']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-2ee8-4650-b835-43e402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.35.250.93']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-cb88-40d2-a89f-470f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.152.51.169']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-49b8-467e-b9b5-4b2602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '108.222.149.173']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-13d4-4131-a75f-4a3c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '197.246.6.83']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-5600-4357-996d-428302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.140.97.6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-2e88-4fc1-bee3-49d802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '210.202.40.35']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-bca0-4130-89e2-482402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.90.93.97']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1e7-f7c4-4234-a9be-4ff302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.6.12.135']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-f61c-46df-bdbf-480d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = '4d4465bd9a57c7a3c0b80fa3282697554a1419794afa36e544a4ae06d60c1615']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-a230-4e68-bcf7-41fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = 'f390ef86a4ad92dde125c983e6470f08344b9eaa14c17a1e6c4bb7ebfa7c4ec9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-62a4-4a41-8dac-427602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = 'acfae7e2fdda02e81b3e03f8c30741744d629cd672db424027f7caa59c975897']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-3940-4f00-9f46-4e0202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = '7429a6b6e8518a1ec1d1c37a8786359885f2fd4abde560adaef331ca9deaeefd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-d738-41b9-8ba2-4f9c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = 'e09224a24a14a08c6fcb79b00b4a7b3097c84f805f5f2adefe2f7d04d7b4a8ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-e264-424e-83e6-4b8802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = '062aadf3eb69686f4881860d88ce472e6b1c07e1f586d840dd2ee1f7b76cabe7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-82b4-4493-8543-4ab102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = 'c63a415d23fc4ab10ad3acfdd47d42b5c7444604485ab45147277cca82fffb34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-1c84-4131-a807-46a802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = '16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-9584-4430-b291-47b102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = 'de2d458c8e4befcd478a0010789d80997793790b18a347d10a595d6e87d91f34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-1714-4972-8a39-476502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = '2f133525f76ab0ebb0b370601673361253074c337f0b0895d0f0cb5bc261cfcb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-9be8-43d4-8b9a-421f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = 'e83a08bcb4353bfd6edcdedbc9ead9ab179a620e15155b60d18153bed9892f38']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-ba30-4d3c-b87f-496802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = '6f673981892701d42159489c1b2614c098a04e4674b23e1cd0fd8911766e71a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-aa18-479c-a1f1-43af02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = 'ad075279d2ee6958105889d852e0d7f4266f746cb0078ac1b362f05a45b5828d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e1fa-1bb0-4184-a3e4-48b102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "pattern": "[file:hashes.SHA256 = '1288e105c83a6f4bbad8471a9b5bedafeea684a8d8b73a1a7518137d446c2e1e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e2c3-aa68-4032-84fe-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "description": "- Xchecked via VT: 1288e105c83a6f4bbad8471a9b5bedafeea684a8d8b73a1a7518137d446c2e1e", "pattern": "[file:hashes.SHA1 = '67d2eceea179d3e0e3b99a4464cca82bec2236dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e2c3-8b14-48ef-aa08-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "description": "- Xchecked via VT: 1288e105c83a6f4bbad8471a9b5bedafeea684a8d8b73a1a7518137d446c2e1e", "pattern": "[file:hashes.MD5 = '307866c7d98fc9a050c0d178d95b3e8f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5991e2c3-8464-426c-b0da-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "first_observed": "2017-08-14T17:49:55Z", "last_observed": "2017-08-14T17:49:55Z", "number_observed": 1, "object_refs": [ "url--5991e2c3-8464-426c-b0da-c43b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5991e2c3-8464-426c-b0da-c43b02de0b81", "value": "https://www.virustotal.com/file/1288e105c83a6f4bbad8471a9b5bedafeea684a8d8b73a1a7518137d446c2e1e/analysis/1502714543/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e2c3-ba9c-4d0f-8d37-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "description": "- Xchecked via VT: 6f673981892701d42159489c1b2614c098a04e4674b23e1cd0fd8911766e71a0", "pattern": "[file:hashes.SHA1 = 'cbb56d1aff6ddd7c280c52fd03ca10529b1b2e36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e2c3-66dc-42fa-9886-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "description": "- Xchecked via VT: 6f673981892701d42159489c1b2614c098a04e4674b23e1cd0fd8911766e71a0", "pattern": "[file:hashes.MD5 = '766ec87da598965efc2fb7e5a5b60ee2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5991e2c3-ae8c-46ce-acea-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "first_observed": "2017-08-14T17:49:55Z", "last_observed": "2017-08-14T17:49:55Z", "number_observed": 1, "object_refs": [ "url--5991e2c3-ae8c-46ce-acea-c43b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5991e2c3-ae8c-46ce-acea-c43b02de0b81", "value": "https://www.virustotal.com/file/6f673981892701d42159489c1b2614c098a04e4674b23e1cd0fd8911766e71a0/analysis/1502715759/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e2c3-381c-4078-82ea-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "description": "- Xchecked via VT: 16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd", "pattern": "[file:hashes.SHA1 = '9e2017128dd01108571b241f6c2b435d98d52d3c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e2c3-44ec-4848-932a-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "description": "- Xchecked via VT: 16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd", "pattern": "[file:hashes.MD5 = 'e8aa28ad79c9adcf9bb8629973fdfa24']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5991e2c3-6d14-4f2d-97e4-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "first_observed": "2017-08-14T17:49:55Z", "last_observed": "2017-08-14T17:49:55Z", "number_observed": 1, "object_refs": [ "url--5991e2c3-6d14-4f2d-97e4-c43b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5991e2c3-6d14-4f2d-97e4-c43b02de0b81", "value": "https://www.virustotal.com/file/16c3a7f143e831dd0481d2d57aae885090e22ec55cc8282009f641755d423fcd/analysis/1502724035/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e2c3-86c8-45bb-8eb6-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "description": "- Xchecked via VT: acfae7e2fdda02e81b3e03f8c30741744d629cd672db424027f7caa59c975897", "pattern": "[file:hashes.SHA1 = 'e784d38b6e628357d93e0db926590c8ef5393d1a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5991e2c3-c03c-4e9d-8e62-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "description": "- Xchecked via VT: acfae7e2fdda02e81b3e03f8c30741744d629cd672db424027f7caa59c975897", "pattern": "[file:hashes.MD5 = 'aa9548f3b03cc481c8c195fd458bc6dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-14T17:49:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5991e2c3-ffac-4a61-9bd6-c43b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-14T17:49:55.000Z", "modified": "2017-08-14T17:49:55.000Z", "first_observed": "2017-08-14T17:49:55Z", "last_observed": "2017-08-14T17:49:55Z", "number_observed": 1, "object_refs": [ "url--5991e2c3-ffac-4a61-9bd6-c43b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5991e2c3-ffac-4a61-9bd6-c43b02de0b81", "value": "https://www.virustotal.com/file/acfae7e2fdda02e81b3e03f8c30741744d629cd672db424027f7caa59c975897/analysis/1502715852/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }