{ "type": "bundle", "id": "bundle--59a1a900-0714-4bcc-be9f-447c02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59a1a900-0714-4bcc-be9f-447c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "name": "OSINT - Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures", "published": "2017-08-26T19:39:55Z", "object_refs": [ "observed-data--59a1a90c-8e04-4fc8-bf0e-447d02de0b81", "url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81", "x-misp-attribute--59a1a91a-f438-4135-a500-ae1a02de0b81", "indicator--59a1ce0d-af54-429a-9a56-408d02de0b81", "indicator--59a1ce0d-c274-4745-8395-46ca02de0b81", "indicator--59a1ce0d-f620-4573-be85-427202de0b81", "indicator--59a1ce0d-c218-45cc-b7fe-415f02de0b81", "indicator--59a1ce0d-d6b8-43fd-affa-428b02de0b81", "indicator--59a1ce0d-0560-46d0-9d6a-4eb102de0b81", "indicator--59a1ce0d-2dac-490c-a7d4-459102de0b81", "indicator--59a1ce0d-30b8-4c6d-9066-4ae002de0b81", "indicator--59a1ce0d-4ca8-4322-ad44-4f1a02de0b81", "indicator--59a1ce0d-eef8-48eb-b77a-495702de0b81", "indicator--59a1ce0d-f94c-4cb2-92b6-47c602de0b81", "indicator--59a1ce0d-2624-4905-896e-43a702de0b81", "indicator--59a1ce0d-7d98-42d8-b7bc-488f02de0b81", "indicator--59a1ce0d-df10-451e-94bb-40d602de0b81", "indicator--59a1ce0d-9e24-4465-939f-462f02de0b81", "indicator--59a1ce0d-b9b0-4eb2-a26a-4b9102de0b81", "indicator--59a1ce0d-c1d0-48d8-a50b-487b02de0b81", "indicator--59a1ce0d-c3d4-44ca-9a77-4b1602de0b81", "observed-data--59a1ce3e-2f44-4cd3-8e28-add202de0b81", "url--59a1ce3e-2f44-4cd3-8e28-add202de0b81", "observed-data--59a1ce3e-d3f0-4f4f-aa69-add202de0b81", "url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81", "observed-data--59a1ce3e-8710-4479-8ad0-add202de0b81", "url--59a1ce3e-8710-4479-8ad0-add202de0b81", "observed-data--59a1ce3f-7ddc-43eb-aae7-add202de0b81", "url--59a1ce3f-7ddc-43eb-aae7-add202de0b81", "observed-data--59a1ce3f-e8d8-4ba8-82e2-add202de0b81", "url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81", "observed-data--59a1ce3f-f950-4a5c-a1c6-add202de0b81", "url--59a1ce3f-f950-4a5c-a1c6-add202de0b81", "observed-data--59a1ce3f-8bb8-46d8-9e93-add202de0b81", "url--59a1ce3f-8bb8-46d8-9e93-add202de0b81", "indicator--59a1ce7c-bbdc-4f01-ad34-4af202de0b81", "indicator--59a1ce7c-3e08-4941-8a7c-4fe102de0b81", "observed-data--59a1ce7c-71fc-46a8-8deb-414302de0b81", "url--59a1ce7c-71fc-46a8-8deb-414302de0b81", "indicator--59a1ce7c-5b34-423e-98a4-48af02de0b81", "indicator--59a1ce7c-2fb8-4784-9876-490002de0b81", "observed-data--59a1ce7c-c558-42cf-989b-4b9f02de0b81", "url--59a1ce7c-c558-42cf-989b-4b9f02de0b81", "indicator--59a1ce7c-16f0-4356-a71d-477302de0b81", "indicator--59a1ce7c-b4ac-4c0e-ab92-4bf302de0b81", "observed-data--59a1ce7c-c8a8-4982-be1c-489702de0b81", "url--59a1ce7c-c8a8-4982-be1c-489702de0b81", "indicator--59a1ce7c-3518-4970-b6c7-4bc002de0b81", "indicator--59a1ce7c-3570-4889-a5ba-427702de0b81", "observed-data--59a1ce7c-1ed8-47df-a9b9-425402de0b81", "url--59a1ce7c-1ed8-47df-a9b9-425402de0b81", "indicator--59a1ce7c-f688-48e0-9763-4b1e02de0b81", "indicator--59a1ce7c-68f8-44db-9bb5-409e02de0b81", "observed-data--59a1ce7c-8e60-4246-a504-443802de0b81", "url--59a1ce7c-8e60-4246-a504-443802de0b81", "indicator--59a1ce7c-6334-4439-bc93-44f502de0b81", "indicator--59a1ce7c-96b8-475f-be09-48c102de0b81", "observed-data--59a1ce7c-d6fc-416b-9324-43f502de0b81", "url--59a1ce7c-d6fc-416b-9324-43f502de0b81", "indicator--59a1ce7c-1950-43f5-893e-4f6402de0b81", "indicator--59a1ce7c-2eb8-4bc7-aeb6-455d02de0b81", "observed-data--59a1ce7c-8008-4639-bce8-4b7a02de0b81", "url--59a1ce7c-8008-4639-bce8-4b7a02de0b81", "indicator--59a1ce7c-cbbc-4984-8e85-419b02de0b81", "indicator--59a1ce7c-ade4-4b9c-b213-46a002de0b81", "observed-data--59a1ce7c-d288-48a4-a173-4f6002de0b81", "url--59a1ce7c-d288-48a4-a173-4f6002de0b81", "indicator--59a1ce7c-b694-4d38-8305-4e0d02de0b81", "indicator--59a1ce7c-48bc-4081-9523-41a602de0b81", "observed-data--59a1ce7c-624c-408b-8fb8-42e902de0b81", "url--59a1ce7c-624c-408b-8fb8-42e902de0b81", "indicator--59a1ce7c-cc38-4ce4-a3c9-471702de0b81", "indicator--59a1ce7c-d0b0-4f83-8433-4dfe02de0b81", "observed-data--59a1ce7c-b7b8-474b-bd23-455c02de0b81", "url--59a1ce7c-b7b8-474b-bd23-455c02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1a90c-8e04-4fc8-bf0e-447d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "first_observed": "2017-08-26T19:39:39Z", "last_observed": "2017-08-26T19:39:39Z", "number_observed": 1, "object_refs": [ "url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59a1a91a-f438-4135-a500-ae1a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Proofpoint recently observed a targeted email campaign attempting a spearphishing attack using a Game of Thrones lure. The malicious attachment, which offered salacious spoilers and video clips, attempted to install a \u00e2\u20ac\u01539002\u00e2\u20ac\u009d remote access Trojan (RAT) historically used by state-sponsored actors. Previous attacks involving the 9002 RAT include:\r\n\r\nOperation Aurora, an attack on companies such as Google, widely attributed to the Chinese government [1,2]\r\nOperation Ephemeral Hydra, a strategic website compromise utilizing an Internet Explorer zero-day [3], which FireEye attributed to an APT actor without a country attribution\r\nAttacks on Asian countries described by Palo Alto [4]\r\nOnce installed, the 9002 RAT provides attackers with extensive data exfiltration capabilities." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-af54-429a-9a56-408d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "pattern": "[url:value = 'http://27.255.83.3/x/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-c274-4745-8395-46ca02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "pattern": "[url:value = 'http://27.255.83.3/y/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-f620-4573-be85-427202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.255.83.3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-c218-45cc-b7fe-415f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "pattern": "[file:hashes.SHA256 = '9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-d6b8-43fd-affa-428b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "%APPDATA%\\y.jpg", "pattern": "[file:hashes.SHA256 = '5a678529aea9195b787be8c788ef4bb03e38e425ad6d0c9fafd44ed03aa46b65']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-0560-46d0-9d6a-4eb102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "pattern": "[file:hashes.SHA256 = 'efdb6351ac3902b18535fcd30432e98ffa2d8bc4224bdb3aba7f8ca0f44cec79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-2dac-490c-a7d4-459102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "Party_photos_201612.zip", "pattern": "[file:hashes.SHA256 = 'bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-30b8-4c6d-9066-4ae002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "need help.docx", "pattern": "[file:hashes.SHA256 = '192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-4ca8-4322-ad44-4f1a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "Party-001.jpg.lnk", "pattern": "[file:hashes.SHA256 = '774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-eef8-48eb-b77a-495702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "Photos20140214.zip", "pattern": "[file:hashes.SHA256 = '56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-f94c-4cb2-92b6-47c602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "Party-pics-201304.zip", "pattern": "[file:hashes.SHA256 = '83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-2624-4905-896e-43a702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "Party_Photos_Packed.zip", "pattern": "[file:hashes.SHA256 = 'b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-7d98-42d8-b7bc-488f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "Photos20140215.zip", "pattern": "[file:hashes.SHA256 = 'db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-df10-451e-94bb-40d602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "PartyPics.7z", "pattern": "[file:hashes.SHA256 = 'fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-9e24-4465-939f-462f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "PhotoShow.jar", "pattern": "[file:hashes.SHA256 = '559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-b9b0-4eb2-a26a-4b9102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "description": "Upins_tmp.exe (dropped by PhotoShow.jar)", "pattern": "[file:hashes.SHA256 = '0b7613e0f739eb63fd5ed9e99934d54a38e56c558ab8d1a4f586a7c88d37a428']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-c1d0-48d8-a50b-487b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "pattern": "[domain-name:value = 'mn1.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce0d-c3d4-44ca-9a77-4b1602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "pattern": "[domain-name:value = 'mx.i26.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce3e-2f44-4cd3-8e28-add202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "first_observed": "2017-08-26T19:39:39Z", "last_observed": "2017-08-26T19:39:39Z", "number_observed": 1, "object_refs": [ "url--59a1ce3e-2f44-4cd3-8e28-add202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce3e-2f44-4cd3-8e28-add202de0b81", "value": "https://community.saas.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WaBdzB9ifW8" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce3e-d3f0-4f4f-aa69-add202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "first_observed": "2017-08-26T19:39:39Z", "last_observed": "2017-08-26T19:39:39Z", "number_observed": 1, "object_refs": [ "url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81", "value": "http://www.washingtontimes.com/news/2010/mar/24/cyber-attack-on-us-firms-google-traced-to-chinese/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce3e-8710-4479-8ad0-add202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "first_observed": "2017-08-26T19:39:39Z", "last_observed": "2017-08-26T19:39:39Z", "number_observed": 1, "object_refs": [ "url--59a1ce3e-8710-4479-8ad0-add202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce3e-8710-4479-8ad0-add202de0b81", "value": "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce3f-7ddc-43eb-aae7-add202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "first_observed": "2017-08-26T19:39:39Z", "last_observed": "2017-08-26T19:39:39Z", "number_observed": 1, "object_refs": [ "url--59a1ce3f-7ddc-43eb-aae7-add202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce3f-7ddc-43eb-aae7-add202de0b81", "value": "https://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce3f-e8d8-4ba8-82e2-add202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "first_observed": "2017-08-26T19:39:39Z", "last_observed": "2017-08-26T19:39:39Z", "number_observed": 1, "object_refs": [ "url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81", "value": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-Shellcode.ps1" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce3f-f950-4a5c-a1c6-add202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "first_observed": "2017-08-26T19:39:39Z", "last_observed": "2017-08-26T19:39:39Z", "number_observed": 1, "object_refs": [ "url--59a1ce3f-f950-4a5c-a1c6-add202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce3f-f950-4a5c-a1c6-add202de0b81", "value": "http://security-is-just-an-illusion.blogspot.nl/2013/02/45-x-antivirus-software-fail-again-java.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce3f-8bb8-46d8-9e93-add202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:39.000Z", "modified": "2017-08-26T19:39:39.000Z", "first_observed": "2017-08-26T19:39:39Z", "last_observed": "2017-08-26T19:39:39Z", "number_observed": 1, "object_refs": [ "url--59a1ce3f-8bb8-46d8-9e93-add202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce3f-8bb8-46d8-9e93-add202de0b81", "value": "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-bbdc-4f01-ad34-4af202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "PhotoShow.jar - Xchecked via VT: 559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308", "pattern": "[file:hashes.SHA1 = 'fb262cae70ea79b831b6b4e049d03fb27ba93b10']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-3e08-4941-8a7c-4fe102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "PhotoShow.jar - Xchecked via VT: 559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308", "pattern": "[file:hashes.MD5 = '300eb3eb70e30332cc339487f19c1123']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-71fc-46a8-8deb-414302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-71fc-46a8-8deb-414302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-71fc-46a8-8deb-414302de0b81", "value": "https://www.virustotal.com/file/559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308/analysis/1399034900/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-5b34-423e-98a4-48af02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "PartyPics.7z - Xchecked via VT: fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7", "pattern": "[file:hashes.SHA1 = '6b323d58163f0feb4b3c351f00fac34df048f618']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-2fb8-4784-9876-490002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "PartyPics.7z - Xchecked via VT: fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7", "pattern": "[file:hashes.MD5 = '4fa9e1ee1943edbfc1f47abec1e166a6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-c558-42cf-989b-4b9f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-c558-42cf-989b-4b9f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-c558-42cf-989b-4b9f02de0b81", "value": "https://www.virustotal.com/file/fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7/analysis/1397745647/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-16f0-4356-a71d-477302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Photos20140215.zip - Xchecked via VT: db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6", "pattern": "[file:hashes.SHA1 = 'f6fdfc3bd51b6ddb317e6920d8bf43bb06b84e7d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-b4ac-4c0e-ab92-4bf302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Photos20140215.zip - Xchecked via VT: db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6", "pattern": "[file:hashes.MD5 = 'be0324f6b62794a0cc2d836ae3d3ca4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-c8a8-4982-be1c-489702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-c8a8-4982-be1c-489702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-c8a8-4982-be1c-489702de0b81", "value": "https://www.virustotal.com/file/db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6/analysis/1397835917/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-3518-4970-b6c7-4bc002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Party_Photos_Packed.zip - Xchecked via VT: b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43", "pattern": "[file:hashes.SHA1 = '0e532e856e5d8e9ed7497a04709a69375bce52c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-3570-4889-a5ba-427702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Party_Photos_Packed.zip - Xchecked via VT: b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43", "pattern": "[file:hashes.MD5 = 'ae61b4f25bd0101d39eb925e36082802']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-1ed8-47df-a9b9-425402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-1ed8-47df-a9b9-425402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-1ed8-47df-a9b9-425402de0b81", "value": "https://www.virustotal.com/file/b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43/analysis/1421863355/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-f688-48e0-9763-4b1e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Party-pics-201304.zip - Xchecked via VT: 83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70", "pattern": "[file:hashes.SHA1 = '4d5c9a03af619caae4dbeb7dca0a739c2e4babb2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-68f8-44db-9bb5-409e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Party-pics-201304.zip - Xchecked via VT: 83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70", "pattern": "[file:hashes.MD5 = 'cbbadbb5eab890d10ee48853fe9e7781']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-8e60-4246-a504-443802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-8e60-4246-a504-443802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-8e60-4246-a504-443802de0b81", "value": "https://www.virustotal.com/file/83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70/analysis/1400689562/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-6334-4439-bc93-44f502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Photos20140214.zip - Xchecked via VT: 56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852", "pattern": "[file:hashes.SHA1 = '8c1e699ef25443cf8857b6eb4c8eb5618186377a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-96b8-475f-be09-48c102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Photos20140214.zip - Xchecked via VT: 56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852", "pattern": "[file:hashes.MD5 = '2c77abcc72475c7e0f446f807e14b22a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-d6fc-416b-9324-43f502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-d6fc-416b-9324-43f502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-d6fc-416b-9324-43f502de0b81", "value": "https://www.virustotal.com/file/56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852/analysis/1397837529/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-1950-43f5-893e-4f6402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Party-001.jpg.lnk - Xchecked via VT: 774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0", "pattern": "[file:hashes.SHA1 = 'c7becef454d23d2e6b77add4925fed36d38f24c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-2eb8-4bc7-aeb6-455d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Party-001.jpg.lnk - Xchecked via VT: 774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0", "pattern": "[file:hashes.MD5 = '1ec3ec4af040b71eda4eb1c30116b1a3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-8008-4639-bce8-4b7a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-8008-4639-bce8-4b7a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-8008-4639-bce8-4b7a02de0b81", "value": "https://www.virustotal.com/file/774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0/analysis/1426834440/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-cbbc-4984-8e85-419b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "need help.docx - Xchecked via VT: 192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a", "pattern": "[file:hashes.SHA1 = '34e2667c67c9ff2ca30c35b03c6acc7a6ad84471']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-ade4-4b9c-b213-46a002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "need help.docx - Xchecked via VT: 192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a", "pattern": "[file:hashes.MD5 = '325be1a107e0e20748c19bb243a26b13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-d288-48a4-a173-4f6002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-d288-48a4-a173-4f6002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-d288-48a4-a173-4f6002de0b81", "value": "https://www.virustotal.com/file/192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a/analysis/1503662047/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-b694-4d38-8305-4e0d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Party_photos_201612.zip - Xchecked via VT: bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100", "pattern": "[file:hashes.SHA1 = 'cfef71b39afb7b73f33f514a20b5c5b32b5f1012']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-48bc-4081-9523-41a602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "Party_photos_201612.zip - Xchecked via VT: bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100", "pattern": "[file:hashes.MD5 = '5b3733bfa52e6af1520ad53f93789737']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-624c-408b-8fb8-42e902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-624c-408b-8fb8-42e902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-624c-408b-8fb8-42e902de0b81", "value": "https://www.virustotal.com/file/bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100/analysis/1499332325/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-cc38-4ce4-a3c9-471702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "- Xchecked via VT: 9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd", "pattern": "[file:hashes.SHA1 = '644a3b395f8d7baaa4aae65e80363bf955698a79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a1ce7c-d0b0-4f83-8433-4dfe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "description": "- Xchecked via VT: 9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd", "pattern": "[file:hashes.MD5 = '7e8bc04a964d33a375c2c970f0697908']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-26T19:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a1ce7c-b7b8-474b-bd23-455c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-26T19:39:40.000Z", "modified": "2017-08-26T19:39:40.000Z", "first_observed": "2017-08-26T19:39:40Z", "last_observed": "2017-08-26T19:39:40Z", "number_observed": 1, "object_refs": [ "url--59a1ce7c-b7b8-474b-bd23-455c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a1ce7c-b7b8-474b-bd23-455c02de0b81", "value": "https://www.virustotal.com/file/9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd/analysis/1499333974/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }