{ "type": "bundle", "id": "bundle--570c9451-ec50-4ecc-b031-47b4950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:01.000Z", "modified": "2016-04-12T07:02:01.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--570c9451-ec50-4ecc-b031-47b4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:01.000Z", "modified": "2016-04-12T07:02:01.000Z", "name": "OSINT - New Locky Variant Implements Evasion Techniques", "published": "2016-04-12T07:03:29Z", "object_refs": [ "observed-data--570c9481-4494-46ca-8e1c-4786950d210f", "url--570c9481-4494-46ca-8e1c-4786950d210f", "x-misp-attribute--570c9491-25e4-444a-908a-4f6f950d210f", "indicator--570c9d58-bdb8-44a3-bf86-430f950d210f", "indicator--570c9d58-4dfc-4c71-adb5-4fd9950d210f", "indicator--570c9d58-c0e8-4224-88f7-4b29950d210f", "indicator--570c9d59-78b8-4656-b296-4ec1950d210f", "indicator--570c9d59-401c-4127-9ce6-4bfb950d210f", "indicator--570c9d5a-2f18-4044-93b5-4ad0950d210f", "indicator--570c9d5a-4d48-46f5-81f3-484a950d210f", "indicator--570c9d5a-b614-4327-b70d-4c76950d210f", "indicator--570c9d5b-31d8-4216-ba1c-4782950d210f", "indicator--570c9d5b-7114-42d6-b606-48b7950d210f", "indicator--570c9d5b-4004-4d49-9ebe-4dd2950d210f", "indicator--570c9d69-deac-40cc-a8ab-434502de0b81", "indicator--570c9d69-413c-4c5c-a624-497f02de0b81", "observed-data--570c9d69-599c-46bb-93ae-47a402de0b81", "url--570c9d69-599c-46bb-93ae-47a402de0b81", "indicator--570c9d6a-5670-4c74-a38f-4b9502de0b81", "indicator--570c9d6a-0840-4603-8eb0-4ede02de0b81", "observed-data--570c9d6a-f8dc-4480-a3e9-433b02de0b81", "url--570c9d6a-f8dc-4480-a3e9-433b02de0b81", "indicator--570c9d6b-07f8-4bfe-ab59-48d302de0b81", "indicator--570c9d6b-d740-4b20-8476-40c202de0b81", "observed-data--570c9d6b-7534-4119-88f2-40a102de0b81", "url--570c9d6b-7534-4119-88f2-40a102de0b81", "indicator--570c9d6b-8278-455e-ac9f-4a7a02de0b81", "indicator--570c9d6c-464c-433a-909c-4f6d02de0b81", "observed-data--570c9d6c-4eac-4223-83be-49c802de0b81", "url--570c9d6c-4eac-4223-83be-49c802de0b81", "indicator--570c9d6d-4c88-4759-b81c-433402de0b81", "indicator--570c9d6d-22ac-402c-ab98-4a6602de0b81", "observed-data--570c9d6d-0e78-423b-91eb-480302de0b81", "url--570c9d6d-0e78-423b-91eb-480302de0b81", "indicator--570c9d6e-f308-4bcc-98a8-47cf02de0b81", "indicator--570c9d6e-db38-4f2f-aa28-46ba02de0b81", "observed-data--570c9d6e-ac6c-4287-8f7a-474402de0b81", "url--570c9d6e-ac6c-4287-8f7a-474402de0b81", "indicator--570c9d6e-22e8-4fca-b406-48d602de0b81", "indicator--570c9d6f-0410-4443-8036-48a802de0b81", "observed-data--570c9d6f-cfa8-402c-a027-42c802de0b81", "url--570c9d6f-cfa8-402c-a027-42c802de0b81", "indicator--570c9d6f-ab88-4ce2-8f07-4c7702de0b81", "indicator--570c9d70-3bd4-41c1-9e82-437f02de0b81", "observed-data--570c9d70-3e9c-46ae-8993-4d5d02de0b81", "url--570c9d70-3e9c-46ae-8993-4d5d02de0b81", "indicator--570c9d70-d444-4f7a-8d3b-4c0a02de0b81", "indicator--570c9d71-007c-4df4-a1db-47ba02de0b81", "observed-data--570c9d71-864c-4ae7-af74-42a802de0b81", "url--570c9d71-864c-4ae7-af74-42a802de0b81", "indicator--570c9d71-1c64-46b8-be3e-4dc302de0b81", "indicator--570c9d71-faa8-4253-95ce-4fa002de0b81", "observed-data--570c9d72-7658-4ae1-a57c-4ce402de0b81", "url--570c9d72-7658-4ae1-a57c-4ce402de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9481-4494-46ca-8e1c-4786950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T06:24:01.000Z", "modified": "2016-04-12T06:24:01.000Z", "first_observed": "2016-04-12T06:24:01Z", "last_observed": "2016-04-12T06:24:01Z", "number_observed": 1, "object_refs": [ "url--570c9481-4494-46ca-8e1c-4786950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9481-4494-46ca-8e1c-4786950d210f", "value": "http://blog.checkpoint.com/2016/04/11/new-locky-variant-implements-evasion-techniques/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--570c9491-25e4-444a-908a-4f6f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T06:24:17.000Z", "modified": "2016-04-12T06:24:17.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Following Check Point\u00e2\u20ac\u2122s recent discovery of a new communication scheme implemented by the Locky ransomware, our research teams decided to take a closer look at the inner workings of this new variant and map any new features it introduces.\r\n\r\nWhen Locky first appeared, we thoroughly analyzed its logic, like many other industry researchers. Our analysis showed that while not very sophisticated, Locky is a very efficient malware with a solid functionality and encryption algorithms. Judging by the amount of victim reports and detections generated by Locky in the past month alone, it is safe to say our observation was indeed correct.\r\n\r\nLocky\u00e2\u20ac\u2122s major drawback is not in its code, but rather in the quick and effective response by the security industry. Many successful security detections, on almost any possible security platform, caused the actors behind Locky to miss out on potential victims, as the malware was blocked from execution or even blocked altogether by internet gateways, not reaching the victim\u00e2\u20ac\u2122s computer at all. The changes we observed in this new Locky variant clearly show the Locky creators are very much aware of this fact, and therefore increased their efforts to evade security controls to gain a higher infection rate." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d58-bdb8-44a3-bf86-430f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:44.000Z", "modified": "2016-04-12T07:01:44.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '8f708c299215e2d0e8ce557c96ec771acdbbfffa46a25330caa61fe841e23877']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d58-4dfc-4c71-adb5-4fd9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:44.000Z", "modified": "2016-04-12T07:01:44.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '003d28f180472b832722435d27e216835a8a330f992797006d307f8f14c4a2d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d58-c0e8-4224-88f7-4b29950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:44.000Z", "modified": "2016-04-12T07:01:44.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '2674aebd85c3d0a384edf57c82ef22b3de5fa8aaa1217f80a1d47f71d71ae87d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d59-78b8-4656-b296-4ec1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:45.000Z", "modified": "2016-04-12T07:01:45.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '5780dde27ff31a38c269e763f3648bdabcad25d5db083c43c55502fdefe9f051']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d59-401c-4127-9ce6-4bfb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:45.000Z", "modified": "2016-04-12T07:01:45.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '588dfcfe90feaedc724b80919b580e4398f1b8474f5aae979de0e76e7c6c07e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d5a-2f18-4044-93b5-4ad0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:46.000Z", "modified": "2016-04-12T07:01:46.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '64d51aaf4abe4e87013056277277f05c55c6554d2a7005374f254983ac846c4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d5a-4d48-46f5-81f3-484a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:46.000Z", "modified": "2016-04-12T07:01:46.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = 'a2e965cde2b734cc99a8f69ad1a7549ba740c5983a90490f6a3701ca2bca966c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d5a-b614-4327-b70d-4c76950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:46.000Z", "modified": "2016-04-12T07:01:46.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = 'a5dc65cbe073898d09d2e07480f430a585cb309316cb4a32e3548b68c7416518']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d5b-31d8-4216-ba1c-4782950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:47.000Z", "modified": "2016-04-12T07:01:47.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = 'abf1caa982e32c8eb73916083504d42e6851fcbc09772a52e815df0e4fbdcdb5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d5b-7114-42d6-b606-48b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:47.000Z", "modified": "2016-04-12T07:01:47.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = 'e608637e38fc964bee96984ed568e5095451787030d6a8f75bf9be8511a91691']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d5b-4004-4d49-9ebe-4dd2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:01:47.000Z", "modified": "2016-04-12T07:01:47.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = 'f229c3ffa4de0bd43eaf1f7cbad920147982dd79f6032027117e23d5f6369f7e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:01:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d69-deac-40cc-a8ab-434502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:01.000Z", "modified": "2016-04-12T07:02:01.000Z", "description": "Sample - Xchecked via VT: f229c3ffa4de0bd43eaf1f7cbad920147982dd79f6032027117e23d5f6369f7e", "pattern": "[file:hashes.SHA1 = '16cc2d7f4892114c2d6c2a134e923e693868c711']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d69-413c-4c5c-a624-497f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:01.000Z", "modified": "2016-04-12T07:02:01.000Z", "description": "Sample - Xchecked via VT: f229c3ffa4de0bd43eaf1f7cbad920147982dd79f6032027117e23d5f6369f7e", "pattern": "[file:hashes.MD5 = 'b686846507cfdbf480e8002ca12ad2f1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d69-599c-46bb-93ae-47a402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:01.000Z", "modified": "2016-04-12T07:02:01.000Z", "first_observed": "2016-04-12T07:02:01Z", "last_observed": "2016-04-12T07:02:01Z", "number_observed": 1, "object_refs": [ "url--570c9d69-599c-46bb-93ae-47a402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d69-599c-46bb-93ae-47a402de0b81", "value": "https://www.virustotal.com/file/f229c3ffa4de0bd43eaf1f7cbad920147982dd79f6032027117e23d5f6369f7e/analysis/1460375902/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6a-5670-4c74-a38f-4b9502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:02.000Z", "modified": "2016-04-12T07:02:02.000Z", "description": "Sample - Xchecked via VT: e608637e38fc964bee96984ed568e5095451787030d6a8f75bf9be8511a91691", "pattern": "[file:hashes.SHA1 = '9d4f5902806c4030e6aa1f89f4a5b30f871b34d2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6a-0840-4603-8eb0-4ede02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:02.000Z", "modified": "2016-04-12T07:02:02.000Z", "description": "Sample - Xchecked via VT: e608637e38fc964bee96984ed568e5095451787030d6a8f75bf9be8511a91691", "pattern": "[file:hashes.MD5 = '4baa17713e2937d31aaaa327ee4af83a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d6a-f8dc-4480-a3e9-433b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:02.000Z", "modified": "2016-04-12T07:02:02.000Z", "first_observed": "2016-04-12T07:02:02Z", "last_observed": "2016-04-12T07:02:02Z", "number_observed": 1, "object_refs": [ "url--570c9d6a-f8dc-4480-a3e9-433b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d6a-f8dc-4480-a3e9-433b02de0b81", "value": "https://www.virustotal.com/file/e608637e38fc964bee96984ed568e5095451787030d6a8f75bf9be8511a91691/analysis/1460405757/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6b-07f8-4bfe-ab59-48d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:03.000Z", "modified": "2016-04-12T07:02:03.000Z", "description": "Sample - Xchecked via VT: abf1caa982e32c8eb73916083504d42e6851fcbc09772a52e815df0e4fbdcdb5", "pattern": "[file:hashes.SHA1 = 'f32cc53d6fd08efbe38530b5c32651a432380733']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6b-d740-4b20-8476-40c202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:03.000Z", "modified": "2016-04-12T07:02:03.000Z", "description": "Sample - Xchecked via VT: abf1caa982e32c8eb73916083504d42e6851fcbc09772a52e815df0e4fbdcdb5", "pattern": "[file:hashes.MD5 = 'deaa2618c7c021fe99e742633768d7f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d6b-7534-4119-88f2-40a102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:03.000Z", "modified": "2016-04-12T07:02:03.000Z", "first_observed": "2016-04-12T07:02:03Z", "last_observed": "2016-04-12T07:02:03Z", "number_observed": 1, "object_refs": [ "url--570c9d6b-7534-4119-88f2-40a102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d6b-7534-4119-88f2-40a102de0b81", "value": "https://www.virustotal.com/file/abf1caa982e32c8eb73916083504d42e6851fcbc09772a52e815df0e4fbdcdb5/analysis/1460160638/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6b-8278-455e-ac9f-4a7a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:03.000Z", "modified": "2016-04-12T07:02:03.000Z", "description": "Sample - Xchecked via VT: a5dc65cbe073898d09d2e07480f430a585cb309316cb4a32e3548b68c7416518", "pattern": "[file:hashes.SHA1 = 'a8b628d6cd9da9c15fe257ad1c4df193f3e106ec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6c-464c-433a-909c-4f6d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:04.000Z", "modified": "2016-04-12T07:02:04.000Z", "description": "Sample - Xchecked via VT: a5dc65cbe073898d09d2e07480f430a585cb309316cb4a32e3548b68c7416518", "pattern": "[file:hashes.MD5 = '3bbe188f3cfe4a013a0c0050b1e500aa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d6c-4eac-4223-83be-49c802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:04.000Z", "modified": "2016-04-12T07:02:04.000Z", "first_observed": "2016-04-12T07:02:04Z", "last_observed": "2016-04-12T07:02:04Z", "number_observed": 1, "object_refs": [ "url--570c9d6c-4eac-4223-83be-49c802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d6c-4eac-4223-83be-49c802de0b81", "value": "https://www.virustotal.com/file/a5dc65cbe073898d09d2e07480f430a585cb309316cb4a32e3548b68c7416518/analysis/1460053639/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6d-4c88-4759-b81c-433402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:05.000Z", "modified": "2016-04-12T07:02:05.000Z", "description": "Sample - Xchecked via VT: a2e965cde2b734cc99a8f69ad1a7549ba740c5983a90490f6a3701ca2bca966c", "pattern": "[file:hashes.SHA1 = '982a12e64a3ea4042a07727c767d137745b771a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6d-22ac-402c-ab98-4a6602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:05.000Z", "modified": "2016-04-12T07:02:05.000Z", "description": "Sample - Xchecked via VT: a2e965cde2b734cc99a8f69ad1a7549ba740c5983a90490f6a3701ca2bca966c", "pattern": "[file:hashes.MD5 = '8f622a4e2bce80717c71ca255af04c51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d6d-0e78-423b-91eb-480302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:05.000Z", "modified": "2016-04-12T07:02:05.000Z", "first_observed": "2016-04-12T07:02:05Z", "last_observed": "2016-04-12T07:02:05Z", "number_observed": 1, "object_refs": [ "url--570c9d6d-0e78-423b-91eb-480302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d6d-0e78-423b-91eb-480302de0b81", "value": "https://www.virustotal.com/file/a2e965cde2b734cc99a8f69ad1a7549ba740c5983a90490f6a3701ca2bca966c/analysis/1459941472/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6e-f308-4bcc-98a8-47cf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:06.000Z", "modified": "2016-04-12T07:02:06.000Z", "description": "Sample - Xchecked via VT: 64d51aaf4abe4e87013056277277f05c55c6554d2a7005374f254983ac846c4d", "pattern": "[file:hashes.SHA1 = 'c869a3a1030f19a1cf5e1656e3d747eee51b2ba8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6e-db38-4f2f-aa28-46ba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:06.000Z", "modified": "2016-04-12T07:02:06.000Z", "description": "Sample - Xchecked via VT: 64d51aaf4abe4e87013056277277f05c55c6554d2a7005374f254983ac846c4d", "pattern": "[file:hashes.MD5 = '3621540d2088c6b1215a4a965348a333']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d6e-ac6c-4287-8f7a-474402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:06.000Z", "modified": "2016-04-12T07:02:06.000Z", "first_observed": "2016-04-12T07:02:06Z", "last_observed": "2016-04-12T07:02:06Z", "number_observed": 1, "object_refs": [ "url--570c9d6e-ac6c-4287-8f7a-474402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d6e-ac6c-4287-8f7a-474402de0b81", "value": "https://www.virustotal.com/file/64d51aaf4abe4e87013056277277f05c55c6554d2a7005374f254983ac846c4d/analysis/1460251565/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6e-22e8-4fca-b406-48d602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:06.000Z", "modified": "2016-04-12T07:02:06.000Z", "description": "Sample - Xchecked via VT: 588dfcfe90feaedc724b80919b580e4398f1b8474f5aae979de0e76e7c6c07e4", "pattern": "[file:hashes.SHA1 = '1048807f48dd1a8b72bb36903930a91014638afd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6f-0410-4443-8036-48a802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:07.000Z", "modified": "2016-04-12T07:02:07.000Z", "description": "Sample - Xchecked via VT: 588dfcfe90feaedc724b80919b580e4398f1b8474f5aae979de0e76e7c6c07e4", "pattern": "[file:hashes.MD5 = 'f79c950fa3efc3bb29a4f15ae05448f2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d6f-cfa8-402c-a027-42c802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:07.000Z", "modified": "2016-04-12T07:02:07.000Z", "first_observed": "2016-04-12T07:02:07Z", "last_observed": "2016-04-12T07:02:07Z", "number_observed": 1, "object_refs": [ "url--570c9d6f-cfa8-402c-a027-42c802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d6f-cfa8-402c-a027-42c802de0b81", "value": "https://www.virustotal.com/file/588dfcfe90feaedc724b80919b580e4398f1b8474f5aae979de0e76e7c6c07e4/analysis/1459908170/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d6f-ab88-4ce2-8f07-4c7702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:07.000Z", "modified": "2016-04-12T07:02:07.000Z", "description": "Sample - Xchecked via VT: 5780dde27ff31a38c269e763f3648bdabcad25d5db083c43c55502fdefe9f051", "pattern": "[file:hashes.SHA1 = '251b2892efb68540bfca93c092ac88c47f3f629e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d70-3bd4-41c1-9e82-437f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:08.000Z", "modified": "2016-04-12T07:02:08.000Z", "description": "Sample - Xchecked via VT: 5780dde27ff31a38c269e763f3648bdabcad25d5db083c43c55502fdefe9f051", "pattern": "[file:hashes.MD5 = '8dacc97d71cefc25bad375a9b5bc67d4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d70-3e9c-46ae-8993-4d5d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:08.000Z", "modified": "2016-04-12T07:02:08.000Z", "first_observed": "2016-04-12T07:02:08Z", "last_observed": "2016-04-12T07:02:08Z", "number_observed": 1, "object_refs": [ "url--570c9d70-3e9c-46ae-8993-4d5d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d70-3e9c-46ae-8993-4d5d02de0b81", "value": "https://www.virustotal.com/file/5780dde27ff31a38c269e763f3648bdabcad25d5db083c43c55502fdefe9f051/analysis/1459958907/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d70-d444-4f7a-8d3b-4c0a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:08.000Z", "modified": "2016-04-12T07:02:08.000Z", "description": "Sample - Xchecked via VT: 2674aebd85c3d0a384edf57c82ef22b3de5fa8aaa1217f80a1d47f71d71ae87d", "pattern": "[file:hashes.SHA1 = '412eb41a02682d056c61cb03c30852d397c7132c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d71-007c-4df4-a1db-47ba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:09.000Z", "modified": "2016-04-12T07:02:09.000Z", "description": "Sample - Xchecked via VT: 2674aebd85c3d0a384edf57c82ef22b3de5fa8aaa1217f80a1d47f71d71ae87d", "pattern": "[file:hashes.MD5 = 'd8771f8d6fc74f03c453dc06284e5f5e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d71-864c-4ae7-af74-42a802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:09.000Z", "modified": "2016-04-12T07:02:09.000Z", "first_observed": "2016-04-12T07:02:09Z", "last_observed": "2016-04-12T07:02:09Z", "number_observed": 1, "object_refs": [ "url--570c9d71-864c-4ae7-af74-42a802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d71-864c-4ae7-af74-42a802de0b81", "value": "https://www.virustotal.com/file/2674aebd85c3d0a384edf57c82ef22b3de5fa8aaa1217f80a1d47f71d71ae87d/analysis/1459872907/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d71-1c64-46b8-be3e-4dc302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:09.000Z", "modified": "2016-04-12T07:02:09.000Z", "description": "Sample - Xchecked via VT: 003d28f180472b832722435d27e216835a8a330f992797006d307f8f14c4a2d3", "pattern": "[file:hashes.SHA1 = '456ca2c7c5b1fe65db7b26810cf2e2a89b8eb2c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--570c9d71-faa8-4253-95ce-4fa002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:09.000Z", "modified": "2016-04-12T07:02:09.000Z", "description": "Sample - Xchecked via VT: 003d28f180472b832722435d27e216835a8a330f992797006d307f8f14c4a2d3", "pattern": "[file:hashes.MD5 = 'ec0fae82b75ee1d7ce72b49d97dec4a1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-12T07:02:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--570c9d72-7658-4ae1-a57c-4ce402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-12T07:02:10.000Z", "modified": "2016-04-12T07:02:10.000Z", "first_observed": "2016-04-12T07:02:10Z", "last_observed": "2016-04-12T07:02:10Z", "number_observed": 1, "object_refs": [ "url--570c9d72-7658-4ae1-a57c-4ce402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--570c9d72-7658-4ae1-a57c-4ce402de0b81", "value": "https://www.virustotal.com/file/003d28f180472b832722435d27e216835a8a330f992797006d307f8f14c4a2d3/analysis/1460015668/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }