{ "type": "bundle", "id": "bundle--58dbc5ad-10a4-4da9-9e7e-4b97950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58dbc5ad-10a4-4da9-9e7e-4b97950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "name": "OSINT - Trojanized Adobe Installer used to Install DragonOK\u00e2\u20ac\u2122s New Custom Backdoor", "published": "2017-03-29T20:20:18Z", "object_refs": [ "observed-data--58dbc5d4-5f34-4f5e-b2e3-4664950d210f", "url--58dbc5d4-5f34-4f5e-b2e3-4664950d210f", "x-misp-attribute--58dbc5ef-6c24-4801-86c5-4944950d210f", "indicator--58dc159d-b54c-4e52-9ee3-4b1d02de0b81", "indicator--58dc159e-6a80-44ee-94fd-456702de0b81", "indicator--58dc159f-5910-4d6d-b3c1-4e0602de0b81", "indicator--58dc15a0-80f0-4d65-973b-40b302de0b81", "indicator--58dc15c1-cf94-482f-9ee5-418802de0b81", "indicator--58dc15c2-649c-473f-9045-4ee202de0b81", "indicator--58dc15c3-bb6c-4d2e-a33c-428802de0b81", "indicator--58dc15c4-cd04-4b0d-b884-473d02de0b81", "indicator--58dc1635-62b4-4b6b-adc9-453f02de0b81", "indicator--58dc1636-6c58-4d65-8fdd-402902de0b81", "vulnerability--58dc1637-eaa4-46be-91b3-413702de0b81", "indicator--58dc1637-6314-4a40-87bf-421502de0b81", "indicator--58dc1638-d968-4a8c-bbc9-454802de0b81", "indicator--58dc1639-f108-4f79-bbe8-420902de0b81", "indicator--58dc16b0-ca90-4d27-baf8-485402de0b81", "indicator--58dc16b1-e6b4-4ed3-ba45-421602de0b81", "observed-data--58dc16b2-9a68-4d13-a606-4c7a02de0b81", "url--58dc16b2-9a68-4d13-a606-4c7a02de0b81", "indicator--58dc16b3-b000-483c-aa79-4a4702de0b81", "indicator--58dc16b3-a060-437a-a68a-4dc102de0b81", "observed-data--58dc16b4-5908-4e49-9f32-469e02de0b81", "url--58dc16b4-5908-4e49-9f32-469e02de0b81", "indicator--58dc16b5-e74c-4858-b681-41bc02de0b81", "indicator--58dc16b6-1b2c-45a2-8f5b-4e4c02de0b81", "observed-data--58dc16b7-4fd4-42d2-8141-45ab02de0b81", "url--58dc16b7-4fd4-42d2-8141-45ab02de0b81", "indicator--58dc16b8-2fe8-41a4-aba2-445c02de0b81", "indicator--58dc16b9-d638-40f0-a691-420602de0b81", "observed-data--58dc16ba-fae0-49ff-9c9a-4f3502de0b81", "url--58dc16ba-fae0-49ff-9c9a-4f3502de0b81", "indicator--58dc16bb-2338-471e-a37e-4c7002de0b81", "indicator--58dc16bc-4508-47e8-82d3-4a7c02de0b81", "observed-data--58dc16bd-4788-4ad3-b66b-430102de0b81", "url--58dc16bd-4788-4ad3-b66b-430102de0b81", "indicator--58dc16be-d024-4e8c-b92a-4fd002de0b81", "indicator--58dc16bf-c7dc-4064-8375-4c3102de0b81", "observed-data--58dc16c0-3678-4c8f-8f5d-44d902de0b81", "url--58dc16c0-3678-4c8f-8f5d-44d902de0b81", "indicator--58dc16c1-a448-4d35-b828-4f1102de0b81", "indicator--58dc16c2-2a20-456e-972f-4bd602de0b81", "observed-data--58dc16c3-3474-468a-8d3a-49c502de0b81", "url--58dc16c3-3474-468a-8d3a-49c502de0b81", "indicator--58dc16c4-b198-4843-8b67-427f02de0b81", "indicator--58dc16c5-9344-4378-8cd6-49b302de0b81", "observed-data--58dc16c6-3f00-45de-8e32-475902de0b81", "url--58dc16c6-3f00-45de-8e32-475902de0b81", "indicator--58dc16c7-de10-424e-87f1-48ad02de0b81", "indicator--58dc16c7-fa90-4207-bc4e-452302de0b81", "observed-data--58dc16c8-4a68-42c6-9f2f-438302de0b81", "url--58dc16c8-4a68-42c6-9f2f-438302de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:tool=\"KHRAT\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dbc5d4-5f34-4f5e-b2e3-4664950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "first_observed": "2017-03-29T20:18:41Z", "last_observed": "2017-03-29T20:18:41Z", "number_observed": 1, "object_refs": [ "url--58dbc5d4-5f34-4f5e-b2e3-4664950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dbc5d4-5f34-4f5e-b2e3-4664950d210f", "value": "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58dbc5ef-6c24-4801-86c5-4944950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Since January of this year, Forcepoint Security Labs\u00e2\u201e\u00a2 have observed that the DragonOK campaign have started to target political parties in Cambodia. DragonOK is an active targeted attack that was first discovered in 2014. It is known to target organizations from Taiwan, Japan, Tibet and Russia with spear-phishing emails containing malicious attachments. \r\n\r\nThe latest dropper they used is disguised as an Adobe Reader installer and installs yet another new custom remote access tool (RAT). We have named this RAT \u00e2\u20ac\u0153KHRAT\u00e2\u20ac\u009d based on one of the command and control servers used, kh[.]inter-ctrip[.]com, which pertained to Cambodia\u00e2\u20ac\u2122s country code." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc159d-b54c-4e52-9ee3-4b1d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "Compilation 05/01/2017 05:37", "pattern": "[file:hashes.SHA256 = '17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc159e-6a80-44ee-94fd-456702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "Compilation 05/01/2017 05:37", "pattern": "[file:hashes.SHA256 = 'a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc159f-5910-4d6d-b3c1-4e0602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "Compilation 16/02/2017 03:53", "pattern": "[file:hashes.SHA256 = '540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc15a0-80f0-4d65-973b-40b302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "Compilation 08/03/2017 01:43", "pattern": "[file:hashes.SHA256 = 'ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc15c1-cf94-482f-9ee5-418802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "KHRAT C2s", "pattern": "[domain-name:value = 'cookie.inter-ctrip.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc15c2-649c-473f-9045-4ee202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "KHRAT C2s", "pattern": "[domain-name:value = 'help.inter-ctrip.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc15c3-bb6c-4d2e-a33c-428802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "KHRAT C2s", "pattern": "[domain-name:value = 'bit.inter-ctrip.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc15c4-cd04-4b0d-b884-473d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "KHRAT C2s", "pattern": "[domain-name:value = 'kh.inter-ctrip.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc1635-62b4-4b6b-adc9-453f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "(\"reader112_en_ha_install.exe\", dropper)", "pattern": "[file:hashes.SHA256 = 'bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc1636-6c58-4d65-8fdd-402902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "(RTF dropper with CVE-2015-1641 exploit, unknown filename)", "pattern": "[file:hashes.SHA256 = '9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--58dc1637-eaa4-46be-91b3-413702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "name": "CVE-2015-1641", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"External analysis\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2015-1641" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc1637-6314-4a40-87bf-421502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "(\u00e2\u20ac\u0153KFC.exe\u00e2\u20ac\u009d, KHRAT loader)", "pattern": "[file:hashes.SHA256 = 'd9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc1638-d968-4a8c-bbc9-454802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "(\u00e2\u20ac\u0153The plan CPP split CNRP!.doc.exe\u00e2\u20ac\u009d, dropper)", "pattern": "[file:hashes.SHA256 = 'a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc1639-f108-4f79-bbe8-420902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:41.000Z", "modified": "2017-03-29T20:18:41.000Z", "description": "(\u00e2\u20ac\u0153KFC.com\u00e2\u20ac\u009d, KHRAT loader)", "pattern": "[file:hashes.SHA256 = '77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16b0-ca90-4d27-baf8-485402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:56.000Z", "modified": "2017-03-29T20:18:56.000Z", "description": "(\u00e2\u20ac\u0153KFC.com\u00e2\u20ac\u009d, KHRAT loader) - Xchecked via VT: 77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7", "pattern": "[file:hashes.SHA1 = '02c7e31f90ec4bb77dc68c32e626f7ed9a22c1e9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16b1-e6b4-4ed3-ba45-421602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:57.000Z", "modified": "2017-03-29T20:18:57.000Z", "description": "(\u00e2\u20ac\u0153KFC.com\u00e2\u20ac\u009d, KHRAT loader) - Xchecked via VT: 77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7", "pattern": "[file:hashes.MD5 = 'aea2d5b5e72c0432904039316efa1bd2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16b2-9a68-4d13-a606-4c7a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:58.000Z", "modified": "2017-03-29T20:18:58.000Z", "first_observed": "2017-03-29T20:18:58Z", "last_observed": "2017-03-29T20:18:58Z", "number_observed": 1, "object_refs": [ "url--58dc16b2-9a68-4d13-a606-4c7a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16b2-9a68-4d13-a606-4c7a02de0b81", "value": "https://www.virustotal.com/file/77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7/analysis/1490651490/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16b3-b000-483c-aa79-4a4702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:59.000Z", "modified": "2017-03-29T20:18:59.000Z", "description": "(\u00e2\u20ac\u0153The plan CPP split CNRP!.doc.exe\u00e2\u20ac\u009d, dropper) - Xchecked via VT: a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b", "pattern": "[file:hashes.SHA1 = '8a3a1f879dc0d6ad274223d0cecc471164f67dfe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16b3-a060-437a-a68a-4dc102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:18:59.000Z", "modified": "2017-03-29T20:18:59.000Z", "description": "(\u00e2\u20ac\u0153The plan CPP split CNRP!.doc.exe\u00e2\u20ac\u009d, dropper) - Xchecked via VT: a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b", "pattern": "[file:hashes.MD5 = '4772aaf68a7a408fa2a344fdef1bd167']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:18:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16b4-5908-4e49-9f32-469e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:00.000Z", "modified": "2017-03-29T20:19:00.000Z", "first_observed": "2017-03-29T20:19:00Z", "last_observed": "2017-03-29T20:19:00Z", "number_observed": 1, "object_refs": [ "url--58dc16b4-5908-4e49-9f32-469e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16b4-5908-4e49-9f32-469e02de0b81", "value": "https://www.virustotal.com/file/a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b/analysis/1490681567/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16b5-e74c-4858-b681-41bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:01.000Z", "modified": "2017-03-29T20:19:01.000Z", "description": "(\u00e2\u20ac\u0153KFC.exe\u00e2\u20ac\u009d, KHRAT loader) - Xchecked via VT: d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5", "pattern": "[file:hashes.SHA1 = 'bffefb8f7d0ec8048e5180e5fb68b327c44dfd25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16b6-1b2c-45a2-8f5b-4e4c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:02.000Z", "modified": "2017-03-29T20:19:02.000Z", "description": "(\u00e2\u20ac\u0153KFC.exe\u00e2\u20ac\u009d, KHRAT loader) - Xchecked via VT: d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5", "pattern": "[file:hashes.MD5 = 'e9e5af639641b50d5d1747d43a5fd648']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16b7-4fd4-42d2-8141-45ab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:03.000Z", "modified": "2017-03-29T20:19:03.000Z", "first_observed": "2017-03-29T20:19:03Z", "last_observed": "2017-03-29T20:19:03Z", "number_observed": 1, "object_refs": [ "url--58dc16b7-4fd4-42d2-8141-45ab02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16b7-4fd4-42d2-8141-45ab02de0b81", "value": "https://www.virustotal.com/file/d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5/analysis/1490681777/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16b8-2fe8-41a4-aba2-445c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:04.000Z", "modified": "2017-03-29T20:19:04.000Z", "description": "(RTF dropper with CVE-2015-1641 exploit, unknown filename) - Xchecked via VT: 9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0", "pattern": "[file:hashes.SHA1 = 'e73047c30c30152b0b52bc82a0f109154c9d444a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16b9-d638-40f0-a691-420602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:05.000Z", "modified": "2017-03-29T20:19:05.000Z", "description": "(RTF dropper with CVE-2015-1641 exploit, unknown filename) - Xchecked via VT: 9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0", "pattern": "[file:hashes.MD5 = 'bb70e1711b7474944b8487b5849dc8de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16ba-fae0-49ff-9c9a-4f3502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:06.000Z", "modified": "2017-03-29T20:19:06.000Z", "first_observed": "2017-03-29T20:19:06Z", "last_observed": "2017-03-29T20:19:06Z", "number_observed": 1, "object_refs": [ "url--58dc16ba-fae0-49ff-9c9a-4f3502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16ba-fae0-49ff-9c9a-4f3502de0b81", "value": "https://www.virustotal.com/file/9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0/analysis/1490622667/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16bb-2338-471e-a37e-4c7002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:07.000Z", "modified": "2017-03-29T20:19:07.000Z", "description": "(\"reader112_en_ha_install.exe\", dropper) - Xchecked via VT: bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2", "pattern": "[file:hashes.SHA1 = '760c1e68f7fdc633bdd0cf4a14f0f8f2a1048fa7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16bc-4508-47e8-82d3-4a7c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:08.000Z", "modified": "2017-03-29T20:19:08.000Z", "description": "(\"reader112_en_ha_install.exe\", dropper) - Xchecked via VT: bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2", "pattern": "[file:hashes.MD5 = 'e8a702d15148d8dbe9b0d87c71b6c93e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16bd-4788-4ad3-b66b-430102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:09.000Z", "modified": "2017-03-29T20:19:09.000Z", "first_observed": "2017-03-29T20:19:09Z", "last_observed": "2017-03-29T20:19:09Z", "number_observed": 1, "object_refs": [ "url--58dc16bd-4788-4ad3-b66b-430102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16bd-4788-4ad3-b66b-430102de0b81", "value": "https://www.virustotal.com/file/bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2/analysis/1490617814/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16be-d024-4e8c-b92a-4fd002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:10.000Z", "modified": "2017-03-29T20:19:10.000Z", "description": "Compilation 08/03/2017 01:43 - Xchecked via VT: ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e", "pattern": "[file:hashes.SHA1 = 'bf0522bd5ff0b4583bb23c6c5f88a7c69196b025']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16bf-c7dc-4064-8375-4c3102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:11.000Z", "modified": "2017-03-29T20:19:11.000Z", "description": "Compilation 08/03/2017 01:43 - Xchecked via VT: ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e", "pattern": "[file:hashes.MD5 = 'dabbdb8ca7bc3454bc0c682e18569062']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16c0-3678-4c8f-8f5d-44d902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:12.000Z", "modified": "2017-03-29T20:19:12.000Z", "first_observed": "2017-03-29T20:19:12Z", "last_observed": "2017-03-29T20:19:12Z", "number_observed": 1, "object_refs": [ "url--58dc16c0-3678-4c8f-8f5d-44d902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16c0-3678-4c8f-8f5d-44d902de0b81", "value": "https://www.virustotal.com/file/ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e/analysis/1490617887/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16c1-a448-4d35-b828-4f1102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:13.000Z", "modified": "2017-03-29T20:19:13.000Z", "description": "Compilation 16/02/2017 03:53 - Xchecked via VT: 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b", "pattern": "[file:hashes.SHA1 = '7b2faee6e1c2b9d81775aab0d41c89e8ff36d5cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16c2-2a20-456e-972f-4bd602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:14.000Z", "modified": "2017-03-29T20:19:14.000Z", "description": "Compilation 16/02/2017 03:53 - Xchecked via VT: 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b", "pattern": "[file:hashes.MD5 = 'cd6f95f767b26b1fcac8ad33d25131c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16c3-3474-468a-8d3a-49c502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:15.000Z", "modified": "2017-03-29T20:19:15.000Z", "first_observed": "2017-03-29T20:19:15Z", "last_observed": "2017-03-29T20:19:15Z", "number_observed": 1, "object_refs": [ "url--58dc16c3-3474-468a-8d3a-49c502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16c3-3474-468a-8d3a-49c502de0b81", "value": "https://www.virustotal.com/file/540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b/analysis/1490778691/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16c4-b198-4843-8b67-427f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:16.000Z", "modified": "2017-03-29T20:19:16.000Z", "description": "Compilation 05/01/2017 05:37 - Xchecked via VT: a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f", "pattern": "[file:hashes.SHA1 = 'ba4f2368178b6a12b05c6373fbbe8506e4cfe935']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16c5-9344-4378-8cd6-49b302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:17.000Z", "modified": "2017-03-29T20:19:17.000Z", "description": "Compilation 05/01/2017 05:37 - Xchecked via VT: a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f", "pattern": "[file:hashes.MD5 = '156da506f2a89c6cc2c418ffcbbc7ae7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16c6-3f00-45de-8e32-475902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:18.000Z", "modified": "2017-03-29T20:19:18.000Z", "first_observed": "2017-03-29T20:19:18Z", "last_observed": "2017-03-29T20:19:18Z", "number_observed": 1, "object_refs": [ "url--58dc16c6-3f00-45de-8e32-475902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16c6-3f00-45de-8e32-475902de0b81", "value": "https://www.virustotal.com/file/a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f/analysis/1490778652/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16c7-de10-424e-87f1-48ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:19.000Z", "modified": "2017-03-29T20:19:19.000Z", "description": "Compilation 05/01/2017 05:37 - Xchecked via VT: 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0", "pattern": "[file:hashes.SHA1 = 'c1e2032469155b2299782fb94004379718c2fd8e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dc16c7-fa90-4207-bc4e-452302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:19.000Z", "modified": "2017-03-29T20:19:19.000Z", "description": "Compilation 05/01/2017 05:37 - Xchecked via VT: 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0", "pattern": "[file:hashes.MD5 = '18fc1ed27e04309fe7f62e4221c5a459']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-29T20:19:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dc16c8-4a68-42c6-9f2f-438302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-29T20:19:20.000Z", "modified": "2017-03-29T20:19:20.000Z", "first_observed": "2017-03-29T20:19:20Z", "last_observed": "2017-03-29T20:19:20Z", "number_observed": 1, "object_refs": [ "url--58dc16c8-4a68-42c6-9f2f-438302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dc16c8-4a68-42c6-9f2f-438302de0b81", "value": "https://www.virustotal.com/file/17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0/analysis/1490681838/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }