{ "type": "bundle", "id": "bundle--5a390de6-4a58-4a19-89fb-4620950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T03:00:39.000Z", "modified": "2017-12-21T03:00:39.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a390de6-4a58-4a19-89fb-4620950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T03:00:39.000Z", "modified": "2017-12-21T03:00:39.000Z", "name": "OSINT - Zeus Panda Banking Trojan Targets Online Holiday Shoppers", "published": "2017-12-28T13:33:53Z", "object_refs": [ "observed-data--5a390e33-a644-4e3a-957d-1606950d210f", "url--5a390e33-a644-4e3a-957d-1606950d210f", "x-misp-attribute--5a390e5c-090c-4b23-83f0-1714950d210f", "indicator--5a390ecd-e0a8-4c1e-95bc-498c950d210f", "indicator--5a390eec-3874-4509-a0dd-1708950d210f", "indicator--5a390efa-6134-40fc-901a-1713950d210f", "indicator--5a390f86-f3c8-4662-96dd-1690950d210f", "indicator--5a390f86-06c8-4a7b-a2de-1690950d210f", "indicator--5a390f87-2be4-4d90-b4b6-1690950d210f", "indicator--5a390f87-208c-477f-a436-1690950d210f", "indicator--5a390f87-7364-456f-9669-1690950d210f", "indicator--5a390f87-7528-4d33-a029-1690950d210f", "indicator--5a3910b0-33e0-4ba5-b4e3-18e3950d210f", "indicator--5a3910b0-2350-40f6-bf70-18e3950d210f", "observed-data--5a390eac-8b20-4401-83c1-169e950d210f", "email-message--5a390eac-8b20-4401-83c1-169e950d210f", "indicator--5a390f46-b670-4975-842a-473d950d210f", "indicator--5a3910e8-d3fc-421d-a96b-1690950d210f", "indicator--5a39110d-413c-4ff2-b531-bfd8950d210f", "indicator--85fc2ee8-1979-4b2b-8a01-a6e86992950e", "x-misp-object--6ef84376-1a21-41b0-8079-fe58470e8a3b", "indicator--cd87750f-ad31-466c-8256-6bb5c496c7e8", "x-misp-object--8e8856ca-85ff-4643-9b60-708617003213", "indicator--23b939ba-58a7-4265-acbb-12945bdaf96f", "x-misp-object--1b72a2c1-dda3-4770-9bfd-a29f36fbb9b9", "indicator--c299d343-7fb7-4bda-bc3c-578213b2333d", "x-misp-object--5d0428a2-0eaa-4719-89c9-c696ddf72dfa", "relationship--b0556070-f446-477c-be63-d85e2e2e7431", "relationship--86d7ac08-4973-4345-9001-80ddac2e4a77", "relationship--143d16c5-b87d-4c5d-8593-159d8cdc09a1", "relationship--dd2b57d5-f4e8-4eaa-a61a-c55e339844e7" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:banker=\"Panda Banker\"", "type:OSINT", "osint:source-type=\"blog-post\"", "ms-caro-malware-full:malware-family=\"Banker\"", "malware_classification:malware-category=\"Trojan\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a390e33-a644-4e3a-957d-1606950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "first_observed": "2017-12-20T09:11:54Z", "last_observed": "2017-12-20T09:11:54Z", "number_observed": 1, "object_refs": [ "url--5a390e33-a644-4e3a-957d-1606950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a390e33-a644-4e3a-957d-1606950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a390e5c-090c-4b23-83f0-1714950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Banking Trojans work by injecting code into web pages as they are viewed on infected machines, allowing the malware to harvest banking credentials and credit card information as victims interact with legitimate sites. Most often, the injects -- the code that actually performs the man-in-the-browser attacks -- are configured for region-specific banking sites. More recently, we have seen injects for online payment sites, casinos, retailers, and more appearing in banking Trojan campaigns.\r\n\r\nSince November -- a period of time that includes Thanksgiving, Black Friday, Cyber Monday and now leading up to Christmas -- we have observed Zeus Panda banking Trojan campaigns that have an increasing focus on non-banking targets with an extensive list of injects clearly designed to capitalize on holiday shopping and activities.\r\n\r\nMore specifically, these Zeus Panda (aka Panda Banker) campaigns expanded their injects to a variety of online shopping sites for brick and mortar retailers like Zara, specialty online retailers, travel sites, and video streaming sites, among others. The vast majority of these new targets will potentially see higher-than-normal numbers of credit card transactions for the holidays. While Zeus Panda can be configured to steal a variety of information, these injects collected the credit card number, address, phone number, DOB, SSN, and security question-related information such as mother\u00e2\u20ac\u2122s maiden name." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390ecd-e0a8-4c1e-95bc-498c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-19T13:06:21.000Z", "modified": "2017-12-19T13:06:21.000Z", "pattern": "[file:name = 'receipt-package-5a0a062cae04a.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-19T13:06:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390eec-3874-4509-a0dd-1708950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "description": "Landing page redirection", "pattern": "[url:value = 'https://canadapost-packagecenter.com/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390efa-6134-40fc-901a-1713950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "pattern": "[file:name = 'resume.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390f86-f3c8-4662-96dd-1690950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "description": "Document payload", "pattern": "[url:value = 'http://80.82.67.217/moo.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390f86-06c8-4a7b-a2de-1690950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-19T13:09:26.000Z", "modified": "2017-12-19T13:09:26.000Z", "description": "Panda", "pattern": "[file:hashes.SHA256 = '5f7a1b02d5b2904554e65bd01a12f1fa5ff2121eef53f3942c4e9e29c46bdce3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-19T13:09:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390f87-2be4-4d90-b4b6-1690950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "description": "Panda C&C", "pattern": "[domain-name:value = 'gromnes.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390f87-208c-477f-a436-1690950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "description": "Panda C&C", "pattern": "[domain-name:value = 'aklexim.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390f87-7364-456f-9669-1690950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "description": "Panda C&C", "pattern": "[domain-name:value = 'kichamyn.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390f87-7528-4d33-a029-1690950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-19T13:09:27.000Z", "modified": "2017-12-19T13:09:27.000Z", "description": "Attachment", "pattern": "[file:hashes.SHA256 = 'e13594d83f2a573627e742baf33298b9eeec1ebb8c7955304b8c35559e5f23dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-19T13:09:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3910b0-33e0-4ba5-b4e3-18e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "description": "Malicious URL in email", "pattern": "[url:value = 'http://www.nfk-trading.com/analyticsmmrxbctq/redirect/0849e22e843170e1600c1910df8cf9da-id-qblozsmn-to-package-awaiting']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3910b0-2350-40f6-bf70-18e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "description": "Document payload", "pattern": "[url:value = 'http://89.248.169.136/bigmac.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a390eac-8b20-4401-83c1-169e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-19T13:05:48.000Z", "modified": "2017-12-19T13:05:48.000Z", "first_observed": "2017-12-19T13:05:48Z", "last_observed": "2017-12-19T13:05:48Z", "number_observed": 1, "object_refs": [ "email-message--5a390eac-8b20-4401-83c1-169e950d210f" ], "labels": [ "misp:name=\"email\"", "misp:meta-category=\"network\"", "misp:to_ids=\"False\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--5a390eac-8b20-4401-83c1-169e950d210f", "is_multipart": false, "date": "2017-11-13T00:00:00Z", "subject": "Your package is ready to be picked up\u00e2\u20ac\u009d" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a390f46-b670-4975-842a-473d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-19T13:08:22.000Z", "modified": "2017-12-19T13:08:22.000Z", "pattern": "[email-message:date = '2017-12-11T00:00:00' AND email-message:subject = 'Application submitted from Gumtree Jobs by [First Last Names] for Field Sales Consultant - Status: Emailed' AND email-message:body_multipart[0].body_raw_ref.name = 'resume.doc' AND email-message:body_multipart[0].content_disposition = 'attachment']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-19T13:08:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"email\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3910e8-d3fc-421d-a96b-1690950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-19T13:15:20.000Z", "modified": "2017-12-19T13:15:20.000Z", "pattern": "[file:hashes.SHA256 = '2514dbf1549b517692e415af85baa6e5eca926cdedb526d2e255b5943501d98b' AND file:name = 'receipt-package-5a0a062cae04a.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-19T13:15:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a39110d-413c-4ff2-b531-bfd8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-19T13:15:57.000Z", "modified": "2017-12-19T13:15:57.000Z", "description": "Panda executable", "pattern": "[file:hashes.SHA256 = 'ae92a4a5bc64db6af23219d7fa2d8bce98a5d7eb2eff7193e4f49698e3e5650d' AND file:name = 'Bigmac.jpg' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-19T13:15:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--85fc2ee8-1979-4b2b-8a01-a6e86992950e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:57.000Z", "modified": "2017-12-20T09:11:57.000Z", "pattern": "[file:hashes.MD5 = 'a02d6ca05cbc89a317d82945bcb6b15b' AND file:hashes.SHA1 = '2cacb877c487b6dae47fb16fdd1dc7b05595125b' AND file:hashes.SHA256 = 'ae92a4a5bc64db6af23219d7fa2d8bce98a5d7eb2eff7193e4f49698e3e5650d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6ef84376-1a21-41b0-8079-fe58470e8a3b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:54.000Z", "modified": "2017-12-20T09:11:54.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ae92a4a5bc64db6af23219d7fa2d8bce98a5d7eb2eff7193e4f49698e3e5650d/analysis/1513357351/", "category": "External analysis", "uuid": "5a3a295b-b3fc-4cce-92cd-431402de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "53/67", "category": "Other", "uuid": "5a3a295b-18c0-4bed-af46-433102de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-15T17:02:31", "category": "Other", "uuid": "5a3a295b-6208-4950-9d19-4b6a02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cd87750f-ad31-466c-8256-6bb5c496c7e8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:58.000Z", "modified": "2017-12-20T09:11:58.000Z", "pattern": "[file:hashes.MD5 = '52b053886cc0ca44df86cba91de968fa' AND file:hashes.SHA1 = 'ef22bcec61cb2aea85cd93cede6af5f4b27e011b' AND file:hashes.SHA256 = '5f7a1b02d5b2904554e65bd01a12f1fa5ff2121eef53f3942c4e9e29c46bdce3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8e8856ca-85ff-4643-9b60-708617003213", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:55.000Z", "modified": "2017-12-20T09:11:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/5f7a1b02d5b2904554e65bd01a12f1fa5ff2121eef53f3942c4e9e29c46bdce3/analysis/1513686510/", "category": "External analysis", "comment": "Panda", "uuid": "5a3a295b-c948-41f7-9f3c-4eb802de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "44/66", "category": "Other", "comment": "Panda", "uuid": "5a3a295b-1164-44e5-a7fb-4bc902de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-19T12:28:30", "category": "Other", "comment": "Panda", "uuid": "5a3a295b-f134-4097-aaad-481602de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--23b939ba-58a7-4265-acbb-12945bdaf96f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:58.000Z", "modified": "2017-12-20T09:11:58.000Z", "pattern": "[file:hashes.MD5 = 'b2a6ec17f49740ddc699640fb19f951d' AND file:hashes.SHA1 = '00d8ef79f6fe532815c0325fb6d7165cdae98548' AND file:hashes.SHA256 = 'e13594d83f2a573627e742baf33298b9eeec1ebb8c7955304b8c35559e5f23dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--1b72a2c1-dda3-4770-9bfd-a29f36fbb9b9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:55.000Z", "modified": "2017-12-20T09:11:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e13594d83f2a573627e742baf33298b9eeec1ebb8c7955304b8c35559e5f23dc/analysis/1513686599/", "category": "External analysis", "comment": "Attachment", "uuid": "5a3a295b-9dd4-4202-b6ac-44e102de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "27/58", "category": "Other", "comment": "Attachment", "uuid": "5a3a295b-bb18-4c9d-b107-418e02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-19T12:29:59", "category": "Other", "comment": "Attachment", "uuid": "5a3a295b-30fc-4206-af56-438802de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c299d343-7fb7-4bda-bc3c-578213b2333d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:58.000Z", "modified": "2017-12-20T09:11:58.000Z", "pattern": "[file:hashes.MD5 = 'bcac60105cb24fdbcc03c1d52d09bfd1' AND file:hashes.SHA1 = '8eab9d3dfe6ac35a3624e916bb3cdc6d390a83d2' AND file:hashes.SHA256 = '2514dbf1549b517692e415af85baa6e5eca926cdedb526d2e255b5943501d98b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-20T09:11:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d0428a2-0eaa-4719-89c9-c696ddf72dfa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T09:11:55.000Z", "modified": "2017-12-20T09:11:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/2514dbf1549b517692e415af85baa6e5eca926cdedb526d2e255b5943501d98b/analysis/1513686655/", "category": "External analysis", "uuid": "5a3a295b-efcc-4b80-b82d-4cb402de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "33/58", "category": "Other", "uuid": "5a3a295b-3e4c-474f-8b74-480c02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-19T12:30:55", "category": "Other", "uuid": "5a3a295b-f240-48da-adee-467702de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b0556070-f446-477c-be63-d85e2e2e7431", "created": "2017-12-28T13:33:53.000Z", "modified": "2017-12-28T13:33:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--85fc2ee8-1979-4b2b-8a01-a6e86992950e", "target_ref": "x-misp-object--6ef84376-1a21-41b0-8079-fe58470e8a3b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--86d7ac08-4973-4345-9001-80ddac2e4a77", "created": "2017-12-28T13:33:53.000Z", "modified": "2017-12-28T13:33:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--cd87750f-ad31-466c-8256-6bb5c496c7e8", "target_ref": "x-misp-object--8e8856ca-85ff-4643-9b60-708617003213" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--143d16c5-b87d-4c5d-8593-159d8cdc09a1", "created": "2017-12-28T13:33:53.000Z", "modified": "2017-12-28T13:33:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--23b939ba-58a7-4265-acbb-12945bdaf96f", "target_ref": "x-misp-object--1b72a2c1-dda3-4770-9bfd-a29f36fbb9b9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dd2b57d5-f4e8-4eaa-a61a-c55e339844e7", "created": "2017-12-28T13:33:53.000Z", "modified": "2017-12-28T13:33:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c299d343-7fb7-4bda-bc3c-578213b2333d", "target_ref": "x-misp-object--5d0428a2-0eaa-4719-89c9-c696ddf72dfa" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }