{ "type": "bundle", "id": "bundle--5a54ad87-3328-4dde-aa9f-4a7e950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T03:00:24.000Z", "modified": "2018-01-12T03:00:24.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a54ad87-3328-4dde-aa9f-4a7e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T03:00:24.000Z", "modified": "2018-01-12T03:00:24.000Z", "name": "OSINT - MICROCIN MALWARE", "published": "2018-02-16T08:46:21Z", "object_refs": [ "observed-data--5a54adfd-02a8-4e79-96fa-4b61950d210f", "url--5a54adfd-02a8-4e79-96fa-4b61950d210f", "observed-data--5a54adfd-28c4-4050-9631-435a950d210f", "url--5a54adfd-28c4-4050-9631-435a950d210f", "indicator--5a571d5a-4528-4ebb-a311-099a950d210f", "indicator--5a571d5a-b69c-4bc7-bbf3-099a950d210f", "indicator--5a571d5a-dc2c-4cba-bb59-099a950d210f", "indicator--5a571d5a-a0b8-4492-a896-099a950d210f", "indicator--5a571d5a-3368-4bfd-85fa-099a950d210f", "indicator--5a571d5a-e770-443e-8d1f-099a950d210f", "indicator--5a571d5a-bea0-4630-807a-099a950d210f", "indicator--5a571dad-c290-481e-8188-4a23950d210f", "indicator--5a571dae-3804-47b1-91da-47a3950d210f", "indicator--5a571dae-f3f8-4ca1-8b83-4ed4950d210f", "indicator--5a571dae-a8a4-4182-8080-4027950d210f", "indicator--5a571dae-1cdc-4b24-9c68-4592950d210f", "indicator--5a571dae-a4c0-45e4-a33c-4d5c950d210f", "indicator--5a571dae-ea7c-447f-b125-44de950d210f", "indicator--5a571dae-8030-4e44-81b5-4c26950d210f", "indicator--5a571dae-b950-4557-b466-4823950d210f", "indicator--5a571dae-9e10-47b9-a693-438a950d210f", "indicator--5a571dae-3e74-4e95-97eb-4cff950d210f", "indicator--5a571dae-ded8-40c0-b51d-4ef1950d210f", "indicator--5a571dae-1d70-440c-b888-4466950d210f", "x-misp-attribute--5a571dce-ed9c-439a-bb6f-0ee0950d210f", "indicator--5a571880-d098-4276-b23e-439a950d210f", "indicator--0dae0b43-76e3-49a2-b984-c7cbd3ca6e02", "x-misp-object--200574ab-5db2-4aef-a3a9-db2d4870285b", "indicator--872eb001-bd68-4082-a707-f69e00ab1cfe", "x-misp-object--f06f8919-d425-414c-94d9-6461c49c81b1", "indicator--2c34de1e-5ccd-4750-b921-dbc1e57b4cb3", "x-misp-object--c688bc3b-d1af-443c-8363-d44c27a98060", "indicator--7613cc8b-ce21-4638-9ef6-3497d9415329", "x-misp-object--67d648f6-ac84-40ae-9edf-90144cd3b7d3", "indicator--9c677e93-f664-4a47-a479-c7807c12d2aa", "x-misp-object--f12656a4-afc0-4caf-b4d0-00701f6754bc", "indicator--f669bde1-8c02-4eca-953c-eba3dffcaf5a", "x-misp-object--1ffb93b4-6850-494f-82bd-0b0b9a00c94d", "x-misp-object--816abaaf-b4ea-468d-927d-b81c1ebe62b7", "relationship--431f6014-8f26-4cb1-a67f-b736e1e17c7e", "relationship--19f02259-7391-48d1-b5c0-1b1d97ad9707", "relationship--c0e69308-5691-42bb-9195-ce69791e4cec", "relationship--4f2d2620-5f93-4faa-9cf3-566e35eb2aa8", "relationship--82c18279-b3db-4bbd-b852-71bbc66b4c7c", "relationship--251848c4-02df-47a6-9cbb-3967c1a3d145", "relationship--4cc6d829-6e54-4ace-827d-dfde05496106" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:incident-classification=\"malware\"", "osint:source-type=\"blog-post\"", "osint:source-type=\"technical-report\"", "misp-galaxy:threat-actor=\"Microcin\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a54adfd-02a8-4e79-96fa-4b61950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T13:30:38.000Z", "modified": "2018-01-11T13:30:38.000Z", "first_observed": "2018-01-11T13:30:38Z", "last_observed": "2018-01-11T13:30:38Z", "number_observed": 1, "object_refs": [ "url--5a54adfd-02a8-4e79-96fa-4b61950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"technical-report\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a54adfd-02a8-4e79-96fa-4b61950d210f", "value": "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a54adfd-28c4-4050-9631-435a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T13:30:38.000Z", "modified": "2018-01-11T13:30:38.000Z", "first_observed": "2018-01-11T13:30:38Z", "last_observed": "2018-01-11T13:30:38Z", "number_observed": 1, "object_refs": [ "url--5a54adfd-28c4-4050-9631-435a950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a54adfd-28c4-4050-9631-435a950d210f", "value": "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571d5a-4528-4ebb-a311-099a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:16:26.000Z", "modified": "2018-01-11T08:16:26.000Z", "description": "malicious documents", "pattern": "[file:hashes.MD5 = '371bae0fc70563c7fa1ec0e3a0f037f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:16:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571d5a-b69c-4bc7-bbf3-099a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:16:26.000Z", "modified": "2018-01-11T08:16:26.000Z", "description": "malicious documents", "pattern": "[file:hashes.MD5 = 'f4deeb3db67bae6cc224802fbad1f3f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:16:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571d5a-dc2c-4cba-bb59-099a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:16:26.000Z", "modified": "2018-01-11T08:16:26.000Z", "description": "malicious documents", "pattern": "[file:hashes.MD5 = '3f288e450a375a26bd9c4de7f2bcfd66']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:16:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571d5a-a0b8-4492-a896-099a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:16:26.000Z", "modified": "2018-01-11T08:16:26.000Z", "description": "malicious documents", "pattern": "[file:hashes.MD5 = '7bcf447a93fd37d068ec27dd04c301cb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:16:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571d5a-3368-4bfd-85fa-099a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:16:26.000Z", "modified": "2018-01-11T08:16:26.000Z", "description": "malicious documents", "pattern": "[file:hashes.MD5 = '873105f03ae425101ea206dcd6bc539f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:16:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571d5a-e770-443e-8d1f-099a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:16:26.000Z", "modified": "2018-01-11T08:16:26.000Z", "description": "malicious documents", "pattern": "[file:hashes.MD5 = 'ab6544e1eba3af3f5236d99b755c701c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:16:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571d5a-bea0-4630-807a-099a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:16:26.000Z", "modified": "2018-01-11T08:16:26.000Z", "description": "malicious documents", "pattern": "[file:hashes.MD5 = '6e006124678ffc18458d1322de6232a7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:16:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dad-c290-481e-8188-4a23950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:49.000Z", "modified": "2018-01-11T08:17:49.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '056f811ef41c213b037008300b0daf0d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-3804-47b1-91da-47a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '3ebcacb207b33bd5376d00b24cb3386c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-f3f8-4ca1-8b83-4ed4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '4644ce606ab4b62622e4a9e6a80d792d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-a8a4-4182-8080-4027950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '4ba4346984a380e22afaccff78688a54']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-1cdc-4b24-9c68-4592950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '60cb9e553884085700e359e5367d5fb4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-a4c0-45e4-a33c-4d5c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '7771e1738fc2e4de210ac06a5e62c534']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-ea7c-447f-b125-44de950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '7a290a29ea0d84e4475e021fa87ec466']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-8030-4e44-81b5-4c26950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '7d8ee0e91cd88bb36d84d52d1d796dea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-b950-4557-b466-4823950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = 'a54966098b2281e4b75b747dbb52f431']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-9e10-47b9-a693-438a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = 'a5c7b7a26fa0f15cbf7bdd3db597fbe6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-3e74-4e95-97eb-4cff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = 'dc6c8bae242c43dad76970329270155e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-ded8-40c0-b51d-4ef1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '335cb36cc21c47b849d370a892d759b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571dae-1d70-440c-b888-4466950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T08:17:50.000Z", "modified": "2018-01-11T08:17:50.000Z", "description": "backdoors", "pattern": "[file:hashes.MD5 = '948fecf6a044b79de79dc69e09d9979b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T08:17:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a571dce-ed9c-439a-bb6f-0ee0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T13:30:38.000Z", "modified": "2018-01-11T13:30:38.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "We\u00e2\u20ac\u2122re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago \u00e2\u20ac\u201c we named it \u00e2\u20ac\u02dcMicrocin\u00e2\u20ac\u2122 after microini, one of the malicious components used in it.\r\n\r\nWe detected a suspicious RTF file. The document contained an exploit to the previously known and patched vulnerability CVE-2015-1641; however, its code had been modified considerably. Remarkably, the malicious document was delivered via websites that targeted a very narrow audience, so we suspected early on that we were dealing with a targeted attack. The threat actors took aim at users visiting forums with discussions on the state-subsidized housing that Russian military personnel and their families are entitled to." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a571880-d098-4276-b23e-439a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T07:55:47.000Z", "modified": "2018-01-11T07:55:47.000Z", "pattern": "[file:hashes.MD5 = 'a50b6ec77276cf235eaf2d14665bdb5c' AND file:name = '\u00d0\u0161\u00d0\u00b0\u00d0\u00ba\u00d0\u0178\u00d1\u20ac\u00d0\u00b8\u00d0\u00bd\u00d0\u00b8\u00d0\u00bc\u00d0\u00b0\u00d1\u201a\u00d1\u0152\u00d0\u0161\u00d0\u00b2\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b8\u00d1\u20ac\u00d1\u0192-1.rtf' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T07:55:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0dae0b43-76e3-49a2-b984-c7cbd3ca6e02", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:49.000Z", "modified": "2018-01-11T11:30:49.000Z", "pattern": "[file:hashes.MD5 = '873105f03ae425101ea206dcd6bc539f' AND file:hashes.SHA1 = 'bd10265d0be8839ed7dc0fb576fb8901c347729b' AND file:hashes.SHA256 = 'c950c3fa513a487acfe2f1809e8e25e39d407fdf51553f272af81d2368cbeb0c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T11:30:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--200574ab-5db2-4aef-a3a9-db2d4870285b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:46.000Z", "modified": "2018-01-11T11:30:46.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c950c3fa513a487acfe2f1809e8e25e39d407fdf51553f272af81d2368cbeb0c/analysis/1513681658/", "category": "External analysis", "comment": "malicious documents", "uuid": "5a574ae6-cde4-4bb3-9721-4f2602de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "30/60", "category": "Other", "comment": "malicious documents", "uuid": "5a574ae6-aea0-4b56-ab17-407602de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-19T11:07:38", "category": "Other", "comment": "malicious documents", "uuid": "5a574ae6-b690-4d21-b83f-43b202de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--872eb001-bd68-4082-a707-f69e00ab1cfe", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:49.000Z", "modified": "2018-01-11T11:30:49.000Z", "pattern": "[file:hashes.MD5 = '335cb36cc21c47b849d370a892d759b8' AND file:hashes.SHA1 = '150b8350ec483781d8d7a0643e6462c7a6e4d2a0' AND file:hashes.SHA256 = 'cbd43e70dc55e94140099722d7b91b07a3997722d4a539ecc4015f37ea14a26e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T11:30:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f06f8919-d425-414c-94d9-6461c49c81b1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:46.000Z", "modified": "2018-01-11T11:30:46.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/cbd43e70dc55e94140099722d7b91b07a3997722d4a539ecc4015f37ea14a26e/analysis/1510610117/", "category": "External analysis", "comment": "backdoors", "uuid": "5a574ae6-dacc-491e-9acf-4d9002de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "50/68", "category": "Other", "comment": "backdoors", "uuid": "5a574ae6-3560-46cb-8a05-401e02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-11-13T21:55:17", "category": "Other", "comment": "backdoors", "uuid": "5a574ae6-7a5c-42bf-88e8-481302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2c34de1e-5ccd-4750-b921-dbc1e57b4cb3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:49.000Z", "modified": "2018-01-11T11:30:49.000Z", "pattern": "[file:hashes.MD5 = '7d8ee0e91cd88bb36d84d52d1d796dea' AND file:hashes.SHA1 = 'a0f68ae3f0263b5443b133b07701174947fa6105' AND file:hashes.SHA256 = '8a7d04229722539f2480270851184d75b26c375a77b468d8cbad6dbdb0c99271']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T11:30:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c688bc3b-d1af-443c-8363-d44c27a98060", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:46.000Z", "modified": "2018-01-11T11:30:46.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/8a7d04229722539f2480270851184d75b26c375a77b468d8cbad6dbdb0c99271/analysis/1514186505/", "category": "External analysis", "comment": "backdoors", "uuid": "5a574ae6-ec14-4891-8080-4da102de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/67", "category": "Other", "comment": "backdoors", "uuid": "5a574ae6-0d04-4491-906c-48d402de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-25T07:21:45", "category": "Other", "comment": "backdoors", "uuid": "5a574ae6-831c-4274-8dc7-424702de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7613cc8b-ce21-4638-9ef6-3497d9415329", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:49.000Z", "modified": "2018-01-11T11:30:49.000Z", "pattern": "[file:hashes.MD5 = 'a50b6ec77276cf235eaf2d14665bdb5c' AND file:hashes.SHA1 = '938c879b547ca71a332308f6d9c87252b9addc59' AND file:hashes.SHA256 = '66f0cbc0aa7e96bf937d5fb72374be454d1d6a6c85860df9d8ee8a26adc2a75e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T11:30:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--67d648f6-ac84-40ae-9edf-90144cd3b7d3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:47.000Z", "modified": "2018-01-11T11:30:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/66f0cbc0aa7e96bf937d5fb72374be454d1d6a6c85860df9d8ee8a26adc2a75e/analysis/1513683573/", "category": "External analysis", "uuid": "5a574ae7-62ec-42c6-8cfe-4d4302de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "30/60", "category": "Other", "uuid": "5a574ae7-8120-474c-a223-45b502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-19T11:39:33", "category": "Other", "uuid": "5a574ae7-ba08-4b5a-abb8-47ad02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9c677e93-f664-4a47-a479-c7807c12d2aa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:50.000Z", "modified": "2018-01-11T11:30:50.000Z", "pattern": "[file:hashes.MD5 = '948fecf6a044b79de79dc69e09d9979b' AND file:hashes.SHA1 = 'f7b8ef6431039ae12d4e7b1b997c1cc56e062611' AND file:hashes.SHA256 = '871ab24fd6ae15783dd9df5010d794b6121c4316b11f30a55f23ba37eef4b87a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T11:30:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f12656a4-afc0-4caf-b4d0-00701f6754bc", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:47.000Z", "modified": "2018-01-11T11:30:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/871ab24fd6ae15783dd9df5010d794b6121c4316b11f30a55f23ba37eef4b87a/analysis/1510036080/", "category": "External analysis", "comment": "backdoors", "uuid": "5a574ae7-7408-4685-9c0e-472202de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/67", "category": "Other", "comment": "backdoors", "uuid": "5a574ae7-5c38-403b-8e2e-477902de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-11-07T06:28:00", "category": "Other", "comment": "backdoors", "uuid": "5a574ae7-f7b0-4743-a008-42ac02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f669bde1-8c02-4eca-953c-eba3dffcaf5a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:50.000Z", "modified": "2018-01-11T11:30:50.000Z", "pattern": "[file:hashes.MD5 = '3ebcacb207b33bd5376d00b24cb3386c' AND file:hashes.SHA1 = 'c4dfcaac739910a4c1c7171ed9902b2c7bb36b0b' AND file:hashes.SHA256 = '9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-11T11:30:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--1ffb93b4-6850-494f-82bd-0b0b9a00c94d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T11:30:47.000Z", "modified": "2018-01-11T11:30:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c/analysis/1511174150/", "category": "External analysis", "comment": "backdoors", "uuid": "5a574ae7-0008-4f5f-b89f-4b9002de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "37/67", "category": "Other", "comment": "backdoors", "uuid": "5a574ae7-0bc0-4893-8517-4ff402de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-11-20T10:35:50", "category": "Other", "comment": "backdoors", "uuid": "5a574ae7-4020-4d97-abe2-456c02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--816abaaf-b4ea-468d-927d-b81c1ebe62b7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-11T13:30:38.000Z", "modified": "2018-01-11T13:30:38.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/66f0cbc0aa7e96bf937d5fb72374be454d1d6a6c85860df9d8ee8a26adc2a75e/analysis/1513683573/", "category": "External analysis", "uuid": "5a5766fe-7e0c-4c7c-802d-424102de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "30/60", "category": "Other", "uuid": "5a5766fe-e0b8-4fb4-9625-438a02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-19T11:39:33", "category": "Other", "uuid": "5a5766fe-2d04-45ff-a0b6-431302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--431f6014-8f26-4cb1-a67f-b736e1e17c7e", "created": "2018-02-16T08:46:20.000Z", "modified": "2018-02-16T08:46:20.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5a571880-d098-4276-b23e-439a950d210f", "target_ref": "x-misp-object--816abaaf-b4ea-468d-927d-b81c1ebe62b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--19f02259-7391-48d1-b5c0-1b1d97ad9707", "created": "2018-02-16T08:46:20.000Z", "modified": "2018-02-16T08:46:20.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--0dae0b43-76e3-49a2-b984-c7cbd3ca6e02", "target_ref": "x-misp-object--200574ab-5db2-4aef-a3a9-db2d4870285b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c0e69308-5691-42bb-9195-ce69791e4cec", "created": "2018-02-16T08:46:20.000Z", "modified": "2018-02-16T08:46:20.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--872eb001-bd68-4082-a707-f69e00ab1cfe", "target_ref": "x-misp-object--f06f8919-d425-414c-94d9-6461c49c81b1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4f2d2620-5f93-4faa-9cf3-566e35eb2aa8", "created": "2018-02-16T08:46:21.000Z", "modified": "2018-02-16T08:46:21.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--2c34de1e-5ccd-4750-b921-dbc1e57b4cb3", "target_ref": "x-misp-object--c688bc3b-d1af-443c-8363-d44c27a98060" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--82c18279-b3db-4bbd-b852-71bbc66b4c7c", "created": "2018-02-16T08:46:21.000Z", "modified": "2018-02-16T08:46:21.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--7613cc8b-ce21-4638-9ef6-3497d9415329", "target_ref": "x-misp-object--67d648f6-ac84-40ae-9edf-90144cd3b7d3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--251848c4-02df-47a6-9cbb-3967c1a3d145", "created": "2018-02-16T08:46:21.000Z", "modified": "2018-02-16T08:46:21.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9c677e93-f664-4a47-a479-c7807c12d2aa", "target_ref": "x-misp-object--f12656a4-afc0-4caf-b4d0-00701f6754bc" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4cc6d829-6e54-4ace-827d-dfde05496106", "created": "2018-02-16T08:46:21.000Z", "modified": "2018-02-16T08:46:21.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f669bde1-8c02-4eca-953c-eba3dffcaf5a", "target_ref": "x-misp-object--1ffb93b4-6850-494f-82bd-0b0b9a00c94d" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }