{ "type": "bundle", "id": "bundle--56f53e06-35d4-47e5-8d94-468e950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:04.000Z", "modified": "2016-03-25T13:39:04.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56f53e06-35d4-47e5-8d94-468e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:04.000Z", "modified": "2016-03-25T13:39:04.000Z", "name": "OSINT - New self-protecting USB trojan able to avoid detection", "published": "2016-03-25T13:39:30Z", "object_refs": [ "observed-data--56f53e35-b344-46ca-97db-faee950d210f", "url--56f53e35-b344-46ca-97db-faee950d210f", "x-misp-attribute--56f53e46-8958-4c3d-8df8-49d2950d210f", "indicator--56f53ec9-f9dc-4503-9d20-47a0950d210f", "indicator--56f53ec9-1868-44ac-ba9f-4689950d210f", "indicator--56f53eca-8a78-4e7b-a147-4d82950d210f", "indicator--56f53eca-16c8-4dc6-8ace-4e9c950d210f", "indicator--56f53eca-a97c-4a7a-ae57-43e7950d210f", "x-misp-attribute--56f53ee1-7e54-4282-88ff-faf6950d210f", "x-misp-attribute--56f53ef3-5410-4b0e-ba5f-420e950d210f", "indicator--56f53f78-695c-41c0-ba97-faf102de0b81", "indicator--56f53f78-a2a4-49b0-ac3e-faf102de0b81", "observed-data--56f53f79-dec0-4f2c-bc1f-faf102de0b81", "url--56f53f79-dec0-4f2c-bc1f-faf102de0b81", "indicator--56f53f79-6f4c-4a0f-97ca-faf102de0b81", "indicator--56f53f79-cc60-48a6-b2ba-faf102de0b81", "observed-data--56f53f79-458c-4aa2-99f7-faf102de0b81", "url--56f53f79-458c-4aa2-99f7-faf102de0b81", "indicator--56f53f7a-37a4-4d3a-8e32-faf102de0b81", "indicator--56f53f7a-f820-4f3c-a4ef-faf102de0b81", "observed-data--56f53f7a-72d0-4c9a-b4be-faf102de0b81", "url--56f53f7a-72d0-4c9a-b4be-faf102de0b81", "indicator--56f53f7b-802c-4ef2-842a-faf102de0b81", "indicator--56f53f7b-a39c-4950-b1bb-faf102de0b81", "observed-data--56f53f7b-f5dc-4705-9c78-faf102de0b81", "url--56f53f7b-f5dc-4705-9c78-faf102de0b81", "indicator--56f53f7b-2a78-4a51-b285-faf102de0b81", "indicator--56f53f7c-1d78-4e34-983d-faf102de0b81", "observed-data--56f53f7c-b83c-42c2-897f-faf102de0b81", "url--56f53f7c-b83c-42c2-897f-faf102de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f53e35-b344-46ca-97db-faee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:33:41.000Z", "modified": "2016-03-25T13:33:41.000Z", "first_observed": "2016-03-25T13:33:41Z", "last_observed": "2016-03-25T13:33:41Z", "number_observed": 1, "object_refs": [ "url--56f53e35-b344-46ca-97db-faee950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f53e35-b344-46ca-97db-faee950d210f", "value": "http://blog.eset.ie/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56f53e46-8958-4c3d-8df8-49d2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:33:58.000Z", "modified": "2016-03-25T13:33:58.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "A unique data-stealing trojan has been spotted on USB devices in the wild \u00e2\u20ac\u201c and it is different from typical data-stealing malware. Each instance of this trojan relies on the particular USB device on which it is installed and it leaves no evidence on the compromised system. Moreover, it uses a very special mechanism to protect itself from being reproduced or copied, which makes it even harder to detect.\r\n\r\nIn this article we will examine the technical details of this interesting malware.\r\n\r\n\u00e2\u20ac\u009dWhat really sets this malware apart is its self-protection mechanism.\u00e2\u20ac\u009d\r\n\r\nWhere other malware uses \u00e2\u20ac\u02dcgood old-fashioned approaches\u00e2\u20ac\u2122 like Autorun files or crafted shortcuts in order to get users to run it, USB Thief uses also another technique. This method depends on the increasingly common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives.\r\n\r\nThe malware takes advantage of this trend by inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL). And therefore, whenever such an application is executed, the malware will also be run in the background.\r\n\r\nWhat really sets this malware apart, however, is its self-protection mechanism." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53ec9-f9dc-4503-9d20-47a0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:36:09.000Z", "modified": "2016-03-25T13:36:09.000Z", "description": "SHA1 hashes of decrypted binaries", "pattern": "[file:hashes.SHA1 = '2c188c395ab32eaa00e6b7aa031632248ff38b2e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:36:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53ec9-1868-44ac-ba9f-4689950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:36:09.000Z", "modified": "2016-03-25T13:36:09.000Z", "description": "SHA1 hashes of decrypted binaries", "pattern": "[file:hashes.SHA1 = 'b03abe820c0517ccef98bc1785b7fd4cdf958278']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:36:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53eca-8a78-4e7b-a147-4d82950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:36:10.000Z", "modified": "2016-03-25T13:36:10.000Z", "description": "SHA1 hashes of decrypted binaries", "pattern": "[file:hashes.SHA1 = '66d169e1e503725a720d903e1dfaf456db172767']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:36:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53eca-16c8-4dc6-8ace-4e9c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:36:10.000Z", "modified": "2016-03-25T13:36:10.000Z", "description": "SHA1 hashes of decrypted binaries", "pattern": "[file:hashes.SHA1 = '4b2c60d77915c5695ec9d3c4364e6cd6946bd33c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:36:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53eca-a97c-4a7a-ae57-43e7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:36:10.000Z", "modified": "2016-03-25T13:36:10.000Z", "description": "SHA1 hashes of decrypted binaries", "pattern": "[file:hashes.SHA1 = '76471b0f34abb3c2530a16f39e10e4478cb6816d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:36:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56f53ee1-7e54-4282-88ff-faf6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:36:33.000Z", "modified": "2016-03-25T13:36:33.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_comment": "payload", "x_misp_type": "text", "x_misp_value": "Win32/PSW.Stealer.NAI trojan" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56f53ef3-5410-4b0e-ba5f-420e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:36:56.000Z", "modified": "2016-03-25T13:36:56.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Win32/TrojanDropper.Agent.RFT trojan" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f78-695c-41c0-ba97-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:04.000Z", "modified": "2016-03-25T13:39:04.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: 2c188c395ab32eaa00e6b7aa031632248ff38b2e", "pattern": "[file:hashes.SHA256 = '9b07058b787c40aead135554108d12d4edde6b9d3dd5847a0cf4c03eb55cae50']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f78-a2a4-49b0-ac3e-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:04.000Z", "modified": "2016-03-25T13:39:04.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: 2c188c395ab32eaa00e6b7aa031632248ff38b2e", "pattern": "[file:hashes.MD5 = 'd92895903d18c76016ff32a188e766d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f53f79-dec0-4f2c-bc1f-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:05.000Z", "modified": "2016-03-25T13:39:05.000Z", "first_observed": "2016-03-25T13:39:05Z", "last_observed": "2016-03-25T13:39:05Z", "number_observed": 1, "object_refs": [ "url--56f53f79-dec0-4f2c-bc1f-faf102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f53f79-dec0-4f2c-bc1f-faf102de0b81", "value": "https://www.virustotal.com/file/9b07058b787c40aead135554108d12d4edde6b9d3dd5847a0cf4c03eb55cae50/analysis/1458896127/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f79-6f4c-4a0f-97ca-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:05.000Z", "modified": "2016-03-25T13:39:05.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: b03abe820c0517ccef98bc1785b7fd4cdf958278", "pattern": "[file:hashes.SHA256 = 'f2734d702a76fddcf1f6683b289b3d68cbece905ec6a4951ecf500ef8ee966ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f79-cc60-48a6-b2ba-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:05.000Z", "modified": "2016-03-25T13:39:05.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: b03abe820c0517ccef98bc1785b7fd4cdf958278", "pattern": "[file:hashes.MD5 = '3a062a0e4b394022dca336d3cb0ccc2c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f53f79-458c-4aa2-99f7-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:05.000Z", "modified": "2016-03-25T13:39:05.000Z", "first_observed": "2016-03-25T13:39:05Z", "last_observed": "2016-03-25T13:39:05Z", "number_observed": 1, "object_refs": [ "url--56f53f79-458c-4aa2-99f7-faf102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f53f79-458c-4aa2-99f7-faf102de0b81", "value": "https://www.virustotal.com/file/f2734d702a76fddcf1f6683b289b3d68cbece905ec6a4951ecf500ef8ee966ab/analysis/1458896995/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f7a-37a4-4d3a-8e32-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:06.000Z", "modified": "2016-03-25T13:39:06.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: 66d169e1e503725a720d903e1dfaf456db172767", "pattern": "[file:hashes.SHA256 = '8e7f3a2e664e530015fd20fc4034bb957c97da500564d0d9354127896b6458cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f7a-f820-4f3c-a4ef-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:06.000Z", "modified": "2016-03-25T13:39:06.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: 66d169e1e503725a720d903e1dfaf456db172767", "pattern": "[file:hashes.MD5 = 'e60b3d75e2c4e3796bed5194d12ac9e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f53f7a-72d0-4c9a-b4be-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:06.000Z", "modified": "2016-03-25T13:39:06.000Z", "first_observed": "2016-03-25T13:39:06Z", "last_observed": "2016-03-25T13:39:06Z", "number_observed": 1, "object_refs": [ "url--56f53f7a-72d0-4c9a-b4be-faf102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f53f7a-72d0-4c9a-b4be-faf102de0b81", "value": "https://www.virustotal.com/file/8e7f3a2e664e530015fd20fc4034bb957c97da500564d0d9354127896b6458cd/analysis/1458896043/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f7b-802c-4ef2-842a-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:07.000Z", "modified": "2016-03-25T13:39:07.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: 4b2c60d77915c5695ec9d3c4364e6cd6946bd33c", "pattern": "[file:hashes.SHA256 = 'a5b504fced6daf4f58989e7451441a2281d5e494dcf973ce19308da5e07514cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f7b-a39c-4950-b1bb-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:07.000Z", "modified": "2016-03-25T13:39:07.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: 4b2c60d77915c5695ec9d3c4364e6cd6946bd33c", "pattern": "[file:hashes.MD5 = 'a1bf4d93e6d844e9924c7e6e00f85550']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f53f7b-f5dc-4705-9c78-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:07.000Z", "modified": "2016-03-25T13:39:07.000Z", "first_observed": "2016-03-25T13:39:07Z", "last_observed": "2016-03-25T13:39:07Z", "number_observed": 1, "object_refs": [ "url--56f53f7b-f5dc-4705-9c78-faf102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f53f7b-f5dc-4705-9c78-faf102de0b81", "value": "https://www.virustotal.com/file/a5b504fced6daf4f58989e7451441a2281d5e494dcf973ce19308da5e07514cc/analysis/1458896212/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f7b-2a78-4a51-b285-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:07.000Z", "modified": "2016-03-25T13:39:07.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: 76471b0f34abb3c2530a16f39e10e4478cb6816d", "pattern": "[file:hashes.SHA256 = 'b297ef8df5c954a033c9c40200619f9a0c61d57bdd86197e36c92e3397913c48']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f53f7c-1d78-4e34-983d-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:08.000Z", "modified": "2016-03-25T13:39:08.000Z", "description": "SHA1 hashes of decrypted binaries - Xchecked via VT: 76471b0f34abb3c2530a16f39e10e4478cb6816d", "pattern": "[file:hashes.MD5 = 'e08cde0ede2ab1ff892c03ff5e0b2585']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T13:39:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f53f7c-b83c-42c2-897f-faf102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T13:39:08.000Z", "modified": "2016-03-25T13:39:08.000Z", "first_observed": "2016-03-25T13:39:08Z", "last_observed": "2016-03-25T13:39:08Z", "number_observed": 1, "object_refs": [ "url--56f53f7c-b83c-42c2-897f-faf102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f53f7c-b83c-42c2-897f-faf102de0b81", "value": "https://www.virustotal.com/file/b297ef8df5c954a033c9c40200619f9a0c61d57bdd86197e36c92e3397913c48/analysis/1458896666/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }