{ "type": "bundle", "id": "bundle--5cf0f134-f504-42dd-b11e-9071950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T12:59:24.000Z", "modified": "2019-05-31T12:59:24.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5cf0f134-f504-42dd-b11e-9071950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T12:59:24.000Z", "modified": "2019-05-31T12:59:24.000Z", "name": "Emissary Panda Attacks Middle East Government Sharepoint Servers by Palo Alto Unit42", "published": "2019-05-31T13:00:17Z", "object_refs": [ "observed-data--5cf10f7b-00d4-443f-b2b0-4531950d210f", "url--5cf10f7b-00d4-443f-b2b0-4531950d210f", "vulnerability--5cf10f86-a5f8-4de9-8883-4d73950d210f", "indicator--5cf11062-7c4c-4b1d-ac88-4cc5950d210f", "indicator--5cf11062-9fa0-4692-9750-4257950d210f", "indicator--5cf11062-1914-4a55-b137-41d6950d210f", "indicator--5cf11062-894c-4f76-b99c-4639950d210f", "indicator--5cf11062-c2d4-4269-be73-4db5950d210f", "indicator--5cf11062-377c-4de2-9448-4a0a950d210f", "indicator--5cf11062-99ec-40c0-9281-4512950d210f", "indicator--5cf11062-8234-4c77-8250-4850950d210f", "indicator--5cf11062-f5e0-4d73-915e-4ab8950d210f", "indicator--5cf11062-9538-4612-a125-4dc8950d210f", "vulnerability--5cf11062-b3a8-48bd-84b1-4da8950d210f", "indicator--5cf11062-a1c4-488d-ac46-4eee950d210f", "indicator--5cf110fa-0344-4fbd-bca7-eea7950d210f", "indicator--5cf111e1-4024-41aa-be42-44d3950d210f", "indicator--5cf111e1-1334-42c9-9570-4b16950d210f", "indicator--5cf111e1-ebb0-46ec-80c2-40f2950d210f", "indicator--5cf111e1-58f4-4cbf-8c66-4045950d210f", "indicator--5cf111e1-254c-4d8f-9e26-41be950d210f", "indicator--5cf111e1-50bc-4182-a819-430f950d210f", "indicator--5cf111e1-2d28-46e0-8572-4b45950d210f", "indicator--5cf111e1-b518-4e6d-a90d-44c3950d210f", 
"indicator--5cf111e1-b34c-4a3e-b0b4-4b9f950d210f", "indicator--5cf111e1-d3cc-4c2c-85b1-414d950d210f", "indicator--5cf111e1-4f10-4eb6-8b1c-4ff7950d210f", "indicator--5cf111e1-c4dc-42c8-9d67-44e5950d210f", "indicator--5cf111e1-4df0-4ddd-a140-43ae950d210f", "indicator--5cf111e1-c7e4-4ed5-9635-4af9950d210f", "indicator--5cf111e1-d158-42da-8dbe-4828950d210f", "indicator--5cf113e1-a61c-4572-a3c6-eea7950d210f", "indicator--5cf113e1-b5e8-46e1-a5dd-eea7950d210f", "indicator--5cf113e1-8b94-42cd-a8e7-eea7950d210f", "indicator--5cf113e1-6c9c-4b25-8078-eea7950d210f", "indicator--5cf113e1-52b8-41c9-a7a0-eea7950d210f", "indicator--5cf113e1-7308-40da-bd53-eea7950d210f", "indicator--5cf113e1-dc00-44b0-8e34-eea7950d210f", "indicator--5cf113e1-5a74-409c-9602-eea7950d210f", "indicator--5cf113e1-323c-46cd-b6ec-eea7950d210f", "indicator--5cf113e1-2bd8-467f-91d5-eea7950d210f", "indicator--5cf113e1-b070-45e2-b7dd-eea7950d210f", "indicator--5cf113e1-4ef4-4334-af42-eea7950d210f", "indicator--5cf113e1-7f90-4c5f-b7bb-eea7950d210f", "indicator--5cf113e1-ac9c-44c1-9bd7-eea7950d210f", "indicator--5cf113e1-b28c-4298-b433-eea7950d210f", "indicator--5cf113e1-a4fc-4db4-ba07-eea7950d210f", "indicator--5cf113e1-5d40-45c1-942b-eea7950d210f", "indicator--5cf113e1-0750-4a43-b314-eea7950d210f", "indicator--5cf113e1-098c-4c83-925d-eea7950d210f", "indicator--5cf113e1-3b3c-4982-a3ff-eea7950d210f", "indicator--5cf113e1-83ec-41db-aa5a-eea7950d210f", "indicator--5cf113e1-241c-4f87-8049-eea7950d210f", "indicator--5cf113e1-c35c-4c47-977d-eea7950d210f", "indicator--5cf113e1-58b8-426c-9116-eea7950d210f", "indicator--5cf113e1-1e04-46d5-b0e2-eea7950d210f", "indicator--5cf113e2-85a4-4b17-8a79-eea7950d210f", "indicator--5cf113e2-a6fc-489d-830d-eea7950d210f", "indicator--5cf11443-5c1c-4ec6-8361-4188950d210f", "indicator--5cf11443-71e0-4c02-9469-4fea950d210f", "indicator--5cf11443-5c00-4428-957f-4052950d210f", "indicator--5cf1146c-8d1c-45c7-b23f-4985950d210f", "indicator--5cf1146c-a964-4838-8be2-4434950d210f", 
"indicator--5cf1146c-d820-4389-a536-4ab5950d210f", "indicator--5cf1146c-048c-4a4c-83e4-4c94950d210f", "indicator--5cf1146c-8c60-486c-a98a-4965950d210f", "indicator--5cf114fc-4dbc-4f3a-a659-4540950d210f", "indicator--5cf1150d-6518-4fbe-b7c1-4dcf950d210f", "x-misp-attribute--5cf124be-1fa4-49c1-81e4-de6c950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390\"", "misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"", "misp-galaxy:threat-actor=\"Emissary Panda\"", "misp-galaxy:threat-actor=\"LuckyMouse\"", "OSINT", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cf10f7b-00d4-443f-b2b0-4531950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:26:51.000Z", "modified": "2019-05-31T11:26:51.000Z", "first_observed": "2019-05-31T11:26:51Z", "last_observed": "2019-05-31T11:26:51Z", "number_observed": 1, "object_refs": [ "url--5cf10f7b-00d4-443f-b2b0-4531950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cf10f7b-00d4-443f-b2b0-4531950d210f", "value": "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5cf10f86-a5f8-4de9-8883-4d73950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:27:02.000Z", "modified": "2019-05-31T11:27:02.000Z", "name": "CVE-2019-0604", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"External analysis\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2019-0604" } ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5cf11062-7c4c-4b1d-ac88-4cc5950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:32:14.000Z", "modified": "2019-05-31T11:32:14.000Z", "pattern": "[file:hashes.SHA256 = '006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:32:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-9fa0-4692-9750-4257950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:32:20.000Z", "modified": "2019-05-31T11:32:20.000Z", "pattern": "[file:name = '/_layouts/15/error2.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:32:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-1914-4a55-b137-41d6950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:32:23.000Z", "modified": "2019-05-31T11:32:23.000Z", "pattern": "[file:name = '/_layouts/15/errr.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:32:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-894c-4f76-b99c-4639950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:32:28.000Z", 
"modified": "2019-05-31T11:32:28.000Z", "pattern": "[file:name = 'stylecs.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:32:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-c2d4-4269-be73-4db5950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:32:10.000Z", "modified": "2019-05-31T11:32:10.000Z", "description": "stylecs.aspx", "pattern": "[file:hashes.SHA256 = '2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:32:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-377c-4de2-9448-4a0a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:32:05.000Z", "modified": "2019-05-31T11:32:05.000Z", "pattern": "[file:name = 'stylecss.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:32:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-99ec-40c0-9281-4512950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:31:50.000Z", "modified": "2019-05-31T11:31:50.000Z", "description": "stylecss.aspx", "pattern": "[file:hashes.SHA256 = 
'd1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:31:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-8234-4c77-8250-4850950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:31:54.000Z", "modified": "2019-05-31T11:31:54.000Z", "pattern": "[file:name = 'test.aspx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:31:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-f5e0-4d73-915e-4ab8950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:31:59.000Z", "modified": "2019-05-31T11:31:59.000Z", "description": "test.aspx", "pattern": "[file:hashes.SHA256 = '6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:31:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-9538-4612-a125-4dc8950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:31:31.000Z", "modified": "2019-05-31T11:31:31.000Z", "pattern": "[file:name = 'tool.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:31:31Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5cf11062-b3a8-48bd-84b1-4da8950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:30:42.000Z", "modified": "2019-05-31T11:30:42.000Z", "name": "CVE-2017-0144", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"External analysis\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-0144" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11062-a1c4-488d-ac46-4eee950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:30:58.000Z", "modified": "2019-05-31T11:30:58.000Z", "description": "Used to check whether a host is vulnerable to CVE-2017-0144 (EternalBlue), patched in MS17-010", "pattern": "[file:name = 'checker1.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:30:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf110fa-0344-4fbd-bca7-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:34:27.000Z", "modified": "2019-05-31T11:34:27.000Z", "description": "Not the Sysinternals PsExec, but a remote-execution tool similar to the PsExec offered by Impacket", "pattern": "[file:name = 'psexec.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:34:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ 
"misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-4024-41aa-be42-44d3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "pattern": "[file:name = 'm2.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-1334-42c9-9570-4b16950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "m2.exe", "pattern": "[file:hashes.SHA256 = 'b279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-ebb0-46ec-80c2-40f2950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "pattern": "[file:hashes.SHA256 = '7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-58f4-4cbf-8c66-4045950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "HyperBro backdoor", "pattern": "[file:name = 's.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-254c-4d8f-9e26-41be950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "HyperBro backdoor", "pattern": "[file:hashes.SHA256 = '04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-50bc-4182-a819-430f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "Legitimate cURL; a match on this filename alone is a weak indicator and will also hit benign installs, so review before using it for blocking.", "pattern": "[file:name = 'curl.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5cf111e1-2d28-46e0-8572-4b45950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "Legitimate cURL", "pattern": "[file:hashes.SHA256 = 'abc16344cdfc78f532870f4dcfbb75794c9a7074e796477382564d7ba2122c7d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-b518-4e6d-a90d-44c3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "Legitimate cURL.", "pattern": "[file:hashes.SHA256 = 'bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-b34c-4a3e-b0b4-4b9f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "Compiled EternalBlue checker script", "pattern": "[file:hashes.SHA256 = '090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-d3cc-4c2c-85b1-414d950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "C# Tool, likely from https://github.com/mubix/netview", "pattern": "[file:name = 'etool.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-4f10-4eb6-8b1c-4ff7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "C# Tool, likely from https://github.com/mubix/netview", "pattern": "[file:hashes.SHA256 = '38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-c4dc-42c8-9d67-44e5950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "Legitimate Sublime Text plugin host", "pattern": "[file:name = 'plugin_host.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", 
"misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-4df0-4ddd-a140-43ae950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "Legitimate Sublime Text plugin host", "pattern": "[file:hashes.SHA256 = '738abaa80e8b6ed21e16302cb91f6566f9322aebf7a22464f11ee9f4501da711']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-c7e4-4ed5-9635-4af9950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "Sideloaded DLL loaded by Sublime Text", "pattern": "[file:name = 'PYTHON33.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf111e1-d158-42da-8dbe-4828950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:37:05.000Z", "modified": "2019-05-31T11:37:05.000Z", "description": "Sideloaded DLL loaded by Sublime Text", "pattern": "[file:hashes.SHA256 = '2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts 
dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-a61c-4572-a3c6-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "SMB backdoor based on smbrelay3", "pattern": "[file:name = 'smb1.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-b5e8-46e1-a5dd-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "SMB backdoor based on smbrelay3", "pattern": "[file:hashes.SHA256 = '88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-8b94-42cd-a8e7-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Compiled zzz_exploit.py", "pattern": "[file:name = 'mcmd.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ 
"misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-6c9c-4b25-8078-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Compiled zzz_exploit.py", "pattern": "[file:hashes.SHA256 = '738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-52b8-41c9-a7a0-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "pattern": "[file:name = 'zzz_exploit.py']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-7308-40da-bd53-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Compiled zzz_exploit.py", "pattern": "[file:name = 'mcafee.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-dc00-44b0-8e34-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Compiled zzz_exploit.py", "pattern": "[file:hashes.SHA256 = '3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-5a74-409c-9602-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "pwdump", "pattern": "[file:name = 'dump.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-323c-46cd-b6ec-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "pwdump", "pattern": "[file:hashes.SHA256 = '29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--5cf113e1-2bd8-467f-91d5-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Compiled MS17-010 checker", "pattern": "[file:hashes.SHA256 = 'd0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-b070-45e2-b7dd-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Packed Mimikatz", "pattern": "[file:name = 'memory.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-4ef4-4334-af42-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Packed Mimikatz", "pattern": "[file:hashes.SHA256 = 'a18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--5cf113e1-7f90-4c5f-b7bb-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Compiled MS17-010 checker", "pattern": "[file:name = 'checker.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-ac9c-44c1-9bd7-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "SMB backdoor based on smbrelay3", "pattern": "[file:name = 'smb.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-b28c-4298-b433-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "SMB backdoor based on smbrelay3", "pattern": "[file:hashes.SHA256 = '4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5cf113e1-a4fc-4db4-ba07-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Termite", "pattern": "[file:name = 'agent_Win32.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-5d40-45c1-942b-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Termite", "pattern": "[file:hashes.SHA256 = 'b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-0750-4a43-b314-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "httprelay", "pattern": "[file:name = 'smb_exec.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-098c-4c83-925d-eea7950d210f", "created_by_ref": 
"identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "httprelay", "pattern": "[file:hashes.SHA256 = '475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-3b3c-4982-a3ff-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Incognito", "pattern": "[file:name = 'incognito.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-83ec-41db-aa5a-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "Incognito", "pattern": "[file:hashes.SHA256 = '9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-241c-4f87-8049-eea7950d210f", "created_by_ref": 
"identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "nbtscan", "pattern": "[file:name = 'nbtscan.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-c35c-4c47-977d-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "nbtscan", "pattern": "[file:hashes.SHA256 = 'c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-58b8-426c-9116-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": "2019-05-31T11:45:37.000Z", "description": "pwdump", "pattern": "[file:name = 'fgdump.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e1-1e04-46d5-b0e2-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:37.000Z", "modified": 
"2019-05-31T11:45:37.000Z", "description": "pwdump", "pattern": "[file:hashes.SHA256 = 'a6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e2-85a4-4b17-8a79-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:38.000Z", "modified": "2019-05-31T11:45:38.000Z", "pattern": "[file:name = 'smbexec.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf113e2-a6fc-489d-830d-eea7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:45:38.000Z", "modified": "2019-05-31T11:45:38.000Z", "pattern": "[file:hashes.SHA256 = 'e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:45:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11443-5c1c-4ec6-8361-4188950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:48:36.000Z", "modified": "2019-05-31T11:48:36.000Z", "description": "Legitimate CreateMedia.exe application from 
Microsoft\u2019s System Center 2012 Configuration Manager", "pattern": "[file:name = 'CreateMedia.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:48:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11443-71e0-4c02-9469-4fea950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:48:45.000Z", "modified": "2019-05-31T11:48:45.000Z", "description": "Legitimate CreateMedia.exe application from Microsoft\u2019s System Center 2012 Configuration Manager", "pattern": "[file:hashes.SHA256 = '2bb22c7b97e4c4d07e17a259cbc48d72f7e3935aa873e3dd78d01c5bbf426088']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:48:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf11443-5c00-4428-957f-4052950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:48:55.000Z", "modified": "2019-05-31T11:48:55.000Z", "description": "Sideloaded DLL loaded by CreateMedia.exe", "pattern": "[file:name = 'CreateTsMediaAdm.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:48:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf1146c-8d1c-45c7-b23f-4985950d210f", "created_by_ref": 
"identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:48:14.000Z", "modified": "2019-05-31T11:48:14.000Z", "description": "Symantec pcAnywhere thinprobe application", "pattern": "[file:name = 'thinprobe.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:48:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf1146c-a964-4838-8be2-4434950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:48:17.000Z", "modified": "2019-05-31T11:48:17.000Z", "description": "Symantec pcAnywhere thinprobe application", "pattern": "[file:hashes.SHA256 = '76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:48:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf1146c-d820-4389-a536-4ab5950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:48:20.000Z", "modified": "2019-05-31T11:48:20.000Z", "description": "Sideloaded DLL loaded by thinprobe.exe", "pattern": "[file:name = 'thinhostprobedll.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:48:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf1146c-048c-4a4c-83e4-4c94950d210f", 
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:48:25.000Z", "modified": "2019-05-31T11:48:25.000Z", "description": "Sideloaded DLL loaded by thinprobe.exe", "pattern": "[file:hashes.SHA256 = 'd40414b1173d59597ed1122361fe60303d3526f15320aede355c6ad9e7e239af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:48:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf1146c-8c60-486c-a98a-4965950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:48:30.000Z", "modified": "2019-05-31T11:48:30.000Z", "description": "thumb.db contains an encrypted and compressed DLL payload run by the sideloaded DLL", "pattern": "[file:hashes.SHA256 = '270ea24f2cef655bd89439ab76c1d49c80caaa8899ffa6f0ef36dc1beb894530']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:48:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cf114fc-4dbc-4f3a-a659-4540950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:50:20.000Z", "modified": "2019-05-31T11:50:20.000Z", "pattern": "[url:value = 'https://185.12.45.134:443/ajax']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:50:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5cf1150d-6518-4fbe-b7c1-4dcf950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T11:50:37.000Z", "modified": "2019-05-31T11:50:37.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.12.45.134']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-31T11:50:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5cf124be-1fa4-49c1-81e4-de6c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2019-05-31T12:57:34.000Z", "modified": "2019-05-31T12:57:34.000Z", "labels": [ "misp:type=\"named pipe\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "named pipe", "x_misp_value": "\\\\.\\pipe\\testpipe" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }