{ "type": "bundle", "id": "bundle--5845344a-80bc-4c94-9ea8-4f39950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-13T03:00:43.000Z", "modified": "2018-01-13T03:00:43.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5845344a-80bc-4c94-9ea8-4f39950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-13T03:00:43.000Z", "modified": "2018-01-13T03:00:43.000Z", "name": "OSINT - MMD-0033-2015 - Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG)", "published": "2018-02-16T08:48:09Z", "object_refs": [ "observed-data--58453471-130c-4e59-bd91-43e3950d210f", "url--58453471-130c-4e59-bd91-43e3950d210f", "x-misp-attribute--584534e9-6130-4419-8a7e-480e950d210f", "indicator--584535cc-3170-42af-a962-46f0950d210f", "indicator--584535cc-7c64-47d1-bece-41cd950d210f", "indicator--584535cc-55c0-45a4-845f-444f950d210f", "indicator--584535cc-09f8-4ff3-b148-4f0a950d210f", "indicator--584535cd-8664-47ce-ac71-4edb950d210f", "indicator--584535cd-feb0-4d4d-a5df-48df950d210f", "indicator--584535cd-a058-4e65-950c-4b2d950d210f", "indicator--584535cd-7c0c-447d-a65a-4a97950d210f", "indicator--584535cd-df28-43d2-b262-480c950d210f", "indicator--584535ce-b260-4fe1-a494-4ed3950d210f", "indicator--584535ce-d284-492d-ad13-4854950d210f", "indicator--584535ce-dc00-43a9-a9f0-47e0950d210f", "indicator--584535ce-062c-4524-883e-4266950d210f", "indicator--584535cf-641c-411a-b5e6-412f950d210f", "indicator--584535cf-5070-4869-9b6e-43e4950d210f", "indicator--584535d0-0390-464c-ac22-4afd950d210f", "indicator--a2f1551a-ffc6-439a-8ed9-5eb83308cc80", "x-misp-object--8c404d5c-48e0-4cb4-a64d-2b89af2399ee", "indicator--075320ce-9dca-48cd-a4ca-085096e80a7a", "x-misp-object--e865f3a2-beea-4193-a717-991bbb031ae0", "indicator--dcb939f0-8874-48f7-bce3-b8bbad431c41", "x-misp-object--63ddf759-d832-4a3d-a389-1462c56dc4cb", "indicator--4af33ce3-3a10-4c2e-bcb2-67bd4626e18b", "x-misp-object--c976c2d7-cfaf-48b4-bd93-827f80aa378b", "indicator--f3c99c36-0463-4296-80ff-5c8407bd7d95", "x-misp-object--176aed31-3194-43c2-90ce-8711f4450e5d", "relationship--9a1106a5-4b70-4fc9-b3a6-39e753d3c53a", "relationship--9c89f43b-aa3c-40a2-b301-acd418c253a6", "relationship--ea8d9a44-2c37-48d5-879f-b56064987965", "relationship--c0e640a1-be66-40dd-a8f7-7daeab084725", "relationship--77f4de7d-5c14-412d-9d5a-5f2c770bc027" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58453471-130c-4e59-bd91-43e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "first_observed": "2018-01-12T09:44:34Z", "last_observed": "2018-01-12T09:44:34Z", "number_observed": 1, "object_refs": [ "url--58453471-130c-4e59-bd91-43e3950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58453471-130c-4e59-bd91-43e3950d210f", "value": "http://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--584534e9-6130-4419-8a7e-480e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Background\r\nThis post is an actual malware infection incident of the\"Linux/XOR.DDoS\" malware (please see previous post as reference-->[LINK]) and malware was in attempt to infect a real Linux server.\r\n\r\nIncident details:\r\n\r\nSource of attack:\r\nAn attack was coming from 107.182.141.40 with the below GeoIP details:\r\nThe attacker was compromising a Linux host via ssh password bruting to then executing a one liner shell (sh) command line and then the malware initiation commands was executed on the compromised system:" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cc-3170-42af-a962-46f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "description": "On port 41625", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.182.141.40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cc-7c64-47d1-bece-41cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[domain-name:value = '44ro4.cn']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cc-55c0-45a4-845f-444f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.15.234.66']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cc-09f8-4ff3-b148-4f0a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.240.140.152']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cd-8664-47ce-ac71-4edb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.240.141.54']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cd-feb0-4d4d-a5df-48df950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.126.126.64']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cd-a058-4e65-950c-4b2d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.234.60.143']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cd-7c0c-447d-a65a-4a97950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[domain-name:value = 'aa.hostasa.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cd-df28-43d2-b262-480c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[domain-name:value = 'ns4.hostasa.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535ce-b260-4fe1-a494-4ed3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[domain-name:value = 'ns3.hostasa.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535ce-d284-492d-ad13-4854950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "pattern": "[domain-name:value = 'ns2.hostasa.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535ce-dc00-43a9-a9f0-47e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-05T09:39:26.000Z", "modified": "2016-12-05T09:39:26.000Z", "pattern": "[file:name = 'a06.zip' AND file:hashes.MD5 = '3c49b5160b981f06bd5242662f8d0a54']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-05T09:39:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535ce-062c-4524-883e-4266950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-05T09:39:26.000Z", "modified": "2016-12-05T09:39:26.000Z", "pattern": "[file:name = 'a07.zip' AND file:hashes.MD5 = 'bcb6b83a4e6e20ffe0ce3c750360ddf5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-05T09:39:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cf-641c-411a-b5e6-412f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-05T09:39:27.000Z", "modified": "2016-12-05T09:39:27.000Z", "pattern": "[file:name = 'a08.zip' AND file:hashes.MD5 = 'a99c10cb9713770b9e7dda376cddee3a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-05T09:39:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535cf-5070-4869-9b6e-43e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-05T09:39:27.000Z", "modified": "2016-12-05T09:39:27.000Z", "pattern": "[file:name = 'a09.zip' AND file:hashes.MD5 = 'd1b5b4b4b5a118e384c7ff487e14ac3f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-05T09:39:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584535d0-0390-464c-ac22-4afd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-05T09:39:28.000Z", "modified": "2016-12-05T09:39:28.000Z", "pattern": "[file:name = 'a10.zip' AND file:hashes.MD5 = '83eea5625ca2affd3e841d3b374e88eb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-05T09:39:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a2f1551a-ffc6-439a-8ed9-5eb83308cc80", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:37.000Z", "modified": "2018-01-12T09:44:37.000Z", "pattern": "[file:hashes.MD5 = '3c49b5160b981f06bd5242662f8d0a54' AND file:hashes.SHA1 = 'c50933e1f8a194e608049839707d8d698dd5caa5' AND file:hashes.SHA256 = 'c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8c404d5c-48e0-4cb4-a64d-2b89af2399ee", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:34.000Z", "modified": "2018-01-12T09:44:34.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc/analysis/1495044102/", "category": "External analysis", "uuid": "5a588382-5a9c-4f0e-8ee9-4a1e02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/55", "category": "Other", "uuid": "5a588382-47d4-494f-a42c-484b02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-05-17T18:01:42", "category": "Other", "uuid": "5a588382-2fe4-4634-a2d8-4fd302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--075320ce-9dca-48cd-a4ca-085096e80a7a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:37.000Z", "modified": "2018-01-12T09:44:37.000Z", "pattern": "[file:hashes.MD5 = 'd1b5b4b4b5a118e384c7ff487e14ac3f' AND file:hashes.SHA1 = '038b7e9406fe5cb0a0be8f95ac935923c6d83c28' AND file:hashes.SHA256 = '0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e865f3a2-beea-4193-a717-991bbb031ae0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:35.000Z", "modified": "2018-01-12T09:44:35.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b/analysis/1494973480/", "category": "External analysis", "uuid": "5a588383-6004-4f2d-928d-4ffd02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "39/56", "category": "Other", "uuid": "5a588383-cc48-4b4e-acfc-458302de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-05-16T22:24:40", "category": "Other", "uuid": "5a588383-f040-4fc0-8f07-47e202de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dcb939f0-8874-48f7-bce3-b8bbad431c41", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:38.000Z", "modified": "2018-01-12T09:44:38.000Z", "pattern": "[file:hashes.MD5 = '83eea5625ca2affd3e841d3b374e88eb' AND file:hashes.SHA1 = 'dca946f677a1be95fb3ef6adc950730b4736a405' AND file:hashes.SHA256 = 'fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--63ddf759-d832-4a3d-a389-1462c56dc4cb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:35.000Z", "modified": "2018-01-12T09:44:35.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34/analysis/1495062664/", "category": "External analysis", "uuid": "5a588383-b518-43b4-a9c0-461202de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/57", "category": "Other", "uuid": "5a588383-8f60-4231-a75c-45bf02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-05-17T23:11:04", "category": "Other", "uuid": "5a588383-d874-40f3-aaeb-403602de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4af33ce3-3a10-4c2e-bcb2-67bd4626e18b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:38.000Z", "modified": "2018-01-12T09:44:38.000Z", "pattern": "[file:hashes.MD5 = 'a99c10cb9713770b9e7dda376cddee3a' AND file:hashes.SHA1 = '1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98' AND file:hashes.SHA256 = '92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c976c2d7-cfaf-48b4-bd93-827f80aa378b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:35.000Z", "modified": "2018-01-12T09:44:35.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/1495027397/", "category": "External analysis", "uuid": "5a588383-0dc8-446d-bf84-405502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "40/57", "category": "Other", "uuid": "5a588383-7a18-4f91-82a5-4c7202de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-05-17T13:23:17", "category": "Other", "uuid": "5a588383-bce4-46b2-a6eb-401f02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f3c99c36-0463-4296-80ff-5c8407bd7d95", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:38.000Z", "modified": "2018-01-12T09:44:38.000Z", "pattern": "[file:hashes.MD5 = 'bcb6b83a4e6e20ffe0ce3c750360ddf5' AND file:hashes.SHA1 = 'd88755b78834e87418aa3cb3bfee5de5c378bd2f' AND file:hashes.SHA256 = '61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-12T09:44:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--176aed31-3194-43c2-90ce-8711f4450e5d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-12T09:44:35.000Z", "modified": "2018-01-12T09:44:35.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521/analysis/1495007597/", "category": "External analysis", "uuid": "5a588383-a874-4dbe-9820-466402de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/57", "category": "Other", "uuid": "5a588383-e9b0-4feb-ab0c-40d802de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-05-17T07:53:17", "category": "Other", "uuid": "5a588383-8f98-40a9-a0a8-41e502de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9a1106a5-4b70-4fc9-b3a6-39e753d3c53a", "created": "2018-02-16T08:48:09.000Z", "modified": "2018-02-16T08:48:09.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a2f1551a-ffc6-439a-8ed9-5eb83308cc80", "target_ref": "x-misp-object--8c404d5c-48e0-4cb4-a64d-2b89af2399ee" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9c89f43b-aa3c-40a2-b301-acd418c253a6", "created": "2018-02-16T08:48:09.000Z", "modified": "2018-02-16T08:48:09.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--075320ce-9dca-48cd-a4ca-085096e80a7a", "target_ref": "x-misp-object--e865f3a2-beea-4193-a717-991bbb031ae0" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ea8d9a44-2c37-48d5-879f-b56064987965", "created": "2018-02-16T08:48:09.000Z", "modified": "2018-02-16T08:48:09.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--dcb939f0-8874-48f7-bce3-b8bbad431c41", "target_ref": "x-misp-object--63ddf759-d832-4a3d-a389-1462c56dc4cb" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c0e640a1-be66-40dd-a8f7-7daeab084725", "created": "2018-02-16T08:48:09.000Z", "modified": "2018-02-16T08:48:09.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--4af33ce3-3a10-4c2e-bcb2-67bd4626e18b", "target_ref": "x-misp-object--c976c2d7-cfaf-48b4-bd93-827f80aa378b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--77f4de7d-5c14-412d-9d5a-5f2c770bc027", "created": "2018-02-16T08:48:09.000Z", "modified": "2018-02-16T08:48:09.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f3c99c36-0463-4296-80ff-5c8407bd7d95", "target_ref": "x-misp-object--176aed31-3194-43c2-90ce-8711f4450e5d" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }