{ "type": "bundle", "id": "bundle--5b337e5f-4810-4cbe-bb0e-4b79950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:38:23.000Z", "modified": "2018-08-14T12:38:23.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b337e5f-4810-4cbe-bb0e-4b79950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:38:23.000Z", "modified": "2018-08-14T12:38:23.000Z", "name": "OSINT - RedAlpha: New Campaigns Discovered Targeting the Tibetan Community", "published": "2018-08-14T12:39:56Z", "object_refs": [ "observed-data--5b337e8c-cee4-4d6d-b810-4276950d210f", "url--5b337e8c-cee4-4d6d-b810-4276950d210f", "observed-data--5b337edb-8318-4ec6-a18f-48db950d210f", "url--5b337edb-8318-4ec6-a18f-48db950d210f", "x-misp-attribute--5b337fa8-09a0-4771-b1cc-2f80950d210f", "indicator--5b605b1e-d01c-4031-8026-4d1e950d210f", "indicator--5b606297-aa30-4385-853f-41f9950d210f", "indicator--5b606297-8378-4d8c-8df2-4705950d210f", "indicator--5b6062db-b7c4-4424-a0cc-40fa950d210f", "indicator--5b61896c-d2a0-4f40-94a5-4215950d210f", "indicator--5b61896c-cc28-4b71-be77-4c17950d210f", "indicator--5b6195cb-7940-40be-ba96-46b1950d210f", "indicator--5b61a5d7-5810-45cb-a80d-4a7d950d210f", "indicator--5b61bc3b-c298-44cf-85f7-4624950d210f", "indicator--5b68544e-a118-4b18-a3a1-8674950d210f", "indicator--5b696185-abd8-4c4a-a7c0-4d3c950d210f", "indicator--5b696186-2ba0-4bdb-8835-4fa4950d210f", "indicator--5b696187-3674-4d2b-af94-40c7950d210f", "indicator--5b696816-b788-4c94-ad87-4f9d950d210f", "indicator--5b696816-05d4-4748-8410-46d8950d210f", "indicator--5b696817-66d0-439e-b619-4269950d210f", "indicator--5b696817-0fa0-4020-bf22-4a1a950d210f", "indicator--5b696818-c060-4f3c-9a48-4054950d210f", "indicator--5b696818-0924-4d39-847b-4a71950d210f", "indicator--5b697d88-0db0-4536-a89e-436d950d210f", 
"indicator--5b697d89-1520-42cb-a2cc-4ad1950d210f", "indicator--5b697d8a-3054-4ae5-9c06-4b72950d210f", "indicator--5b697f5f-3324-436c-93e1-4532950d210f", "indicator--5b69801a-f90c-4c6e-952e-41fb950d210f", "x-misp-object--5b33808f-c060-4227-891c-2f80950d210f", "indicator--5b605571-86c8-4306-806d-495f950d210f", "indicator--5b6063f0-5f28-4309-9719-4bf1950d210f", "indicator--951dbf05-efee-46a0-b2aa-89e5c6d0c898", "x-misp-object--4d6cc362-fb2b-4576-919d-8d66294873be", "x-misp-object--af9cbff4-9e65-4a79-a1ec-e88133cdfb98", "indicator--5b61631b-a13c-4dc0-b949-4342950d210f", "indicator--5b618e15-2084-466a-8f5c-44df950d210f", "indicator--5b619ae6-dff0-4f29-bc32-471a950d210f", "indicator--5b619c3f-9644-4d94-a4ac-4d40950d210f", "indicator--5b619eb3-4dac-4efa-b562-43ab950d210f", "indicator--5b61a1be-f9ec-428a-aede-468e950d210f", "indicator--5b61b7e1-e898-4c28-af5b-4a86950d210f", "indicator--5b61b964-b078-4a41-9a1e-48e3950d210f", "indicator--5b61b972-4cb4-4556-8dc2-4bf3950d210f", "indicator--5b62c621-9d58-40e1-9105-4272950d210f", "indicator--5b62c650-8358-49b9-9064-4ce8950d210f", "indicator--5b62cb24-ebc0-4131-aa65-425b950d210f", "indicator--b271dc1a-8e79-4c41-8fc0-9bbd1009a7e0", "x-misp-object--a51ea5b5-2181-4905-bda3-b2b1698c7c27", "indicator--d2ec20b7-d689-47e6-9228-01a281f3ad02", "x-misp-object--100f1a8d-1bc3-4000-92fe-bce0b793b222", "indicator--5510fbf8-41c8-4a11-bcf0-42aa4303742e", "x-misp-object--578b25b7-97b8-4d39-8537-323e64ffc399", "indicator--db3a215c-d9b8-4d91-952a-af20cfe86d4a", "x-misp-object--bbd7ab64-ac5f-4bf7-ad0c-7345423bcfa6", "indicator--3ec440df-26e1-4883-94d8-cf5a44d48bbd", "x-misp-object--c4f40e78-f5a3-449f-b8e0-bcb250e3da27", "x-misp-object--c0793ff5-50a6-4817-8df9-8c28ab90f3d1", "indicator--03b1be01-e7f1-41d2-bbeb-8c965ddd63d5", "x-misp-object--62a6d635-11fb-43df-b01e-c38b5a08489f", "x-misp-object--ab089f9c-349f-46f0-a2b2-ecfb3da24370", "x-misp-object--db693d26-2826-4534-9718-84cf465571bc", "x-misp-object--bc18676c-a419-4493-882b-dbffc94fae97", 
"x-misp-object--4c400be1-7bc4-4c3e-ad25-0c0056e9a6da", "x-misp-object--90f35bd9-30a9-467b-9f6e-7ed7648b7119", "x-misp-object--2e9f7a81-d071-4fa8-bb22-eae520f03d51", "indicator--5b67f371-c338-4728-8972-40ad950d210f", "indicator--5b67f468-6ce0-48a4-9f9e-4e4f950d210f", "indicator--5b67f49b-b550-450a-aabc-4439950d210f", "indicator--5b67f783-02e0-44e8-8d8f-493f950d210f", "indicator--5b67fc1a-9a38-404f-adcb-4b3a950d210f", "indicator--5b67fc4f-381c-4dbd-b49e-4e8b950d210f", "indicator--5b67fc62-4c2c-4fd6-b2a3-410e950d210f", "indicator--5b680069-22b0-45f4-aba4-427d950d210f", "indicator--5b68016d-a668-4301-8f51-4c52950d210f", "indicator--5b680c7c-77a0-4e19-814b-4245950d210f", "indicator--5b681333-943c-4633-9a90-45cd950d210f", "indicator--5b681452-d5fc-45b4-af6f-4457950d210f", "indicator--5b681a0a-4ab0-4f37-a19f-4726950d210f", "indicator--5b681a2a-0324-4910-a7eb-415d950d210f", "indicator--5b681a4c-0d40-4247-8c55-45c7950d210f", "indicator--5b681d2e-bd1c-4726-882d-406e950d210f", "indicator--5b681e31-67a8-4296-8fb7-433c950d210f", "indicator--5b681f1f-e07c-416a-8a29-4057950d210f", "indicator--5b682066-abf8-46ca-9b9b-484d950d210f", "indicator--5b6820cb-7730-4294-af2c-4a2f950d210f", "indicator--5b6821e7-aad4-4228-910a-4d8a950d210f", "indicator--5b6822a7-f514-4918-a494-4246950d210f", "indicator--5b6826c5-14a8-476f-9cf6-4867950d210f", "indicator--5b6826e4-a924-400b-b8e4-44d5950d210f", "indicator--5b682945-f85c-4fce-a9a0-45ef950d210f", "indicator--5b682ab7-6624-450d-8b75-46cc950d210f", "indicator--5b682b68-c684-4e35-9dd8-4f73950d210f", "indicator--5b683107-e504-49db-9aed-4ce8950d210f", "indicator--5b68311f-a2b0-440f-b8c9-446e950d210f", "indicator--5b683145-03a4-424b-bae8-4737950d210f", "indicator--5b68315c-a318-4645-86cb-448f950d210f", "indicator--5b683b3b-9bd8-4fa9-8352-4e8b950d210f", "indicator--5b683c0c-ef74-4489-a7b6-5955950d210f", "indicator--5b683cd5-0a60-4246-8575-4fd1950d210f", "indicator--5b68462b-45c4-4b41-9f65-41b2950d210f", 
"indicator--5b6852b5-70f4-475c-8caa-8673950d210f", "indicator--5b68552f-fc28-4fb4-b80b-c103950d210f", "indicator--5b6855be-76a8-40dc-bfe2-494e950d210f", "indicator--5b68564a-409c-43d2-a63b-c086950d210f", "indicator--5b694c8d-d2d0-4373-83a1-4223950d210f", "indicator--5b6950dc-d308-4352-ab07-474b950d210f", "indicator--5b6951da-54fc-4427-a661-4464950d210f", "indicator--5b6957dc-9424-494b-964a-49ed950d210f", "x-misp-object--5b695c81-e640-449a-a7c7-4a0e950d210f", "x-misp-object--5b695d6f-e188-4826-9b69-4ecb950d210f", "indicator--5b695fae-b2a4-4cf6-8334-4e93950d210f", "indicator--5b695fe3-aadc-45f7-ac2b-4416950d210f", "indicator--5b696006-2e38-4f9f-a314-480f950d210f", "indicator--5b69602f-90e8-466d-aa74-4a12950d210f", "indicator--5b696072-e840-4ab7-8f2b-4eec950d210f", "indicator--5b6960a5-8d20-405e-a193-4e1d950d210f", "indicator--5b6960bf-e118-455d-a813-0b55950d210f", "indicator--5b6960dc-86ec-4f89-b8dd-4088950d210f", "indicator--5b6960f7-3ba8-42cc-a2f7-402d950d210f", "indicator--5b696124-92cc-4823-9c30-40ab950d210f", "indicator--5b69613b-db30-4ec1-852f-44bc950d210f", "indicator--5b696150-9900-466c-8b82-45a8950d210f", "indicator--5b69642b-02cc-49b3-b97c-44f5950d210f", "indicator--5b6965c9-39b4-47c1-9084-46f2950d210f", "x-misp-object--5b69670b-b290-44f4-a9fc-42e4950d210f", "x-misp-object--5b6968ac-71ec-4a55-887d-47b7950d210f", "x-misp-object--5b696957-9e2c-49d6-8bdb-4ffa950d210f", "x-misp-object--5b69698a-8dd8-4aab-95b3-444e950d210f", "indicator--5b697015-cc1c-4720-8f44-442a950d210f", "indicator--5b697026-b170-41b0-937d-48cb950d210f", "x-misp-object--8f903648-f534-497c-8096-7eba34dfcdd4", "x-misp-object--280dd6e1-9ba8-47a3-9b6d-0249ed9e5c63", "x-misp-object--e0407f5c-72da-4b58-8ae9-627189b8808d", "x-misp-object--5c696617-e214-4531-a91a-45aee2b893ed", "indicator--b0e324d4-65be-418a-a8f8-735564d00606", "x-misp-object--a9c8e203-1200-4950-8f13-6732275ea6ad", "indicator--6321945e-cf4b-4c2b-947f-c7d5cf1d6bb8", "x-misp-object--21992a3f-2d25-4b0d-847d-154ab2829796", 
"x-misp-object--8b4dbb0e-58a1-4630-be3d-83e95966a6cf", "indicator--d9a8f64e-5cb6-4a6a-8db2-f3f6beee6f8f", "x-misp-object--7771644b-6de2-4a18-bc5f-c30dad0bd508", "indicator--304084df-e41e-4456-88e4-353baeb7d839", "x-misp-object--40e4d320-c62e-4322-ae15-b20e3369832d", "x-misp-object--589e9254-4f90-490a-bc8c-fdea36be01b3", "x-misp-object--71e73500-e019-4027-8696-5f48e8e0fd38", "x-misp-object--7e3abe32-cfe8-485f-a22b-7e2989d16ffa", "x-misp-object--6c1f2aee-af3d-4af0-a272-8aef0d5da562", "x-misp-object--4c58e35e-3b4a-4afb-9a3d-19b650bc2f6e", "x-misp-object--bf7d4471-6524-4cdd-821d-63b550a8d3c7", "x-misp-object--b5a9119a-4fae-4d63-8679-c0fcbe967f1c", "x-misp-object--3ed9a824-86f6-44c8-addb-00ba19e4b915", "indicator--5b605736-14d8-416e-beb0-4c30950d210f", "indicator--5b605b02-8624-40ab-99a1-4f5c950d210f", "indicator--5b6165b7-2d18-4189-bffe-4096950d210f", "indicator--5b6182d4-67b8-4785-ba0e-4d23950d210f", "indicator--5b618916-06bc-4a4b-971e-49dc950d210f", "indicator--5b61a522-1fe8-431f-8471-4467950d210f", "indicator--5b61bc26-8bb0-4860-8e09-4e88950d210f", "indicator--5b62cb45-8260-4632-b14e-4a07950d210f", "relationship--baba825d-d192-4d41-b1ee-7d40256592a8", "relationship--c771b500-de0f-4d2e-b1d6-72c15f7b4108", "relationship--d6977752-bd3c-4de0-a37b-0187d71da2d0", "relationship--8046270c-c3b2-4933-bd3b-3bd896573788", "relationship--063d48f2-3eef-4ca8-afb8-1a19fd79890d", "relationship--54f1e06a-dc3c-4677-8a22-e72996dff1d1", "relationship--5ff765e5-7a04-4b3e-b84c-bee7398a3e66", "relationship--52f79848-7df3-4395-839a-1b45365713fb", "relationship--8a43f156-b359-4a64-987c-fc0d961813fc", "relationship--26d7869a-8869-4575-80cd-eaa1e55fdd42", "relationship--9268486c-8f7e-42a9-a579-4867244922f1", "relationship--33c559b6-63c8-4722-8a96-1dfeaba42a2e", "relationship--27e90848-9303-4770-bb3b-b95c5a3d0f24", "relationship--5dd07992-82eb-49c2-8522-10c3429e9d7f", "relationship--af118c44-3335-4434-8424-659afc91e5ed", "relationship--eb0ea37a-74d9-4101-9f81-5de05728e755", 
"relationship--bdc49e5e-9a06-4388-bc2b-bdb5e7d5e502", "relationship--aa4684b5-4304-4a62-b407-dbf82a7956ff", "relationship--57f8067c-727d-4273-9147-935187c7deb6", "relationship--2bf92a41-c1c9-4fc7-b55c-986e03003d81", "relationship--1232b34d-f8b9-4bc9-a4bf-90cf49877d73", "relationship--572af3eb-618c-4db0-a967-cb1fa6ce5f19", "relationship--a0041b0a-37ee-4173-8d1b-58f47f62d4d5", "relationship--db1216de-eda3-4962-a1b2-ad8b0bb4d28e", "relationship--03cb466b-645f-4577-8a7b-a6787354520e", "relationship--478779d8-189b-44a9-bd17-e027ddad706a", "relationship--8b1a9efe-b4eb-491d-8b09-869d87673cab", "relationship--94bd2ac9-2838-4743-ab20-f415cf7d1d58", "relationship--a66a9261-8e8f-42c5-b4be-e44ddc94b6c1", "relationship--0bd05015-6ae9-433b-83d2-ac15d768d08e", "relationship--d4b039c4-2fca-4ca7-8057-85e326c9de3d", "relationship--be5e3385-a845-4e45-b078-119a52a00cff", "relationship--66e314f4-4281-4e22-a1a6-73e81bdbc9f8" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:rat=\"NJRat\"", "misp-galaxy:tool=\"njRAT\"", "misp-galaxy:threat-actor=\"RedAlpha\"", "misp-galaxy:sector=\"NGO\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b337e8c-cee4-4d6d-b810-4276950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-27T12:09:48.000Z", "modified": "2018-06-27T12:09:48.000Z", "first_observed": "2018-06-27T12:09:48Z", "last_observed": "2018-06-27T12:09:48Z", "number_observed": 1, "object_refs": [ "url--5b337e8c-cee4-4d6d-b810-4276950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b337e8c-cee4-4d6d-b810-4276950d210f", "value": "https://www.recordedfuture.com/redalpha-cyber-campaigns/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b337edb-8318-4ec6-a18f-48db950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-27T12:11:07.000Z", "modified": "2018-06-27T12:11:07.000Z", "first_observed": "2018-06-27T12:11:07Z", "last_observed": "2018-06-27T12:11:07Z", "number_observed": 1, "object_refs": [ "url--5b337edb-8318-4ec6-a18f-48db950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b337edb-8318-4ec6-a18f-48db950d210f", "value": "https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b337fa8-09a0-4771-b1cc-2f80950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-27T12:14:32.000Z", "modified": "2018-06-27T12:14:32.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Scope Note: Recorded Future analyzed new malware targeting the Tibetan community. This report includes a detailed analysis of the malware itself and associated infrastructure. Sources include Recorded Future\u2019s platform, VirusTotal, ReversingLabs, and third-party metadata, as well as common OSINT and network metadata enrichments, such as DomainTools Iris and PassiveTotal, and researcher collaboration.1 The impetus of this research is twofold: to provide indicators to leverage for protection for likely victims and to raise awareness of a possible shift in adversary TTPs." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b605b1e-d01c-4031-8026-4d1e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T12:50:38.000Z", "modified": "2018-07-31T12:50:38.000Z", "description": "C2", "pattern": "[domain-name:value = 'doc.internetdocss.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-31T12:50:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b606297-aa30-4385-853f-41f9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T13:22:31.000Z", "modified": "2018-07-31T13:22:31.000Z", "pattern": "[url:value = 'http://doc.internetdocss.com/nethelpx86.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-31T13:22:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b606297-8378-4d8c-8df2-4705950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T13:22:31.000Z", "modified": "2018-07-31T13:22:31.000Z", "pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\nethelp.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-31T13:22:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6062db-b7c4-4424-a0cc-40fa950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T13:23:39.000Z", "modified": "2018-07-31T13:23:39.000Z", "pattern": "[url:value = 'http://doc.internetdocss.com/audiox86.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-31T13:23:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61896c-d2a0-4f40-94a5-4215950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T10:20:28.000Z", "modified": "2018-08-01T10:20:28.000Z", "description": "C2", "pattern": "[domain-name:value = 'www.hktechy.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T10:20:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61896c-cc28-4b71-be77-4c17950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T10:20:28.000Z", "modified": "2018-08-01T10:20:28.000Z", "description": "C2", "pattern": "[domain-name:value = 'index.ackques.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T10:20:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6195cb-7940-40be-ba96-46b1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T11:13:15.000Z", "modified": "2018-08-01T11:13:15.000Z", "pattern": "[url:value = 
'index.acques.com/index.html']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T11:13:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61a5d7-5810-45cb-a80d-4a7d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T12:21:43.000Z", "modified": "2018-08-01T12:21:43.000Z", "pattern": "[domain-name:value = 'striker.internetdocss.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T12:21:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61bc3b-c298-44cf-85f7-4624950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T13:57:15.000Z", "modified": "2018-08-01T13:57:15.000Z", "pattern": "[url:value = 'http://doc.internetdocss.com/index?']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T13:57:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b68544e-a118-4b18-a3a1-8674950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T13:59:42.000Z", "modified": "2018-08-06T13:59:42.000Z", "description": "C2", "pattern": "[url:value = 'http://220.218.70.160/sec.hta']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T13:59:42Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696185-abd8-4c4a-a7c0-4d3c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:08:21.000Z", "modified": "2018-08-07T09:08:21.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.10.84.146']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:08:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696186-2ba0-4bdb-8835-4fa4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:08:22.000Z", "modified": "2018-08-07T09:08:22.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.245.22.117']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:08:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696187-3674-4d2b-af94-40c7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:08:23.000Z", "modified": "2018-08-07T09:08:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.245.22.124']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:08:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" 
} ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696816-b788-4c94-ad87-4f9d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:36:22.000Z", "modified": "2018-08-07T09:36:22.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.30.7.76']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:36:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696816-05d4-4748-8410-46d8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:36:22.000Z", "modified": "2018-08-07T09:36:22.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.30.7.77']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:36:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696817-66d0-439e-b619-4269950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:36:23.000Z", "modified": "2018-08-07T09:36:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.20.192.59']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:36:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", 
"misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696817-0fa0-4020-bf22-4a1a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:36:23.000Z", "modified": "2018-08-07T09:36:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.20.195.140']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:36:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696818-c060-4f3c-9a48-4054950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:36:24.000Z", "modified": "2018-08-07T09:36:24.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.20.192.4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:36:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696818-0924-4d39-847b-4a71950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:36:24.000Z", "modified": "2018-08-07T09:36:24.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.20.192.248']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:36:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b697d88-0db0-4536-a89e-436d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T11:07:52.000Z", "modified": "2018-08-07T11:07:52.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '142.4.62.249']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T11:07:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b697d89-1520-42cb-a2cc-4ad1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T11:07:53.000Z", "modified": "2018-08-07T11:07:53.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.179.156']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T11:07:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b697d8a-3054-4ae5-9c06-4b72950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T11:07:54.000Z", "modified": "2018-08-07T11:07:54.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.179.160']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T11:07:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5b697f5f-3324-436c-93e1-4532950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T11:15:43.000Z", "modified": "2018-08-07T11:15:43.000Z", "description": "2017 Campaign", "pattern": "[import \"pe\"\r\nrule apt_ZZ_RedAlpha_2017Campaign_Dropper\r\n{\r\n meta:\r\n desc = \"RedAlpha 2017 Campaign, Dropper\"\r\n author = \"JAG-S, Insikt Group, RecordedFuture\"\r\n TLP = \"White\"\r\n md5_x86 = \"cb71f3b4f08eba58857532ac90bac77d\"\r\n md5_x64 = \"1412102eda0c2e5a5a85cb193dbb1524\"\r\n strings:\r\n $drops1 = \"http://doc.internetdocss.com/nethelp x86.dll\" ascii wide\r\n $drops2 = \"http://doc.internetdocss.com/audio x86.exe\" ascii wide\r\n $drops3 = \"http://doc.internetdocss.com/nethelp x64.dll\" ascii wide\r\n $drops4 = \"http://doc.internetdocss.com/audio x64.exe\" ascii wide\r\n $source1 = \"http://doc.internetdocss.com/word x86.exe\" ascii wide\r\n $source2 = \"http://doc.internetdocss.com/word x64.exe\" ascii wide\r\n $path1 = \"\\\\Programs\\\\Startup\\\\audio.exe\" ascii wide\r\n $path2 = \"c:\\\\Windows\\\\nethelp.dll\" ascii wide\r\n $persistence1 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\svchost\" ascii\r\nwide\r\n $persistence2 = \"%SystemRoot%\\\\system32\\\\svchost.exe -k \" ascii wide\r\n $persistence3 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\\" ascii wide\r\n $persistence4 = \"Parameters\" ascii wide\r\n $persistence5 = \"ServiceDll\" ascii wide\r\n $persistence6 = \"NetHelp\" ascii wide\r\n $persistence7 = \"Windows Internet Help\" ascii wide\r\n condition:\r\n uint16(0)==0x5A4D\r\n and\r\n filesize < 500KB\r\n and\r\n (\r\n (pe.imphash() == \"3697a1f9150de181026ce089c10657c3\" or pe.imphash() ==\r\n\"e6e566fc8a1dee3019821e84c5ad58cc\")\r\n or\r\n (\r\n any of ($drops*)\r\n or\r\n any of ($source*)\r\n or\r\n any of ($path*)\r\n or\r\n 6 of ($persistence*)\r\n )\r\n )\r\n}\r\n\r\nrule 
apt_ZZ_RedAlpha_2017Campaign_nethelp\r\n{\r\nmeta:\r\ndesc = \"RedAlpha 2017 Campaign, NetHelp Drop\"\r\nauthor = \"JAG-S, Insikt Group, RecordedFuture\"\r\nTLP = \"White\"\r\nmd5_x86 = \"42256b4753724f7feb411bc9912155fd\"\r\nmd5_x86 = \"6d1d6987d0677f40e473befab121ab1b\"\r\nmd5_x64 = \"8f0fe2620f8dadf93eee285834e35655\"\r\nmd5_x64 = \"cd32ce54ed94dfbde7fb85930a16597d\"\r\nmd5_x64_striker = \"6dd1be1e491d5bf9cd14686c185c3009\"\r\nstrings:\r\n$postreq1 = \"POST /index.html HTTP/1.1\" ascii wide\r\n$postreq2 = \"Host: index.ackques.com\" ascii wide\r\n$postreq3 = \"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101\r\nChrome /53.0\" ascii wide\r\n$postreq4 = \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*\" ascii\r\nwide\r\n$postreq5 = \"Accept-Language: en-US;q=0.5,en;q=0.3\" ascii wide\r\n$postreq6 = \"Accept-Encoding: gzip, deflate\" ascii wide\r\n$postreq7 = \"Content-Type: application/x-www-form-urlencoded\" ascii wide\r\n$postreq8 = \"Content-Length: %d\" ascii wide\r\n$postreq9 = \"Connection: keep-alive\" ascii wide\r\n$postreq10 = \"Upgrade-Insecure-Requests: 1\" ascii wide\r\n$cnc1 = \"index.ackques.com\" ascii wide\r\n$cnc2 = \"www.hktechy.com\" ascii wide\r\n $cnc3 = \"striker.internetdocss.com\" ascii wide\r\n$service1 = \"Windows Internet Help\" ascii wide\r\n$service2 = \"Client.dll\" ascii wide\r\n$service3 = \"ServiceMain\" ascii wide\r\ncondition:\r\nuint16(0)==0x5A4D\r\nand\r\nfilesize < 500KB\r\nand\r\n(\r\n(pe.imphash() == \"bc902a5e56cbbaa82f4af26cf9f4567e\"\r\nor pe.imphash() == \"af5487e77c16d987ca02d59bdcf38489\"\r\nor pe.imphash() == \"6e109cbbd181ad567b90463d48302c72\"\r\nor pe.imphash() == \"df09df6d5ae774f280c43e3cc0e4a142\"\r\n)\r\nor\r\n(\r\nall of ($postreq*)\r\nor\r\nany of ($cnc*)\r\nor\r\nall of ($service*)\r\n)\r\n)\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2018-08-07T11:15:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b69801a-f90c-4c6e-952e-41fb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T11:18:50.000Z", "modified": "2018-08-07T11:18:50.000Z", "description": "2018 Campaign", "pattern": "[import \"pe\"\r\nrule apt_ZZ_RedAlpha_Dropper\r\n{\r\n meta:\r\n author = \"JAG-S, Insikt Group, Recorded Future\"\r\n tlp = \"White\"\r\n md5 = \"e6c0ac26b473d1e0fa9f74fdf1d01af8\"\r\n md5 = \"e28db08b2326a34958f00d68dfb034b0\"\r\n md5 = \"c94a39d58450b81087b4f1f5fd304add\"\r\n md5 = \"3a2b1a98c0a31ed32759f48df34b4bc8\"\r\n desc = \"RedAlpha Dropper\"\r\n version = \"1.0\"\r\n strings:\r\n $cnc = \"http://doc.internetdocss.com/index?\"\r\n condition:\r\n uint16(0) == 0x5A4D\r\n and filesize < 500KB\r\n and\r\n (pe.imphash() == \"17030637d18335c7267d09ec0ebc637c\" or pe.imphash() ==\r\n\"617fd4619e215a00dae98de5980a4210\")\r\n and\r\n all of them\r\n}\r\nrule apt_ZZ_RedAlpha_njRat\r\n{\r\n meta:\r\n author = \"JAG-S, Insikt Group, Recorded Future\"\r\n TLP = \"White\"\r\n md5 = \"c74608c70a59371cbf016316bebfab06\"\r\n date = \"04-14-2018\"\r\n desc = \"Second-stage njRAT, RedAlpha config\"\r\n version = \"1.1\"\r\n strings:\r\n $installName = \"serverdo.exe\" wide\r\n $port = \"9527\" wide\r\n $version = \"0.7d\" wide\r\n $c2 = \"doc.internetdocss.com\" wide\r\n condition:\r\n uint16(0) == 0x5A4D and filesize < 50KB\r\n and\r\n pe.imphash() == \"f34d5f2d4577ed6d9ceec516c1f5a744\"\r\n and\r\n all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2018-08-07T11:18:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b33808f-c060-4227-891c-2f80950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-27T12:20:09.000Z", "modified": "2018-06-27T12:20:09.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "Based on links to #malware used by Chinese APTs, our research team makes assessments about who exactly is behind the newly discovered RedAlpha campaigns: (link: http://bit.ly/2KaCeS0) bit.ly/2KaCeS0 #Analysis", "category": "Other", "uuid": "5b33808f-96b0-4315-aceb-2f80950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5b338090-97ac-4266-af6a-2f80950d210f" }, { "type": "url", "object_relation": "url", "value": "https://mobile.twitter.com/RecordedFuture/status/1011675584198529024", "category": "Network activity", "to_ids": true, "uuid": "5b338090-7bc0-4dc3-8e93-2f80950d210f" }, { "type": "link", "object_relation": "link", "value": "https://t.co/D1MIxdpuBK?amp=1", "category": "External analysis", "to_ids": true, "uuid": "5b338092-51b8-45b2-b1f6-2f80950d210f" }, { "type": "url", "object_relation": "link", "value": "https://www.recordedfuture.com/redalpha-cyber-campaigns/", "category": "Payload delivery", "to_ids": true, "uuid": "5b338092-8fdc-46a8-91f2-2f80950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "2018-06-26T20:20:00", "category": "Other", "uuid": "5b338093-a724-4628-9d75-2f80950d210f" }, { "type": "text", "object_relation": "username", "value": "@RecordedFuture", "category": "Other", "uuid": "5b338093-7b6c-4274-9555-2f80950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b605571-86c8-4306-806d-495f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:31.000Z", "modified": "2018-08-14T12:36:31.000Z", "description": "PE32 executable (GUI) 
Intel 80386, for MS Windows\r\n2017 Audio dropper. Also observed being\r\ndeployed from Japanese IP\r\n220.218.70.160", "pattern": "[file:hashes.MD5 = 'cb71f3b4f08eba58857532ac90bac77d' AND file:hashes.SHA1 = '3142029872c39f393e765d59d68cf4f912170629' AND file:hashes.SHA256 = 'e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e' AND file:name = 'wordx86.exe\u00e2\u20ac\u009d' AND file:name = 'audiox86.exe\u00e2\u20ac\u009d' AND file:size = '93000' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6063f0-5f28-4309-9719-4bf1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:08.000Z", "modified": "2018-08-02T10:03:08.000Z", "description": "PE32+ executable (GUI) x86-64, for MS Windows", "pattern": "[file:hashes.MD5 = '1412102eda0c2e5a5a85cb193dbb1524' AND file:name = 'wordx64.exe' AND file:name = 'audiox64.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T10:03:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--951dbf05-efee-46a0-b2aa-89e5c6d0c898", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T14:57:38.000Z", "modified": "2018-07-31T14:57:38.000Z", "pattern": "[file:hashes.MD5 = '1412102eda0c2e5a5a85cb193dbb1524' AND file:hashes.SHA1 = 'f243d9d60dbae71ef36c0200372835f5093e954c' AND file:hashes.SHA256 = 'da25eb5db338f6ac42e0e48065c41fded56e14c6271d6cb5f6ae5fc23d5c38a8']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-31T14:57:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4d6cc362-fb2b-4576-919d-8d66294873be", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T14:57:36.000Z", "modified": "2018-07-31T14:57:36.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:21", "category": "Other", "uuid": "cdc06ac9-6db1-4e66-afc7-5f284c4b0d71" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/da25eb5db338f6ac42e0e48065c41fded56e14c6271d6cb5f6ae5fc23d5c38a8/analysis/1530788061/", "category": "External analysis", "uuid": "f625803b-9836-40a9-8fc4-badb7641d32a" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/67", "category": "Other", "uuid": "39deaf89-4d50-41f0-94a8-231614288d89" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--af9cbff4-9e65-4a79-a1ec-e88133cdfb98", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T14:57:37.000Z", "modified": "2018-07-31T14:57:37.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:55:00", "category": "Other", "uuid": "c07ff68e-441d-4c99-95ef-3442a02573da" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e/analysis/1530788100/", "category": "External 
analysis", "uuid": "fb7703c7-c989-4040-9e80-20cbefe11bad" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/67", "category": "Other", "uuid": "cbecb56f-21ab-4fa0-8932-db8eeee8f165" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61631b-a13c-4dc0-b949-4342950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:31.000Z", "modified": "2018-08-14T12:36:31.000Z", "description": "NetHelp Infostealer", "pattern": "[file:hashes.MD5 = '42256b4753724f7feb411bc9912155fd' AND file:hashes.SHA1 = '7e7d38b1687c5949528d35d8e405d995ac15d1b2' AND file:hashes.SHA256 = '293d5d84b2d4c4398e9e420c16c04dddf62132cd59cf7519109c6718c288adf3' AND file:name = 'nethelpx86.dll' AND file:name = 'nethelp.dll' AND file:name = 'audiox86.exe' AND file:size = '198000' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b618e15-2084-466a-8f5c-44df950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T10:40:21.000Z", "modified": "2018-08-01T10:40:21.000Z", "pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'www.hktechy.com') AND network-traffic:dst_port = '80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T10:40:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b619ae6-dff0-4f29-bc32-471a950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T11:35:02.000Z", "modified": "2018-08-01T11:35:02.000Z", "description": "PE32 executable (GUI) Intel 80386, for MS Windows", "pattern": "[file:hashes.MD5 = '6d1d6987d0677f40e473befab121ab1b' AND file:name = 'audiox86' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T11:35:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b619c3f-9644-4d94-a4ac-4d40950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:31.000Z", "modified": "2018-08-14T12:36:31.000Z", "description": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows", "pattern": "[file:hashes.MD5 = '8f0fe2620f8dadf93eee285834e35655' AND file:name = 'nethelp\\\\%20x64.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b619eb3-4dac-4efa-b562-43ab950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:31.000Z", "modified": "2018-08-14T12:36:31.000Z", "description": "PE32+ executable (GUI) x86-64, for MS Windows", "pattern": "[file:hashes.MD5 = 'cd32ce54ed94dfbde7fb85930a16597d' AND file:name = 'audio\\\\%20x64.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ 
"misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61a1be-f9ec-428a-aede-468e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:31.000Z", "modified": "2018-08-14T12:36:31.000Z", "description": "PE32+ executable (DLL) (console) x86-64, for MS Windows", "pattern": "[file:hashes.MD5 = '6dd1be1e491d5bf9cd14686c185c3009' AND file:hashes.SHA1 = '1e9a0a147198b8dfb4a33fc5bb1406635bfbe514' AND file:hashes.SHA256 = 'd0d02f811f7c07301e91536f2e1d908c1e67e68d89afbd2bc5bfa2cc747e67ec' AND file:name = 'nethelp.dll' AND file:size = '254000' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61b7e1-e898-4c28-af5b-4a86950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:31.000Z", "modified": "2018-08-14T12:36:31.000Z", "pattern": "[file:hashes.MD5 = '5228914b534a437eb7985702e78772be' AND file:hashes.SHA1 = '83d7ceb2e55ae3d6bbf0936376e82fe5bc97a963' AND file:hashes.SHA256 = '02bf5fdb11eee6ede01cc061206fe98f60a6b5c90ffead31e8f0a87ccfa414ef' AND file:size = '798000' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61b964-b078-4a41-9a1e-48e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2018-08-14T12:36:32.000Z", "modified": "2018-08-14T12:36:32.000Z", "pattern": "[file:hashes.MD5 = 'e6c0ac26b473d1e0fa9f74fdf1d01af8' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61b972-4cb4-4556-8dc2-4bf3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:32.000Z", "modified": "2018-08-14T12:36:32.000Z", "pattern": "[file:hashes.MD5 = 'e28db08b2326a34958f00d68dfb034b0' AND file:hashes.SHA1 = '28bc84813b9dec660fe95d590ef33e574fe16254' AND file:hashes.SHA256 = '50a28a8ebc68b6c608a073278fbb4255912bf41fd0970192d439097af4670f81' AND file:name = 'winlogon.exe' AND file:size = '274000' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b62c621-9d58-40e1-9105-4272950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:32.000Z", "modified": "2018-08-14T12:36:32.000Z", "description": "PE32 executable (GUI) Intel 80386, for MS Windows", "pattern": "[file:hashes.MD5 = 'c94a39d58450b81087b4f1f5fd304add' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--5b62c650-8358-49b9-9064-4ce8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:32.000Z", "modified": "2018-08-14T12:36:32.000Z", "description": "PE32 executable (console) Intel 80386, for MS Windows", "pattern": "[file:hashes.MD5 = '3a2b1a98c0a31ed32759f48df34b4bc8' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b62cb24-ebc0-4131-aa65-425b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:08.000Z", "modified": "2018-08-02T10:03:08.000Z", "pattern": "[file:hashes.MD5 = 'c74608c70a59371cbf016316bebfab06' AND file:hashes.SHA1 = 'e781aa54be06e010f1096fcc39a95df144659bd3' AND file:hashes.SHA256 = '1967bd2047fd9dabe3d95bdaee7c8e7f8d5bd0e378968a634e157ec4d72db17c' AND file:name = 'serverdo.exe' AND file:size = '24000' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T10:03:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b271dc1a-8e79-4c41-8fc0-9bbd1009a7e0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:08.000Z", "modified": "2018-08-02T10:03:08.000Z", "pattern": "[file:hashes.MD5 = 'cd32ce54ed94dfbde7fb85930a16597d' AND file:hashes.SHA1 = 'da9c4aad7e38b904106a059b9b6318746fa6175d' AND file:hashes.SHA256 = 'b1fe92e04de787bf222847ed889695f26277789b05fa389406a6c380be5d8376']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T10:03:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a51ea5b5-2181-4905-bda3-b2b1698c7c27", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:07.000Z", "modified": "2018-08-02T10:03:07.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:06", "category": "Other", "uuid": "4b9cdbc3-8039-4f5f-a5d8-0c044c4db001" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b1fe92e04de787bf222847ed889695f26277789b05fa389406a6c380be5d8376/analysis/1530788046/", "category": "External analysis", "uuid": "01bc974e-812b-4c2a-aff4-6edd4e5fe0db" }, { "type": "text", "object_relation": "detection-ratio", "value": "43/68", "category": "Other", "uuid": "c6aed43c-f6d9-4dec-948e-0a007f83ae47" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d2ec20b7-d689-47e6-9228-01a281f3ad02", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:11.000Z", "modified": "2018-08-02T10:03:11.000Z", "pattern": "[file:hashes.MD5 = '8f0fe2620f8dadf93eee285834e35655' AND file:hashes.SHA1 = '84b80f942683d1b29180861664ec31d56321b975' AND file:hashes.SHA256 = '25445c91f232b6c3ca3ec30fa1ef2f168ddff276ce3f15f9d8eb4f8b1d19a0ca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T10:03:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", 
"misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--100f1a8d-1bc3-4000-92fe-bce0b793b222", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:10.000Z", "modified": "2018-08-02T10:03:10.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:46", "category": "Other", "uuid": "03525361-029b-45e1-901d-d638b67da8d0" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/25445c91f232b6c3ca3ec30fa1ef2f168ddff276ce3f15f9d8eb4f8b1d19a0ca/analysis/1530788086/", "category": "External analysis", "uuid": "c20c3051-7431-47f5-8e07-9f8cb38f4503" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/66", "category": "Other", "uuid": "c48f0741-4780-4a4a-9228-e16aa95cdcb2" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5510fbf8-41c8-4a11-bcf0-42aa4303742e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:14.000Z", "modified": "2018-08-02T10:03:14.000Z", "pattern": "[file:hashes.MD5 = '6d1d6987d0677f40e473befab121ab1b' AND file:hashes.SHA1 = 'ba977849cde0836a10da99cbb952f672b360a311' AND file:hashes.SHA256 = 'e8b8e4d8694600116b0d7d6062d8f5b77f25e69e993f13be56399cadf175e512']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T10:03:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--578b25b7-97b8-4d39-8537-323e64ffc399", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:12.000Z", 
"modified": "2018-08-02T10:03:12.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:53:56", "category": "Other", "uuid": "39d6d6c8-ce32-4e70-9f88-a969ff043882" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e8b8e4d8694600116b0d7d6062d8f5b77f25e69e993f13be56399cadf175e512/analysis/1530788036/", "category": "External analysis", "uuid": "1b5c3a81-7820-4538-98eb-3e4805a6d9bb" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/67", "category": "Other", "uuid": "684a278f-7203-49ac-981d-e5fe53e016d2" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--db3a215c-d9b8-4d91-952a-af20cfe86d4a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:16.000Z", "modified": "2018-08-02T10:03:16.000Z", "pattern": "[file:hashes.MD5 = '3a2b1a98c0a31ed32759f48df34b4bc8' AND file:hashes.SHA1 = 'e86204a1c55448eb61c1d03895cf1aecf6c4ce07' AND file:hashes.SHA256 = '30e628bfbf80a8cb432b679fdeaccbe3c0ab7eaee8d0899fba7a16853abf35b9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T10:03:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--bbd7ab64-ac5f-4bf7-ad0c-7345423bcfa6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:15.000Z", "modified": "2018-08-02T10:03:15.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-01T23:46:03", "category": 
"Other", "uuid": "1521fa81-70ac-4209-8ac0-020efaaf2b5c" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/30e628bfbf80a8cb432b679fdeaccbe3c0ab7eaee8d0899fba7a16853abf35b9/analysis/1533167163/", "category": "External analysis", "uuid": "be25cd41-41af-469a-ab3a-72b7edd67d5e" }, { "type": "text", "object_relation": "detection-ratio", "value": "50/67", "category": "Other", "uuid": "ee0ba7fa-de9b-4ed1-9dc1-4a7b1ade08f0" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3ec440df-26e1-4883-94d8-cf5a44d48bbd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:19.000Z", "modified": "2018-08-02T10:03:19.000Z", "pattern": "[file:hashes.MD5 = 'c94a39d58450b81087b4f1f5fd304add' AND file:hashes.SHA1 = 'e15ed8a83c9e1745497fbf33aa9af3b19b2ecbda' AND file:hashes.SHA256 = 'd4c94b5fed3293f9474de519b6ef232070b38a07e924d0dee13eac728fdac26d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T10:03:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c4f40e78-f5a3-449f-b8e0-bcb250e3da27", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:17.000Z", "modified": "2018-08-02T10:03:17.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-02T00:06:12", "category": "Other", "uuid": "f949f8be-c2c5-4941-a83c-e59cfb47047a" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d4c94b5fed3293f9474de519b6ef232070b38a07e924d0dee13eac728fdac26d/analysis/1533168372/", "category": 
"External analysis", "uuid": "41e31e37-9f2e-4fe9-9753-79101bd04941" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/66", "category": "Other", "uuid": "9d3bc97d-e36a-4746-ac96-c0a60d5e503f" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c0793ff5-50a6-4817-8df9-8c28ab90f3d1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:18.000Z", "modified": "2018-08-02T10:03:18.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:21", "category": "Other", "uuid": "7daa5c0a-a5aa-4e39-a7c2-9cb774d3f09a" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/da25eb5db338f6ac42e0e48065c41fded56e14c6271d6cb5f6ae5fc23d5c38a8/analysis/1530788061/", "category": "External analysis", "uuid": "eb42bd66-492e-4c88-893a-09743596dbb6" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/67", "category": "Other", "uuid": "bf156d11-ec98-4904-9dbf-60d340f38d3c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--03b1be01-e7f1-41d2-bbeb-8c965ddd63d5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:22.000Z", "modified": "2018-08-02T10:03:22.000Z", "pattern": "[file:hashes.MD5 = 'e6c0ac26b473d1e0fa9f74fdf1d01af8' AND file:hashes.SHA1 = 'acf58d62cdee49cacd253bc759b043d883aad30a' AND file:hashes.SHA256 = 'd5c38ea22a4caad56490c6fae7605117dcbea771caef55a4d8072640be1727c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T10:03:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", 
"misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--62a6d635-11fb-43df-b01e-c38b5a08489f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:21.000Z", "modified": "2018-08-02T10:03:21.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-31T23:56:41", "category": "Other", "uuid": "a38f4d5e-021b-42cc-90bc-bb3e8532c5cf" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d5c38ea22a4caad56490c6fae7605117dcbea771caef55a4d8072640be1727c5/analysis/1533081401/", "category": "External analysis", "uuid": "867b2ea8-5a62-4fa1-a78c-749209dd6e40" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/66", "category": "Other", "uuid": "730bccdd-09f3-49be-9abc-151632bee2ee" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ab089f9c-349f-46f0-a2b2-ecfb3da24370", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:22.000Z", "modified": "2018-08-02T10:03:22.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:55:00", "category": "Other", "uuid": "b040a225-fc25-4c02-b728-f603912b7697" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e/analysis/1530788100/", "category": "External analysis", "uuid": "88fb41f1-a0d8-4613-a27c-127fdd79f71b" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/67", "category": "Other", "uuid": "5c49008c-9f4f-46be-936b-b3e89bcedefa" } ], 
"x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--db693d26-2826-4534-9718-84cf465571bc", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:23.000Z", "modified": "2018-08-02T10:03:23.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-01T23:49:09", "category": "Other", "uuid": "a6f08c8a-389b-443f-8392-d683577b8359" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/02bf5fdb11eee6ede01cc061206fe98f60a6b5c90ffead31e8f0a87ccfa414ef/analysis/1533167349/", "category": "External analysis", "uuid": "23854605-57d3-4c4c-b52e-e0f76fcc54b0" }, { "type": "text", "object_relation": "detection-ratio", "value": "36/59", "category": "Other", "uuid": "46b9e96e-856d-4886-b317-f31a71f1e201" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--bc18676c-a419-4493-882b-dbffc94fae97", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:25.000Z", "modified": "2018-08-02T10:03:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-31T23:56:33", "category": "Other", "uuid": "4b3fd073-64b5-4d98-88b3-9b10f1b6a899" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/50a28a8ebc68b6c608a073278fbb4255912bf41fd0970192d439097af4670f81/analysis/1533081393/", "category": "External analysis", "uuid": "8f213639-c885-4015-9237-dcb58587a00d" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/68", "category": "Other", "uuid": 
"5a1325fe-8172-4afc-8a53-9a6fcb44c68e" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4c400be1-7bc4-4c3e-ad25-0c0056e9a6da", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:26.000Z", "modified": "2018-08-02T10:03:26.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-02T00:05:39", "category": "Other", "uuid": "815bce8f-9090-45ec-9b75-d1d992b21665" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/1967bd2047fd9dabe3d95bdaee7c8e7f8d5bd0e378968a634e157ec4d72db17c/analysis/1533168339/", "category": "External analysis", "uuid": "f729015f-82c7-4ce3-82ca-29c870f12df8" }, { "type": "text", "object_relation": "detection-ratio", "value": "61/68", "category": "Other", "uuid": "c058fdbf-c051-4377-9a58-e99faff08177" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--90f35bd9-30a9-467b-9f6e-7ed7648b7119", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:27.000Z", "modified": "2018-08-02T10:03:27.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:53:51", "category": "Other", "uuid": "d5f94bd5-fc5a-4aee-a7d6-f51eeda67291" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d0d02f811f7c07301e91536f2e1d908c1e67e68d89afbd2bc5bfa2cc747e67ec/analysis/1530788031/", "category": "External analysis", "uuid": "1ffceaf7-f028-4f96-bf93-a2e29e09a4a0" }, { "type": "text", "object_relation": "detection-ratio", "value": "28/66", "category": "Other", 
"uuid": "7eb90641-2c5d-4785-b834-92e79e6fa703" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--2e9f7a81-d071-4fa8-bb22-eae520f03d51", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T10:03:28.000Z", "modified": "2018-08-02T10:03:28.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:11", "category": "Other", "uuid": "fefb306a-a08f-44c8-b831-2f868d3d74da" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/293d5d84b2d4c4398e9e420c16c04dddf62132cd59cf7519109c6718c288adf3/analysis/1530788051/", "category": "External analysis", "uuid": "07a85360-c323-45e7-aeac-b520d8ac5626" }, { "type": "text", "object_relation": "detection-ratio", "value": "43/67", "category": "Other", "uuid": "21dc7abb-a099-458c-9512-a670a6a4f220" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b67f371-c338-4728-8972-40ad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T08:02:14.000Z", "modified": "2018-08-06T08:02:14.000Z", "description": "Japanese IP (Ucom-Corp)", "pattern": "[domain-name:value = 'doc.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '220.218.70.160' AND domain-name:x_misp_first_seen = '2017-06-28T00:00:00' AND domain-name:x_misp_last_seen = '2017-09-14T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T08:02:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5b67f468-6ce0-48a4-9f9e-4e4f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T07:20:52.000Z", "modified": "2018-08-06T07:20:52.000Z", "description": "Japanese IP", "pattern": "[domain-name:value = '220x218x70x160.ap220.ftth.ucom.ne.jp' AND domain-name:resolves_to_refs[*].value = '220.218.70.160' AND domain-name:x_misp_first_seen = '2016-10-27T00:00:00' AND domain-name:x_misp_last_seen = '2018-04-18T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T07:20:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b67f49b-b550-450a-aabc-4439950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T07:21:13.000Z", "modified": "2018-08-06T07:21:13.000Z", "description": "Japanese IP", "pattern": "[domain-name:value = 'u2xu2.com' AND domain-name:resolves_to_refs[*].value = '220.218.70.160' AND domain-name:x_misp_first_seen = '2017-08-20T00:00:00' AND domain-name:x_misp_last_seen = '2018-04-08T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T07:21:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b67f783-02e0-44e8-8d8f-493f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T07:23:47.000Z", "modified": "2018-08-06T07:23:47.000Z", "description": "Chinese IP belonging to Chinese VPS provider VPSQuan LLC.", "pattern": "[domain-name:value = 'hktechy.com' AND domain-name:resolves_to_refs[*].value = '198.44.172.97' AND 
domain-name:x_misp_first_seen = '2017-06-19T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T07:23:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b67fc1a-9a38-404f-adcb-4b3a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:32.000Z", "modified": "2018-08-14T12:36:32.000Z", "description": "2017 campaign dropper variant. Also\r\nobserved being deployed from Japanese IP\r\n220.218.70[.]160", "pattern": "[file:hashes.MD5 = '1412102eda0c2e5a5a85cb193dbb1524' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b67fc4f-381c-4dbd-b49e-4e8b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T07:44:15.000Z", "modified": "2018-08-06T07:44:15.000Z", "description": "Observed being deployed from Japanese IP\r\n220.218.70[.]160. Sample not available at\r\ntime of research in malware multiscanner\r\nrepositories. 
Possible variant of 2017\r\ninfostealer or dropper.", "pattern": "[file:hashes.MD5 = '1b67183acc18d7641917f4fe07c1b053' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T07:44:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b67fc62-4c2c-4fd6-b2a3-410e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:32.000Z", "modified": "2018-08-14T12:36:32.000Z", "description": "2017 NetHelp infostealer variant", "pattern": "[file:hashes.MD5 = '6d1d6987d0677f40e473befab121ab1b' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b680069-22b0-45f4-aba4-427d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T08:01:45.000Z", "modified": "2018-08-06T08:01:45.000Z", "description": "SG IP (Choopa LLC)", "pattern": "[domain-name:value = 'doc.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-30T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-25T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T08:01:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5b68016d-a668-4301-8f51-4c52950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T08:06:05.000Z", "modified": "2018-08-06T08:06:05.000Z", "description": "HK IP (Cloudie Limited)", "pattern": "[domain-name:value = 'doc.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '122.10.84.146' AND domain-name:x_misp_first_seen = '2018-02-08T00:00:00' AND domain-name:x_misp_last_seen = '2018-03-27T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T08:06:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b680c7c-77a0-4e19-814b-4245950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T08:53:16.000Z", "modified": "2018-08-06T08:53:16.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'item.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-23T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-01T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T08:53:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b681333-943c-4633-9a90-45cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T09:21:55.000Z", "modified": "2018-08-06T09:21:55.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'cfr.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-17T00:00:00' AND 
domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T09:21:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b681452-d5fc-45b4-af6f-4457950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T09:26:42.000Z", "modified": "2018-08-06T09:26:42.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'tootopia.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-23T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T09:26:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b681a0a-4ab0-4f37-a19f-4726950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T09:51:06.000Z", "modified": "2018-08-06T09:51:06.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'oc.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-06T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T09:51:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5b681a2a-0324-4910-a7eb-415d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T09:51:38.000Z", "modified": "2018-08-06T09:51:38.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'thewire.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-02-05T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T09:51:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b681a4c-0d40-4247-8c55-45c7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T09:52:12.000Z", "modified": "2018-08-06T09:52:12.000Z", "description": "SG IP", "pattern": "[domain-name:value = 'tibet.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-19T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T09:52:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b681d2e-bd1c-4726-882d-406e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:04:30.000Z", "modified": "2018-08-06T10:04:30.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'savetibet.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-19T00:00:00' AND 
domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:04:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b681e31-67a8-4296-8fb7-433c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:08:49.000Z", "modified": "2018-08-06T10:08:49.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'blog.tibetcul.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-19T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:08:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b681f1f-e07c-416a-8a29-4057950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:12:47.000Z", "modified": "2018-08-06T10:12:47.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'rediff.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-19T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:12:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5b682066-abf8-46ca-9b9b-484d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:18:14.000Z", "modified": "2018-08-06T10:18:14.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'ndtv.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-19T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:18:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6820cb-7730-4294-af2c-4a2f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:19:55.000Z", "modified": "2018-08-06T10:19:55.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'business.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-19T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:19:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6821e7-aad4-4228-910a-4d8a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:24:39.000Z", "modified": "2018-08-06T10:24:39.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'apple.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-03-19T00:00:00' AND 
domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:24:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6822a7-f514-4918-a494-4246950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:27:51.000Z", "modified": "2018-08-06T10:27:51.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'chinaaid.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-25T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-17T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:27:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6826c5-14a8-476f-9cf6-4867950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:45:25.000Z", "modified": "2018-08-06T10:45:25.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'epochtimes.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-21T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-16T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:45:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5b6826e4-a924-400b-b8e4-44d5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:45:56.000Z", "modified": "2018-08-06T10:45:56.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'artvoice.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-17T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-16T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:45:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b682945-f85c-4fce-a9a0-45ef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T10:56:05.000Z", "modified": "2018-08-06T10:56:05.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'docs.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-02-05T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-16T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T10:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b682ab7-6624-450d-8b75-46cc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T11:02:15.000Z", "modified": "2018-08-06T11:02:15.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'www.apple.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-25T00:00:00' AND 
domain-name:x_misp_last_seen = '2018-04-25T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T11:02:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b682b68-c684-4e35-9dd8-4f73950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T11:05:12.000Z", "modified": "2018-08-06T11:05:12.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'www.doc.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-23T00:00:00' AND domain-name:x_misp_last_seen = '2018-04-23T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T11:05:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b683107-e504-49db-9aed-4ce8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T11:29:11.000Z", "modified": "2018-08-06T11:29:11.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'doc.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-04-16T00:00:00' AND domain-name:x_misp_last_seen = '2018-04-18T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T11:29:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5b68311f-a2b0-440f-b8c9-446e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T11:29:35.000Z", "modified": "2018-08-06T11:29:35.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'vot.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-01-14T00:00:00' AND domain-name:x_misp_last_seen = '2018-04-18T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T11:29:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b683145-03a4-424b-bae8-4737950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T11:30:13.000Z", "modified": "2018-08-06T11:30:13.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'video.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2018-01-10T00:00:00' AND domain-name:x_misp_last_seen = '2018-04-18T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T11:30:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b68315c-a318-4645-86cb-448f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T11:30:36.000Z", "modified": "2018-08-06T11:30:36.000Z", "description": "SG IP ", "pattern": "[domain-name:value = 'my.anti-spammail.services' AND domain-name:resolves_to_refs[*].value = '45.77.250.80' AND domain-name:x_misp_first_seen = '2017-12-28T00:00:00' AND 
domain-name:x_misp_last_seen = '2018-04-07T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T11:30:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b683b3b-9bd8-4fa9-8352-4e8b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T12:12:43.000Z", "modified": "2018-08-06T12:12:43.000Z", "description": "China IP (Shenzhen Katherine Heng Technology Information Co., Ltd.)", "pattern": "[domain-name:value = 'u2xu2.com' AND domain-name:resolves_to_refs[*].value = '144.48.220.167' AND domain-name:x_misp_first_seen = '2107-08-20T00:00:00' AND domain-name:x_misp_last_seen = '2017-09-07T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T12:12:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b683c0c-ef74-4489-a7b6-5955950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T12:16:12.000Z", "modified": "2018-08-06T12:16:12.000Z", "description": "Hong Kong IP (Forewin Telecom Group Isp)", "pattern": "[domain-name:value = 'u2xu2.com' AND domain-name:resolves_to_refs[*].value = '27.126.179.158' AND domain-name:x_misp_first_seen = '2017-09-07T00:00:00' AND domain-name:x_misp_last_seen = '2017-09-07T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T12:16:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5b683cd5-0a60-4246-8575-4fd1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T12:19:33.000Z", "modified": "2018-08-06T12:19:33.000Z", "description": "Japan IP (UCom Corp)", "pattern": "[domain-name:value = 'u2xu2.com' AND domain-name:resolves_to_refs[*].value = '220.218.70.160' AND domain-name:x_misp_first_seen = '2017-08-20T00:00:00' AND domain-name:x_misp_last_seen = '2018-04-08T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T12:19:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b68462b-45c4-4b41-9f65-41b2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T12:59:23.000Z", "modified": "2018-08-06T12:59:23.000Z", "description": "South Korean IP (Korea Telecom)", "pattern": "[domain-name:value = 'u2xu2.com' AND domain-name:resolves_to_refs[*].value = '211.44.63.39' AND domain-name:x_misp_first_seen = '2017-08-20T00:00:00' AND domain-name:x_misp_last_seen = '2018-05-27T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T12:59:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6852b5-70f4-475c-8caa-8673950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T13:52:53.000Z", "modified": "2018-08-06T13:52:53.000Z", "pattern": "[file:hashes.MD5 = '1929db297c9d7d88a6427b8603a7145b' AND file:name = 'Microsoft_Word_97_-_2003___1.doc' AND file:x_misp_state = 'Malicious']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T13:52:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b68552f-fc28-4fb4-b80b-c103950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T14:03:27.000Z", "modified": "2018-08-06T14:03:27.000Z", "description": "HK IP (Forewin Telecom Group Limited).", "pattern": "[domain-name:value = 'striker.internetdocss.com' AND domain-name:resolves_to_refs[*].value = '27.126.179.157']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T14:03:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6855be-76a8-40dc-bfe2-494e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T14:05:50.000Z", "modified": "2018-08-06T14:05:50.000Z", "description": "SSL cert was observed on all Forewin Telecom registered IPs in the range 27.126.179[.]156 \u2014 27.126.179[.]160.", "pattern": "[file:hashes.SHA1 = 'c8e61a4282589c93774be2cddc109599316087b7' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T14:05:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b68564a-409c-43d2-a63b-c086950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-06T14:08:10.000Z", "modified": 
"2018-08-06T14:08:10.000Z", "description": "SSL cert was active on the 27.126.179[.]159 Forewin IP when it had tk.u2xu2[.]com pointing to it", "pattern": "[file:hashes.SHA1 = 'dd3f4da890fa00b0b6032d1141f54490c093c297' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-06T14:08:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b694c8d-d2d0-4373-83a1-4223950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T07:38:53.000Z", "modified": "2018-08-07T07:38:53.000Z", "pattern": "[domain-name:value = 'http.ackques.com' AND domain-name:resolves_to_refs[*].value = '7.126.179.159']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T07:38:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6950dc-d308-4352-ab07-474b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T07:58:32.000Z", "modified": "2018-08-07T07:58:32.000Z", "pattern": "[domain-name:value = 'sp.u2xu2.com' AND domain-name:resolves_to_refs[*].value = '122.10.84.146' AND domain-name:x_misp_first_seen = '2018-03-23T00:00:00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T07:58:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6951da-54fc-4427-a661-4464950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T08:01:30.000Z", "modified": "2018-08-07T08:01:30.000Z", "description": "alternate\r\nMD5 should be 3a2b1a98c0a31ed32759f48df34b4bc8\r\nfirst-stage validator that includes a second stage payload that drops njRAT.", "pattern": "[file:name = 'qww.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T08:01:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6957dc-9424-494b-964a-49ed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:32.000Z", "modified": "2018-08-14T12:36:32.000Z", "description": "version of njRAT (also\r\nknown as Bladabindi) hosted on the same 122.10.84.146 Hong Kong IP.\r\nLikely related to the \u201cqww.exe\u201d validator.", "pattern": "[file:hashes.MD5 = 'c74608c70a59371cbf016316bebfab06' AND file:name = 'serverdo7468.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b695c81-e640-449a-a7c7-4a0e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T08:46:57.000Z", "modified": "2018-08-07T08:46:57.000Z", "labels": [ "misp:name=\"whois\"", "misp:meta-category=\"network\"" ], "x_misp_attributes": [ { "type": "whois-registrant-email", "object_relation": "registrant-email", "value": "steven-jain@outlook.com", "category": "Attribution", "uuid": 
"5b695c81-92b0-492b-902f-4abb950d210f" }, { "type": "domain", "object_relation": "domain", "value": "ktechy.com", "category": "Network activity", "to_ids": true, "uuid": "5b695c82-a494-49a2-8702-4395950d210f" } ], "x_misp_meta_category": "network", "x_misp_name": "whois" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b695d6f-e188-4826-9b69-4ecb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T08:50:55.000Z", "modified": "2018-08-07T08:50:55.000Z", "labels": [ "misp:name=\"whois\"", "misp:meta-category=\"network\"" ], "x_misp_attributes": [ { "type": "whois-registrant-email", "object_relation": "registrant-email", "value": "steven-jain@outlook.com", "category": "Attribution", "uuid": "5b695d6f-bd1c-4571-a75c-4c1b950d210f" }, { "type": "domain", "object_relation": "domain", "value": "angtechy.com", "category": "Network activity", "to_ids": true, "uuid": "5b695d70-7270-4afc-859c-4e30950d210f" }, { "type": "ip-src", "object_relation": "ip-address", "value": "15.126.39.107", "category": "Network activity", "to_ids": true, "uuid": "5b695d71-305c-4846-a468-4554950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "2017-06-20T00:00:00", "category": "Other", "uuid": "5b695d71-d858-4785-a9e1-452a950d210f" } ], "x_misp_meta_category": "network", "x_misp_name": "whois" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b695fae-b2a4-4cf6-8334-4e93950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:00:30.000Z", "modified": "2018-08-07T09:00:30.000Z", "description": "Spoofed Organization: China National Hotel Education Network (cqledi.org)", "pattern": "[domain-name:value = 'cqledu.com' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:00:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b695fe3-aadc-45f7-ac2b-4416950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:01:23.000Z", "modified": "2018-08-07T09:01:23.000Z", "description": "Spoofed Organization: AOL webmail (mail.aol.com)", "pattern": "[domain-name:value = 'mail-aol.space' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:01:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696006-2e38-4f9f-a314-480f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:03:23.000Z", "modified": "2018-08-07T09:03:23.000Z", "description": "Spoofed Organization: Google Drive (drive.google.com)", "pattern": "[domain-name:value = 'drlve-gooog1e.com' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:03:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b69602f-90e8-466d-aa74-4a12950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:02:39.000Z", "modified": "2018-08-07T09:02:39.000Z", "description": "Spoofed Organization: Microsoft Live (login.live.com)", "pattern": "[domain-name:value = 'login-live.space' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:02:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696072-e840-4ab7-8f2b-4eec950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:03:46.000Z", "modified": "2018-08-07T09:03:46.000Z", "description": "Spoofed Organization: Department of Special Investigations, Ministry of Justice of Thailand (mail.dsi.go.th)", "pattern": "[domain-name:value = 'mail-dsi-go.space' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:03:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6960a5-8d20-405e-a193-4e1d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:04:37.000Z", "modified": "2018-08-07T09:04:37.000Z", "description": "Spoofed Organization: Epoch Times, founded by Chinese-American Falun Gong practitioners (mail.epochtimes.com)", "pattern": "[domain-name:value = 'mail-epochtimes.space' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:04:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6960bf-e118-455d-a813-0b55950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:05:03.000Z", "modified": "2018-08-07T09:05:03.000Z", "description": "Spoofed Organization: Sri Lankan Ministry of Defence (mail.defence.lk)", "pattern": "[domain-name:value = 'mail-defense.tk' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:05:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6960dc-86ec-4f89-b8dd-4088950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:05:32.000Z", "modified": "2018-08-07T09:05:32.000Z", "description": "Spoofed Organization: Official website of His Holiness the Dalai Lama (webmail.dalailama.com)", "pattern": "[domain-name:value = 'webmail-dalailama.com' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:05:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6960f7-3ba8-42cc-a2f7-402d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:05:59.000Z", "modified": "2018-08-07T09:05:59.000Z", "description": "Spoofed Organization: Youxinpai (Beijing) Information Technology Co., Ltd. 
(Chinese used car auction site)", "pattern": "[domain-name:value = 'mail.youxinpai.com' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:05:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696124-92cc-4823-9c30-40ab950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:06:44.000Z", "modified": "2018-08-07T09:06:44.000Z", "description": "Spoofed Organization: Possibly a reference to GALVmed\u2019s \u201cprotecting livestock, saving human life\u201d mission statement. GALVmed stands for the Global Alliance for Livestock Veterinary Medicines.", "pattern": "[domain-name:value = 'plshl.com' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:06:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b69613b-db30-4ec1-852f-44bc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:07:07.000Z", "modified": "2018-08-07T09:07:07.000Z", "description": "Spoofed Organization: Webmail login for Myanmar Posts and Telecommunications (webmail.mpt.net.mm)", "pattern": "[domain-name:value = 'webmail-mpt.space' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:07:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b696150-9900-466c-8b82-45a8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:07:28.000Z", "modified": "2018-08-07T09:07:28.000Z", "description": "Spoofed Organization: Likely impersonating a website for exiled Chinese billionaire, Guo Wengui, who has made allegations of corruption against high-ranking individuals in the Communist Party of China.", "pattern": "[domain-name:value = 'wengiguowengui.space' AND domain-name:resolves_to_refs[*].value = '115.126.39.107']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:07:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b69642b-02cc-49b3-b97c-44f5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:23:49.000Z", "modified": "2018-08-07T09:23:49.000Z", "pattern": "[domain-name:value = 'tk.u2xu2.com' AND domain-name:resolves_to_refs[*].value = '27.126.179.159' AND domain-name:resolves_to_refs[*].value = '103.20.193.156']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:23:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6965c9-39b4-47c1-9084-46f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:26:33.000Z", "modified": "2018-08-07T09:26:33.000Z", "pattern": "[file:hashes.MD5 = 
'83ffd697edd0089204779f5bfb031023' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T09:26:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b69670b-b290-44f4-a9fc-42e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:31:55.000Z", "modified": "2018-08-07T09:31:55.000Z", "labels": [ "misp:name=\"whois\"", "misp:meta-category=\"network\"" ], "x_misp_attributes": [ { "type": "whois-registrant-email", "object_relation": "registrant-email", "value": "13316874955@163.com", "category": "Attribution", "uuid": "5b69670b-06c0-434e-a8f5-423b950d210f" }, { "type": "ip-src", "object_relation": "ip-address", "value": "103.20.193.156", "category": "Network activity", "to_ids": true, "uuid": "5b69670b-6d2c-43e0-940a-47ef950d210f" } ], "x_misp_meta_category": "network", "x_misp_name": "whois" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b6968ac-71ec-4a55-887d-47b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:38:52.000Z", "modified": "2018-08-07T09:38:52.000Z", "labels": [ "misp:name=\"whois\"", "misp:meta-category=\"network\"" ], "x_misp_attributes": [ { "type": "domain", "object_relation": "domain", "value": "cqyrxy.com", "category": "Network activity", "to_ids": true, "uuid": "5b6968ac-d304-45e9-9141-4b83950d210f" }, { "type": "ip-src", "object_relation": "ip-address", "value": "115.126.39.107", "category": "Network activity", "to_ids": true, "uuid": "5b6968ac-1118-427b-b30b-4a82950d210f" }, { "type": "whois-registrant-name", "object_relation": "registrant-name", "value": "ren minjie", "category": "Attribution", "uuid": "5b6968ad-c7d4-4c30-a301-4b78950d210f" } ], 
"x_misp_meta_category": "network", "x_misp_name": "whois" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b696957-9e2c-49d6-8bdb-4ffa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:41:43.000Z", "modified": "2018-08-07T09:41:43.000Z", "labels": [ "misp:name=\"whois\"", "misp:meta-category=\"network\"" ], "x_misp_attributes": [ { "type": "whois-registrant-email", "object_relation": "registrant-email", "value": "6060841@qq.com", "category": "Attribution", "uuid": "5b696957-8c18-4cd2-9113-4a5c950d210f" }, { "type": "domain", "object_relation": "domain", "value": "drive-mail-google.com", "category": "Network activity", "to_ids": true, "uuid": "5b696957-8560-4a7d-a84c-4392950d210f" } ], "x_misp_meta_category": "network", "x_misp_name": "whois" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b69698a-8dd8-4aab-95b3-444e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T09:42:34.000Z", "modified": "2018-08-07T09:42:34.000Z", "labels": [ "misp:name=\"whois\"", "misp:meta-category=\"network\"" ], "x_misp_attributes": [ { "type": "whois-registrant-email", "object_relation": "registrant-email", "value": "6060841@qq.com", "category": "Attribution", "uuid": "5b69698a-8e20-4a08-bb7c-4a5b950d210f" }, { "type": "domain", "object_relation": "domain", "value": "drive-accounts-gooogle.com", "category": "Network activity", "to_ids": true, "uuid": "5b69698b-20c4-49c4-ba14-4437950d210f" } ], "x_misp_meta_category": "network", "x_misp_name": "whois" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b697015-cc1c-4720-8f44-442a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T10:10:29.000Z", "modified": "2018-08-07T10:10:29.000Z", "pattern": "[file:hashes.MD5 = 'c6e336550bd1c087ee2a211781fd9280' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2018-08-07T10:10:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b697026-b170-41b0-937d-48cb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-07T10:10:46.000Z", "modified": "2018-08-07T10:10:46.000Z", "pattern": "[file:hashes.MD5 = 'd4ea9027edca1d01c62d9f43a2975d30' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-07T10:10:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8f903648-f534-497c-8096-7eba34dfcdd4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:29.000Z", "modified": "2018-08-14T12:36:29.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:06", "category": "Other", "uuid": "75b563cb-40ff-4062-bcd1-d850e8b003b2" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b1fe92e04de787bf222847ed889695f26277789b05fa389406a6c380be5d8376/analysis/1530788046/", "category": "External analysis", "uuid": "471715ec-3776-45f7-8724-492559aa6773" }, { "type": "text", "object_relation": "detection-ratio", "value": "43/68", "category": "Other", "uuid": "afa8f64a-5c41-4303-a067-340cee586424" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--280dd6e1-9ba8-47a3-9b6d-0249ed9e5c63", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:30.000Z", "modified": "2018-08-14T12:36:30.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:46", "category": "Other", "uuid": "ac377751-3114-40cb-81b4-acfaa910e898" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/25445c91f232b6c3ca3ec30fa1ef2f168ddff276ce3f15f9d8eb4f8b1d19a0ca/analysis/1530788086/", "category": "External analysis", "uuid": "c2e4a91e-cd71-4894-8da1-b955fcabc837" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/66", "category": "Other", "uuid": "06841d51-e4b1-477b-8385-bf774915accc" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e0407f5c-72da-4b58-8ae9-627189b8808d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:31.000Z", "modified": "2018-08-14T12:36:31.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-08T00:29:46", "category": "Other", "uuid": "a32635f7-ed70-4cb9-8b8e-99865d2631aa" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/30e628bfbf80a8cb432b679fdeaccbe3c0ab7eaee8d0899fba7a16853abf35b9/analysis/1533688186/", "category": "External analysis", "uuid": "22d24b16-6991-437a-9d86-e487cc42a4e6" }, { "type": "text", "object_relation": "detection-ratio", "value": "49/68", "category": "Other", "uuid": "c6aac747-6dd5-4712-a7b8-2ed5a0526323" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5c696617-e214-4531-a91a-45aee2b893ed", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:32.000Z", "modified": "2018-08-14T12:36:32.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-08T00:48:00", "category": "Other", "uuid": "4cf28e26-60e2-4d7b-a15f-39b145132431" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d4c94b5fed3293f9474de519b6ef232070b38a07e924d0dee13eac728fdac26d/analysis/1533689280/", "category": "External analysis", "uuid": "e15793af-bb6d-4a2d-a804-4c95fa23d290" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/68", "category": "Other", "uuid": "90b0702d-0975-4f6a-b449-a80d8493d9d9" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b0e324d4-65be-418a-a8f8-735564d00606", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:36.000Z", "modified": "2018-08-14T12:36:36.000Z", "pattern": "[file:hashes.MD5 = 'c6e336550bd1c087ee2a211781fd9280' AND file:hashes.SHA1 = 'ebedaa84b473d939ba91e2dff7b47e8c0d5716b2' AND file:hashes.SHA256 = '7354fd9fdb07f2509f8dab3bb23df53e21dd02ab2a4745d27eddb4caeaf5be14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a9c8e203-1200-4950-8f13-6732275ea6ad", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:35.000Z", "modified": "2018-08-14T12:36:35.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ 
{ "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:51", "category": "Other", "uuid": "778d6594-3b6f-4855-b1de-cf1221a1b205" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/7354fd9fdb07f2509f8dab3bb23df53e21dd02ab2a4745d27eddb4caeaf5be14/analysis/1530788091/", "category": "External analysis", "uuid": "4530a287-d37f-41e5-8a0e-2f5666455b9a" }, { "type": "text", "object_relation": "detection-ratio", "value": "38/67", "category": "Other", "uuid": "7b7b3c82-0a1a-4738-a570-ba1bb99065b2" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6321945e-cf4b-4c2b-947f-c7d5cf1d6bb8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:39.000Z", "modified": "2018-08-14T12:36:39.000Z", "pattern": "[file:hashes.MD5 = '1929db297c9d7d88a6427b8603a7145b' AND file:hashes.SHA1 = 'f3ebba32e13b355e301d310cc63fbd799787f6c2' AND file:hashes.SHA256 = 'aa91afdab184f05495cb3cdd9ff71110b000fbb3480f2108d2522a999ff4e9dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--21992a3f-2d25-4b0d-847d-154ab2829796", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:37.000Z", "modified": "2018-08-14T12:36:37.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-08T00:25:06", "category": "Other", "uuid": "82312aee-19bb-46da-8cf8-9d180b42ae54" }, { "type": "link", "object_relation": "permalink", "value": 
"https://www.virustotal.com/file/aa91afdab184f05495cb3cdd9ff71110b000fbb3480f2108d2522a999ff4e9dd/analysis/1533687906/", "category": "External analysis", "uuid": "89a63c2c-369a-4ebf-8a4d-aef203be5d31" }, { "type": "text", "object_relation": "detection-ratio", "value": "24/60", "category": "Other", "uuid": "bef9095d-e1a6-4490-afed-46a607ef4ada" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8b4dbb0e-58a1-4630-be3d-83e95966a6cf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:38.000Z", "modified": "2018-08-14T12:36:38.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:53:56", "category": "Other", "uuid": "777aad28-4b29-4948-95a3-1299b7d2071e" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e8b8e4d8694600116b0d7d6062d8f5b77f25e69e993f13be56399cadf175e512/analysis/1530788036/", "category": "External analysis", "uuid": "6f7d201e-e079-4834-a62a-4239770943f4" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/67", "category": "Other", "uuid": "72c46566-7c5f-412c-83ed-f69f6c0a5ce7" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d9a8f64e-5cb6-4a6a-8db2-f3f6beee6f8f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:43.000Z", "modified": "2018-08-14T12:36:43.000Z", "pattern": "[file:hashes.MD5 = 'd4ea9027edca1d01c62d9f43a2975d30' AND file:hashes.SHA1 = '0163c73acebe691907f4100321dbbefc95a0da49' AND file:hashes.SHA256 = '8ddb7c0fdf7206441dfd999c49d1113b55e8b0d91de4205e39225d20ae8e567d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:43Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7771644b-6de2-4a18-bc5f-c30dad0bd508", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:41.000Z", "modified": "2018-08-14T12:36:41.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-25T21:34:14", "category": "Other", "uuid": "98d5ca3c-7c60-4fde-a810-07b50e3432bd" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/8ddb7c0fdf7206441dfd999c49d1113b55e8b0d91de4205e39225d20ae8e567d/analysis/1532554454/", "category": "External analysis", "uuid": "5183e393-9731-466d-9aa0-837301040fd9" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/61", "category": "Other", "uuid": "dc6a8dd9-5875-4eea-9ff1-a01509cc81ef" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--304084df-e41e-4456-88e4-353baeb7d839", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:45.000Z", "modified": "2018-08-14T12:36:45.000Z", "pattern": "[file:hashes.MD5 = '83ffd697edd0089204779f5bfb031023' AND file:hashes.SHA1 = 'c2862a30d486297a005915421f75703ae9b35223' AND file:hashes.SHA256 = '9cdaad7554b1b39fdaf0e5f0ad41e7006d36e0f9791dc9c1cf3d50b73f6ca907']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-14T12:36:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": 
"x-misp-object--40e4d320-c62e-4322-ae15-b20e3369832d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:43.000Z", "modified": "2018-08-14T12:36:43.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-23T12:02:40", "category": "Other", "uuid": "33d0f34d-43c8-4cb4-9b8a-689c381d498d" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/9cdaad7554b1b39fdaf0e5f0ad41e7006d36e0f9791dc9c1cf3d50b73f6ca907/analysis/1532347360/", "category": "External analysis", "uuid": "dcf618e1-7785-4bec-92e0-c53e9a9554b3" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/68", "category": "Other", "uuid": "aebf6ce8-ce50-465c-a45f-128529204545" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--589e9254-4f90-490a-bc8c-fdea36be01b3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:44.000Z", "modified": "2018-08-14T12:36:44.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:21", "category": "Other", "uuid": "bf1f3939-4ec3-4333-a357-2fea7066bcbb" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/da25eb5db338f6ac42e0e48065c41fded56e14c6271d6cb5f6ae5fc23d5c38a8/analysis/1530788061/", "category": "External analysis", "uuid": "026a9339-6f67-4387-9edf-194aea014a88" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/67", "category": "Other", "uuid": "9aa50299-3e3e-4f06-bba1-c9a42b6b1289" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": 
"2.1", "id": "x-misp-object--71e73500-e019-4027-8696-5f48e8e0fd38", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:45.000Z", "modified": "2018-08-14T12:36:45.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-08T00:46:50", "category": "Other", "uuid": "daa79b42-ca0d-4e2b-ab63-11a84ee71104" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/1967bd2047fd9dabe3d95bdaee7c8e7f8d5bd0e378968a634e157ec4d72db17c/analysis/1533689210/", "category": "External analysis", "uuid": "cb2216af-140c-4ca2-8286-8c27cd5055c8" }, { "type": "text", "object_relation": "detection-ratio", "value": "56/67", "category": "Other", "uuid": "3f2ba997-79c0-4973-90f8-280d414805f1" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7e3abe32-cfe8-485f-a22b-7e2989d16ffa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:46.000Z", "modified": "2018-08-14T12:36:46.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-08T00:52:12", "category": "Other", "uuid": "a4c73e44-0dac-4016-a40c-6c422ce1041b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d5c38ea22a4caad56490c6fae7605117dcbea771caef55a4d8072640be1727c5/analysis/1533689532/", "category": "External analysis", "uuid": "05f75ddc-2a93-4453-a9af-d3d9e6b8139a" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/67", "category": "Other", "uuid": "551d7e5c-1f9b-4c34-85f6-8bd7bc16df9c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", 
"spec_version": "2.1", "id": "x-misp-object--6c1f2aee-af3d-4af0-a272-8aef0d5da562", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:47.000Z", "modified": "2018-08-14T12:36:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-03T00:10:07", "category": "Other", "uuid": "deffbcff-7552-4ba9-a3de-2c2d42dd124e" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e94284e487e59b53efab9d4584fca766883b916118c9a8ff59514087555e9a8e/analysis/1533255007/", "category": "External analysis", "uuid": "903ad04e-95ce-4294-a54d-619a30d55c09" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/67", "category": "Other", "uuid": "451dbe9e-271c-4fd7-9f0e-fd0f5312e2c7" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4c58e35e-3b4a-4afb-9a3d-19b650bc2f6e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:48.000Z", "modified": "2018-08-14T12:36:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-08T00:51:25", "category": "Other", "uuid": "54d361e2-c296-49da-a4be-a50848f24982" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/50a28a8ebc68b6c608a073278fbb4255912bf41fd0970192d439097af4670f81/analysis/1533689485/", "category": "External analysis", "uuid": "c2563df5-adf7-421b-87c9-cfdd9a5cd842" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/67", "category": "Other", "uuid": "c45c27d0-e143-4d53-b466-6baf239f345d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": 
"x-misp-object", "spec_version": "2.1", "id": "x-misp-object--bf7d4471-6524-4cdd-821d-63b550a8d3c7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:49.000Z", "modified": "2018-08-14T12:36:49.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-08T00:32:51", "category": "Other", "uuid": "60642d41-e70f-4883-a8de-19c025106808" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/02bf5fdb11eee6ede01cc061206fe98f60a6b5c90ffead31e8f0a87ccfa414ef/analysis/1533688371/", "category": "External analysis", "uuid": "f19c2bd6-eb00-43ee-9aa5-9b9986ecce34" }, { "type": "text", "object_relation": "detection-ratio", "value": "40/60", "category": "Other", "uuid": "60267fd9-e404-424b-8019-da9bc7560f51" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--b5a9119a-4fae-4d63-8679-c0fcbe967f1c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:50.000Z", "modified": "2018-08-14T12:36:50.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:53:51", "category": "Other", "uuid": "aa3de294-1dc1-41bd-b1f4-370ca5bf2fd6" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d0d02f811f7c07301e91536f2e1d908c1e67e68d89afbd2bc5bfa2cc747e67ec/analysis/1530788031/", "category": "External analysis", "uuid": "7f22d474-a70c-470a-9ac9-c8631ca9848f" }, { "type": "text", "object_relation": "detection-ratio", "value": "28/66", "category": "Other", "uuid": "39546021-dba9-455b-bc52-7c06b92d3707" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { 
"type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3ed9a824-86f6-44c8-addb-00ba19e4b915", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:36:51.000Z", "modified": "2018-08-14T12:36:51.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-05T10:54:11", "category": "Other", "uuid": "03c95ebb-bf6d-424e-8f1d-bdd3efeaab83" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/293d5d84b2d4c4398e9e420c16c04dddf62132cd59cf7519109c6718c288adf3/analysis/1530788051/", "category": "External analysis", "uuid": "6630d978-a6e1-4ea1-be98-527448caba04" }, { "type": "text", "object_relation": "detection-ratio", "value": "43/67", "category": "Other", "uuid": "8484bea3-c438-41ff-a461-458d1b85d880" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b605736-14d8-416e-beb0-4c30950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T12:33:58.000Z", "modified": "2018-07-31T12:33:58.000Z", "pattern": "[file:extensions.'windows-pebinary-ext'.imphash = '3697a1f9150de181026ce089c10657c3' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'wordx86.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2017-06-11T06:40:50']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-31T12:33:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b605b02-8624-40ab-99a1-4f5c950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-31T12:50:10.000Z", "modified": "2018-07-31T12:50:10.000Z", "pattern": "[file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'audiox86.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2017-06-11T06:40:50']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-31T12:50:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6165b7-2d18-4189-bffe-4096950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T09:44:51.000Z", "modified": "2018-08-01T09:44:51.000Z", "description": "PE32 executable (DLL) (console) Intel 80386, for MS Windows", "pattern": "[file:extensions.'windows-pebinary-ext'.imphash = 'bc902a5e56cbbaa82f4af26cf9f4567e' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'nethelpx86.dll' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'Client.dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2017-06-11T03:18:30']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T09:44:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b6182d4-67b8-4785-ba0e-4d23950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T09:52:20.000Z", "modified": "2018-08-01T09:52:20.000Z", "pattern": "[file:extensions.'windows-pebinary-ext'.imphash = 
'bc902a5e56cbbaa82f4af26cf9f4567e' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'nethelp.dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2017-06-11T03:18:30' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'Client.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T09:52:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b618916-06bc-4a4b-971e-49dc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T10:19:02.000Z", "modified": "2018-08-01T10:19:02.000Z", "pattern": "[file:extensions.'windows-pebinary-ext'.imphash = 'bc902a5e56cbbaa82f4af26cf9f4567e' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'audiox86.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2017-06-11T03:18:30' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'Client.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T10:19:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61a522-1fe8-431f-8471-4467950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T12:18:42.000Z", "modified": "2018-08-01T12:18:42.000Z", "description": "PE32+ executable (DLL) (console) x86-64, for MS Windows", "pattern": "[file:extensions.'windows-pebinary-ext'.imphash = '9098d75f516f191276ef1836aecc30d4' AND 
file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'nethelp.dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2017-07-06T02:14:08' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'Client.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T12:18:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b61bc26-8bb0-4860-8e09-4e88950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-01T13:56:54.000Z", "modified": "2018-08-01T13:56:54.000Z", "description": "PE32 executable (GUI) Intel 80386, for MS Windows", "pattern": "[file:extensions.'windows-pebinary-ext'.imphash = '17030637d18335c7267d09ec0ebc637c' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'winlogon.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2018-01-07T23:13:23']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-01T13:56:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b62cb45-8260-4632-b14e-4a07950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-02T09:13:41.000Z", "modified": "2018-08-02T09:13:41.000Z", "pattern": "[file:extensions.'windows-pebinary-ext'.imphash = 'f34d5f2d4577ed6d9ceec516c1f5a744' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 
'serverdo.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2018-03-06T01:16:01']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-02T09:13:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--baba825d-d192-4d41-b1ee-7d40256592a8", "created": "2018-07-31T14:57:38.000Z", "modified": "2018-07-31T14:57:38.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b605571-86c8-4306-806d-495f950d210f", "target_ref": "x-misp-object--af9cbff4-9e65-4a79-a1ec-e88133cdfb98" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c771b500-de0f-4d2e-b1d6-72c15f7b4108", "created": "2018-08-02T10:03:29.000Z", "modified": "2018-08-02T10:03:29.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b605571-86c8-4306-806d-495f950d210f", "target_ref": "x-misp-object--ab089f9c-349f-46f0-a2b2-ecfb3da24370" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d6977752-bd3c-4de0-a37b-0187d71da2d0", "created": "2018-08-07T12:42:17.000Z", "modified": "2018-08-07T12:42:17.000Z", "relationship_type": "derived-from", "source_ref": "indicator--5b605571-86c8-4306-806d-495f950d210f", "target_ref": "indicator--5b605736-14d8-416e-beb0-4c30950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8046270c-c3b2-4933-bd3b-3bd896573788", "created": "2018-08-14T12:36:52.000Z", "modified": "2018-08-14T12:36:52.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b605571-86c8-4306-806d-495f950d210f", "target_ref": "x-misp-object--6c1f2aee-af3d-4af0-a272-8aef0d5da562" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--063d48f2-3eef-4ca8-afb8-1a19fd79890d", "created": "2018-08-02T10:03:29.000Z", "modified": 
"2018-08-02T10:03:29.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b6063f0-5f28-4309-9719-4bf1950d210f", "target_ref": "x-misp-object--c0793ff5-50a6-4817-8df9-8c28ab90f3d1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--54f1e06a-dc3c-4677-8a22-e72996dff1d1", "created": "2018-07-31T14:57:39.000Z", "modified": "2018-07-31T14:57:39.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--951dbf05-efee-46a0-b2aa-89e5c6d0c898", "target_ref": "x-misp-object--4d6cc362-fb2b-4576-919d-8d66294873be" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5ff765e5-7a04-4b3e-b84c-bee7398a3e66", "created": "2018-08-02T10:03:29.000Z", "modified": "2018-08-02T10:03:29.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61631b-a13c-4dc0-b949-4342950d210f", "target_ref": "x-misp-object--2e9f7a81-d071-4fa8-bb22-eae520f03d51" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--52f79848-7df3-4395-839a-1b45365713fb", "created": "2018-08-14T12:36:52.000Z", "modified": "2018-08-14T12:36:52.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61631b-a13c-4dc0-b949-4342950d210f", "target_ref": "x-misp-object--3ed9a824-86f6-44c8-addb-00ba19e4b915" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8a43f156-b359-4a64-987c-fc0d961813fc", "created": "2018-08-14T12:36:52.000Z", "modified": "2018-08-14T12:36:52.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b619c3f-9644-4d94-a4ac-4d40950d210f", "target_ref": "x-misp-object--280dd6e1-9ba8-47a3-9b6d-0249ed9e5c63" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--26d7869a-8869-4575-80cd-eaa1e55fdd42", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b619eb3-4dac-4efa-b562-43ab950d210f", "target_ref": 
"x-misp-object--8f903648-f534-497c-8096-7eba34dfcdd4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9268486c-8f7e-42a9-a579-4867244922f1", "created": "2018-08-02T10:03:30.000Z", "modified": "2018-08-02T10:03:30.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61a1be-f9ec-428a-aede-468e950d210f", "target_ref": "x-misp-object--90f35bd9-30a9-467b-9f6e-7ed7648b7119" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--33c559b6-63c8-4722-8a96-1dfeaba42a2e", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61a1be-f9ec-428a-aede-468e950d210f", "target_ref": "x-misp-object--b5a9119a-4fae-4d63-8679-c0fcbe967f1c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--27e90848-9303-4770-bb3b-b95c5a3d0f24", "created": "2018-08-02T10:03:30.000Z", "modified": "2018-08-02T10:03:30.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61b7e1-e898-4c28-af5b-4a86950d210f", "target_ref": "x-misp-object--db693d26-2826-4534-9718-84cf465571bc" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5dd07992-82eb-49c2-8522-10c3429e9d7f", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61b7e1-e898-4c28-af5b-4a86950d210f", "target_ref": "x-misp-object--bf7d4471-6524-4cdd-821d-63b550a8d3c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--af118c44-3335-4434-8424-659afc91e5ed", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61b964-b078-4a41-9a1e-48e3950d210f", "target_ref": "x-misp-object--7e3abe32-cfe8-485f-a22b-7e2989d16ffa" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eb0ea37a-74d9-4101-9f81-5de05728e755", "created": 
"2018-08-02T10:03:30.000Z", "modified": "2018-08-02T10:03:30.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61b972-4cb4-4556-8dc2-4bf3950d210f", "target_ref": "x-misp-object--bc18676c-a419-4493-882b-dbffc94fae97" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bdc49e5e-9a06-4388-bc2b-bdb5e7d5e502", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b61b972-4cb4-4556-8dc2-4bf3950d210f", "target_ref": "x-misp-object--4c58e35e-3b4a-4afb-9a3d-19b650bc2f6e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aa4684b5-4304-4a62-b407-dbf82a7956ff", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b62c621-9d58-40e1-9105-4272950d210f", "target_ref": "x-misp-object--5c696617-e214-4531-a91a-45aee2b893ed" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--57f8067c-727d-4273-9147-935187c7deb6", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b62c650-8358-49b9-9064-4ce8950d210f", "target_ref": "x-misp-object--e0407f5c-72da-4b58-8ae9-627189b8808d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2bf92a41-c1c9-4fc7-b55c-986e03003d81", "created": "2018-08-02T10:03:30.000Z", "modified": "2018-08-02T10:03:30.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b62cb24-ebc0-4131-aa65-425b950d210f", "target_ref": "x-misp-object--4c400be1-7bc4-4c3e-ad25-0c0056e9a6da" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1232b34d-f8b9-4bc9-a4bf-90cf49877d73", "created": "2018-08-02T10:03:30.000Z", "modified": "2018-08-02T10:03:30.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b271dc1a-8e79-4c41-8fc0-9bbd1009a7e0", "target_ref": 
"x-misp-object--a51ea5b5-2181-4905-bda3-b2b1698c7c27" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--572af3eb-618c-4db0-a967-cb1fa6ce5f19", "created": "2018-08-02T10:03:30.000Z", "modified": "2018-08-02T10:03:30.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d2ec20b7-d689-47e6-9228-01a281f3ad02", "target_ref": "x-misp-object--100f1a8d-1bc3-4000-92fe-bce0b793b222" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a0041b0a-37ee-4173-8d1b-58f47f62d4d5", "created": "2018-08-02T10:03:30.000Z", "modified": "2018-08-02T10:03:30.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5510fbf8-41c8-4a11-bcf0-42aa4303742e", "target_ref": "x-misp-object--578b25b7-97b8-4d39-8537-323e64ffc399" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--db1216de-eda3-4962-a1b2-ad8b0bb4d28e", "created": "2018-08-02T10:03:30.000Z", "modified": "2018-08-02T10:03:30.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--db3a215c-d9b8-4d91-952a-af20cfe86d4a", "target_ref": "x-misp-object--bbd7ab64-ac5f-4bf7-ad0c-7345423bcfa6" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--03cb466b-645f-4577-8a7b-a6787354520e", "created": "2018-08-02T10:03:31.000Z", "modified": "2018-08-02T10:03:31.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--3ec440df-26e1-4883-94d8-cf5a44d48bbd", "target_ref": "x-misp-object--c4f40e78-f5a3-449f-b8e0-bcb250e3da27" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--478779d8-189b-44a9-bd17-e027ddad706a", "created": "2018-08-02T10:03:31.000Z", "modified": "2018-08-02T10:03:31.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--03b1be01-e7f1-41d2-bbeb-8c965ddd63d5", "target_ref": "x-misp-object--62a6d635-11fb-43df-b01e-c38b5a08489f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8b1a9efe-b4eb-491d-8b09-869d87673cab", "created": 
"2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b67fc1a-9a38-404f-adcb-4b3a950d210f", "target_ref": "x-misp-object--589e9254-4f90-490a-bc8c-fdea36be01b3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--94bd2ac9-2838-4743-ab20-f415cf7d1d58", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b67fc62-4c2c-4fd6-b2a3-410e950d210f", "target_ref": "x-misp-object--8b4dbb0e-58a1-4630-be3d-83e95966a6cf" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a66a9261-8e8f-42c5-b4be-e44ddc94b6c1", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5b6957dc-9424-494b-964a-49ed950d210f", "target_ref": "x-misp-object--71e73500-e019-4027-8696-5f48e8e0fd38" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0bd05015-6ae9-433b-83d2-ac15d768d08e", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b0e324d4-65be-418a-a8f8-735564d00606", "target_ref": "x-misp-object--a9c8e203-1200-4950-8f13-6732275ea6ad" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d4b039c4-2fca-4ca7-8057-85e326c9de3d", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--6321945e-cf4b-4c2b-947f-c7d5cf1d6bb8", "target_ref": "x-misp-object--21992a3f-2d25-4b0d-847d-154ab2829796" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--be5e3385-a845-4e45-b078-119a52a00cff", "created": "2018-08-14T12:36:53.000Z", "modified": "2018-08-14T12:36:53.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d9a8f64e-5cb6-4a6a-8db2-f3f6beee6f8f", "target_ref": 
"x-misp-object--7771644b-6de2-4a18-bc5f-c30dad0bd508" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--66e314f4-4281-4e22-a1a6-73e81bdbc9f8", "created": "2018-08-14T12:36:54.000Z", "modified": "2018-08-14T12:36:54.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--304084df-e41e-4456-88e4-353baeb7d839", "target_ref": "x-misp-object--40e4d320-c62e-4322-ae15-b20e3369832d" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }