{ "type": "bundle", "id": "bundle--5a3cc84d-2434-4ae6-8d76-c328950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-16T03:00:22.000Z", "modified": "2018-01-16T03:00:22.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a3cc84d-2434-4ae6-8d76-c328950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-16T03:00:22.000Z", "modified": "2018-01-16T03:00:22.000Z", "name": "OSINT - Sednit espionage group now using custom exploit kit", "published": "2018-02-16T08:50:00Z", "object_refs": [ "observed-data--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f", "url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f", "indicator--5a5c62c4-5fa8-47a1-ac11-42d1950d210f", "indicator--5a5c62c4-d124-4726-be84-4da3950d210f", "x-misp-attribute--5a5c62d9-9f74-422c-8f34-4b01950d210f", "indicator--5a5c638d-0124-4863-9ec0-4887950d210f", "indicator--5a5c638e-8a7c-43e1-937f-4b3b950d210f", "indicator--5a5c638e-bf5c-4a8b-95a1-46b8950d210f", "indicator--5a5c638f-4cec-4f74-827a-4e65950d210f", "indicator--5a5c638f-4558-4ffb-84e6-4e5c950d210f", "indicator--5a5c638f-aad4-4cda-b677-420f950d210f", "indicator--5a5c6390-a4a4-408c-ad20-45a1950d210f", "indicator--5a5c6390-ffd0-4f5b-a8e9-4b66950d210f", "indicator--5a5c6391-5ec8-4f4d-9dd1-4195950d210f", "observed-data--5a5c64c3-16fc-4549-ba11-46fb950d210f", "mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f", "indicator--5a5c658d-553c-4781-b2b4-42e0950d210f", "indicator--5a5c658d-692c-41e7-bff7-4273950d210f", "indicator--5a5c658e-b0c0-4b6c-95b3-4a10950d210f", "indicator--5a5c65a4-a200-44f5-8df6-416f950d210f", "indicator--5a5c65a4-acbc-44bd-84eb-4716950d210f", "indicator--5a5c65ee-e860-4444-911d-4da6950d210f", "indicator--5a5c65ef-8130-414c-95a8-4513950d210f", "indicator--5a5c65ef-25c8-40c4-bcca-4adc950d210f", "indicator--5a5c65ef-9280-45a6-8a0d-40df950d210f", "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e", "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece", "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7", "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184", "relationship--3953fbd1-81dc-4f5c-8fee-7ed61f3e0ca9", "relationship--b8f9df2e-fb77-4281-b46d-1d9d282c8c76" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:exploit-kit=\"Sednit EK\"", "veris:actor:motive=\"Espionage\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:18.000Z", "modified": "2018-01-15T09:33:18.000Z", "first_observed": "2018-01-15T09:33:18Z", "last_observed": "2018-01-15T09:33:18Z", "number_observed": 1, "object_refs": [ "url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f", "value": "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c62c4-5fa8-47a1-ac11-42d1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:19.000Z", "modified": "2018-01-15T09:33:19.000Z", "pattern": "[url:value = 'http://defenceiq.us/2rfKZL_BGwEQ']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c62c4-d124-4726-be84-4da3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:19.000Z", "modified": "2018-01-15T09:33:19.000Z", "pattern": "[url:value = 'http://cntt.akcdndata.com/gpw?file=stat.js']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a5c62d9-9f74-422c-8f34-4b01950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:20.000Z", "modified": "2018-01-15T09:33:20.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "For at least five years the Sednit group has been relentlessly attacking various institutions, most notably in Eastern Europe. The group used several advanced pieces of malware for these targeted attacks, in particular the one we named Win32/Sednit, also known as Sofacy.\r\n\r\nWe recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group which has relied mostly on spear-phishing emails up until now.\r\n\r\nIn this blog, we will first examine on recent cases of spear-phishing emails using the CVE-2014-1761 Microsoft Word exploit. We will then focus on the exploit kit, which appears to still be in development and testing phase, and briefly describe the actual payload." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c638d-0124-4863-9ec0-4887950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:20.000Z", "modified": "2018-01-15T09:33:20.000Z", "description": "Military news", "pattern": "[domain-name:value = 'defenceiq.us']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c638e-8a7c-43e1-937f-4b3b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:20.000Z", "modified": "2018-01-15T09:33:20.000Z", "description": "Military news", "pattern": "[domain-name:value = 'defenceiq.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c638e-bf5c-4a8b-95a1-46b8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:20.000Z", "modified": "2018-01-15T09:33:20.000Z", "description": "Military news", "pattern": "[domain-name:value = 'armypress.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c638f-4cec-4f74-827a-4e65950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:21.000Z", "modified": "2018-01-15T09:33:21.000Z", "description": "Military news", "pattern": "[domain-name:value = 'armytime.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c638f-4558-4ffb-84e6-4e5c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:21.000Z", "modified": "2018-01-15T09:33:21.000Z", "description": "Foreign Affairs magazine", "pattern": "[domain-name:value = 'mfapress.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c638f-aad4-4cda-b677-420f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:22.000Z", "modified": "2018-01-15T09:33:22.000Z", "description": "Foreign Affairs magazine", "pattern": "[domain-name:value = 'foreignaffairs.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c6390-a4a4-408c-ad20-45a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:22.000Z", "modified": "2018-01-15T09:33:22.000Z", "description": "Foreign Affairs magazine", "pattern": "[domain-name:value = 'mfapress.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c6390-ffd0-4f5b-a8e9-4b66950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:22.000Z", "modified": "2018-01-15T09:33:22.000Z", "description": "CACI International, defense & cyber security contractor", "pattern": "[domain-name:value = 'caciltd.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c6391-5ec8-4f4d-9dd1-4195950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:23.000Z", "modified": "2018-01-15T09:33:23.000Z", "description": "CACI International, defense & cyber security contractor", "pattern": "[domain-name:value = 'caci.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a5c64c3-16fc-4549-ba11-46fb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:23.000Z", "modified": "2018-01-15T09:33:23.000Z", "first_observed": "2018-01-15T09:33:23Z", "last_observed": "2018-01-15T09:33:23Z", "number_observed": 1, "object_refs": [ "mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f" ], "labels": [ "misp:type=\"mutex\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "mutex", "spec_version": "2.1", "id": "mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f", "name": "XSQWERSystemCriticalSection_for_1232321" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c658d-553c-4781-b2b4-42e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:23.000Z", "modified": "2018-01-15T09:33:23.000Z", "pattern": "[domain-name:value = 'msonlinelive.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c658d-692c-41e7-bff7-4273950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:24.000Z", "modified": "2018-01-15T09:33:24.000Z", "pattern": "[domain-name:value = 'windows-updater.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c658e-b0c0-4b6c-95b3-4a10950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:24.000Z", "modified": "2018-01-15T09:33:24.000Z", "pattern": "[domain-name:value = 'azureon-line.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c65a4-a200-44f5-8df6-416f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:25.000Z", "modified": "2018-01-15T09:33:25.000Z", "pattern": "[file:name = 'edg6EF885E2.tmp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c65a4-acbc-44bd-84eb-4716950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:26.000Z", "modified": "2018-01-15T09:33:26.000Z", "pattern": "[file:name = 'edg6E85F98675.tmp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c65ee-e860-4444-911d-4da6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T08:27:26.000Z", "modified": "2018-01-15T08:27:26.000Z", "description": "Word exploit", "pattern": "[file:hashes.SHA1 = '86092636e7ffa22481ca89ac1b023c32c56b24cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T08:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c65ef-8130-414c-95a8-4513950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T08:27:27.000Z", "modified": "2018-01-15T08:27:27.000Z", "description": "Word exploit", "pattern": "[file:hashes.SHA1 = '12223f098ba3088379ec1dc59440c662752ddabd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T08:27:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c65ef-25c8-40c4-bcca-4adc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T08:27:27.000Z", "modified": "2018-01-15T08:27:27.000Z", "description": "Dropper", "pattern": "[file:hashes.SHA1 = 'd61ee0b0d4ed95f3300735c81740a21b8beef337']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T08:27:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c65ef-9280-45a6-8a0d-40df950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T08:27:27.000Z", "modified": "2018-01-15T08:27:27.000Z", "description": "Payload", "pattern": "[file:hashes.SHA1 = 'd0db619a7a160949528d46d20fc0151bf9775c32']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T08:27:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:29.000Z", "modified": "2018-01-15T09:33:29.000Z", "pattern": "[file:hashes.MD5 = 'df895e6479abf85c4c65d7d3a2451ddb' AND file:hashes.SHA1 = 'd61ee0b0d4ed95f3300735c81740a21b8beef337' AND file:hashes.SHA256 = '6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:28.000Z", "modified": "2018-01-15T09:33:28.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e/analysis/1515795459/", "category": "External analysis", "comment": "Dropper", "uuid": "5a5c7568-9fa0-46fb-b5e0-482d02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/68", "category": "Other", "comment": "Dropper", "uuid": "5a5c7568-b834-46be-af37-4b5f02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-01-12T22:17:39", "category": "Other", "comment": "Dropper", "uuid": "5a5c7568-8aec-4806-9c81-425c02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:32.000Z", "modified": "2018-01-15T09:33:32.000Z", "pattern": "[file:hashes.MD5 = 'ee64d3273f9b4d80020c24edcbbf961e' AND file:hashes.SHA1 = 'd0db619a7a160949528d46d20fc0151bf9775c32' AND file:hashes.SHA256 = 'e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:33:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:33:30.000Z", "modified": "2018-01-15T09:33:30.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81/analysis/1490591462/", "category": "External analysis", "comment": "Payload", "uuid": "5a5c756a-6948-4c29-89dc-443c02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "44/61", "category": "Other", "comment": "Payload", "uuid": "5a5c756a-63e8-4ebb-af6b-49f602de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-03-27T05:11:02", "category": "Other", "comment": "Payload", "uuid": "5a5c756b-c6a8-4d3b-9ab5-426302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3953fbd1-81dc-4f5c-8fee-7ed61f3e0ca9", "created": "2018-02-16T08:50:00.000Z", "modified": "2018-02-16T08:50:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e", "target_ref": "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b8f9df2e-fb77-4281-b46d-1d9d282c8c76", "created": "2018-02-16T08:50:00.000Z", "modified": "2018-02-16T08:50:00.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7", "target_ref": "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }