{ "type": "bundle", "id": "bundle--552e76b6-3b44-410e-a0a9-4fec950d210b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T15:12:41.000Z", "modified": "2015-04-15T15:12:41.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--552e76b6-3b44-410e-a0a9-4fec950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T15:12:41.000Z", "modified": "2015-04-15T15:12:41.000Z", "name": "OSINT Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets by Palo Alto Unit42", "published": "2017-11-20T14:59:37Z", "object_refs": [ "observed-data--552e76cd-5a6c-4b3f-aec9-47d1950d210b", "url--552e76cd-5a6c-4b3f-aec9-47d1950d210b", "x-misp-attribute--552e76db-3ebc-4327-9550-494a950d210b", "observed-data--552e76fb-e018-49be-97dc-4cd9950d210b", "url--552e76fb-e018-49be-97dc-4cd9950d210b", "indicator--552e79a3-0ea4-4d0b-8d76-44b8950d210b", "indicator--552e79a3-0e0c-4f40-a40c-4b59950d210b", "indicator--552e79a3-3b78-4e06-bae5-4a96950d210b", "indicator--552e79a3-c120-47fa-83d8-450d950d210b", "indicator--552e7b3c-c450-426d-9943-4cce950d210b", "x-misp-attribute--552e7b51-39a0-48d3-ad1f-4a62950d210b", "indicator--552e7b5f-957c-4e45-8481-1539950d210b", "indicator--552e7b94-e1dc-4594-9221-4592950d210b", "indicator--552e7b94-2958-4692-a665-452f950d210b", "indicator--552e7b95-0a3c-4522-8850-4805950d210b", "indicator--552e7b95-f2cc-4a4e-8f4b-45c1950d210b", "indicator--552e7bb2-d774-42b7-94b6-47d6950d210b", "indicator--552e7bc6-5210-4bc3-9c59-4cf4950d210b", "indicator--552e7bdb-eb54-485d-aee5-1534950d210b", "indicator--552e7bfa-c7f8-4207-92dd-4cb1950d210b", "indicator--552e7c0d-8e70-4165-85a4-4fb8950d210b", "indicator--552e7c55-d884-4920-8b49-4843950d210b", "indicator--552e7c71-9a24-4abe-aef2-1534950d210b", "indicator--552e7c9e-207c-4efc-bf4a-403c950d210b", 
"indicator--552e7cae-34e8-4e05-9cee-4b50950d210b", "indicator--552e7cc6-2928-42c4-ab4a-468c950d210b", "indicator--552e7d5d-cdec-4afb-a0ae-484b950d210b", "indicator--552e7fe9-4294-4638-954e-2d3d950d210b", "indicator--56c65a7c-1364-4f10-a9c9-c652950d210f", "indicator--56c65a7e-ca60-48d9-a6a1-5f51950d210f", "indicator--56c65a80-01d8-42ca-b19d-599e950d210f", "indicator--56c65a7d-8344-42ac-8777-c651950d210f", "indicator--56c65a7f-25cc-4ced-b707-599f950d210f", "indicator--56c65a81-0c80-4738-8bfa-c650950d210f", "indicator--59b15050-20b4-4439-bab6-4cd5950d210f", "indicator--59b14f9f-34e0-4d67-a264-429c950d210f", "indicator--59b14f3d-6e74-4d60-bbf6-fc46950d210f", "indicator--59b14d83-618c-4a64-925a-43ad950d210f", "x-misp-attribute--59b15148-7220-4e76-a29d-4638950d210f", "indicator--59b151ae-6c70-461a-8aa1-430f950d210f", "x-misp-attribute--59b151eb-c048-4ae7-af03-4e28950d210f", "indicator--59b1521b-a8d4-4a9c-a26e-4fac950d210f", "x-misp-attribute--59b155bb-9a94-4af4-baba-4472950d210f", "x-misp-attribute--59b15546-37f4-4980-bd47-4976950d210f", "x-misp-attribute--59b1537d-79c4-456b-bec4-4f9b950d210f", "indicator--59b1530e-77e4-4484-9645-4972950d210f", "indicator--59b1529d-2ab0-429b-a8ae-45e8950d210f", "x-misp-attribute--59b15578-0c2c-445f-a3de-4d1a950d210f", "indicator--59b1529d-6e80-4824-991b-4be5950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "APT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--552e76cd-5a6c-4b3f-aec9-47d1950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:33:49.000Z", "modified": "2015-04-15T14:33:49.000Z", "first_observed": "2015-04-15T14:33:49Z", "last_observed": "2015-04-15T14:33:49Z", "number_observed": 1, "object_refs": [ "url--552e76cd-5a6c-4b3f-aec9-47d1950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] 
}, { "type": "url", "spec_version": "2.1", "id": "url--552e76cd-5a6c-4b3f-aec9-47d1950d210b", "value": "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--552e76db-3ebc-4327-9550-494a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:34:03.000Z", "modified": "2015-04-15T14:34:03.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "DragonOK" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--552e76fb-e018-49be-97dc-4cd9950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:34:35.000Z", "modified": "2015-04-15T14:34:35.000Z", "first_observed": "2015-04-15T14:34:35Z", "last_observed": "2015-04-15T14:34:35Z", "number_observed": 1, "object_refs": [ "url--552e76fb-e018-49be-97dc-4cd9950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--552e76fb-e018-49be-97dc-4cd9950d210b", "value": "https://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-entanglement.pdf" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e79a3-0ea4-4d0b-8d76-44b8950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:45:55.000Z", "modified": "2015-04-15T14:45:55.000Z", "pattern": "[url:value = '/news/STravel.asp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:45:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--552e79a3-0e0c-4f40-a40c-4b59950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:45:55.000Z", "modified": "2015-04-15T14:45:55.000Z", "pattern": "[url:value = '/news/SJobs.asp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:45:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e79a3-3b78-4e06-bae5-4a96950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:45:55.000Z", "modified": "2015-04-15T14:45:55.000Z", "pattern": "[url:value = '/news/SSports.asp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:45:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e79a3-c120-47fa-83d8-450d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:45:55.000Z", "modified": "2015-04-15T14:45:55.000Z", "pattern": "[url:value = '/news/SWeather.asp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:45:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7b3c-c450-426d-9943-4cce950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:52:44.000Z", "modified": "2015-04-15T14:52:44.000Z", "description": 
"Sysget/HelloBridge", "pattern": "[domain-name:value = 'biosnews.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:52:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--552e7b51-39a0-48d3-ad1f-4a62950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:53:48.000Z", "modified": "2015-04-15T14:53:48.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Attribution\"" ], "x_misp_category": "Attribution", "x_misp_comment": "Debug symbols Sysget/HelloBridge", "x_misp_type": "text", "x_misp_value": "D:\\Work\\1021WinInetGEnc1\\Release\\WinInetG.pdb" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7b5f-957c-4e45-8481-1539950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:53:34.000Z", "modified": "2015-04-15T14:53:34.000Z", "description": "Sysget/HelloBridge", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.229.234.160']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:53:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7b94-e1dc-4594-9221-4592950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:54:12.000Z", "modified": "2015-04-15T14:54:12.000Z", "description": "Sysget/HelloBridge", "pattern": "[file:hashes.SHA256 = '227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2015-04-15T14:54:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7b94-2958-4692-a665-452f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:54:12.000Z", "modified": "2015-04-15T14:54:12.000Z", "description": "Sysget/HelloBridge", "pattern": "[file:hashes.SHA256 = '35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:54:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7b95-0a3c-4522-8850-4805950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:54:12.000Z", "modified": "2015-04-15T14:54:12.000Z", "description": "Sysget/HelloBridge", "pattern": "[file:hashes.SHA256 = '0b97ced3fabb14dbffa641d9bd1cc9dd8c97eab9cb6160d43202ee078e017989']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:54:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7b95-f2cc-4a4e-8f4b-45c1950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:54:13.000Z", "modified": "2015-04-15T14:54:13.000Z", "description": "Sysget/HelloBridge", "pattern": "[file:hashes.SHA256 = '287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:54:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7bb2-d774-42b7-94b6-47d6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:54:42.000Z", "modified": "2015-04-15T14:54:42.000Z", "description": "PlugX", "pattern": "[file:hashes.SHA256 = '70ac649d31db748c4396a9a3f7a9c619c8d09e6400492ab3447520fb726083c4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:54:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7bc6-5210-4bc3-9c59-4cf4950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:55:02.000Z", "modified": "2015-04-15T14:55:02.000Z", "description": "PlugX", "pattern": "[domain-name:value = 'http.tourecord.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:55:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7bdb-eb54-485d-aee5-1534950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:58:08.000Z", "modified": "2015-04-15T14:58:08.000Z", "description": "PlugX & Poison Ivy & FirstFormerRAT", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.20.193.62']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:58:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7bfa-c7f8-4207-92dd-4cb1950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:55:54.000Z", "modified": "2015-04-15T14:55:54.000Z", "description": "PoisonIvy", "pattern": "[file:hashes.SHA256 = '6e95215a52e1cbf4a58cb24c91750151170ea3d59fa9dbfe566e33a2ffc04f4c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:55:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7c0d-8e70-4165-85a4-4fb8950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:56:13.000Z", "modified": "2015-04-15T14:56:13.000Z", "description": "Poison Ivy", "pattern": "[domain-name:value = 'bbs.reweblink.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:56:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7c55-d884-4920-8b49-4843950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:57:35.000Z", "modified": "2015-04-15T14:57:35.000Z", "description": "FirstFormerRAT", "pattern": "[file:name = 'RpcRtRemote.dll' AND file:hashes.SHA256 = 
'e68b70eaaf45fa43e726a29ce956f0e6ea26ece51165a1989e22597aebba244f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:57:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename|sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7c71-9a24-4abe-aef2-1534950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:57:53.000Z", "modified": "2015-04-15T14:57:53.000Z", "pattern": "[domain-name:value = 'https.reweblink.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:57:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7c9e-207c-4efc-bf4a-403c950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:58:38.000Z", "modified": "2015-04-15T14:58:38.000Z", "description": "Nflog", "pattern": "[file:hashes.SHA256 = '64cbcb1f5b8a9d98b3543e3bf342e8c799e0f74f582a5eb0dc383abac7692f63']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:58:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7cae-34e8-4e05-9cee-4b50950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:58:54.000Z", "modified": "2015-04-15T14:58:54.000Z", "description": "Nflog", "pattern": "[domain-name:value = 'new.hotpmsn.com']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2015-04-15T14:58:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7cc6-2928-42c4-ab4a-468c950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T14:59:18.000Z", "modified": "2015-04-15T14:59:18.000Z", "description": "Nflog", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '58.64.156.140']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T14:59:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7d5d-cdec-4afb-a0ae-484b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T15:01:49.000Z", "modified": "2015-04-15T15:01:49.000Z", "description": "NewCT", "pattern": "[domain-name:value = 'bbs.jpaols.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T15:01:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--552e7fe9-4294-4638-954e-2d3d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-04-15T15:12:41.000Z", "modified": "2015-04-15T15:12:41.000Z", "pattern": "[domain-name:value = 'jpaols.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-04-15T15:12:41Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65a7c-1364-4f10-a9c9-c652950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:57:48.000Z", "modified": "2016-02-18T23:57:48.000Z", "description": "Automatically added (via 227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968)", "pattern": "[file:hashes.MD5 = '5a656afcd99ffac80db0b256e150e69c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:57:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65a7e-ca60-48d9-a6a1-5f51950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:57:50.000Z", "modified": "2016-02-18T23:57:50.000Z", "description": "Automatically added (via 35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae)", "pattern": "[file:hashes.MD5 = 'da1d2288aab04a4f97d594d8dd2b8249']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:57:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65a80-01d8-42ca-b19d-599e950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:57:52.000Z", "modified": "2016-02-18T23:57:52.000Z", "description": "Automatically added (via 287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e)", "pattern": "[file:hashes.MD5 = 
'9d10cc1cb4a0fd8d94c02fc5d7ba8bd1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:57:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65a7d-8344-42ac-8777-c651950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:57:49.000Z", "modified": "2016-02-18T23:57:49.000Z", "description": "Automatically added (via 227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968)", "pattern": "[file:hashes.SHA1 = 'd698174f2bee6665edda571865d2d6ce4c9995df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:57:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65a7f-25cc-4ced-b707-599f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:57:51.000Z", "modified": "2016-02-18T23:57:51.000Z", "description": "Automatically added (via 35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae)", "pattern": "[file:hashes.SHA1 = '4f405b7d13748327d1d1737c0b050b104a39fba4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:57:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c65a81-0c80-4738-8bfa-c650950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:57:53.000Z", "modified": 
"2016-02-18T23:57:53.000Z", "description": "Automatically added (via 287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e)", "pattern": "[file:hashes.SHA1 = 'd2e1b0e27d0f134b4bab6bf9437067fdf6a16618']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:57:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59b15050-20b4-4439-bab6-4cd5950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T13:57:36.000Z", "modified": "2017-09-07T13:57:36.000Z", "description": "Sysget/HelloBridge HTTP GET request in response to a getinto command from the C2 server to download a file", "pattern": "[url:value = 'http://biosnews.info//index.php?fn=s3&file=']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-09-07T13:57:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59b14f9f-34e0-4d67-a264-429c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T13:54:39.000Z", "modified": "2017-09-07T13:54:39.000Z", "description": "Sysget/HelloBridge HTTP POST request in response to a file upload response received from the C2 server", "pattern": "[url:value = 'http://biosnews.info//index.php?fn=s2&item=']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-09-07T13:54:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--59b14f3d-6e74-4d60-bbf6-fc46950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T13:53:01.000Z", "modified": "2017-09-07T13:53:01.000Z", "description": "Sysget/HelloBridge Initial dropper HTTP GET request to C2 server", "pattern": "[url:value = 'http://biosnews.info/index.php?fn=s4&name=']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-09-07T13:53:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59b14d83-618c-4a64-925a-43ad950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T13:45:39.000Z", "modified": "2017-09-07T13:45:39.000Z", "description": "Sysget/HelloBridge configuration file", "pattern": "[file:name = '\\\\%temp\\\\%\\\\ibmCon6.tmp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-09-07T13:45:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59b15148-7220-4e76-a29d-4638950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:01:44.000Z", "modified": "2017-09-07T14:01:44.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ], "x_misp_category": "External analysis", "x_misp_comment": "PlugX - windows-service-displayname", "x_misp_type": "other", "x_misp_value": "RasTls" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59b151ae-6c70-461a-8aa1-430f950d210f", "created_by_ref": 
"identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:03:26.000Z", "modified": "2017-09-07T14:03:26.000Z", "description": "PlugX - persistence mechanism", "pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\RasTls' AND windows-registry-key:values.data = '\\\\%windir\\\\%\\\\system32\\\\svchost.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-09-07T14:03:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59b151eb-c048-4ae7-af03-4e28950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:04:27.000Z", "modified": "2017-09-07T14:04:27.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ], "x_misp_category": "External analysis", "x_misp_comment": "Sysget/HelloBridge - event object name", "x_misp_type": "other", "x_misp_value": "mcsong[]" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59b1521b-a8d4-4a9c-a26e-4fac950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:05:15.000Z", "modified": "2017-09-07T14:05:15.000Z", "description": "Sysget/HelloBridge - persistence mechanism", "pattern": "[windows-registry-key:key = 'HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run' AND windows-registry-key:values.data = '\\\\%temp\\\\%\\\\notilv.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-09-07T14:05:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": 
"x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59b155bb-9a94-4af4-baba-4472950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:20:43.000Z", "modified": "2017-09-07T14:20:43.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ], "x_misp_category": "External analysis", "x_misp_comment": "FormerFirstRAT - hostname|port", "x_misp_type": "other", "x_misp_value": "https.reweblink.com|443" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59b15546-37f4-4980-bd47-4976950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:18:46.000Z", "modified": "2017-09-07T14:18:46.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_comment": "FormerFirstRAT - AES-128 encryption key", "x_misp_type": "other", "x_misp_value": "tucwatkins" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59b1537d-79c4-456b-bec4-4f9b950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:11:09.000Z", "modified": "2017-09-07T14:11:09.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_comment": "NFlog - event object name", "x_misp_type": "other", "x_misp_value": "GoogleZCM" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59b1530e-77e4-4484-9645-4972950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:09:18.000Z", "modified": "2017-09-07T14:09:18.000Z", "description": "NFlog - persistence mechanism", "pattern": "[windows-registry-key:key = 'HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\update']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2017-09-07T14:09:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59b1529d-2ab0-429b-a8ae-45e8950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:07:25.000Z", "modified": "2017-09-07T14:07:25.000Z", "description": "FormerFirstRAT - persistence mechanism", "pattern": "[windows-registry-key:key = 'HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\WmdmPmSp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-09-07T14:07:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59b15578-0c2c-445f-a3de-4d1a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:19:36.000Z", "modified": "2017-09-07T14:19:36.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ], "x_misp_category": "External analysis", "x_misp_comment": "FormerFirstRAT - protocol|port for protocol anomaly detection", "x_misp_type": "other", "x_misp_value": "HTTP|443" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59b1529d-6e80-4824-991b-4be5950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-09-07T14:07:25.000Z", "modified": "2017-09-07T14:07:25.000Z", "description": "FormerFirstRAT - persistence mechanism", "pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\WmdmPmSp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2017-09-07T14:07:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }