{ "type": "bundle", "id": "bundle--582dd48e-66bc-40c1-ae49-6fe8d56c6cd2", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:12:02.000Z", "modified": "2020-04-28T10:12:02.000Z", "name": "CiviCERT", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--582dd48e-66bc-40c1-ae49-6fe8d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:12:02.000Z", "modified": "2020-04-28T10:12:02.000Z", "name": "It\u2019s Parliamentary: KeyBoy and the targeting of the Tibetan Community", "published": "2020-10-10T09:42:52Z", "object_refs": [ "observed-data--582dd725-1a84-4454-b86e-7007d56c6cd2", "file--582dd725-1a84-4454-b86e-7007d56c6cd2", "indicator--582dd740-b944-4070-9b70-0692d56c6cd2", "indicator--582dd74f-c72c-4221-bc3f-6fe8d56c6cd2", "indicator--582dd75d-7a3c-4990-883d-0696d56c6cd2", "indicator--582dd76d-b590-4d21-9ff6-7005d56c6cd2", "indicator--582dd77a-cda4-42a0-9b86-7008d56c6cd2", "indicator--582dd78b-1198-4b24-b6d3-7006d56c6cd2", "indicator--582dd79a-c36c-4329-952c-7007d56c6cd2", "observed-data--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2", "file--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2", "indicator--582dd7c2-7434-4d28-af67-7007d56c6cd2", "indicator--582dd7d3-3800-473b-b088-7006d56c6cd2", "indicator--582dd7e1-7bcc-4b5c-b6ef-6ff0d56c6cd2", "indicator--582dd7ed-ff54-4450-9f8a-7008d56c6cd2", "indicator--582dd7f9-5180-4a45-baff-7005d56c6cd2", "indicator--582dd80c-aa34-453f-9a06-6fe8d56c6cd2", "indicator--582dd817-deac-4afa-a4a9-0696d56c6cd2", "indicator--582dd82e-469c-4a22-8669-6ff1d56c6cd2", "indicator--582dd83b-0524-4fed-a9e3-700dd56c6cd2", "observed-data--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2", "url--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2", "indicator--582dd859-da30-4ad9-9118-7005d56c6cd2", "indicator--582dd873-7d5c-4433-9e36-6ff0d56c6cd2", "indicator--582dd873-ef48-4fe2-8f27-6ff0d56c6cd2", "indicator--582dd873-7f8c-4373-aa0d-6ff0d56c6cd2", "indicator--582dd890-d548-436f-bd0a-6ff2d56c6cd2", "indicator--582dd890-e77c-48ef-b609-6ff2d56c6cd2", "indicator--582dd891-0d3c-41a2-9385-6ff2d56c6cd2", "indicator--582dd891-0e90-4e82-bfba-6ff2d56c6cd2", "indicator--582dd8ab-850c-4a68-812b-7007d56c6cd2", "indicator--582dd8ac-097c-45be-8370-7007d56c6cd2", "indicator--582dd8c1-9ec0-4fa4-8d06-700fd56c6cd2", "indicator--582dd8ed-34cc-49c9-9ae4-700fd56c6cd2", "indicator--582dd904-3f68-4706-b596-0696d56c6cd2", "indicator--582dd918-13bc-44e9-9b8d-6ff2d56c6cd2", "indicator--582dd924-6350-4beb-bc4d-700dd56c6cd2", "indicator--582dd932-aac0-48ba-8235-7006d56c6cd2", "indicator--582dd940-4910-478c-a8f6-700ed56c6cd2", "indicator--582dd94c-9948-4f28-a0a8-6ff1d56c6cd2", "indicator--582dd958-b8e4-47e1-b3bd-6ff0d56c6cd2", "indicator--582dd965-41f0-4ca5-a4f6-700fd56c6cd2", "indicator--582dd971-87dc-4fa4-a22b-7007d56c6cd2", "indicator--582dd982-e0b0-4f79-bab1-0696d56c6cd2", "indicator--582dd992-c5ac-438a-8737-7005d56c6cd2", "vulnerability--582dd9ad-23d0-45dd-9bee-6ff2d56c6cd2", "vulnerability--582dd9ad-a8e4-4cd1-b839-6ff2d56c6cd2", "vulnerability--582dd9ad-8e60-429f-b92c-6ff2d56c6cd2", "indicator--582dd9be-541c-40c0-875a-700dd56c6cd2", "indicator--582dd9cd-5bf4-40a1-9f79-700ed56c6cd2", "x-misp-attribute--582dd9d6-8564-46ea-9b4e-700ed56c6cd2", "indicator--5832bd46-65f0-4dad-892b-426702de0b81", "observed-data--5832bd47-c064-429b-bb2f-467302de0b81", "url--5832bd47-c064-429b-bb2f-467302de0b81", "indicator--5832bd47-9600-41f5-896c-4e8b02de0b81", "observed-data--5832bd48-b104-49f7-ae8e-436e02de0b81", "url--5832bd48-b104-49f7-ae8e-436e02de0b81", "indicator--5832bd48-3de0-4688-8add-48f502de0b81", "observed-data--5832bd49-a008-4fd1-bc69-4cd102de0b81", "url--5832bd49-a008-4fd1-bc69-4cd102de0b81", "indicator--5832bd49-19b0-4338-af0d-47c402de0b81", "observed-data--5832bd4a-8608-4468-9038-447602de0b81", "url--5832bd4a-8608-4468-9038-447602de0b81", "observed-data--5832bd4a-dd54-4a76-bf57-4b9c02de0b81", "file--5832bd4a-dd54-4a76-bf57-4b9c02de0b81", "observed-data--5832bd4b-25c4-4edb-8ab9-436502de0b81", "url--5832bd4b-25c4-4edb-8ab9-436502de0b81", "indicator--5832bd4c-0190-4a6f-9c4f-472202de0b81", "indicator--5832bd4c-d698-4f11-b5c9-476202de0b81", "observed-data--5832bd4d-e058-48a1-9e0a-483f02de0b81", "url--5832bd4d-e058-48a1-9e0a-483f02de0b81", "indicator--5832bd4d-c198-40bf-83ca-4c7002de0b81", "indicator--5832bd4e-dab8-4936-ac41-489e02de0b81", "observed-data--5832bd4e-88e0-452b-9d0b-47f602de0b81", "url--5832bd4e-88e0-452b-9d0b-47f602de0b81", "indicator--5832bd4f-f9d0-48f9-a3dc-4f2902de0b81", "indicator--5832bd4f-48d0-4d0b-9719-439d02de0b81", "observed-data--5832bd50-1ff0-44dd-b44d-401d02de0b81", "url--5832bd50-1ff0-44dd-b44d-401d02de0b81", "indicator--5832bd50-8af8-4d7a-bf57-4c1702de0b81", "indicator--5832bd51-76b0-4f37-860b-4b3802de0b81", "observed-data--5832bd51-1400-4733-9436-4f7902de0b81", "url--5832bd51-1400-4733-9436-4f7902de0b81", "indicator--5832bd52-5310-486b-876f-4b0e02de0b81", "indicator--5832bd52-2228-4453-b38e-41b102de0b81", "observed-data--5832bd53-a558-4ea4-957d-4e7202de0b81", "url--5832bd53-a558-4ea4-957d-4e7202de0b81", "indicator--5832bd53-d3f0-4c64-80cf-469402de0b81", "indicator--5832bd54-87e0-49a7-8971-480e02de0b81", "observed-data--5832bd54-0efc-4f4a-b342-4a8e02de0b81", "url--5832bd54-0efc-4f4a-b342-4a8e02de0b81", "indicator--5832bd55-6890-47d5-b97c-4a6402de0b81", "indicator--5832bd55-f334-44ed-81f9-401602de0b81", "observed-data--5832bd55-7e88-4e84-98fa-44ea02de0b81", "url--5832bd55-7e88-4e84-98fa-44ea02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:incident-classification=\"phishing\"", "osint:source-type=\"blog-post\"", "misp-galaxy:tool=\"KeyBoy\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--582dd725-1a84-4454-b86e-7007d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:13:25.000Z", "modified": "2016-11-17T16:13:25.000Z", "first_observed": "2016-11-17T16:13:25Z", "last_observed": "2016-11-17T16:13:25Z", "number_observed": 1, "object_refs": [ "file--582dd725-1a84-4454-b86e-7007d56c6cd2" ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--582dd725-1a84-4454-b86e-7007d56c6cd2", "hashes": { "MD5": "8f08609e4e0b3d26814b3073a42df415" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd740-b944-4070-9b70-0692d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:13:51.000Z", "modified": "2016-11-17T16:13:51.000Z", "description": "Wab32res.dll payload, KeyBoy 20160509", "pattern": "[file:hashes.MD5 = '495adb1b9777002ecfe22aaf52fcee93']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:13:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd74f-c72c-4221-bc3f-6fe8d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:14:07.000Z", "modified": "2016-11-17T16:14:07.000Z", "description": "Payload KeyBoy P_20150313", "pattern": "[file:hashes.MD5 = '0c7e55509e0b6d4277b3facf864af018']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:14:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd75d-7a3c-4990-883d-0696d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:14:21.000Z", "modified": "2016-11-17T16:14:21.000Z", "description": "Payload KeyBoy 20151108", "pattern": "[file:hashes.MD5 = '98977426d544bd145979f65f0322ae30']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:14:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd76d-b590-4d21-9ff6-7005d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:14:37.000Z", "modified": "2016-11-17T16:14:37.000Z", "description": "Payload KeyBoy 20151108", "pattern": "[file:hashes.MD5 = 'c5b5f01ba24d6c02636388809f44472e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:14:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd77a-cda4-42a0-9b86-7008d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:14:50.000Z", "modified": "2016-11-17T16:14:50.000Z", "description": "64b KeyBoy payload 20151108", "pattern": "[file:hashes.MD5 = '371bc132499f455f06fa80696db0df27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:14:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd78b-1198-4b24-b6d3-7006d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:12:02.000Z", "modified": "2020-04-28T10:12:02.000Z", "description": "wab32res.dll, agewkassif version", "pattern": "[file:hashes.MD5 = '087bffa8a570079948310dc9731c5709']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:12:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd79a-c36c-4329-952c-7007d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:15:22.000Z", "modified": "2016-11-17T16:15:22.000Z", "description": "Contains the Keyboy version", "pattern": "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Ver']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:15:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:15:47.000Z", "modified": "2016-11-17T16:15:47.000Z", "first_observed": "2016-11-17T16:15:47Z", "last_observed": "2016-11-17T16:15:47Z", "number_observed": 1, "object_refs": [ "file--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2", "hashes": { "SHA-256": "58105e9772f6befbc319c147a97faded4fbacf839947b34fe3695ae72771da5d" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd7c2-7434-4d28-af67-7007d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:16:02.000Z", "modified": "2016-11-17T16:16:02.000Z", "description": "Wab32res.dll payload, KeyBoy 20160509", "pattern": "[file:hashes.SHA256 = '9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:16:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd7d3-3800-473b-b088-7006d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:16:19.000Z", "modified": "2016-11-17T16:16:19.000Z", "description": "Wab32res.dll payload, KeyBoy agewkassif version", "pattern": "[file:hashes.SHA256 = '5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:16:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd7e1-7bcc-4b5c-b6ef-6ff0d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:16:33.000Z", "modified": "2016-11-17T16:16:33.000Z", "pattern": "[import \"pe\"\r\nrule new_keyboy_export\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the new 2016 sample's export\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\n\r\n\r\nfilesize < 200KB and\r\n\r\n\r\n//The malware family seems to share many exports\r\n//but this is the new kid on the block.\r\npe.exports(\"cfsUpdate\")\r\n}]", "pattern_type": "yara", "valid_from": "2016-11-17T16:16:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd7ed-ff54-4450-9f8a-7008d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:16:45.000Z", "modified": "2016-11-17T16:16:45.000Z", "pattern": "[rule new_keyboy_header_codes\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the 2016 sample's header codes\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n$s1 = \"*l*\" wide fullword\r\n$s2 = \"*a*\" wide fullword\r\n$s3 = \"*s*\" wide fullword\r\n$s4 = \"*d*\" wide fullword\r\n$s5 = \"*f*\" wide fullword\r\n$s6 = \"*g*\" wide fullword\r\n$s7 = \"*h*\" wide fullword\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\nall of them\r\n}]", "pattern_type": "yara", "valid_from": "2016-11-17T16:16:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd7f9-5180-4a45-baff-7005d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:16:57.000Z", "modified": "2016-11-17T16:16:57.000Z", "pattern": "[rule keyboy_commands\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the 2016 sample's sent and received commands\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n$s1 = \"Update\" wide fullword\r\n$s2 = \"UpdateAndRun\" wide fullword\r\n$s3 = \"Refresh\" wide fullword\r\n$s4 = \"OnLine\" wide fullword\r\n$s5 = \"Disconnect\" wide fullword\r\n$s6 = \"Pw_Error\" wide fullword\r\n$s7 = \"Pw_OK\" wide fullword\r\n$s8 = \"Sysinfo\" wide fullword\r\n$s9 = \"Download\" wide fullword\r\n$s10 = \"UploadFileOk\" wide fullword\r\n$s11 = \"RemoteRun\" wide fullword\r\n$s12 = \"FileManager\" wide fullword\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n6 of them\r\n}]", "pattern_type": "yara", "valid_from": "2016-11-17T16:16:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd80c-aa34-453f-9a06-6fe8d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:17:16.000Z", "modified": "2016-11-17T16:17:16.000Z", "pattern": "[rule keyboy_errors\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the sample's shell error2 log statements\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n//These strings are in ASCII pre-2015 and UNICODE in 2016\r\n$error = \"Error2\" ascii wide\r\n//2016 specific:\r\n$s1 = \"Can't find [%s]!Check the file name and try again!\" ascii wide\r\n$s2 = \"Open [%s] error! %d\" ascii wide\r\n$s3 = \"The Size of [%s] is zero!\" ascii wide\r\n$s4 = \"CreateThread DownloadFile[%s] Error!\" ascii wide\r\n$s5 = \"UploadFile [%s] Error:Connect Server Failed!\" ascii wide\r\n$s6 = \"Receive [%s] Error(Recved[%d] != Send[%d])!\" ascii wide\r\n$s7 = \"Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/s\" ascii wide\r\n$s8 = \"CreateThread UploadFile[%s] Error!\" ascii wide\r\n//Pre-2016:\r\n$s9 = \"Ready Download [%s] ok!\" ascii wide\r\n$s10 = \"Get ControlInfo from FileClient error!\" ascii wide\r\n$s11 = \"FileClient has a error!\" ascii wide\r\n$s12 = \"VirtualAlloc SendBuff Error(%d)\" ascii wide\r\n$s13 = \"ReadFile [%s] Error(%d)...\" ascii wide\r\n$s14 = \"ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error...\" ascii wide\r\n$s15 = \"CreateThread DownloadFile[%s] Error!\" ascii wide\r\n$s16 = \"RecvData MyRecv_Info Size Error!\" ascii wide\r\n$s17 = \"RecvData MyRecv_Info Tag Error!\" ascii wide\r\n$s18 = \"SendData szControlInfo_1 Error!\" ascii wide\r\n$s19 = \"SendData szControlInfo_3 Error!\" ascii wide\r\n$s20 = \"VirtualAlloc RecvBuff Error(%d)\" ascii wide\r\n$s21 = \"RecvData Error!\" ascii wide\r\n$s22 = \"WriteFile [%s} Error(%d)...\" ascii wide\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n$error and 3 of ($s*)\r\n}]", "pattern_type": "yara", "valid_from": "2016-11-17T16:17:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd817-deac-4afa-a4a9-0696d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:17:39.000Z", "modified": "2016-11-17T16:17:39.000Z", "pattern": "[rule keyboy_systeminfo\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the system information format before sending to C2\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n//These strings are ASCII pre-2015 and UNICODE in 2016\r\n$s1 = \"SystemVersion: %s\" ascii wide\r\n$s2 = \"Product ID: %s\" ascii wide\r\n$s3 = \"InstallPath: %s\" ascii wide\r\n$s4 = \"InstallTime: %d-%d-%d, %02d:%02d:%02d\" ascii wide\r\n$s5 = \"ResgisterGroup: %s\" ascii wide\r\n$s6 = \"RegisterUser: %s\" ascii wide\r\n$s7 = \"ComputerName: %s\" ascii wide\r\n$s8 = \"WindowsDirectory: %s\" ascii wide\r\n$s9 = \"System Directory: %s\" ascii wide\r\n$s10 = \"Number of Processors: %d\" ascii wide\r\n$s11 = \"CPU[%d]: %s: %sMHz\" ascii wide\r\n$s12 = \"RAM: %dMB Total, %dMB Free.\" ascii wide\r\n$s13 = \"DisplayMode: %d x %d, %dHz, %dbit\" ascii wide\r\n$s14 = \"Uptime: %d Days %02u:%02u:%02u\" ascii wide\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n7 of them\r\n}]", "pattern_type": "yara", "valid_from": "2016-11-17T16:17:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd82e-469c-4a22-8669-6ff1d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:57.000Z", "modified": "2020-04-28T10:11:57.000Z", "pattern": "[import \"pe\"\nrule keyboy_related_exports\n{\nmeta:\nauthor = \"Matt Brooks, @cmatthewbrooks\"\ndesc = \"Matches the new 2016 sample's export\"\ndate = \"2016-08-28\"\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\n\ncondition:\n//MZ header\nuint16(0) == 0x5A4D and\n\n//PE signature\nuint32(uint32(0x3C)) == 0x00004550 and\n\n\nfilesize < 200KB and\n\n\n//The malware family seems to share many exports\n//but this is the new kid on the block.\npe.exports(\"Embedding\") or\npe.exports(\"SSSS\") or\npe.exports(\"GetUP\")\n}]", "pattern_type": "yara", "valid_from": "2020-04-28T10:11:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd83b-0524-4fed-a9e3-700dd56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:18:03.000Z", "modified": "2016-11-17T16:18:03.000Z", "pattern": "[import \"pe\"\r\nrule keyboy_init_config_section\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the Init section where the config is stored\"\r\ndate = \"2016-08-28\"\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\n\r\n//Payloads are normally smaller but the new dropper we spotted\r\n//is a bit larger.\r\nfilesize < 300KB and\r\n\r\n//Observed virtual sizes of the .Init section vary but they've\r\n//always been 1024, 2048, or 4096 bytes.\r\nfor any i in (0..pe.number_of_sections - 1):\r\n(\r\npe.sections[i].name == \".Init\" and\r\npe.sections[i].virtual_size % 1024 == 0\r\n)\r\n}]", "pattern_type": "yara", "valid_from": "2016-11-17T16:18:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:25:25.000Z", "modified": "2016-11-17T16:25:25.000Z", "first_observed": "2016-11-17T16:25:25Z", "last_observed": "2016-11-17T16:25:25Z", "number_observed": 1, "object_refs": [ "url--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2", "value": "https://citizenlab.org/2016/11/parliament-keyboy/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd859-da30-4ad9-9118-7005d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:18:33.000Z", "modified": "2016-11-17T16:18:33.000Z", "description": "domain linked to one of the C2 IPs", "pattern": "[domain-name:value = 'tibetvoices.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:18:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd873-7d5c-4433-9e36-6ff0d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:18:58.000Z", "modified": "2016-11-17T16:18:58.000Z", "description": "C2 domains", "pattern": "[domain-name:value = 'www.about.jkub.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:18:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd873-ef48-4fe2-8f27-6ff0d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:18:59.000Z", "modified": "2016-11-17T16:18:59.000Z", "description": "C2 domains", "pattern": "[domain-name:value = 'www.eleven.mypop3.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:18:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd873-7f8c-4373-aa0d-6ff0d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:18:59.000Z", "modified": "2016-11-17T16:18:59.000Z", "description": "C2 domains", "pattern": "[domain-name:value = 'www.backus.myftp.name']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:18:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd890-d548-436f-bd0a-6ff2d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:19:28.000Z", "modified": "2016-11-17T16:19:28.000Z", "description": "C2 IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.125.12.147']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:19:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd890-e77c-48ef-b609-6ff2d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:19:28.000Z", "modified": "2016-11-17T16:19:28.000Z", "description": "C2 IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.40.102.233']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:19:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd891-0d3c-41a2-9385-6ff2d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:19:29.000Z", "modified": "2016-11-17T16:19:29.000Z", "description": "C2 IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '116.193.154.69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:19:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd891-0e90-4e82-bfba-6ff2d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:19:29.000Z", "modified": "2016-11-17T16:19:29.000Z", "description": "C2 IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.242.134.243']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:19:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd8ab-850c-4a68-812b-7007d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:19:55.000Z", "modified": "2016-11-17T16:19:55.000Z", "description": "IPs for C2 Host: www.about.jkub.com", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.32.47.148']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:19:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd8ac-097c-45be-8370-7007d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:19:56.000Z", "modified": "2016-11-17T16:19:56.000Z", "description": "IPs for C2 Host: www.about.jkub.com", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '157.7.84.81']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:19:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd8c1-9ec0-4fa4-8d06-700fd56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:20:17.000Z", "modified": "2016-11-17T16:20:17.000Z", "description": "IP behind C2 Host: www.backus.myftp[.]name", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.241.149.43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:20:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd8ed-34cc-49c9-9ae4-700fd56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:21:01.000Z", "modified": "2016-11-17T16:21:01.000Z", "description": "Other IP hosting tibetvoices.com", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '112.10.117.47']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:21:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd904-3f68-4706-b596-0696d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:21:24.000Z", "modified": "2016-11-17T16:21:24.000Z", "description": "Source of phishing emails", "pattern": "[email-message:from_ref.value = 'tibetanparliarnent@yahoo.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:21:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd918-13bc-44e9-9b8d-6ff2d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:08.000Z", "modified": "2020-04-28T10:11:08.000Z", "description": "theme of the conference.doc", "pattern": "[file:hashes.MD5 = '8307e444cad98b1b59568ad2eba5f201']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd924-6350-4beb-bc4d-700dd56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:06.000Z", "modified": "2020-04-28T10:11:06.000Z", "description": "Dw20.exe dropper", "pattern": "[file:hashes.MD5 = '0b4d45db323f68b465ae052d3a872068']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd932-aac0-48ba-8235-7006d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:33.000Z", "modified": "2020-04-28T10:11:33.000Z", "description": "Other similar doc", "pattern": "[file:hashes.MD5 = 'beadf21b923600554b0ce54df42e78f5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd940-4910-478c-a8f6-700ed56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:22:24.000Z", "modified": "2016-11-17T16:22:24.000Z", "description": "Dw20.exe dropper", "pattern": "[file:hashes.MD5 = '69df3d3df4d99bc6045d073d89c68697']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-17T16:22:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd94c-9948-4f28-a0a8-6ff1d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:17.000Z", "modified": "2020-04-28T10:11:17.000Z", "description": "Malicious doc with CVE-2014-4114 vulnerability", "pattern": "[file:hashes.MD5 = '05b5cf94f07fee666eb086c91182ad25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd958-b8e4-47e1-b3bd-6ff0d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:15.000Z", "modified": "2020-04-28T10:11:15.000Z", "description": "Doc exploiting CVE-2012-0158", "pattern": "[file:hashes.MD5 = '8846d109b457a2ee44ddbf54d1cf7944']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd965-41f0-4ca5-a4f6-700fd56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:22.000Z", "modified": "2020-04-28T10:11:22.000Z", "description": "Attached file urgent action larung gar buddhist academy.rtf (CVE-2015-1641)", "pattern": "[file:hashes.MD5 = '913b82ff8f090670fc6387e3a7bea12d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd971-87dc-4fa4-a22b-7007d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:25.000Z", "modified": "2020-04-28T10:11:25.000Z", "description": "dropper of 'agewkassif' version", "pattern": "[file:hashes.MD5 = '23d284245e53ae4fe05c517d807ffccf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd982-e0b0-4f79-bab1-0696d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:27.000Z", "modified": "2020-04-28T10:11:27.000Z", "description": "dw20.exe dropper", "pattern": "[file:hashes.SHA256 = '5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd992-c5ac-438a-8737-7005d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:31.000Z", "modified": "2020-04-28T10:11:31.000Z", "description": "dropper of 'agewkassif' sample", "pattern": "[file:hashes.SHA256 = '542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--582dd9ad-23d0-45dd-9bee-6ff2d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:24:13.000Z", "modified": "2016-11-17T16:24:13.000Z", "name": "CVE-2012-0158", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2012-0158" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--582dd9ad-a8e4-4cd1-b839-6ff2d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:24:13.000Z", "modified": "2016-11-17T16:24:13.000Z", "name": "CVE-2014-4114", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2014-4114" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--582dd9ad-8e60-429f-b92c-6ff2d56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:24:13.000Z", "modified": "2016-11-17T16:24:13.000Z", "name": "CVE-2015-1641", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2015-1641" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd9be-541c-40c0-875a-700dd56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:24:30.000Z", "modified": "2016-11-17T16:24:30.000Z", "pattern": "[rule CVE_2012_0158_KeyBoy {\r\nmeta:\r\nauthor = \"Etienne Maynier \"\r\ndescription = \"CVE-2012-0158 variant\"\r\nfile = \"8307e444cad98b1b59568ad2eba5f201\"\r\n\r\nstrings:\r\n$a = \"d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff09000600000000000000000000000100000001\" nocase // OLE header\r\n$b = \"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\" nocase // junk data\r\n$c = /5(\\{\\\\b0\\}|)[ ]*2006F00(\\{\\\\b0\\}|)[ ]*6F007(\\{\\\\b0\\}|)[ ]*400200045(\\{\\\\b0\\}|)[ ]*006(\\{\\\\b0\\}|)[ ]*E007(\\{\\\\b0\\}|)[ ]*400720079/ nocase\r\n$d = \"MSComctlLib.ListViewCtrl.2\"\r\n$e = \"ac38c874503c307405347aaaebf2ac2c31ebf6e8e3\" nocase //decoding shellcode\r\n\r\ncondition:\r\nall of them\r\n}]", "pattern_type": "yara", "valid_from": "2016-11-17T16:24:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--582dd9cd-5bf4-40a1-9f79-700ed56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-17T16:24:45.000Z", "modified": "2016-11-17T16:24:45.000Z", "pattern": "[rule keyboy_exploit_doc_meta{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the meta associated with these exploit docs\"\r\ndate = \"2016-09-30\"\r\n\r\nstrings:\r\n$role = \"{\\\\author Master}{\\\\operator Master}\"\r\n$creatim = \"{\\\\creatim\\\\yr2015\\\\mo10\\\\dy16\\\\hr11\\\\min37}\"\r\n$revtim = \"{\\\\revtim\\\\yr2015\\\\mo10\\\\dy16\\\\hr13\\\\min54}\"\r\n\r\ncondition:\r\nuint32be(0) == 0x7B5C7274 and\r\nfilesize < 1MB and\r\nall of them\r\n}]", "pattern_type": "yara", "valid_from": "2016-11-17T16:24:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--582dd9d6-8564-46ea-9b4e-700ed56c6cd2", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:10:55.000Z", "modified": "2020-04-28T10:10:55.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Payload type\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Payload type", "x_misp_type": "text", "x_misp_value": "KeyBoy" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd46-65f0-4dad-892b-426702de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:10:57.000Z", "modified": "2020-04-28T10:10:57.000Z", "description": "dropper of 'agewkassif' sample - Xchecked via VT: 542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf", "pattern": "[file:hashes.SHA1 = '3afd1071b8c05d743be976468f36663c22d57311']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:10:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd47-c064-429b-bb2f-467302de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:23.000Z", "modified": "2016-11-21T09:24:23.000Z", "first_observed": "2016-11-21T09:24:23Z", "last_observed": "2016-11-21T09:24:23Z", "number_observed": 1, "object_refs": [ "url--5832bd47-c064-429b-bb2f-467302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd47-c064-429b-bb2f-467302de0b81", "value": "https://www.virustotal.com/file/542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf/analysis/1479643747/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd47-9600-41f5-896c-4e8b02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:10:59.000Z", "modified": "2020-04-28T10:10:59.000Z", "description": "dw20.exe dropper - Xchecked via VT: 5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49", "pattern": "[file:hashes.SHA1 = 'c4611aff5e05ee92398b8700b878e016f4ff6113']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:10:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd48-b104-49f7-ae8e-436e02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:24.000Z", "modified": "2016-11-21T09:24:24.000Z", "first_observed": "2016-11-21T09:24:24Z", "last_observed": "2016-11-21T09:24:24Z", "number_observed": 1, "object_refs": [ "url--5832bd48-b104-49f7-ae8e-436e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd48-b104-49f7-ae8e-436e02de0b81", "value": "https://www.virustotal.com/file/5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49/analysis/1479643732/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd48-3de0-4688-8add-48f502de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:24.000Z", "modified": "2016-11-21T09:24:24.000Z", "description": "Wab32res.dll payload, KeyBoy agewkassif version - Xchecked via VT: 5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88", "pattern": "[file:hashes.SHA1 = 'c97b12039e324721130d58d127c4e6f356e3f6e8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd49-a008-4fd1-bc69-4cd102de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:25.000Z", "modified": "2016-11-21T09:24:25.000Z", "first_observed": "2016-11-21T09:24:25Z", "last_observed": "2016-11-21T09:24:25Z", "number_observed": 1, "object_refs": [ "url--5832bd49-a008-4fd1-bc69-4cd102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd49-a008-4fd1-bc69-4cd102de0b81", "value": "https://www.virustotal.com/file/5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88/analysis/1479643740/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd49-19b0-4338-af0d-47c402de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:25.000Z", "modified": "2016-11-21T09:24:25.000Z", "description": "Wab32res.dll payload, KeyBoy 20160509 - Xchecked via VT: 9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04", "pattern": "[file:hashes.SHA1 = '5bc42d475fa35e00e2584a4142c2767a4707019b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd4a-8608-4468-9038-447602de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:26.000Z", "modified": "2016-11-21T09:24:26.000Z", "first_observed": "2016-11-21T09:24:26Z", "last_observed": "2016-11-21T09:24:26Z", "number_observed": 1, "object_refs": [ "url--5832bd4a-8608-4468-9038-447602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd4a-8608-4468-9038-447602de0b81", "value": "https://www.virustotal.com/file/9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04/analysis/1479499742/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd4a-dd54-4a76-bf57-4b9c02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:26.000Z", "modified": "2016-11-21T09:24:26.000Z", "first_observed": "2016-11-21T09:24:26Z", "last_observed": "2016-11-21T09:24:26Z", "number_observed": 1, "object_refs": [ "file--5832bd4a-dd54-4a76-bf57-4b9c02de0b81" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5832bd4a-dd54-4a76-bf57-4b9c02de0b81", "hashes": { "SHA-1": "280dd67bbdfadaac0a4eb7a1c770387c216f3b8b" } }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd4b-25c4-4edb-8ab9-436502de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:27.000Z", "modified": "2016-11-21T09:24:27.000Z", "first_observed": "2016-11-21T09:24:27Z", "last_observed": "2016-11-21T09:24:27Z", "number_observed": 1, "object_refs": [ "url--5832bd4b-25c4-4edb-8ab9-436502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd4b-25c4-4edb-8ab9-436502de0b81", "value": "https://www.virustotal.com/file/58105e9772f6befbc319c147a97faded4fbacf839947b34fe3695ae72771da5d/analysis/1478876071/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd4c-0190-4a6f-9c4f-472202de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:42.000Z", "modified": "2020-04-28T10:11:42.000Z", "description": "Doc exploiting CVE-2012-0158 - Xchecked via VT: 8846d109b457a2ee44ddbf54d1cf7944", "pattern": "[file:hashes.SHA256 = 'ba442907f3218c8664bbecb47f915c4469340219e0f05af8f2d108d72659ff0f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd4c-d698-4f11-b5c9-476202de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:41.000Z", "modified": "2020-04-28T10:11:41.000Z", "description": "Doc exploiting CVE-2012-0158 - Xchecked via VT: 8846d109b457a2ee44ddbf54d1cf7944", "pattern": "[file:hashes.SHA1 = 'ba57bc840bc8fa5b7a235b2d2cff47af610aa14a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd4d-e058-48a1-9e0a-483f02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:29.000Z", "modified": "2016-11-21T09:24:29.000Z", "first_observed": "2016-11-21T09:24:29Z", "last_observed": "2016-11-21T09:24:29Z", "number_observed": 1, "object_refs": [ "url--5832bd4d-e058-48a1-9e0a-483f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd4d-e058-48a1-9e0a-483f02de0b81", "value": "https://www.virustotal.com/file/ba442907f3218c8664bbecb47f915c4469340219e0f05af8f2d108d72659ff0f/analysis/1479483627/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd4d-c198-40bf-83ca-4c7002de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:39.000Z", "modified": "2020-04-28T10:11:39.000Z", "description": "Malicious doc with CVE-2014-4114 vulnerability - Xchecked via VT: 05b5cf94f07fee666eb086c91182ad25", "pattern": "[file:hashes.SHA256 = '442e5d3d46330e814b4fdc5640b06732de69a08a574d92cd9a0df5eea62d88ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd4e-dab8-4936-ac41-489e02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:37.000Z", "modified": "2020-04-28T10:11:37.000Z", "description": "Malicious doc with CVE-2014-4114 vulnerability - Xchecked via VT: 05b5cf94f07fee666eb086c91182ad25", "pattern": "[file:hashes.SHA1 = '7631a0682a1a6423c95fd1b80263b8470717f0f8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd4e-88e0-452b-9d0b-47f602de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:30.000Z", "modified": "2016-11-21T09:24:30.000Z", "first_observed": "2016-11-21T09:24:30Z", "last_observed": "2016-11-21T09:24:30Z", "number_observed": 1, "object_refs": [ "url--5832bd4e-88e0-452b-9d0b-47f602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd4e-88e0-452b-9d0b-47f602de0b81", "value": "https://www.virustotal.com/file/442e5d3d46330e814b4fdc5640b06732de69a08a574d92cd9a0df5eea62d88ed/analysis/1479484054/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd4f-f9d0-48f9-a3dc-4f2902de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:44.000Z", "modified": "2020-04-28T10:11:44.000Z", "description": "Other similar doc - Xchecked via VT: beadf21b923600554b0ce54df42e78f5", "pattern": "[file:hashes.SHA256 = 'b1d1b8fa9c104309fe27b3405d3572ac44d8401efba4868f743d45ed797d444b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd4f-48d0-4d0b-9719-439d02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2020-04-28T10:11:45.000Z", "modified": "2020-04-28T10:11:45.000Z", "description": "Other similar doc - Xchecked via VT: beadf21b923600554b0ce54df42e78f5", "pattern": "[file:hashes.SHA1 = 'd2bf4b04d05f398b4101e91873e71d5b0e121aeb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-04-28T10:11:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd50-1ff0-44dd-b44d-401d02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:32.000Z", "modified": "2016-11-21T09:24:32.000Z", "first_observed": "2016-11-21T09:24:32Z", "last_observed": "2016-11-21T09:24:32Z", "number_observed": 1, "object_refs": [ "url--5832bd50-1ff0-44dd-b44d-401d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd50-1ff0-44dd-b44d-401d02de0b81", "value": "https://www.virustotal.com/file/b1d1b8fa9c104309fe27b3405d3572ac44d8401efba4868f743d45ed797d444b/analysis/1479485679/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd50-8af8-4d7a-bf57-4c1702de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:32.000Z", "modified": "2016-11-21T09:24:32.000Z", "description": "64b KeyBoy payload 20151108 - Xchecked via VT: 371bc132499f455f06fa80696db0df27", "pattern": "[file:hashes.SHA256 = '4c9bf4ffbd7047f46035f89e6f7f4c63b8597ac63097577d467c157e3aa7ab4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd51-76b0-4f37-860b-4b3802de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:33.000Z", "modified": "2016-11-21T09:24:33.000Z", "description": "64b KeyBoy payload 20151108 - Xchecked via VT: 371bc132499f455f06fa80696db0df27", "pattern": "[file:hashes.SHA1 = 'aec5001d91673d052e9a0793aea0ebaea1a96e3d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd51-1400-4733-9436-4f7902de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:33.000Z", "modified": "2016-11-21T09:24:33.000Z", "first_observed": "2016-11-21T09:24:33Z", "last_observed": "2016-11-21T09:24:33Z", "number_observed": 1, "object_refs": [ "url--5832bd51-1400-4733-9436-4f7902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd51-1400-4733-9436-4f7902de0b81", "value": "https://www.virustotal.com/file/4c9bf4ffbd7047f46035f89e6f7f4c63b8597ac63097577d467c157e3aa7ab4d/analysis/1479643752/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd52-5310-486b-876f-4b0e02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:34.000Z", "modified": "2016-11-21T09:24:34.000Z", "description": "Payload KeyBoy 20151108 - Xchecked via VT: c5b5f01ba24d6c02636388809f44472e", "pattern": "[file:hashes.SHA256 = 'e6fdcf64d7e7d59366ba23c68332167dfc569b6acc71a03498d4a925ce9c1e0a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd52-2228-4453-b38e-41b102de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:34.000Z", "modified": "2016-11-21T09:24:34.000Z", "description": "Payload KeyBoy 20151108 - Xchecked via VT: c5b5f01ba24d6c02636388809f44472e", "pattern": "[file:hashes.SHA1 = 'bbeacc746b6ddb61a3be7613bb155aa2b1ac422a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd53-a558-4ea4-957d-4e7202de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:35.000Z", "modified": "2016-11-21T09:24:35.000Z", "first_observed": "2016-11-21T09:24:35Z", "last_observed": "2016-11-21T09:24:35Z", "number_observed": 1, "object_refs": [ "url--5832bd53-a558-4ea4-957d-4e7202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd53-a558-4ea4-957d-4e7202de0b81", "value": "https://www.virustotal.com/file/e6fdcf64d7e7d59366ba23c68332167dfc569b6acc71a03498d4a925ce9c1e0a/analysis/1479481835/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd53-d3f0-4c64-80cf-469402de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:35.000Z", "modified": "2016-11-21T09:24:35.000Z", "description": "Payload KeyBoy 20151108 - Xchecked via VT: 98977426d544bd145979f65f0322ae30", "pattern": "[file:hashes.SHA256 = '082da7874d6c0bfbe8f2d954c8a47f25a90ef83bda89c8495101dc95986d7977']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd54-87e0-49a7-8971-480e02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:36.000Z", "modified": "2016-11-21T09:24:36.000Z", "description": "Payload KeyBoy 20151108 - Xchecked via VT: 98977426d544bd145979f65f0322ae30", "pattern": "[file:hashes.SHA1 = 'edad39839bd60bcc1426df9c68df7de169cd062f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd54-0efc-4f4a-b342-4a8e02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:36.000Z", "modified": "2016-11-21T09:24:36.000Z", "first_observed": "2016-11-21T09:24:36Z", "last_observed": "2016-11-21T09:24:36Z", "number_observed": 1, "object_refs": [ "url--5832bd54-0efc-4f4a-b342-4a8e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd54-0efc-4f4a-b342-4a8e02de0b81", "value": "https://www.virustotal.com/file/082da7874d6c0bfbe8f2d954c8a47f25a90ef83bda89c8495101dc95986d7977/analysis/1479643737/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd55-6890-47d5-b97c-4a6402de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:37.000Z", "modified": "2016-11-21T09:24:37.000Z", "description": "Payload KeyBoy P_20150313 - Xchecked via VT: 0c7e55509e0b6d4277b3facf864af018", "pattern": "[file:hashes.SHA256 = '5395f709ef1ca64c57be367f9795b66b5775b6e73f57089386a85925cc0ec596']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5832bd55-f334-44ed-81f9-401602de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:37.000Z", "modified": "2016-11-21T09:24:37.000Z", "description": "Payload KeyBoy P_20150313 - Xchecked via VT: 0c7e55509e0b6d4277b3facf864af018", "pattern": "[file:hashes.SHA1 = 'a3655df2811069ea7a818517c9e9f11561fce3e8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-21T09:24:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5832bd55-7e88-4e84-98fa-44ea02de0b81", "created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2", "created": "2016-11-21T09:24:37.000Z", "modified": "2016-11-21T09:24:37.000Z", "first_observed": "2016-11-21T09:24:37Z", "last_observed": "2016-11-21T09:24:37Z", "number_observed": 1, "object_refs": [ "url--5832bd55-7e88-4e84-98fa-44ea02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5832bd55-7e88-4e84-98fa-44ea02de0b81", "value": "https://www.virustotal.com/file/5395f709ef1ca64c57be367f9795b66b5775b6e73f57089386a85925cc0ec596/analysis/1431473021/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }