{ "type": "bundle", "id": "bundle--56f8e7c3-74b4-4789-9e6a-6f2302de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:23:37.000Z", "modified": "2016-03-28T08:23:37.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56f8e7c3-74b4-4789-9e6a-6f2302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:23:37.000Z", "modified": "2016-03-28T08:23:37.000Z", "name": "OSINT - Malware Employs PowerShell to Infect Systems", "published": "2016-03-28T08:25:54Z", "object_refs": [ "observed-data--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81", "url--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81", "indicator--56f8e800-3adc-4174-9cc1-3f2d02de0b81", "indicator--56f8e800-e618-40e3-9da4-3f2d02de0b81", "indicator--56f8e83a-044c-4f04-b0c8-3f2c02de0b81", "indicator--56f8e83a-8ba4-426b-b457-3f2c02de0b81", "observed-data--56f8e83a-2f44-473f-b5a0-3f2c02de0b81", "url--56f8e83a-2f44-473f-b5a0-3f2c02de0b81", "indicator--56f8e83b-1a50-4f31-9c66-3f2c02de0b81", "indicator--56f8e83b-64fc-4a7e-acd1-3f2c02de0b81", "observed-data--56f8e83b-60fc-4d9f-9478-3f2c02de0b81", "url--56f8e83b-60fc-4d9f-9478-3f2c02de0b81", "indicator--56f8e933-1844-4f61-9380-3f2b02de0b81", "indicator--56f8e95a-ed68-4cae-bbfb-74ad02de0b81", "indicator--56f8e984-bddc-4161-a586-3f2a02de0b81", "indicator--56f8ea09-0720-4335-922e-74ad02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:14:32.000Z", "modified": "2016-03-28T08:14:32.000Z", "first_observed": "2016-03-28T08:14:32Z", "last_observed": "2016-03-28T08:14:32Z", "number_observed": 1, "object_refs": [ "url--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81", "value": "https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e800-3adc-4174-9cc1-3f2d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:14:56.000Z", "modified": "2016-03-28T08:14:56.000Z", "description": "Sample", "pattern": "[file:hashes.SHA1 = '846e9c0631139cfdcbf270f8bdc08cdd39e9a89d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:14:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e800-e618-40e3-9da4-3f2d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:14:56.000Z", "modified": "2016-03-28T08:14:56.000Z", "description": "Sample", "pattern": "[file:hashes.SHA1 = '6c41bf5ead73e98c56397c37114f2c5a46fd2640']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:14:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e83a-044c-4f04-b0c8-3f2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:15:54.000Z", "modified": "2016-03-28T08:15:54.000Z", "description": "Sample - Xchecked via VT: 846e9c0631139cfdcbf270f8bdc08cdd39e9a89d", "pattern": "[file:hashes.SHA256 = 'e50bd23ece199e4cee6fcf145fd17141ac10f2f1bfc8e4dd7806134896045614']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:15:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e83a-8ba4-426b-b457-3f2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:15:54.000Z", "modified": "2016-03-28T08:15:54.000Z", "description": "Sample - Xchecked via VT: 846e9c0631139cfdcbf270f8bdc08cdd39e9a89d", "pattern": "[file:hashes.MD5 = 'bbd877a68b3d4aa4117d829f03d164be']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:15:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f8e83a-2f44-473f-b5a0-3f2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:15:54.000Z", "modified": "2016-03-28T08:15:54.000Z", "first_observed": "2016-03-28T08:15:54Z", "last_observed": "2016-03-28T08:15:54Z", "number_observed": 1, "object_refs": [ "url--56f8e83a-2f44-473f-b5a0-3f2c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f8e83a-2f44-473f-b5a0-3f2c02de0b81", "value": "https://www.virustotal.com/file/e50bd23ece199e4cee6fcf145fd17141ac10f2f1bfc8e4dd7806134896045614/analysis/1458376259/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e83b-1a50-4f31-9c66-3f2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:15:55.000Z", "modified": "2016-03-28T08:15:55.000Z", "description": "Sample - Xchecked via VT: 6c41bf5ead73e98c56397c37114f2c5a46fd2640", "pattern": "[file:hashes.SHA256 = '77df37445d2a8951a876df6457f4ff869a6ee0f34a50ef472a30392673da5ec9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:15:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e83b-64fc-4a7e-acd1-3f2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:15:55.000Z", "modified": "2016-03-28T08:15:55.000Z", "description": "Sample - Xchecked via VT: 6c41bf5ead73e98c56397c37114f2c5a46fd2640", "pattern": "[file:hashes.MD5 = '7f58d7dddec4b72bab0fb27cd852593e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:15:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f8e83b-60fc-4d9f-9478-3f2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:15:55.000Z", "modified": "2016-03-28T08:15:55.000Z", "first_observed": "2016-03-28T08:15:55Z", "last_observed": "2016-03-28T08:15:55Z", "number_observed": 1, "object_refs": [ "url--56f8e83b-60fc-4d9f-9478-3f2c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f8e83b-60fc-4d9f-9478-3f2c02de0b81", "value": "https://www.virustotal.com/file/77df37445d2a8951a876df6457f4ff869a6ee0f34a50ef472a30392673da5ec9/analysis/1458289786/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e933-1844-4f61-9380-3f2b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:20:03.000Z", "modified": "2016-03-28T08:20:03.000Z", "description": "\" .lnk file downloading\"", "pattern": "[url:value = 'http://anonfile.xyz/f/7f58d7dddec4b72bab0fb27cd852593e.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:20:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e95a-ed68-4cae-bbfb-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:20:42.000Z", "modified": "2016-03-28T08:20:42.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.127.99.183']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:20:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8e984-bddc-4161-a586-3f2a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:21:24.000Z", "modified": "2016-03-28T08:21:24.000Z", "pattern": "[file:hashes.MD5 = '7f58d7dddec4b72bab0fb27cd852593e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:21:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f8ea09-0720-4335-922e-74ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-28T08:23:37.000Z", "modified": "2016-03-28T08:23:37.000Z", "pattern": "[file:hashes.SHA1 = '6c41bf5ead73e98c56397c37114f2c5a46fd2640']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-28T08:23:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }