{ "type": "bundle", "id": "bundle--5717777b-a8b4-4876-b060-4339950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:24.000Z", "modified": "2016-04-20T13:37:24.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5717777b-a8b4-4876-b060-4339950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:24.000Z", "modified": "2016-04-20T13:37:24.000Z", "name": "OSINT - New Crypto-Ransomware JIGSAW Plays Nasty Games", "published": "2016-04-20T13:43:42Z", "object_refs": [ "observed-data--57177796-cd7c-4b46-a680-4827950d210f", "url--57177796-cd7c-4b46-a680-4827950d210f", "x-misp-attribute--571777ae-4f00-4231-8d8e-4796950d210f", "indicator--5717794f-427c-4971-94ca-47bf950d210f", "indicator--5717794f-0c2c-4338-87a6-4d0e950d210f", "indicator--57177950-ec94-43ac-a41e-4c54950d210f", "indicator--57177951-809c-4786-9ec1-4811950d210f", "indicator--57177951-d710-4bb8-a20d-4f46950d210f", "indicator--57177952-8580-4612-9c15-4335950d210f", "indicator--57177953-74fc-41bd-a542-4398950d210f", "indicator--57177953-5220-4571-8029-4538950d210f", "indicator--57177954-d174-401f-a3f4-4209950d210f", "observed-data--57177a3e-6b44-4c2d-b80d-49a4950d210f", "url--57177a3e-6b44-4c2d-b80d-49a4950d210f", "observed-data--57177a3f-2c24-44ec-88d4-4858950d210f", "domain-name--57177a3f-2c24-44ec-88d4-4858950d210f", "indicator--57178615-9754-4898-8b08-400802de0b81", "indicator--57178615-2894-45d4-9c9c-4fdd02de0b81", "observed-data--57178615-4ccc-4cb3-ba9f-4e5d02de0b81", "url--57178615-4ccc-4cb3-ba9f-4e5d02de0b81", "indicator--57178616-8334-49a1-894b-47b002de0b81", "indicator--57178616-2f48-49c5-b09f-43a102de0b81", "observed-data--57178616-c38c-41e1-8153-427302de0b81", "url--57178616-c38c-41e1-8153-427302de0b81", "indicator--57178617-f8f4-4418-9175-4c7802de0b81", "indicator--57178617-772c-419a-a05c-4ac202de0b81", "observed-data--57178617-7e78-4d57-b580-4ff702de0b81", "url--57178617-7e78-4d57-b580-4ff702de0b81", "indicator--57178618-2640-429a-9dfb-444602de0b81", "indicator--57178618-ec14-4daa-8a55-4db802de0b81", "observed-data--57178618-842c-4ff0-b9b4-4d3602de0b81", "url--57178618-842c-4ff0-b9b4-4d3602de0b81", "indicator--57178619-addc-4013-afec-4bb102de0b81", "indicator--57178619-42e0-4a5e-b2d3-472302de0b81", "observed-data--57178619-654c-44e2-9428-438c02de0b81", "url--57178619-654c-44e2-9428-438c02de0b81", "indicator--5717861a-8e9c-47e1-84c8-494702de0b81", "indicator--5717861a-3d08-457e-be9c-480c02de0b81", "observed-data--5717861a-3ab0-4f6d-8331-407602de0b81", "url--5717861a-3ab0-4f6d-8331-407602de0b81", "indicator--5717861b-7674-4714-b055-4ecb02de0b81", "indicator--5717861b-f874-4e76-b5a2-40e702de0b81", "observed-data--5717861b-b2fc-4335-9464-418e02de0b81", "url--5717861b-b2fc-4335-9464-418e02de0b81", "indicator--5717861c-d81c-455a-97a2-477902de0b81", "indicator--5717861c-56f4-4465-ae03-4a2402de0b81", "observed-data--5717861c-20c0-438e-b295-489a02de0b81", "url--5717861c-20c0-438e-b295-489a02de0b81", "indicator--5717861c-d06c-475f-bb8f-47eb02de0b81", "indicator--5717861d-adf0-4e8c-8670-4d5202de0b81", "observed-data--5717861d-48a0-448a-a172-431402de0b81", "url--5717861d-48a0-448a-a172-431402de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "malware_classification:malware-category=\"Ransomware\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57177796-cd7c-4b46-a680-4827950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:35:34.000Z", "modified": "2016-04-20T12:35:34.000Z", "first_observed": "2016-04-20T12:35:34Z", "last_observed": "2016-04-20T12:35:34Z", "number_observed": 1, "object_refs": [ "url--57177796-cd7c-4b46-a680-4827950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57177796-cd7c-4b46-a680-4827950d210f", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/jigsaw-ransomware-plays-games-victims/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--571777ae-4f00-4231-8d8e-4796950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:35:58.000Z", "modified": "2016-04-20T12:35:58.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "The evolution of crypto-ransomware in terms of behavior takes a step forward, and a creepy one at that. We have recently encountered a nasty crypto-ransomware variant called JIGSAW. Reminiscent to the horror film Saw, this malware toys with users by locking and deleting their files incrementally. To an extent, it instills fear and pressures users into paying the ransom. It even comes with an image of Saw\u00e2\u20ac\u2122s very own Billy the puppet, and the red analog clock to boot.\r\n\r\nIt\u00e2\u20ac\u2122s no longer a surprise that crypto-ransomware is the prevalent threat in today\u00e2\u20ac\u2122s computing landscape, given its promise of quick ROI for the cybercriminals behind it. It\u00e2\u20ac\u2122s also not surprising that many have joined this bandwagon. These days, the name of the crypto-ransomware game is to add \u00e2\u20ac\u0153unique\u00e2\u20ac\u009d features or \u00e2\u20ac\u0153creative\u00e2\u20ac\u009d ways to instill fear and put more pressure to users to pay up, despite the fact that, when it comes to their technical routines, there\u00e2\u20ac\u2122s not much difference among these malware. JIGSAW joins notable families like PETYA and CERBER that have emerged in the past couple of months alone." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717794f-427c-4971-94ca-47bf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:42:55.000Z", "modified": "2016-04-20T12:42:55.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.A' AND file:hashes.SHA1 = '0c269c5a641fd479269c2f353841a5bf9910888b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:42:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717794f-0c2c-4338-87a6-4d0e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:42:55.000Z", "modified": "2016-04-20T12:42:55.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.A' AND file:hashes.SHA1 = 'dc307a673aa5eecb5c1400f1d342e03697564f98']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:42:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57177950-ec94-43ac-a41e-4c54950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:42:56.000Z", "modified": "2016-04-20T12:42:56.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.A' AND file:hashes.SHA1 = 'ce42e2c694ca4737ae68d3c9e333554c55afee27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:42:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57177951-809c-4786-9ec1-4811950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:42:57.000Z", "modified": "2016-04-20T12:42:57.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.B' AND file:hashes.SHA1 = '1ad9f8695c10adb69bdebd6bdc39b119707d500e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:42:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57177951-d710-4bb8-a20d-4f46950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:42:57.000Z", "modified": "2016-04-20T12:42:57.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.C' AND file:hashes.SHA1 = 'ca40233610d40258539da0212a06af29b07c13f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:42:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57177952-8580-4612-9c15-4335950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:42:58.000Z", "modified": "2016-04-20T12:42:58.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.C' AND file:hashes.SHA1 = 'f8431cf0a73e4ede5b4b38185d73d8472cfe2ae7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:42:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57177953-74fc-41bd-a542-4398950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:42:59.000Z", "modified": "2016-04-20T12:42:59.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.D' AND file:hashes.SHA1 = 'dce911b1c05da965c8733935723b88bc29d12756']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:42:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57177953-5220-4571-8029-4538950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:42:59.000Z", "modified": "2016-04-20T12:42:59.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.E' AND file:hashes.SHA1 = '3f6e3e5126c837f46a18ee988dbf5756c2b856aa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:42:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57177954-d174-401f-a3f4-4209950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:43:00.000Z", "modified": "2016-04-20T12:43:00.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = 'Ransom_JIGSAW.E' AND file:hashes.SHA1 = '92620194a581a91874a5284a775014e0d71a9db1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T12:43:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57177a3e-6b44-4c2d-b80d-49a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:46:54.000Z", "modified": "2016-04-20T12:46:54.000Z", "first_observed": "2016-04-20T12:46:54Z", "last_observed": "2016-04-20T12:46:54Z", "number_observed": 1, "object_refs": [ "url--57177a3e-6b44-4c2d-b80d-49a4950d210f" ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57177a3e-6b44-4c2d-b80d-49a4950d210f", "value": "http://waldorftrust.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57177a3f-2c24-44ec-88d4-4858950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T12:46:55.000Z", "modified": "2016-04-20T12:46:55.000Z", "first_observed": "2016-04-20T12:46:55Z", "last_observed": "2016-04-20T12:46:55Z", "number_observed": 1, "object_refs": [ "domain-name--57177a3f-2c24-44ec-88d4-4858950d210f" ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--57177a3f-2c24-44ec-88d4-4858950d210f", "value": "1fichier.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178615-9754-4898-8b08-400802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:25.000Z", "modified": "2016-04-20T13:37:25.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 92620194a581a91874a5284a775014e0d71a9db1", "pattern": "[file:hashes.SHA256 = '4cd26e0d543e7da413bff2d85a18d1fd18164059c68996049da570f9bdeb6c42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178615-2894-45d4-9c9c-4fdd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:25.000Z", "modified": "2016-04-20T13:37:25.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 92620194a581a91874a5284a775014e0d71a9db1", "pattern": "[file:hashes.MD5 = '473807de0d05cd6149060403ad01b658']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57178615-4ccc-4cb3-ba9f-4e5d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:25.000Z", "modified": "2016-04-20T13:37:25.000Z", "first_observed": "2016-04-20T13:37:25Z", "last_observed": "2016-04-20T13:37:25Z", "number_observed": 1, "object_refs": [ "url--57178615-4ccc-4cb3-ba9f-4e5d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178615-4ccc-4cb3-ba9f-4e5d02de0b81", "value": "https://www.virustotal.com/file/4cd26e0d543e7da413bff2d85a18d1fd18164059c68996049da570f9bdeb6c42/analysis/1461138833/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178616-8334-49a1-894b-47b002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:26.000Z", "modified": "2016-04-20T13:37:26.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 3f6e3e5126c837f46a18ee988dbf5756c2b856aa", "pattern": "[file:hashes.SHA256 = '773295583998b76b4e24b562f85fa685577067614133db4a7df3d2a28cb4cc3a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178616-2f48-49c5-b09f-43a102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:26.000Z", "modified": "2016-04-20T13:37:26.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 3f6e3e5126c837f46a18ee988dbf5756c2b856aa", "pattern": "[file:hashes.MD5 = '89d6fc6c1a51cef335f7ee2bc2aa60ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57178616-c38c-41e1-8153-427302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:26.000Z", "modified": "2016-04-20T13:37:26.000Z", "first_observed": "2016-04-20T13:37:26Z", "last_observed": "2016-04-20T13:37:26Z", "number_observed": 1, "object_refs": [ "url--57178616-c38c-41e1-8153-427302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178616-c38c-41e1-8153-427302de0b81", "value": "https://www.virustotal.com/file/773295583998b76b4e24b562f85fa685577067614133db4a7df3d2a28cb4cc3a/analysis/1461097304/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178617-f8f4-4418-9175-4c7802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:27.000Z", "modified": "2016-04-20T13:37:27.000Z", "description": "Imported via the freetext import. - Xchecked via VT: dce911b1c05da965c8733935723b88bc29d12756", "pattern": "[file:hashes.SHA256 = 'a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d6c710']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178617-772c-419a-a05c-4ac202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:27.000Z", "modified": "2016-04-20T13:37:27.000Z", "description": "Imported via the freetext import. - Xchecked via VT: dce911b1c05da965c8733935723b88bc29d12756", "pattern": "[file:hashes.MD5 = '3bee1d24189d4941f68b96da6e207be4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57178617-7e78-4d57-b580-4ff702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:27.000Z", "modified": "2016-04-20T13:37:27.000Z", "first_observed": "2016-04-20T13:37:27Z", "last_observed": "2016-04-20T13:37:27Z", "number_observed": 1, "object_refs": [ "url--57178617-7e78-4d57-b580-4ff702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178617-7e78-4d57-b580-4ff702de0b81", "value": "https://www.virustotal.com/file/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d6c710/analysis/1461135574/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178618-2640-429a-9dfb-444602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:28.000Z", "modified": "2016-04-20T13:37:28.000Z", "description": "Imported via the freetext import. - Xchecked via VT: f8431cf0a73e4ede5b4b38185d73d8472cfe2ae7", "pattern": "[file:hashes.SHA256 = '9580e6c4deba3bd46419a402b6309f77c2ed47ad62299c82ec8578400c2a3a64']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178618-ec14-4daa-8a55-4db802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:28.000Z", "modified": "2016-04-20T13:37:28.000Z", "description": "Imported via the freetext import. - Xchecked via VT: f8431cf0a73e4ede5b4b38185d73d8472cfe2ae7", "pattern": "[file:hashes.MD5 = '64e7c95aefe82efb39185321a6cdd5c4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57178618-842c-4ff0-b9b4-4d3602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:28.000Z", "modified": "2016-04-20T13:37:28.000Z", "first_observed": "2016-04-20T13:37:28Z", "last_observed": "2016-04-20T13:37:28Z", "number_observed": 1, "object_refs": [ "url--57178618-842c-4ff0-b9b4-4d3602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178618-842c-4ff0-b9b4-4d3602de0b81", "value": "https://www.virustotal.com/file/9580e6c4deba3bd46419a402b6309f77c2ed47ad62299c82ec8578400c2a3a64/analysis/1461138863/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178619-addc-4013-afec-4bb102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:29.000Z", "modified": "2016-04-20T13:37:29.000Z", "description": "Imported via the freetext import. - Xchecked via VT: ca40233610d40258539da0212a06af29b07c13f6", "pattern": "[file:hashes.SHA256 = 'd41b5d3d0c6c0e8e9c850eaedf84623f48ba8e72f3867e57b0d94ddaaca738ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57178619-42e0-4a5e-b2d3-472302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:29.000Z", "modified": "2016-04-20T13:37:29.000Z", "description": "Imported via the freetext import. - Xchecked via VT: ca40233610d40258539da0212a06af29b07c13f6", "pattern": "[file:hashes.MD5 = '4fe313da6d94379f996c31754df8eb30']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57178619-654c-44e2-9428-438c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:29.000Z", "modified": "2016-04-20T13:37:29.000Z", "first_observed": "2016-04-20T13:37:29Z", "last_observed": "2016-04-20T13:37:29Z", "number_observed": 1, "object_refs": [ "url--57178619-654c-44e2-9428-438c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57178619-654c-44e2-9428-438c02de0b81", "value": "https://www.virustotal.com/file/d41b5d3d0c6c0e8e9c850eaedf84623f48ba8e72f3867e57b0d94ddaaca738ee/analysis/1460698641/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717861a-8e9c-47e1-84c8-494702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:30.000Z", "modified": "2016-04-20T13:37:30.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 1ad9f8695c10adb69bdebd6bdc39b119707d500e", "pattern": "[file:hashes.SHA256 = '917809beb6566079dbb6b686107756d9eb3ff4543f6b41ef327cea7497118457']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717861a-3d08-457e-be9c-480c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:30.000Z", "modified": "2016-04-20T13:37:30.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 1ad9f8695c10adb69bdebd6bdc39b119707d500e", "pattern": "[file:hashes.MD5 = '6984a724843fb60130a965a9fc317f2d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5717861a-3ab0-4f6d-8331-407602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:30.000Z", "modified": "2016-04-20T13:37:30.000Z", "first_observed": "2016-04-20T13:37:30Z", "last_observed": "2016-04-20T13:37:30Z", "number_observed": 1, "object_refs": [ "url--5717861a-3ab0-4f6d-8331-407602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5717861a-3ab0-4f6d-8331-407602de0b81", "value": "https://www.virustotal.com/file/917809beb6566079dbb6b686107756d9eb3ff4543f6b41ef327cea7497118457/analysis/1461128493/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717861b-7674-4714-b055-4ecb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:31.000Z", "modified": "2016-04-20T13:37:31.000Z", "description": "Imported via the freetext import. - Xchecked via VT: ce42e2c694ca4737ae68d3c9e333554c55afee27", "pattern": "[file:hashes.SHA256 = '31823040d8ccb20eab0b8653d01af370a6537017e69ead69f6f7b73d6ef7ac14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717861b-f874-4e76-b5a2-40e702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:31.000Z", "modified": "2016-04-20T13:37:31.000Z", "description": "Imported via the freetext import. - Xchecked via VT: ce42e2c694ca4737ae68d3c9e333554c55afee27", "pattern": "[file:hashes.MD5 = '4c153eacdfa8807f1c8fd98e5267da4b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5717861b-b2fc-4335-9464-418e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:31.000Z", "modified": "2016-04-20T13:37:31.000Z", "first_observed": "2016-04-20T13:37:31Z", "last_observed": "2016-04-20T13:37:31Z", "number_observed": 1, "object_refs": [ "url--5717861b-b2fc-4335-9464-418e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5717861b-b2fc-4335-9464-418e02de0b81", "value": "https://www.virustotal.com/file/31823040d8ccb20eab0b8653d01af370a6537017e69ead69f6f7b73d6ef7ac14/analysis/1460584418/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717861c-d81c-455a-97a2-477902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:32.000Z", "modified": "2016-04-20T13:37:32.000Z", "description": "Imported via the freetext import. - Xchecked via VT: dc307a673aa5eecb5c1400f1d342e03697564f98", "pattern": "[file:hashes.SHA256 = '80a6681b00056a487bba1b66c046b798dfe18bf37aa30d8a4a1be968b9add997']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717861c-56f4-4465-ae03-4a2402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:32.000Z", "modified": "2016-04-20T13:37:32.000Z", "description": "Imported via the freetext import. - Xchecked via VT: dc307a673aa5eecb5c1400f1d342e03697564f98", "pattern": "[file:hashes.MD5 = '1e0812fbdaa20a2b9aaddf531daed935']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5717861c-20c0-438e-b295-489a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:32.000Z", "modified": "2016-04-20T13:37:32.000Z", "first_observed": "2016-04-20T13:37:32Z", "last_observed": "2016-04-20T13:37:32Z", "number_observed": 1, "object_refs": [ "url--5717861c-20c0-438e-b295-489a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5717861c-20c0-438e-b295-489a02de0b81", "value": "https://www.virustotal.com/file/80a6681b00056a487bba1b66c046b798dfe18bf37aa30d8a4a1be968b9add997/analysis/1461138898/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717861c-d06c-475f-bb8f-47eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:32.000Z", "modified": "2016-04-20T13:37:32.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 0c269c5a641fd479269c2f353841a5bf9910888b", "pattern": "[file:hashes.SHA256 = 'bc83ef30422eb7b0c8903d3b4f1d4258e25cf78e9357a30dac773f8d2c17aa28']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5717861d-adf0-4e8c-8670-4d5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:33.000Z", "modified": "2016-04-20T13:37:33.000Z", "description": "Imported via the freetext import. - Xchecked via VT: 0c269c5a641fd479269c2f353841a5bf9910888b", "pattern": "[file:hashes.MD5 = '5a9bd3d7f1534431a396a033d16ca496']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-20T13:37:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5717861d-48a0-448a-a172-431402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-20T13:37:33.000Z", "modified": "2016-04-20T13:37:33.000Z", "first_observed": "2016-04-20T13:37:33Z", "last_observed": "2016-04-20T13:37:33Z", "number_observed": 1, "object_refs": [ "url--5717861d-48a0-448a-a172-431402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5717861d-48a0-448a-a172-431402de0b81", "value": "https://www.virustotal.com/file/bc83ef30422eb7b0c8903d3b4f1d4258e25cf78e9357a30dac773f8d2c17aa28/analysis/1460698688/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }