{ "type": "bundle", "id": "bundle--5819948b-b170-4872-b8f6-5934950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:01.000Z", "modified": "2016-11-02T08:00:01.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5819948b-b170-4872-b8f6-5934950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:01.000Z", "modified": "2016-11-02T08:00:01.000Z", "name": "OSINT - Flying Dragon Eye: Uyghur Themed Threat Activity", "published": "2016-11-02T08:03:19Z", "object_refs": [ "x-misp-attribute--581994d6-aa60-461d-9870-5930950d210f", "observed-data--58199523-6178-43d6-8b1f-592e950d210f", "url--58199523-6178-43d6-8b1f-592e950d210f", "observed-data--58199523-0100-4667-81dc-592e950d210f", "url--58199523-0100-4667-81dc-592e950d210f", "observed-data--58199523-3db4-4c81-b411-592e950d210f", "url--58199523-3db4-4c81-b411-592e950d210f", "indicator--58199662-6d4c-4bf8-9d4e-69a2950d210f", "indicator--58199662-0a20-4530-8464-69a2950d210f", "indicator--58199662-4f08-47d8-aa1e-69a2950d210f", "indicator--58199663-b44c-4e29-b015-69a2950d210f", "indicator--58199663-f604-4123-b0c1-69a2950d210f", "indicator--58199663-3e64-4c5f-b2d9-69a2950d210f", "indicator--58199663-c4d8-41ac-812f-69a2950d210f", "indicator--58199664-74ac-4083-b6c9-69a2950d210f", "indicator--58199664-66a8-477a-8f98-69a2950d210f", "indicator--58199664-51f8-41dd-a14a-69a2950d210f", "indicator--58199664-95d0-4232-8769-69a2950d210f", "indicator--58199664-c480-4c4d-b02b-69a2950d210f", "indicator--58199665-68f4-440a-8c11-69a2950d210f", "indicator--58199665-e514-45d4-b192-69a2950d210f", "indicator--58199665-59c4-4e69-b920-69a2950d210f", "indicator--58199665-2eac-4570-aa90-69a2950d210f", "indicator--58199666-07a0-443d-84aa-69a2950d210f", "indicator--58199666-fec4-48b9-88d1-69a2950d210f", 
"indicator--5819969b-6a80-454a-86c3-7756950d210f", "indicator--58199710-c854-4314-a62c-5936950d210f", "indicator--58199711-6b68-4151-a624-5936950d210f", "indicator--58199793-682c-4562-8b4b-5930950d210f", "indicator--58199793-7cac-4fea-976e-5930950d210f", "indicator--581997bb-ace0-406a-9f0b-69b0950d210f", "indicator--581997bc-5918-45e0-9e31-69b0950d210f", "indicator--581999d8-b7bc-4e14-9b82-5931950d210f", "indicator--581999ff-a8a8-4c8c-b647-5932950d210f", "indicator--581999ff-ea9c-4ad2-8984-5932950d210f", "indicator--58199aae-5a18-4ced-86c8-69b0950d210f", "indicator--58199aae-14dc-4896-969c-69b0950d210f", "indicator--58199aae-c690-4324-b536-69b0950d210f", "indicator--58199aaf-1e80-4115-be88-69b0950d210f", "indicator--58199aaf-18e8-4d01-8825-69b0950d210f", "indicator--58199aaf-1df0-4c0d-8ce4-69b0950d210f", "indicator--58199aaf-1514-452d-b6ee-69b0950d210f", "indicator--58199ab0-3254-498e-b91c-69b0950d210f", "indicator--58199ab0-e800-497f-9335-69b0950d210f", "indicator--58199ab0-341c-4644-ae0c-69b0950d210f", "indicator--58199ab0-eab8-4ba6-9506-69b0950d210f", "indicator--58199ab1-0700-4e3e-88a2-69b0950d210f", "indicator--58199ab1-bb2c-4631-9ef1-69b0950d210f", "indicator--58199ac5-c9dc-4d15-bd66-5932950d210f", "indicator--58199b90-8720-459a-9cc4-69b0950d210f", "indicator--58199b90-a7c4-44fa-9165-69b0950d210f", "indicator--58199b90-87d0-4d4a-8edd-69b0950d210f", "indicator--58199b90-ad1c-4a4e-a85a-69b0950d210f", "indicator--58199b91-80b4-4ef5-b984-69b0950d210f", "indicator--58199b91-9930-4730-abd7-69b0950d210f", "indicator--58199b91-41ec-43b9-b895-69b0950d210f", "indicator--58199b91-8928-4177-8bc6-69b0950d210f", "indicator--58199b91-8910-4c5b-84d5-69b0950d210f", "indicator--58199b92-3990-40e3-99ae-69b0950d210f", "indicator--58199b92-5f60-4bc9-bc55-69b0950d210f", "indicator--58199b92-1da0-4cd8-aa4a-69b0950d210f", "indicator--58199b92-fa98-476a-b72c-69b0950d210f", "indicator--58199b93-fbd0-4a5f-bf4c-69b0950d210f", "indicator--58199b93-cc98-4b20-8bed-69b0950d210f", 
"indicator--58199d01-ddbc-4294-976e-593002de0b81", "indicator--58199d01-e758-4f49-8c30-593002de0b81", "observed-data--58199d01-d9a0-4d93-a953-593002de0b81", "url--58199d01-d9a0-4d93-a953-593002de0b81", "indicator--58199d02-52cc-4f23-903b-593002de0b81", "indicator--58199d02-16a8-4a5c-9879-593002de0b81", "observed-data--58199d02-d948-4059-8c23-593002de0b81", "url--58199d02-d948-4059-8c23-593002de0b81", "indicator--58199d03-955c-4de5-9ba9-593002de0b81", "indicator--58199d03-c30c-48a2-bc88-593002de0b81", "observed-data--58199d03-0da4-4b22-96c6-593002de0b81", "url--58199d03-0da4-4b22-96c6-593002de0b81", "indicator--58199d03-6b38-470f-aaf8-593002de0b81", "indicator--58199d04-ace4-4566-b96d-593002de0b81", "observed-data--58199d04-8f68-4815-b5fd-593002de0b81", "url--58199d04-8f68-4815-b5fd-593002de0b81", "indicator--58199d04-b1fc-4c68-973e-593002de0b81", "indicator--58199d04-22e4-42fc-a180-593002de0b81", "observed-data--58199d05-e6d4-46c7-809f-593002de0b81", "url--58199d05-e6d4-46c7-809f-593002de0b81", "indicator--58199d05-a17c-4c0b-8842-593002de0b81", "indicator--58199d05-3dec-4053-9bd8-593002de0b81", "observed-data--58199d05-a3d4-4ab0-8d16-593002de0b81", "url--58199d05-a3d4-4ab0-8d16-593002de0b81", "indicator--58199d06-8b1c-41bf-9739-593002de0b81", "indicator--58199d06-2f2c-40dc-b101-593002de0b81", "observed-data--58199d06-5488-450d-95a0-593002de0b81", "url--58199d06-5488-450d-95a0-593002de0b81", "indicator--58199d06-7d04-48bd-9241-593002de0b81", "indicator--58199d06-0020-414d-adda-593002de0b81", "observed-data--58199d07-c2c4-4782-9cd6-593002de0b81", "url--58199d07-c2c4-4782-9cd6-593002de0b81", "indicator--58199d07-78e4-4225-8b38-593002de0b81", "indicator--58199d07-36c0-4736-a131-593002de0b81", "observed-data--58199d07-898c-486b-8f12-593002de0b81", "url--58199d07-898c-486b-8f12-593002de0b81", "indicator--58199d07-b870-4c96-a744-593002de0b81", "indicator--58199d08-c570-45d7-a8ec-593002de0b81", "observed-data--58199d08-efcc-4637-9a08-593002de0b81", 
"url--58199d08-efcc-4637-9a08-593002de0b81", "indicator--58199d08-6324-4078-8911-593002de0b81", "indicator--58199d08-8cac-4304-afaf-593002de0b81", "observed-data--58199d09-9b1c-40a9-8c1b-593002de0b81", "url--58199d09-9b1c-40a9-8c1b-593002de0b81", "indicator--58199d09-cb20-4457-b416-593002de0b81", "observed-data--58199d09-e9f0-446e-85be-593002de0b81", "url--58199d09-e9f0-446e-85be-593002de0b81", "indicator--58199d09-2004-4f16-964d-593002de0b81", "observed-data--58199d0a-66e0-416c-9dcb-593002de0b81", "url--58199d0a-66e0-416c-9dcb-593002de0b81", "indicator--58199d0a-a2c4-4ab5-9e4d-593002de0b81", "observed-data--58199d0a-7e44-45e0-9fa5-593002de0b81", "url--58199d0a-7e44-45e0-9fa5-593002de0b81", "indicator--58199d0a-3c70-422f-ab84-593002de0b81", "observed-data--58199d0a-9d4c-4a30-b875-593002de0b81", "url--58199d0a-9d4c-4a30-b875-593002de0b81", "indicator--58199d0b-98f8-44bb-999b-593002de0b81", "observed-data--58199d0b-a2ac-4420-aa83-593002de0b81", "url--58199d0b-a2ac-4420-aa83-593002de0b81", "indicator--58199d0c-45cc-4ac6-816e-593002de0b81", "observed-data--58199d0c-6ec8-4d0b-a9cc-593002de0b81", "url--58199d0c-6ec8-4d0b-a9cc-593002de0b81", "indicator--58199d0d-41e0-4732-9124-593002de0b81", "observed-data--58199d0d-5df0-4539-9c22-593002de0b81", "url--58199d0d-5df0-4539-9c22-593002de0b81", "indicator--58199d0e-6504-460f-8263-593002de0b81", "observed-data--58199d0e-a3a0-4794-96ac-593002de0b81", "url--58199d0e-a3a0-4794-96ac-593002de0b81", "indicator--58199d0f-9834-4d37-9332-593002de0b81", "observed-data--58199d0f-7bbc-447e-8b45-593002de0b81", "url--58199d0f-7bbc-447e-8b45-593002de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "osint:source-type=\"technical-report\"", "misp-galaxy:tool=\"PlugX\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--581994d6-aa60-461d-9870-5930950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:25:10.000Z", "modified": "2016-11-02T07:25:10.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "This paper documents attempted exploitation activity aimed at Uyghur interests outside of China. Exploitation is being attempted via the usual tactic of spear phishing containing malicious attachments to targets. The exploit code attached used for dropping the malware is older \u2013 CVE-2012-0158 \u2013 and from our vantage point, we have no indication of successful or failed exploitation. Nonetheless, we can obtain targeting information and insight into tactics from the spearphish messages used by the threat actors. Successful exploitation typically results in malware calling back to one or more Uyghur themed domain names. The malware payloads observed to be associated with the Uyghur themed C2 domains so far consist of PlugX, Gh0st RAT, and Saker/Xbox, although there may be others that are yet to be discovered.\r\n\r\nIt is possible that additional targeting well beyond CVE-2012-0158 is at play, although in this case it appears that threat actors still thought they could obtain benefit from using a four-year-old vulnerability that has been widely associated with numerous cyber-espionage operations over the years. This may be due to the weakness of defensive posture among those targeted and an attempt at higher return on investment by using exploit code that might still be adequate considering the targets. 
Pivots on threat infrastructure suggest that the same or related threat actors have direct or indirect access to other types of exploit code such as the \u201cFour Element Sword\u201d builder and the numerous types of malware delivered with it (PlugX, 9002 RAT 3102 variant, T9000, Grabber, Gh0st RAT LURK0 variant and perhaps others), profiled in previous ASERT threat intelligence products." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199523-6178-43d6-8b1f-592e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:26:27.000Z", "modified": "2016-11-02T07:26:27.000Z", "first_observed": "2016-11-02T07:26:27Z", "last_observed": "2016-11-02T07:26:27Z", "number_observed": 1, "object_refs": [ "url--58199523-6178-43d6-8b1f-592e950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199523-6178-43d6-8b1f-592e950d210f", "value": "https://www.arbornetworks.com/blog/asert/flying-dragon-eye-uyghur-themed-threat-activity/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199523-0100-4667-81dc-592e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:26:27.000Z", "modified": "2016-11-02T07:26:27.000Z", "first_observed": "2016-11-02T07:26:27Z", "last_observed": "2016-11-02T07:26:27Z", "number_observed": 1, "object_refs": [ "url--58199523-0100-4667-81dc-592e950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199523-0100-4667-81dc-592e950d210f", "value": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/11/TLP-WHITE-Flying-Dragon-Eye-Uyghur-Themed-Threat-Activity.pdf" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199523-3db4-4c81-b411-592e950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:26:27.000Z", "modified": "2016-11-02T07:26:27.000Z", "first_observed": "2016-11-02T07:26:27Z", "last_observed": "2016-11-02T07:26:27Z", "number_observed": 1, "object_refs": [ "url--58199523-3db4-4c81-b411-592e950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199523-3db4-4c81-b411-592e950d210f", "value": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/09/FlyingDragonEye_IOC.csv" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199662-6d4c-4bf8-9d4e-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:46.000Z", "modified": "2016-11-02T07:31:46.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'www.turkistanuyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199662-0a20-4530-8464-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:46.000Z", "modified": "2016-11-02T07:31:46.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'www.yawropauyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199662-4f08-47d8-aa1e-69a2950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:46.000Z", "modified": "2016-11-02T07:31:46.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'www.whitewall.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199663-b44c-4e29-b015-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:47.000Z", "modified": "2016-11-02T07:31:47.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'dtsx.uygurinfo.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199663-f604-4123-b0c1-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:47.000Z", "modified": "2016-11-02T07:31:47.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'ks.uygurinfo.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199663-3e64-4c5f-b2d9-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:47.000Z", "modified": 
"2016-11-02T07:31:47.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'uygurinfo.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199663-c4d8-41ac-812f-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:47.000Z", "modified": "2016-11-02T07:31:47.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'tibettimes.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199664-74ac-4083-b6c9-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:48.000Z", "modified": "2016-11-02T07:31:48.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'www.amerikauyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199664-66a8-477a-8f98-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:48.000Z", "modified": "2016-11-02T07:31:48.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 
'www.japanuyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199664-51f8-41dd-a14a-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:48.000Z", "modified": "2016-11-02T07:31:48.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'www.hotansft.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199664-95d0-4232-8769-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:48.000Z", "modified": "2016-11-02T07:31:48.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'turkiyeuyghur.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199664-c480-4c4d-b02b-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:48.000Z", "modified": "2016-11-02T07:31:48.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'www.tibetimes.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2016-11-02T07:31:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199665-68f4-440a-8c11-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:49.000Z", "modified": "2016-11-02T07:31:49.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'freetibet.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199665-e514-45d4-b192-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:49.000Z", "modified": "2016-11-02T07:31:49.000Z", "description": "suspicious domain", "pattern": "[domain-name:value = 'russiauyghur.top']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199665-59c4-4e69-b920-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:49.000Z", "modified": "2016-11-02T07:31:49.000Z", "description": "suspicious IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.188.83.144']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:49Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199665-2eac-4570-aa90-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:49.000Z", "modified": "2016-11-02T07:31:49.000Z", "description": "suspicious IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.225.133']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199666-07a0-443d-84aa-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:50.000Z", "modified": "2016-11-02T07:31:50.000Z", "description": "suspicious IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.240.218']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:31:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199666-fec4-48b9-88d1-69a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:31:50.000Z", "modified": "2016-11-02T07:31:50.000Z", "description": "suspicious IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.240.195']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-11-02T07:31:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5819969b-6a80-454a-86c3-7756950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:32:43.000Z", "modified": "2016-11-02T07:32:43.000Z", "description": "suspicious email", "pattern": "[email-message:from_ref.value = '2732115454@qq.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:32:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199710-c854-4314-a62c-5936950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:34:40.000Z", "modified": "2016-11-02T07:34:40.000Z", "description": "PlugX malware", "pattern": "[file:hashes.MD5 = 'fa85f8a332ac26892a8ad6f21491404a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:34:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199711-6b68-4151-a624-5936950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:34:41.000Z", "modified": "2016-11-02T07:34:41.000Z", "description": "PlugX malware", "pattern": "[file:hashes.SHA256 = 'a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:34:41Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199793-682c-4562-8b4b-5930950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:36:51.000Z", "modified": "2016-11-02T07:36:51.000Z", "description": "Gh0stRAT LURK0", "pattern": "[file:hashes.SHA256 = 'b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:36:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199793-7cac-4fea-976e-5930950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:36:51.000Z", "modified": "2016-11-02T07:36:51.000Z", "description": "Gh0stRAT LURK0", "pattern": "[file:hashes.MD5 = '4edda0e2a8a415272f475f3af4d17dc1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:36:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581997bb-ace0-406a-9f0b-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:37:31.000Z", "modified": "2016-11-02T07:37:31.000Z", "description": "Saker/Xbox", "pattern": "[file:hashes.SHA256 = 'c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:37:31Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581997bc-5918-45e0-9e31-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:37:32.000Z", "modified": "2016-11-02T07:37:32.000Z", "description": "Saker/Xbox", "pattern": "[file:hashes.MD5 = '86088922528b4d0a5493046527b29822']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:37:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581999d8-b7bc-4e14-9b82-5931950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:46:32.000Z", "modified": "2016-11-02T07:46:32.000Z", "description": "IP before sinkholing - www.turkiyeuyghur.com - Saker/Xbox", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '210.209.118.87']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:46:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581999ff-a8a8-4c8c-b647-5932950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:47:11.000Z", "modified": "2016-11-02T07:47:11.000Z", "description": "Saker/Xbox", "pattern": "[file:hashes.SHA256 = '3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-11-02T07:47:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--581999ff-ea9c-4ad2-8984-5932950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:47:11.000Z", "modified": "2016-11-02T07:47:11.000Z", "description": "Saker/Xbox", "pattern": "[file:hashes.MD5 = 'e490174855b8548161613fd5d9955e7a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:47:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199aae-5a18-4ced-86c8-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:06.000Z", "modified": "2016-11-02T07:50:06.000Z", "description": "Mutex match", "pattern": "[file:hashes.SHA256 = 'f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199aae-14dc-4896-969c-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:06.000Z", "modified": "2016-11-02T07:50:06.000Z", "description": "Mutex match", "pattern": "[file:hashes.MD5 = 'e49e235b301a4316ef58753c093279f0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:06Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199aae-c690-4324-b536-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:06.000Z", "modified": "2016-11-02T07:50:06.000Z", "description": "Mutex match", "pattern": "[file:hashes.SHA256 = '97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199aaf-1e80-4115-be88-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:07.000Z", "modified": "2016-11-02T07:50:07.000Z", "description": "Mutex match", "pattern": "[file:hashes.MD5 = '0ea68dd9463626082bb96ad373bd84e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199aaf-18e8-4d01-8825-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:07.000Z", "modified": "2016-11-02T07:50:07.000Z", "description": "PEHash of Prior samples", "pattern": "[file:hashes.PEHASH = '59781db8be6bb162f5c8ee8cf950fe191417baa4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:07Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"pehash\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199aaf-1df0-4c0d-8ce4-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:07.000Z", "modified": "2016-11-02T07:50:07.000Z", "description": "Sample matching PEHash", "pattern": "[file:hashes.SHA256 = '444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199aaf-1514-452d-b6ee-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:07.000Z", "modified": "2016-11-02T07:50:07.000Z", "description": "Sample matching PEHash", "pattern": "[file:hashes.MD5 = '1a169a7e52879bad47e2834abfe50361']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199ab0-3254-498e-b91c-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:08.000Z", "modified": "2016-11-02T07:50:08.000Z", "description": "Sample matching PEHash", "pattern": "[file:hashes.SHA256 = 'ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:08Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199ab0-e800-497f-9335-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:08.000Z", "modified": "2016-11-02T07:50:08.000Z", "description": "Sample matching PEHash", "pattern": "[file:hashes.MD5 = '731a9761626e39bb84b34343bdae67b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199ab0-341c-4644-ae0c-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:08.000Z", "modified": "2016-11-02T07:50:08.000Z", "description": "Sample matching PEHash", "pattern": "[file:hashes.SHA256 = '62a033fc586c6220ee0c0ea8ff207ab038776455505fa2137e9591433ada26e1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199ab0-eab8-4ba6-9506-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:08.000Z", "modified": "2016-11-02T07:50:08.000Z", "description": "Sample matching PEHash", "pattern": "[file:hashes.MD5 = '1dc2e57dbf63051608cff83d8b88d352']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:08Z", "kill_chain_phases": 
[ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199ab1-0700-4e3e-88a2-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:09.000Z", "modified": "2016-11-02T07:50:09.000Z", "description": "Sample matching PEHash", "pattern": "[file:hashes.SHA256 = '087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199ab1-bb2c-4631-9ef1-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:09.000Z", "modified": "2016-11-02T07:50:09.000Z", "description": "Sample matching PEHash", "pattern": "[file:hashes.MD5 = 'de07dc9e83bfd445ad7cc58baab671f2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199ac5-c9dc-4d15-bd66-5932950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:50:29.000Z", "modified": "2016-11-02T07:50:29.000Z", "description": "suspicious mutex in Saker/Xbox", "pattern": "[mutex:name = 'pcdebug.1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:50:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"mutex\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b90-8720-459a-9cc4-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:52.000Z", "modified": "2016-11-02T07:53:52.000Z", "description": "Google aqsakla Rabiye isming.doc", "pattern": "[file:hashes.SHA256 = '3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b90-a7c4-44fa-9165-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:52.000Z", "modified": "2016-11-02T07:53:52.000Z", "description": "agahlandurushname.doc", "pattern": "[file:hashes.SHA256 = '7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b90-87d0-4d4a-8edd-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:52.000Z", "modified": "2016-11-02T07:53:52.000Z", "description": "chaqiriq.doc", "pattern": "[file:hashes.SHA256 = '4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:52Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b90-ad1c-4a4e-a85a-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:52.000Z", "modified": "2016-11-02T07:53:52.000Z", "description": "chaqiriq.doc", "pattern": "[file:hashes.SHA256 = '940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b91-80b4-4ef5-b984-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:53.000Z", "modified": "2016-11-02T07:53:53.000Z", "description": "chqiriq.doc", "pattern": "[file:hashes.SHA256 = '0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b91-9930-4730-abd7-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:53.000Z", "modified": "2016-11-02T07:53:53.000Z", "description": "tetqiqat doklati.doc", "pattern": "[file:hashes.SHA256 = '5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-11-02T07:53:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b91-41ec-43b9-b895-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:53.000Z", "modified": "2016-11-02T07:53:53.000Z", "description": "istepaname.doc", "pattern": "[file:hashes.SHA256 = 'e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b91-8928-4177-8bc6-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:53.000Z", "modified": "2016-11-02T07:53:53.000Z", "description": "jedwel.doc", "pattern": "[file:hashes.SHA256 = '45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b91-8910-4c5b-84d5-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:53.000Z", "modified": "2016-11-02T07:53:53.000Z", "description": "teklipname.doc", "pattern": "[file:hashes.SHA256 = 'f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-11-02T07:53:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b92-3990-40e3-99ae-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:54.000Z", "modified": "2016-11-02T07:53:54.000Z", "description": "Tetqiqat doklati.doc", "pattern": "[file:hashes.SHA256 = '9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b92-5f60-4bc9-bc55-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:54.000Z", "modified": "2016-11-02T07:53:54.000Z", "description": "uqturush.doc", "pattern": "[file:hashes.SHA256 = '3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b92-1da0-4cd8-aa4a-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:54.000Z", "modified": "2016-11-02T07:53:54.000Z", "description": "malware", "pattern": "[file:hashes.SHA256 = 
'69c2da4061890050dc0ca28db6f240c8ed6c4897f4174bcd5d1bca00ade537d5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b92-fa98-476a-b72c-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:54.000Z", "modified": "2016-11-02T07:53:54.000Z", "description": "malware", "pattern": "[file:hashes.MD5 = '9de14f249afc4e6979d8f2106e405b21']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b93-fbd0-4a5f-bf4c-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:55.000Z", "modified": "2016-11-02T07:53:55.000Z", "description": "malware", "pattern": "[file:hashes.SHA256 = 'be7a14927ff11536a5bfd6c21d3f4a304659001f1f13b6d90ce0e031522817e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199b93-cc98-4b20-8bed-69b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T07:53:55.000Z", "modified": "2016-11-02T07:53:55.000Z", "description": "malware", "pattern": "[file:hashes.MD5 = 
'2f981ac92284f1c710e53a5a2d41257a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T07:53:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d01-ddbc-4294-976e-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:01.000Z", "modified": "2016-11-02T08:00:01.000Z", "description": "uqturush.doc - Xchecked via VT: 3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2", "pattern": "[file:hashes.SHA1 = '3f4719e1132fbe99c61ba2860c01a59c1bb9eee4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d01-e758-4f49-8c30-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:01.000Z", "modified": "2016-11-02T08:00:01.000Z", "description": "uqturush.doc - Xchecked via VT: 3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2", "pattern": "[file:hashes.MD5 = 'e680b0b3e1679d64044795ea9800d52e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d01-d9a0-4d93-a953-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:01.000Z", 
"modified": "2016-11-02T08:00:01.000Z", "first_observed": "2016-11-02T08:00:01Z", "last_observed": "2016-11-02T08:00:01Z", "number_observed": 1, "object_refs": [ "url--58199d01-d9a0-4d93-a953-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d01-d9a0-4d93-a953-593002de0b81", "value": "https://www.virustotal.com/file/3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2/analysis/1457003870/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d02-52cc-4f23-903b-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:02.000Z", "modified": "2016-11-02T08:00:02.000Z", "description": "Tetqiqat doklati.doc - Xchecked via VT: 9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8", "pattern": "[file:hashes.SHA1 = '2fd166e52f0a4daa795763eb66207b1a14d8e59e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d02-16a8-4a5c-9879-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:02.000Z", "modified": "2016-11-02T08:00:02.000Z", "description": "Tetqiqat doklati.doc - Xchecked via VT: 9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8", "pattern": "[file:hashes.MD5 = '7d808f496a8e66adfa6af76838f1c3a4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": 
"observed-data", "spec_version": "2.1", "id": "observed-data--58199d02-d948-4059-8c23-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:02.000Z", "modified": "2016-11-02T08:00:02.000Z", "first_observed": "2016-11-02T08:00:02Z", "last_observed": "2016-11-02T08:00:02Z", "number_observed": 1, "object_refs": [ "url--58199d02-d948-4059-8c23-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d02-d948-4059-8c23-593002de0b81", "value": "https://www.virustotal.com/file/9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8/analysis/1467389786/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d03-955c-4de5-9ba9-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:03.000Z", "modified": "2016-11-02T08:00:03.000Z", "description": "teklipname.doc - Xchecked via VT: f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54", "pattern": "[file:hashes.SHA1 = 'ec8816b82bab16ae26777b17eea95883bea5c3fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d03-c30c-48a2-bc88-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:03.000Z", "modified": "2016-11-02T08:00:03.000Z", "description": "teklipname.doc - Xchecked via VT: f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54", "pattern": "[file:hashes.MD5 = '190b6d19b3d2088acbd56323dbd98973']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:03Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d03-0da4-4b22-96c6-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:03.000Z", "modified": "2016-11-02T08:00:03.000Z", "first_observed": "2016-11-02T08:00:03Z", "last_observed": "2016-11-02T08:00:03Z", "number_observed": 1, "object_refs": [ "url--58199d03-0da4-4b22-96c6-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d03-0da4-4b22-96c6-593002de0b81", "value": "https://www.virustotal.com/file/f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54/analysis/1467397149/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d03-6b38-470f-aaf8-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:03.000Z", "modified": "2016-11-02T08:00:03.000Z", "description": "jedwel.doc - Xchecked via VT: 45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767", "pattern": "[file:hashes.SHA1 = '3b59b1b2d5416bbb4a28da2a45414bc0605bcead']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d04-ace4-4566-b96d-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:04.000Z", "modified": "2016-11-02T08:00:04.000Z", "description": "jedwel.doc - Xchecked via VT: 45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767", 
"pattern": "[file:hashes.MD5 = '9985b1ab655f26e8a05f8402ad0ea300']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d04-8f68-4815-b5fd-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:04.000Z", "modified": "2016-11-02T08:00:04.000Z", "first_observed": "2016-11-02T08:00:04Z", "last_observed": "2016-11-02T08:00:04Z", "number_observed": 1, "object_refs": [ "url--58199d04-8f68-4815-b5fd-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d04-8f68-4815-b5fd-593002de0b81", "value": "https://www.virustotal.com/file/45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767/analysis/1467395826/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d04-b1fc-4c68-973e-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:04.000Z", "modified": "2016-11-02T08:00:04.000Z", "description": "istepaname.doc - Xchecked via VT: e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601", "pattern": "[file:hashes.SHA1 = 'fbc27bcf672d1ea3d4ff9cb3a8fd6a55d92d8b74']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d04-22e4-42fc-a180-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-11-02T08:00:04.000Z", "modified": "2016-11-02T08:00:04.000Z", "description": "istepaname.doc - Xchecked via VT: e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601", "pattern": "[file:hashes.MD5 = '6d9091def6fbf3ead3136eaa1861113c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d05-e6d4-46c7-809f-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:04.000Z", "modified": "2016-11-02T08:00:04.000Z", "first_observed": "2016-11-02T08:00:04Z", "last_observed": "2016-11-02T08:00:04Z", "number_observed": 1, "object_refs": [ "url--58199d05-e6d4-46c7-809f-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d05-e6d4-46c7-809f-593002de0b81", "value": "https://www.virustotal.com/file/e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601/analysis/1458644189/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d05-a17c-4c0b-8842-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:05.000Z", "modified": "2016-11-02T08:00:05.000Z", "description": "tetqiqat doklati.doc - Xchecked via VT: 5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337", "pattern": "[file:hashes.SHA1 = '29283c126924dca11b05af968a1de2ad46e8dc9c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" 
] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d05-3dec-4053-9bd8-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:05.000Z", "modified": "2016-11-02T08:00:05.000Z", "description": "tetqiqat doklati.doc - Xchecked via VT: 5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337", "pattern": "[file:hashes.MD5 = 'dad5fca029351bde31de9fff3541fdf5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d05-a3d4-4ab0-8d16-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:05.000Z", "modified": "2016-11-02T08:00:05.000Z", "first_observed": "2016-11-02T08:00:05Z", "last_observed": "2016-11-02T08:00:05Z", "number_observed": 1, "object_refs": [ "url--58199d05-a3d4-4ab0-8d16-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d05-a3d4-4ab0-8d16-593002de0b81", "value": "https://www.virustotal.com/file/5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337/analysis/1467970728/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d06-8b1c-41bf-9739-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:06.000Z", "modified": "2016-11-02T08:00:06.000Z", "description": "chqiriq.doc - Xchecked via VT: 0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6", "pattern": "[file:hashes.SHA1 = '4d697c3afd6b948ec28b7c4e9b0f1d63577ef170']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:06Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d06-2f2c-40dc-b101-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:06.000Z", "modified": "2016-11-02T08:00:06.000Z", "description": "chqiriq.doc - Xchecked via VT: 0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6", "pattern": "[file:hashes.MD5 = '740d347f595983b88d8c4b415e900388']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d06-5488-450d-95a0-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:06.000Z", "modified": "2016-11-02T08:00:06.000Z", "first_observed": "2016-11-02T08:00:06Z", "last_observed": "2016-11-02T08:00:06Z", "number_observed": 1, "object_refs": [ "url--58199d06-5488-450d-95a0-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d06-5488-450d-95a0-593002de0b81", "value": "https://www.virustotal.com/file/0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6/analysis/1467385502/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d06-7d04-48bd-9241-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:06.000Z", "modified": "2016-11-02T08:00:06.000Z", "description": "chaqiriq.doc - Xchecked via VT: 
940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69", "pattern": "[file:hashes.SHA1 = 'f7eab4176799794121cd9a8b288bcea09ad7e695']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d06-0020-414d-adda-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:06.000Z", "modified": "2016-11-02T08:00:06.000Z", "description": "chaqiriq.doc - Xchecked via VT: 940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69", "pattern": "[file:hashes.MD5 = '24b6088b65b1f67cf04dfadd4719f807']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d07-c2c4-4782-9cd6-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:07.000Z", "modified": "2016-11-02T08:00:07.000Z", "first_observed": "2016-11-02T08:00:07Z", "last_observed": "2016-11-02T08:00:07Z", "number_observed": 1, "object_refs": [ "url--58199d07-c2c4-4782-9cd6-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d07-c2c4-4782-9cd6-593002de0b81", "value": "https://www.virustotal.com/file/940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69/analysis/1467396978/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d07-78e4-4225-8b38-593002de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:07.000Z", "modified": "2016-11-02T08:00:07.000Z", "description": "chaqiriq.doc - Xchecked via VT: 4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d", "pattern": "[file:hashes.SHA1 = 'e4ad541c4386f24a7ab6e8f9be46e5100c759704']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d07-36c0-4736-a131-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:07.000Z", "modified": "2016-11-02T08:00:07.000Z", "description": "chaqiriq.doc - Xchecked via VT: 4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d", "pattern": "[file:hashes.MD5 = '62d2cdce3736dc5d9a2f036d27ffc780']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d07-898c-486b-8f12-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:07.000Z", "modified": "2016-11-02T08:00:07.000Z", "first_observed": "2016-11-02T08:00:07Z", "last_observed": "2016-11-02T08:00:07Z", "number_observed": 1, "object_refs": [ "url--58199d07-898c-486b-8f12-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d07-898c-486b-8f12-593002de0b81", "value": 
"https://www.virustotal.com/file/4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d/analysis/1457591232/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d07-b870-4c96-a744-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:07.000Z", "modified": "2016-11-02T08:00:07.000Z", "description": "agahlandurushname.doc - Xchecked via VT: 7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698", "pattern": "[file:hashes.SHA1 = '911d6bcf69b881df38971ae4c0d07c624cea9daf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d08-c570-45d7-a8ec-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:08.000Z", "modified": "2016-11-02T08:00:08.000Z", "description": "agahlandurushname.doc - Xchecked via VT: 7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698", "pattern": "[file:hashes.MD5 = '5ddded4e5686ad25a02db8ef534173f1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d08-efcc-4637-9a08-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:08.000Z", "modified": "2016-11-02T08:00:08.000Z", "first_observed": "2016-11-02T08:00:08Z", "last_observed": "2016-11-02T08:00:08Z", "number_observed": 1, "object_refs": [ 
"url--58199d08-efcc-4637-9a08-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d08-efcc-4637-9a08-593002de0b81", "value": "https://www.virustotal.com/file/7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698/analysis/1458310333/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d08-6324-4078-8911-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:08.000Z", "modified": "2016-11-02T08:00:08.000Z", "description": "Google aqsakla Rabiye isming.doc - Xchecked via VT: 3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f", "pattern": "[file:hashes.SHA1 = '4879022a39c2917e629edffc3af1c57cf81c58ad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d08-8cac-4304-afaf-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:08.000Z", "modified": "2016-11-02T08:00:08.000Z", "description": "Google aqsakla Rabiye isming.doc - Xchecked via VT: 3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f", "pattern": "[file:hashes.MD5 = '5d16e305ef6dc2db9c0ff1b498277e8c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d09-9b1c-40a9-8c1b-593002de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:09.000Z", "modified": "2016-11-02T08:00:09.000Z", "first_observed": "2016-11-02T08:00:09Z", "last_observed": "2016-11-02T08:00:09Z", "number_observed": 1, "object_refs": [ "url--58199d09-9b1c-40a9-8c1b-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d09-9b1c-40a9-8c1b-593002de0b81", "value": "https://www.virustotal.com/file/3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f/analysis/1456781229/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d09-cb20-4457-b416-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:09.000Z", "modified": "2016-11-02T08:00:09.000Z", "description": "Sample matching PEHash - Xchecked via VT: 087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e", "pattern": "[file:hashes.SHA1 = '24378312a80c9be83f2b7c294a168dd8e030a8b5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d09-e9f0-446e-85be-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:09.000Z", "modified": "2016-11-02T08:00:09.000Z", "first_observed": "2016-11-02T08:00:09Z", "last_observed": "2016-11-02T08:00:09Z", "number_observed": 1, "object_refs": [ "url--58199d09-e9f0-446e-85be-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d09-e9f0-446e-85be-593002de0b81", "value": 
"https://www.virustotal.com/file/087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e/analysis/1442671182/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d09-2004-4f16-964d-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:09.000Z", "modified": "2016-11-02T08:00:09.000Z", "description": "Sample matching PEHash - Xchecked via VT: ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e", "pattern": "[file:hashes.SHA1 = '94b9a2835df032a5907cdd6bac8172270a4b7282']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d0a-66e0-416c-9dcb-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:10.000Z", "modified": "2016-11-02T08:00:10.000Z", "first_observed": "2016-11-02T08:00:10Z", "last_observed": "2016-11-02T08:00:10Z", "number_observed": 1, "object_refs": [ "url--58199d0a-66e0-416c-9dcb-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d0a-66e0-416c-9dcb-593002de0b81", "value": "https://www.virustotal.com/file/ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e/analysis/1462788842/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d0a-a2c4-4ab5-9e4d-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:10.000Z", "modified": "2016-11-02T08:00:10.000Z", "description": "Sample matching PEHash - Xchecked via VT: 444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488", "pattern": "[file:hashes.SHA1 = 
'9ccf2631deab313232966ec49ddb8be4c6c4467d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d0a-7e44-45e0-9fa5-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:10.000Z", "modified": "2016-11-02T08:00:10.000Z", "first_observed": "2016-11-02T08:00:10Z", "last_observed": "2016-11-02T08:00:10Z", "number_observed": 1, "object_refs": [ "url--58199d0a-7e44-45e0-9fa5-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d0a-7e44-45e0-9fa5-593002de0b81", "value": "https://www.virustotal.com/file/444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488/analysis/1441268734/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d0a-3c70-422f-ab84-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:10.000Z", "modified": "2016-11-02T08:00:10.000Z", "description": "Mutex match - Xchecked via VT: 97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78", "pattern": "[file:hashes.SHA1 = '1142f615293497837744d81e53b8490caf490c27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d0a-9d4c-4a30-b875-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-11-02T08:00:10.000Z", "modified": "2016-11-02T08:00:10.000Z", "first_observed": "2016-11-02T08:00:10Z", "last_observed": "2016-11-02T08:00:10Z", "number_observed": 1, "object_refs": [ "url--58199d0a-9d4c-4a30-b875-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d0a-9d4c-4a30-b875-593002de0b81", "value": "https://www.virustotal.com/file/97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78/analysis/1442165720/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d0b-98f8-44bb-999b-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:11.000Z", "modified": "2016-11-02T08:00:11.000Z", "description": "Mutex match - Xchecked via VT: f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c", "pattern": "[file:hashes.SHA1 = '9db5c270a803e98b0135d16a1fa51c212de5d07d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d0b-a2ac-4420-aa83-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:11.000Z", "modified": "2016-11-02T08:00:11.000Z", "first_observed": "2016-11-02T08:00:11Z", "last_observed": "2016-11-02T08:00:11Z", "number_observed": 1, "object_refs": [ "url--58199d0b-a2ac-4420-aa83-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d0b-a2ac-4420-aa83-593002de0b81", "value": "https://www.virustotal.com/file/f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c/analysis/1442165665/" }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--58199d0c-45cc-4ac6-816e-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:12.000Z", "modified": "2016-11-02T08:00:12.000Z", "description": "Saker/Xbox - Xchecked via VT: 3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c", "pattern": "[file:hashes.SHA1 = 'f2d65afc2c1f59dc0bd4e1faaa41c0c976195408']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d0c-6ec8-4d0b-a9cc-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:12.000Z", "modified": "2016-11-02T08:00:12.000Z", "first_observed": "2016-11-02T08:00:12Z", "last_observed": "2016-11-02T08:00:12Z", "number_observed": 1, "object_refs": [ "url--58199d0c-6ec8-4d0b-a9cc-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d0c-6ec8-4d0b-a9cc-593002de0b81", "value": "https://www.virustotal.com/file/3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c/analysis/1462960434/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d0d-41e0-4732-9124-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:13.000Z", "modified": "2016-11-02T08:00:13.000Z", "description": "Saker/Xbox - Xchecked via VT: c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59", "pattern": "[file:hashes.SHA1 = '2dbd9349bcfb243398648e46f9994b727642e7cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:13Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d0d-5df0-4539-9c22-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:13.000Z", "modified": "2016-11-02T08:00:13.000Z", "first_observed": "2016-11-02T08:00:13Z", "last_observed": "2016-11-02T08:00:13Z", "number_observed": 1, "object_refs": [ "url--58199d0d-5df0-4539-9c22-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d0d-5df0-4539-9c22-593002de0b81", "value": "https://www.virustotal.com/file/c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59/analysis/1471881852/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d0e-6504-460f-8263-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:14.000Z", "modified": "2016-11-02T08:00:14.000Z", "description": "Gh0stRAT LURK0 - Xchecked via VT: b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e", "pattern": "[file:hashes.SHA1 = 'b6a78ea984a34a3ae00b5aca3445f1c12118029c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d0e-a3a0-4794-96ac-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:14.000Z", "modified": "2016-11-02T08:00:14.000Z", "first_observed": "2016-11-02T08:00:14Z", "last_observed": "2016-11-02T08:00:14Z", 
"number_observed": 1, "object_refs": [ "url--58199d0e-a3a0-4794-96ac-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d0e-a3a0-4794-96ac-593002de0b81", "value": "https://www.virustotal.com/file/b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e/analysis/1462776856/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58199d0f-9834-4d37-9332-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:15.000Z", "modified": "2016-11-02T08:00:15.000Z", "description": "PlugX malware - Xchecked via VT: a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8", "pattern": "[file:hashes.SHA1 = '9a19a983e5c9db7f7675bbb93173699b12df3955']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-11-02T08:00:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58199d0f-7bbc-447e-8b45-593002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-11-02T08:00:15.000Z", "modified": "2016-11-02T08:00:15.000Z", "first_observed": "2016-11-02T08:00:15Z", "last_observed": "2016-11-02T08:00:15Z", "number_observed": 1, "object_refs": [ "url--58199d0f-7bbc-447e-8b45-593002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58199d0f-7bbc-447e-8b45-593002de0b81", "value": "https://www.virustotal.com/file/a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8/analysis/1458560323/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": 
"2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }