{ "type": "bundle", "id": "bundle--58720d9e-8b54-40a9-9d80-42e7950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:57:46.000Z", "modified": "2017-01-08T10:57:46.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58720d9e-8b54-40a9-9d80-42e7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:57:46.000Z", "modified": "2017-01-08T10:57:46.000Z", "name": "OSINT - MM Core In-Memory Backdoor Returns as \"BigBoss\" and \"SillyGoose\"", "published": "2017-01-08T11:18:15Z", "object_refs": [ "observed-data--58720dac-52b8-4003-a6c3-4836950d210f", "url--58720dac-52b8-4003-a6c3-4836950d210f", "x-misp-attribute--58720ddb-b720-488b-a2bf-43c2950d210f", "indicator--587217ec-4e98-42bf-b74a-424b950d210f", "indicator--587217ec-c724-4dcf-932a-4f85950d210f", "indicator--587217ed-cfd4-4326-997a-417a950d210f", "indicator--587217ee-116c-47fa-9494-43ad950d210f", "indicator--587217ee-18bc-4247-9bca-43da950d210f", "indicator--5872180a-6d30-4ddc-b39f-4ee3950d210f", "indicator--5872180a-39ac-43e5-9fcc-4ca4950d210f", "indicator--5872180b-eb54-473f-b2a7-4e36950d210f", "indicator--58721835-9658-4fa8-a5f7-4337950d210f", "indicator--58721836-b8e8-4eaf-8b19-4c34950d210f", "indicator--58721836-1084-43fc-8c42-45b9950d210f", "indicator--58721837-2fbc-460a-9f83-4899950d210f", "indicator--58721838-2b78-40e9-b9c9-4b77950d210f", "indicator--58721838-f638-4bba-9e22-497b950d210f", "indicator--58721839-a2b4-4163-a22b-45a1950d210f", "indicator--5872183a-f23c-4ff6-9b56-46f8950d210f", "indicator--5872183a-3db8-4a61-a3a2-4175950d210f", "indicator--5872183b-f2a4-4a22-8227-4e18950d210f", "indicator--58721854-dbb0-4266-8413-407b950d210f", "indicator--5872186a-99b0-411a-b17c-44c8950d210f", "indicator--5872186b-b6b8-4a62-b94b-4268950d210f", "indicator--5872190c-2478-489c-bd2a-443a950d210f", 
"indicator--5872190d-7000-425a-a1b5-4f13950d210f", "indicator--5872190d-e9c8-44e3-8919-407d950d210f", "indicator--5872190e-9338-4dba-8635-4fa9950d210f", "indicator--5872190f-fb0c-430d-bf45-4450950d210f", "indicator--5872190f-935c-4383-a9a9-479d950d210f", "indicator--58721910-04ec-4145-8714-4d34950d210f", "indicator--58721911-bfa4-42ff-9b08-4f4c950d210f", "indicator--58721911-9064-4f63-899c-4398950d210f", "indicator--58721912-becc-4f40-8b4f-4d88950d210f", "indicator--58721913-5370-4f55-b6ca-48c1950d210f", "indicator--58721914-6ba8-4b62-b14f-4ea1950d210f", "indicator--58721914-0e18-483c-b7e4-43fa950d210f", "indicator--58721915-cddc-495b-859f-45fe950d210f", "indicator--58721916-8cfc-4327-8fee-4e0d950d210f", "indicator--58721916-6d98-4bbf-992e-4280950d210f", "indicator--58721917-2178-42c3-b843-4066950d210f", "indicator--58721939-3100-4117-8ed9-4e58950d210f", "indicator--58721939-0f00-4a6d-966b-4703950d210f", "indicator--5872193a-b494-417b-9429-462d950d210f", "indicator--5872193b-d864-4ff3-a9e6-457e950d210f", "indicator--5872195a-2fc8-46ba-af9b-4376950d210f", "indicator--58721a10-f288-42b4-9702-4e1402de0b81", "indicator--58721a11-170c-44ad-97eb-4f2c02de0b81", "observed-data--58721a12-9fc8-496e-9634-49f702de0b81", "url--58721a12-9fc8-496e-9634-49f702de0b81", "indicator--58721a13-eba0-47a2-b999-4a2b02de0b81", "indicator--58721a13-f348-436e-a7cc-445202de0b81", "observed-data--58721a14-4514-462c-a44e-4d1c02de0b81", "url--58721a14-4514-462c-a44e-4d1c02de0b81", "indicator--58721a15-2874-4692-b24a-47b602de0b81", "indicator--58721a16-79ec-4e62-9d31-475c02de0b81", "observed-data--58721a16-b100-4e55-a771-4bc202de0b81", "url--58721a16-b100-4e55-a771-4bc202de0b81", "indicator--58721a17-7564-4a40-9826-4caa02de0b81", "indicator--58721a18-0f84-4bc6-aa83-450d02de0b81", "observed-data--58721a18-59e0-4238-8532-45bc02de0b81", "url--58721a18-59e0-4238-8532-45bc02de0b81", "indicator--58721a19-2abc-478e-b5fb-416102de0b81", "indicator--58721a1a-cb00-48df-bedc-41ef02de0b81", 
"observed-data--58721a1b-d7a8-430f-ab7d-4a7702de0b81", "url--58721a1b-d7a8-430f-ab7d-4a7702de0b81", "indicator--58721a1b-2f2c-41ea-8f54-456402de0b81", "indicator--58721a1c-7550-4fb8-8efb-45cc02de0b81", "observed-data--58721a1d-6e5c-41fb-bd35-491902de0b81", "url--58721a1d-6e5c-41fb-bd35-491902de0b81", "indicator--58721a1e-a7d8-4a04-ba60-4dbe02de0b81", "indicator--58721a1e-efec-4012-b0be-4cb202de0b81", "observed-data--58721a1f-2ad4-4c50-9306-44c902de0b81", "url--58721a1f-2ad4-4c50-9306-44c902de0b81", "indicator--58721a20-074c-47e6-a681-48cc02de0b81", "indicator--58721a21-28dc-40dd-83a8-431702de0b81", "observed-data--58721a21-1a9c-414f-94c7-43c702de0b81", "url--58721a21-1a9c-414f-94c7-43c702de0b81", "indicator--58721a22-d584-49ff-856c-40ab02de0b81", "indicator--58721a23-37fc-403c-a41a-48a902de0b81", "observed-data--58721a23-05e8-49af-9028-4e9002de0b81", "url--58721a23-05e8-49af-9028-4e9002de0b81", "indicator--58721a24-bf78-4e4f-a1c9-455502de0b81", "indicator--58721a25-7e24-48af-8641-48b902de0b81", "observed-data--58721a26-1990-4c1e-b4fe-4ac802de0b81", "url--58721a26-1990-4c1e-b4fe-4ac802de0b81", "indicator--58721a26-2a54-4c67-8966-401402de0b81", "indicator--58721a27-df90-4e23-a7d8-45b602de0b81", "observed-data--58721a28-5f34-4997-993f-45b402de0b81", "url--58721a28-5f34-4997-993f-45b402de0b81", "indicator--58721a29-513c-42cd-a8a9-414d02de0b81", "indicator--58721a29-5e84-4009-935f-4b3b02de0b81", "observed-data--58721a2a-950c-48b1-9e9c-47ad02de0b81", "url--58721a2a-950c-48b1-9e9c-47ad02de0b81", "indicator--58721a2b-e744-411e-b4bb-4f6202de0b81", "indicator--58721a2c-07b8-4db7-9de3-433602de0b81", "observed-data--58721a2c-2080-4fc2-af18-460202de0b81", "url--58721a2c-2080-4fc2-af18-460202de0b81", "indicator--58721a2d-c900-4abc-aeb2-4c6202de0b81", "indicator--58721a2e-0338-4f99-8c58-471302de0b81", "observed-data--58721a2f-bf20-41b2-bb9a-4a3002de0b81", "url--58721a2f-bf20-41b2-bb9a-4a3002de0b81", "indicator--58721a2f-19b0-4b16-81dd-49a202de0b81", 
"indicator--58721a30-4acc-414f-b8e8-45a702de0b81", "observed-data--58721a31-2a00-4bef-b78c-41eb02de0b81", "url--58721a31-2a00-4bef-b78c-41eb02de0b81", "indicator--58721a31-1f84-45b4-aaf4-4ace02de0b81", "indicator--58721a32-8fe8-45ad-8243-4fc502de0b81", "observed-data--58721a33-5160-4698-87dc-40ed02de0b81", "url--58721a33-5160-4698-87dc-40ed02de0b81", "indicator--58721a34-4718-401d-8c17-4eb802de0b81", "indicator--58721a34-8cac-494e-95cd-4e4802de0b81", "observed-data--58721a35-67f0-44c8-9dab-421c02de0b81", "url--58721a35-67f0-44c8-9dab-421c02de0b81", "indicator--58721a36-c628-4aa7-93d2-499f02de0b81", "indicator--58721a37-2c60-432a-9471-4e3402de0b81", "observed-data--58721a37-4c14-4040-b978-4e5c02de0b81", "url--58721a37-4c14-4040-b978-4e5c02de0b81", "indicator--58721a38-e2f4-400c-b548-478102de0b81", "indicator--58721a39-d50c-4ba2-b029-4c4102de0b81", "observed-data--58721a39-fc50-49eb-aa98-44be02de0b81", "url--58721a39-fc50-49eb-aa98-44be02de0b81", "indicator--58721a3a-475c-44a4-8137-43f002de0b81", "indicator--58721a3b-8860-4374-bcd3-4e4802de0b81", "observed-data--58721a3c-1a08-4680-9c4f-4e5102de0b81", "url--58721a3c-1a08-4680-9c4f-4e5102de0b81", "indicator--58721a3c-aa5c-46e5-9141-416202de0b81", "indicator--58721a3d-58ec-49c2-bb1b-424602de0b81", "observed-data--58721a3e-3fbc-42a7-85d3-47ca02de0b81", "url--58721a3e-3fbc-42a7-85d3-47ca02de0b81", "indicator--58721a3f-1e9c-45e9-9f31-4a1d02de0b81", "indicator--58721a3f-eba8-4c01-9964-429002de0b81", "observed-data--58721a40-54a0-4945-b198-4a6b02de0b81", "url--58721a40-54a0-4945-b198-4a6b02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:tool=\"MM Core\"", "ecsirt:malicious-code=\"malware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58720dac-52b8-4003-a6c3-4836950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-01-08T10:00:12.000Z", "modified": "2017-01-08T10:00:12.000Z", "first_observed": "2017-01-08T10:00:12Z", "last_observed": "2017-01-08T10:00:12Z", "number_observed": 1, "object_refs": [ "url--58720dac-52b8-4003-a6c3-4836950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58720dac-52b8-4003-a6c3-4836950d210f", "value": "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58720ddb-b720-488b-a2bf-43c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:00:59.000Z", "modified": "2017-01-08T10:00:59.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "In October 2016 Forcepoint Security Labs\u2122 discovered new versions of the MM Core backdoor being used in targeted attacks. Also known as \u201cBaneChant\u201d, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number \u201c2.0-LNK\u201d where it used the tag \u201cBaneChant\u201d in its command-and-control (C2) network request. A second version \u201c2.1-LNK\u201d with the network tag \u201cStrangeLove\u201d was discovered shortly after.\r\n\r\nIn this blog we will detail our discovery of the next two versions of MM Core, namely \u201cBigBoss\u201d (2.2-LNK) and \u201cSillyGoose\u201d (2.3-LNK). Attacks using \"BigBoss\" appear likely to have occurred since mid-2015, whereas \"SillyGoose\" appears to have been distributed since September 2016. 
Both versions still appear to be active." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587217ec-4e98-42bf-b74a-424b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:43:56.000Z", "modified": "2017-01-08T10:43:56.000Z", "description": "Gratem Second Stage Payload Locations", "pattern": "[url:value = 'http://adnetwork33.redirectme.net/wp-content/themes/booswrap/layers.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:43:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587217ec-c724-4dcf-932a-4f85950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:43:56.000Z", "modified": "2017-01-08T10:43:56.000Z", "description": "Gratem Second Stage Payload Locations", "pattern": "[url:value = 'http://network-resources.net/wp-content/themes/booswrap/layers.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:43:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587217ed-cfd4-4326-997a-417a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:43:57.000Z", "modified": "2017-01-08T10:43:57.000Z", "description": "Gratem Second Stage Payload Locations", "pattern": "[url:value = 'http://adworks.webhop.me/wp-content/themes/bmw/s6.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:43:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" 
} ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587217ee-116c-47fa-9494-43ad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:43:58.000Z", "modified": "2017-01-08T10:43:58.000Z", "description": "Gratem Second Stage Payload Locations", "pattern": "[url:value = 'http://adrev22.ddns.net/network/superads/logo.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:43:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--587217ee-18bc-4247-9bca-43da950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:43:58.000Z", "modified": "2017-01-08T10:43:58.000Z", "description": "Gratem Second Stage Payload Locations", "pattern": "[url:value = 'http://davidjone.net/network/superads/logo.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:43:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872180a-6d30-4ddc-b39f-4ee3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:44:26.000Z", "modified": "2017-01-08T10:44:26.000Z", "description": "MM Core C2s", "pattern": "[url:value = 'http://presspublishing24.net/plugins/cc/mik.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:44:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": 
[ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872180a-39ac-43e5-9fcc-4ca4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:44:26.000Z", "modified": "2017-01-08T10:44:26.000Z", "description": "MM Core C2s", "pattern": "[url:value = 'http://presspublishing24.net/plugins/slm/log.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:44:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872180b-eb54-473f-b2a7-4e36950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:44:27.000Z", "modified": "2017-01-08T10:44:27.000Z", "description": "MM Core C2s", "pattern": "[url:value = 'http://presspublishing24.net/plugins/xim/trail.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:44:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721835-9658-4fa8-a5f7-4337950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:09.000Z", "modified": "2017-01-08T10:45:09.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://mockingbird.no-ip.org/plugins/xim/top.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network 
activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721836-b8e8-4eaf-8b19-4c34950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:10.000Z", "modified": "2017-01-08T10:45:10.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://presspublishing24.net/plugins/xim/top.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721836-1084-43fc-8c42-45b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:10.000Z", "modified": "2017-01-08T10:45:10.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://ichoose.zapto.org/plugins/cc/me.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721837-2fbc-460a-9f83-4899950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:11.000Z", "modified": "2017-01-08T10:45:11.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://presspublishing24.net/plugins/cc/me.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721838-2b78-40e9-b9c9-4b77950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:12.000Z", "modified": "2017-01-08T10:45:12.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://waterlily.ddns.net/plugins/slm/pogo.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721838-f638-4bba-9e22-497b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:12.000Z", "modified": "2017-01-08T10:45:12.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://presspublishing24.net/plugins/slm/pogo.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721839-a2b4-4163-a22b-45a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:13.000Z", "modified": "2017-01-08T10:45:13.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://nayanew1.no-ip.org/plugins/xim/top.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872183a-f23c-4ff6-9b56-46f8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:14.000Z", "modified": "2017-01-08T10:45:14.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://davidjone.net/plugins/xim/top.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872183a-3db8-4a61-a3a2-4175950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:14.000Z", "modified": "2017-01-08T10:45:14.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://hawahawa123.no-ip.org/plugins/xim/logo.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872183b-f2a4-4a22-8227-4e18950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:15.000Z", "modified": "2017-01-08T10:45:15.000Z", "description": "MM Core Payload Locations", "pattern": "[url:value = 'http://davidjone.net/plugins/xim/logo.jpg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--58721854-dbb0-4266-8413-407b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:45:40.000Z", "modified": "2017-01-08T10:45:40.000Z", "description": "Dropper/Downloader Payload Locations", "pattern": "[url:value = 'http://davidjone.net/huan/normaldot.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:45:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872186a-99b0-411a-b17c-44c8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:46:02.000Z", "modified": "2017-01-08T10:46:02.000Z", "description": "Related Gratem Samples", "pattern": "[file:hashes.SHA1 = '673f315388d9c3e47adc280da1ff8b85a0893525']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:46:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872186b-b6b8-4a62-b94b-4268950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:46:03.000Z", "modified": "2017-01-08T10:46:03.000Z", "description": "Related Gratem Samples", "pattern": "[file:hashes.SHA1 = 'f7372222ec3e56d384e7ca2650eb39c0f420bc88']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:46:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--5872190c-2478-489c-bd2a-443a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:44.000Z", "modified": "2017-01-08T10:48:44.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'f94bada2e3ef2461f9f9b291aac8ffbf81bf46ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872190d-7000-425a-a1b5-4f13950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:45.000Z", "modified": "2017-01-08T10:48:45.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'ef59b4ffc8a92a5a49308ba98cb38949f74774f1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872190d-e9c8-44e3-8919-407d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:45.000Z", "modified": "2017-01-08T10:48:45.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = '1cf86d87140f13bf88ede74654e01853bae2413c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5872190e-9338-4dba-8635-4fa9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:46.000Z", "modified": "2017-01-08T10:48:46.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = '415ad0a84fe7ae5b88a68b8c97d2d27de5b3aed2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872190f-fb0c-430d-bf45-4450950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:47.000Z", "modified": "2017-01-08T10:48:47.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'e8bfa4ed85aac19ab2e77e2b6dfe77252288d89b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872190f-935c-4383-a9a9-479d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:47.000Z", "modified": "2017-01-08T10:48:47.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = '83e7b2d6ea775c8eb1f6cfefb32df754609a8129']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58721910-04ec-4145-8714-4d34950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:48.000Z", "modified": "2017-01-08T10:48:48.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'b931d3988eb37491506504990cae3081208e1a66']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721911-bfa4-42ff-9b08-4f4c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:49.000Z", "modified": "2017-01-08T10:48:49.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = '7031f4be6ced5241ae0dd4315d66a261f654dbd6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721911-9064-4f63-899c-4398950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:49.000Z", "modified": "2017-01-08T10:48:49.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'ab53485990ac503fb9c440ab469771fac661f3cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58721912-becc-4f40-8b4f-4d88950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:50.000Z", "modified": "2017-01-08T10:48:50.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'b8e6f570e02d105df2d78698de12ae80d66c54a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721913-5370-4f55-b6ca-48c1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:51.000Z", "modified": "2017-01-08T10:48:51.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = '188776d098f61fa2c3b482b2ace202caee18b411']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721914-6ba8-4b62-b14f-4ea1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:52.000Z", "modified": "2017-01-08T10:48:52.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'e0ed40ec0196543814b00fd0aac7218f23de5ec5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58721914-0e18-483c-b7e4-43fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:52.000Z", "modified": "2017-01-08T10:48:52.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = '5498bb49083289dfc2557a7c205aed7f8b97b2a8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721915-cddc-495b-859f-45fe950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:53.000Z", "modified": "2017-01-08T10:48:53.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'ce18064f675348dd327569bd50528286929bc37a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721916-8cfc-4327-8fee-4e0d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:54.000Z", "modified": "2017-01-08T10:48:54.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = '3a8b7ce642a5b4d1147de227249ecb6a89cbd2d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58721916-6d98-4bbf-992e-4280950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:54.000Z", "modified": "2017-01-08T10:48:54.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = '21c1904477ceb8d4d26ac9306e844b4ba0af1b43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721917-2178-42c3-b843-4066950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:48:55.000Z", "modified": "2017-01-08T10:48:55.000Z", "description": "Dropper/Downloader Samples", "pattern": "[file:hashes.SHA1 = 'f89a81c51e67c0bd3fc738bf927cd7cc95b05ea6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:48:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721939-3100-4117-8ed9-4e58950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:49:29.000Z", "modified": "2017-01-08T10:49:29.000Z", "description": "MM Core Unpacked DLL Samples", "pattern": "[file:hashes.SHA1 = '13b25ba2b139b9f45e21697ae00cf1b452eeeff5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:49:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58721939-0f00-4a6d-966b-4703950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:49:29.000Z", "modified": "2017-01-08T10:49:29.000Z", "description": "MM Core Unpacked DLL Samples", "pattern": "[file:hashes.SHA1 = 'c58aac5567df7676c2b08e1235cd70daec3023e8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:49:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872193a-b494-417b-9429-462d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:49:30.000Z", "modified": "2017-01-08T10:49:30.000Z", "description": "MM Core Unpacked DLL Samples", "pattern": "[file:hashes.SHA1 = '4372bb675827922280e8de87a78bf61a6a3e7e4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:49:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5872193b-d864-4ff3-a9e6-457e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:49:31.000Z", "modified": "2017-01-08T10:49:31.000Z", "description": "MM Core Unpacked DLL Samples", "pattern": "[file:hashes.SHA1 = '08bfdefef8a1fb1ea6f292b1ed7d709fbbc2c602']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:49:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5872195a-2fc8-46ba-af9b-4376950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:50:02.000Z", "modified": "2017-01-08T10:50:02.000Z", "description": "US pak track ii naval dialogues.doc", "pattern": "[file:hashes.SHA1 = 'd336b8424a65f5c0b83328aa89089c2e4ddbcf72']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:50:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a10-f288-42b4-9702-4e1402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:04.000Z", "modified": "2017-01-08T10:53:04.000Z", "description": "US pak track ii naval dialogues.doc - Xchecked via VT: d336b8424a65f5c0b83328aa89089c2e4ddbcf72", "pattern": "[file:hashes.SHA256 = '72aea0644729cadfe668751587a1e6384c49c398580feecefc51385ecc018631']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a11-170c-44ad-97eb-4f2c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:05.000Z", "modified": "2017-01-08T10:53:05.000Z", "description": "US pak track ii naval dialogues.doc - Xchecked via VT: d336b8424a65f5c0b83328aa89089c2e4ddbcf72", "pattern": "[file:hashes.MD5 = 'c4cee8d6f30127938681c93dd19f2af4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], 
"labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a12-9fc8-496e-9634-49f702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:06.000Z", "modified": "2017-01-08T10:53:06.000Z", "first_observed": "2017-01-08T10:53:06Z", "last_observed": "2017-01-08T10:53:06Z", "number_observed": 1, "object_refs": [ "url--58721a12-9fc8-496e-9634-49f702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a12-9fc8-496e-9634-49f702de0b81", "value": "https://www.virustotal.com/file/72aea0644729cadfe668751587a1e6384c49c398580feecefc51385ecc018631/analysis/1483862088/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a13-eba0-47a2-b999-4a2b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:07.000Z", "modified": "2017-01-08T10:53:07.000Z", "description": "MM Core Unpacked DLL Samples - Xchecked via VT: 4372bb675827922280e8de87a78bf61a6a3e7e4d", "pattern": "[file:hashes.SHA256 = '0ec6c4342cf0cae5ba59a216ed074ac0574f04763ce4b5b1944daad9513491b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a13-f348-436e-a7cc-445202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:07.000Z", "modified": "2017-01-08T10:53:07.000Z", "description": "MM Core Unpacked DLL Samples - Xchecked via VT: 4372bb675827922280e8de87a78bf61a6a3e7e4d", "pattern": "[file:hashes.MD5 = 
'060d13afdb2212a717666b251feda1d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a14-4514-462c-a44e-4d1c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:08.000Z", "modified": "2017-01-08T10:53:08.000Z", "first_observed": "2017-01-08T10:53:08Z", "last_observed": "2017-01-08T10:53:08Z", "number_observed": 1, "object_refs": [ "url--58721a14-4514-462c-a44e-4d1c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a14-4514-462c-a44e-4d1c02de0b81", "value": "https://www.virustotal.com/file/0ec6c4342cf0cae5ba59a216ed074ac0574f04763ce4b5b1944daad9513491b6/analysis/1483698678/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a15-2874-4692-b24a-47b602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:09.000Z", "modified": "2017-01-08T10:53:09.000Z", "description": "MM Core Unpacked DLL Samples - Xchecked via VT: c58aac5567df7676c2b08e1235cd70daec3023e8", "pattern": "[file:hashes.SHA256 = '1d3ff6cdda68c63d254df70cef0dc9adfa414200f953499c40cbc75bf3936233']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a16-79ec-4e62-9d31-475c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-01-08T10:53:10.000Z", "modified": "2017-01-08T10:53:10.000Z", "description": "MM Core Unpacked DLL Samples - Xchecked via VT: c58aac5567df7676c2b08e1235cd70daec3023e8", "pattern": "[file:hashes.MD5 = 'bddb10729acb2dfe28a7017b261d63db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a16-b100-4e55-a771-4bc202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:10.000Z", "modified": "2017-01-08T10:53:10.000Z", "first_observed": "2017-01-08T10:53:10Z", "last_observed": "2017-01-08T10:53:10Z", "number_observed": 1, "object_refs": [ "url--58721a16-b100-4e55-a771-4bc202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a16-b100-4e55-a771-4bc202de0b81", "value": "https://www.virustotal.com/file/1d3ff6cdda68c63d254df70cef0dc9adfa414200f953499c40cbc75bf3936233/analysis/1483633479/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a17-7564-4a40-9826-4caa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:11.000Z", "modified": "2017-01-08T10:53:11.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: f89a81c51e67c0bd3fc738bf927cd7cc95b05ea6", "pattern": "[file:hashes.SHA256 = 'f938e87917ca8885001e922f43ef0fe5e67ff390e951a934254ddac808dca1a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" 
] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a18-0f84-4bc6-aa83-450d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:12.000Z", "modified": "2017-01-08T10:53:12.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: f89a81c51e67c0bd3fc738bf927cd7cc95b05ea6", "pattern": "[file:hashes.MD5 = 'a9c07b9fb099f44e7b8f53a74d7f71d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a18-59e0-4238-8532-45bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:12.000Z", "modified": "2017-01-08T10:53:12.000Z", "first_observed": "2017-01-08T10:53:12Z", "last_observed": "2017-01-08T10:53:12Z", "number_observed": 1, "object_refs": [ "url--58721a18-59e0-4238-8532-45bc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a18-59e0-4238-8532-45bc02de0b81", "value": "https://www.virustotal.com/file/f938e87917ca8885001e922f43ef0fe5e67ff390e951a934254ddac808dca1a5/analysis/1483633483/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a19-2abc-478e-b5fb-416102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:13.000Z", "modified": "2017-01-08T10:53:13.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 21c1904477ceb8d4d26ac9306e844b4ba0af1b43", "pattern": "[file:hashes.SHA256 = 'a3c8d6eaa6239112b1e881f18ea78f58949150fbf051e599b5d6f81e0d2e31c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:13Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a1a-cb00-48df-bedc-41ef02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:14.000Z", "modified": "2017-01-08T10:53:14.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 21c1904477ceb8d4d26ac9306e844b4ba0af1b43", "pattern": "[file:hashes.MD5 = '0932b703849364ca1537305761bc3429']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a1b-d7a8-430f-ab7d-4a7702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:15.000Z", "modified": "2017-01-08T10:53:15.000Z", "first_observed": "2017-01-08T10:53:15Z", "last_observed": "2017-01-08T10:53:15Z", "number_observed": 1, "object_refs": [ "url--58721a1b-d7a8-430f-ab7d-4a7702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a1b-d7a8-430f-ab7d-4a7702de0b81", "value": "https://www.virustotal.com/file/a3c8d6eaa6239112b1e881f18ea78f58949150fbf051e599b5d6f81e0d2e31c9/analysis/1460698281/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a1b-2f2c-41ea-8f54-456402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:15.000Z", "modified": "2017-01-08T10:53:15.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 3a8b7ce642a5b4d1147de227249ecb6a89cbd2d3", 
"pattern": "[file:hashes.SHA256 = '033258861970b3addbe339e9f2c0fde210898896f31dce5d5f7b1d17d19c23eb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a1c-7550-4fb8-8efb-45cc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:16.000Z", "modified": "2017-01-08T10:53:16.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 3a8b7ce642a5b4d1147de227249ecb6a89cbd2d3", "pattern": "[file:hashes.MD5 = '9e73734ac2ab5293c0f326245658b50e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a1d-6e5c-41fb-bd35-491902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:17.000Z", "modified": "2017-01-08T10:53:17.000Z", "first_observed": "2017-01-08T10:53:17Z", "last_observed": "2017-01-08T10:53:17Z", "number_observed": 1, "object_refs": [ "url--58721a1d-6e5c-41fb-bd35-491902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a1d-6e5c-41fb-bd35-491902de0b81", "value": "https://www.virustotal.com/file/033258861970b3addbe339e9f2c0fde210898896f31dce5d5f7b1d17d19c23eb/analysis/1483633482/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a1e-a7d8-4a04-ba60-4dbe02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:18.000Z", "modified": "2017-01-08T10:53:18.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: ce18064f675348dd327569bd50528286929bc37a", "pattern": "[file:hashes.SHA256 = 'ef549a3688f930bf3c5d49d95ed3d1de51be79af10f9d941892d85b25fabd795']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a1e-efec-4012-b0be-4cb202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:18.000Z", "modified": "2017-01-08T10:53:18.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: ce18064f675348dd327569bd50528286929bc37a", "pattern": "[file:hashes.MD5 = 'c27da5a756569012449c479609c3b959']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a1f-2ad4-4c50-9306-44c902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:19.000Z", "modified": "2017-01-08T10:53:19.000Z", "first_observed": "2017-01-08T10:53:19Z", "last_observed": "2017-01-08T10:53:19Z", "number_observed": 1, "object_refs": [ "url--58721a1f-2ad4-4c50-9306-44c902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a1f-2ad4-4c50-9306-44c902de0b81", "value": 
"https://www.virustotal.com/file/ef549a3688f930bf3c5d49d95ed3d1de51be79af10f9d941892d85b25fabd795/analysis/1483633482/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a20-074c-47e6-a681-48cc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:20.000Z", "modified": "2017-01-08T10:53:20.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 5498bb49083289dfc2557a7c205aed7f8b97b2a8", "pattern": "[file:hashes.SHA256 = '87d743e1876dcb9e13ed8d1dc57125c7c0912b49aa9f02e2f3a45d0e11294317']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a21-28dc-40dd-83a8-431702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:21.000Z", "modified": "2017-01-08T10:53:21.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 5498bb49083289dfc2557a7c205aed7f8b97b2a8", "pattern": "[file:hashes.MD5 = '6c833531eb3c6b97095b45fcc8f2a1e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a21-1a9c-414f-94c7-43c702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:21.000Z", "modified": "2017-01-08T10:53:21.000Z", "first_observed": "2017-01-08T10:53:21Z", "last_observed": "2017-01-08T10:53:21Z", "number_observed": 1, "object_refs": [ 
"url--58721a21-1a9c-414f-94c7-43c702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a21-1a9c-414f-94c7-43c702de0b81", "value": "https://www.virustotal.com/file/87d743e1876dcb9e13ed8d1dc57125c7c0912b49aa9f02e2f3a45d0e11294317/analysis/1458047912/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a22-d584-49ff-856c-40ab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:22.000Z", "modified": "2017-01-08T10:53:22.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: e0ed40ec0196543814b00fd0aac7218f23de5ec5", "pattern": "[file:hashes.SHA256 = '1bf0dcf093a04a86c6679f99b6ec5293241b2a16b4749b5ff5af8e11e96ba2a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a23-37fc-403c-a41a-48a902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:23.000Z", "modified": "2017-01-08T10:53:23.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: e0ed40ec0196543814b00fd0aac7218f23de5ec5", "pattern": "[file:hashes.MD5 = '898812640c2cb691e5d9cdea96fe9599']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a23-05e8-49af-9028-4e9002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-01-08T10:53:23.000Z", "modified": "2017-01-08T10:53:23.000Z", "first_observed": "2017-01-08T10:53:23Z", "last_observed": "2017-01-08T10:53:23Z", "number_observed": 1, "object_refs": [ "url--58721a23-05e8-49af-9028-4e9002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a23-05e8-49af-9028-4e9002de0b81", "value": "https://www.virustotal.com/file/1bf0dcf093a04a86c6679f99b6ec5293241b2a16b4749b5ff5af8e11e96ba2a9/analysis/1483633481/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a24-bf78-4e4f-a1c9-455502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:24.000Z", "modified": "2017-01-08T10:53:24.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 188776d098f61fa2c3b482b2ace202caee18b411", "pattern": "[file:hashes.SHA256 = '4d22a45690d144ad29aaa06104085293e489ad319ba033ca0bd46759b3d5e42e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a25-7e24-48af-8641-48b902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:25.000Z", "modified": "2017-01-08T10:53:25.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 188776d098f61fa2c3b482b2ace202caee18b411", "pattern": "[file:hashes.MD5 = 'bffc9f409be33207849207f62622db50']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { 
"type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a26-1990-4c1e-b4fe-4ac802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:26.000Z", "modified": "2017-01-08T10:53:26.000Z", "first_observed": "2017-01-08T10:53:26Z", "last_observed": "2017-01-08T10:53:26Z", "number_observed": 1, "object_refs": [ "url--58721a26-1990-4c1e-b4fe-4ac802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a26-1990-4c1e-b4fe-4ac802de0b81", "value": "https://www.virustotal.com/file/4d22a45690d144ad29aaa06104085293e489ad319ba033ca0bd46759b3d5e42e/analysis/1483633481/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a26-2a54-4c67-8966-401402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:26.000Z", "modified": "2017-01-08T10:53:26.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: b8e6f570e02d105df2d78698de12ae80d66c54a2", "pattern": "[file:hashes.SHA256 = 'e9d5e26e00f3ef239491bdfc80c8b4aabe551135b568c1ac9629202ed10cf2d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a27-df90-4e23-a7d8-45b602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:27.000Z", "modified": "2017-01-08T10:53:27.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: b8e6f570e02d105df2d78698de12ae80d66c54a2", "pattern": "[file:hashes.MD5 = '2801b537960058643dfdb3fc5199246d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:27Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a28-5f34-4997-993f-45b402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:28.000Z", "modified": "2017-01-08T10:53:28.000Z", "first_observed": "2017-01-08T10:53:28Z", "last_observed": "2017-01-08T10:53:28Z", "number_observed": 1, "object_refs": [ "url--58721a28-5f34-4997-993f-45b402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a28-5f34-4997-993f-45b402de0b81", "value": "https://www.virustotal.com/file/e9d5e26e00f3ef239491bdfc80c8b4aabe551135b568c1ac9629202ed10cf2d0/analysis/1483698672/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a29-513c-42cd-a8a9-414d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:29.000Z", "modified": "2017-01-08T10:53:29.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: ab53485990ac503fb9c440ab469771fac661f3cc", "pattern": "[file:hashes.SHA256 = '0dec4b854bcbf15bda79a1a3d9f322d8519a3273155ad18d3b7ce7d36dfe9e85']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a29-5e84-4009-935f-4b3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:29.000Z", "modified": "2017-01-08T10:53:29.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 
ab53485990ac503fb9c440ab469771fac661f3cc", "pattern": "[file:hashes.MD5 = 'fe1eb07a9068c32efd032404a7472e58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a2a-950c-48b1-9e9c-47ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:30.000Z", "modified": "2017-01-08T10:53:30.000Z", "first_observed": "2017-01-08T10:53:30Z", "last_observed": "2017-01-08T10:53:30Z", "number_observed": 1, "object_refs": [ "url--58721a2a-950c-48b1-9e9c-47ad02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a2a-950c-48b1-9e9c-47ad02de0b81", "value": "https://www.virustotal.com/file/0dec4b854bcbf15bda79a1a3d9f322d8519a3273155ad18d3b7ce7d36dfe9e85/analysis/1483633481/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a2b-e744-411e-b4bb-4f6202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:31.000Z", "modified": "2017-01-08T10:53:31.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 7031f4be6ced5241ae0dd4315d66a261f654dbd6", "pattern": "[file:hashes.SHA256 = '4f3275de51c2d16e8df829d020eae4f2450c9b3afd3b3099d615278e29a00479']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a2c-07b8-4db7-9de3-433602de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:32.000Z", "modified": "2017-01-08T10:53:32.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 7031f4be6ced5241ae0dd4315d66a261f654dbd6", "pattern": "[file:hashes.MD5 = '380cfac90270b45518c17c224aa8e5be']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a2c-2080-4fc2-af18-460202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:32.000Z", "modified": "2017-01-08T10:53:32.000Z", "first_observed": "2017-01-08T10:53:32Z", "last_observed": "2017-01-08T10:53:32Z", "number_observed": 1, "object_refs": [ "url--58721a2c-2080-4fc2-af18-460202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a2c-2080-4fc2-af18-460202de0b81", "value": "https://www.virustotal.com/file/4f3275de51c2d16e8df829d020eae4f2450c9b3afd3b3099d615278e29a00479/analysis/1483633481/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a2d-c900-4abc-aeb2-4c6202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:33.000Z", "modified": "2017-01-08T10:53:33.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: b931d3988eb37491506504990cae3081208e1a66", "pattern": "[file:hashes.SHA256 = '86d414a51e946a9a5d8ce411f0f6b54154d7848c046cd58464b49733effdc47a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a2e-0338-4f99-8c58-471302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:34.000Z", "modified": "2017-01-08T10:53:34.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: b931d3988eb37491506504990cae3081208e1a66", "pattern": "[file:hashes.MD5 = 'ee4563761247361632046c8966a4c790']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a2f-bf20-41b2-bb9a-4a3002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:35.000Z", "modified": "2017-01-08T10:53:35.000Z", "first_observed": "2017-01-08T10:53:35Z", "last_observed": "2017-01-08T10:53:35Z", "number_observed": 1, "object_refs": [ "url--58721a2f-bf20-41b2-bb9a-4a3002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a2f-bf20-41b2-bb9a-4a3002de0b81", "value": "https://www.virustotal.com/file/86d414a51e946a9a5d8ce411f0f6b54154d7848c046cd58464b49733effdc47a/analysis/1483633481/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a2f-19b0-4b16-81dd-49a202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:35.000Z", "modified": "2017-01-08T10:53:35.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 83e7b2d6ea775c8eb1f6cfefb32df754609a8129", "pattern": "[file:hashes.SHA256 = 'af34e0b3ecbe1f6aeabd5d74ba48a322f401d348de8a3345fe3e18a62d6d7a93']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2017-01-08T10:53:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a30-4acc-414f-b8e8-45a702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:36.000Z", "modified": "2017-01-08T10:53:36.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 83e7b2d6ea775c8eb1f6cfefb32df754609a8129", "pattern": "[file:hashes.MD5 = 'f38ffc4bfe7b449389b05d483016625b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a31-2a00-4bef-b78c-41eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:37.000Z", "modified": "2017-01-08T10:53:37.000Z", "first_observed": "2017-01-08T10:53:37Z", "last_observed": "2017-01-08T10:53:37Z", "number_observed": 1, "object_refs": [ "url--58721a31-2a00-4bef-b78c-41eb02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a31-2a00-4bef-b78c-41eb02de0b81", "value": "https://www.virustotal.com/file/af34e0b3ecbe1f6aeabd5d74ba48a322f401d348de8a3345fe3e18a62d6d7a93/analysis/1483633480/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a31-1f84-45b4-aaf4-4ace02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:37.000Z", "modified": "2017-01-08T10:53:37.000Z", "description": "Dropper/Downloader Samples - 
Xchecked via VT: e8bfa4ed85aac19ab2e77e2b6dfe77252288d89b", "pattern": "[file:hashes.SHA256 = '87496d1e934706d49b6a03b034f999c61772212b13e901f18453f7f8111defca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a32-8fe8-45ad-8243-4fc502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:38.000Z", "modified": "2017-01-08T10:53:38.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: e8bfa4ed85aac19ab2e77e2b6dfe77252288d89b", "pattern": "[file:hashes.MD5 = '50b20197c9f9f3a8ded3a42aa6cf5315']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a33-5160-4698-87dc-40ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:39.000Z", "modified": "2017-01-08T10:53:39.000Z", "first_observed": "2017-01-08T10:53:39Z", "last_observed": "2017-01-08T10:53:39Z", "number_observed": 1, "object_refs": [ "url--58721a33-5160-4698-87dc-40ed02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a33-5160-4698-87dc-40ed02de0b81", "value": "https://www.virustotal.com/file/87496d1e934706d49b6a03b034f999c61772212b13e901f18453f7f8111defca/analysis/1475469859/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a34-4718-401d-8c17-4eb802de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:40.000Z", "modified": "2017-01-08T10:53:40.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 415ad0a84fe7ae5b88a68b8c97d2d27de5b3aed2", "pattern": "[file:hashes.SHA256 = '62ba328ada4ac69ac2ec9f9f101d16d5eb72b648c6bd078f735e17c8fc6b2829']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a34-8cac-494e-95cd-4e4802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:40.000Z", "modified": "2017-01-08T10:53:40.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 415ad0a84fe7ae5b88a68b8c97d2d27de5b3aed2", "pattern": "[file:hashes.MD5 = '0647bac99b6a8407795134f5d67d4590']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a35-67f0-44c8-9dab-421c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:41.000Z", "modified": "2017-01-08T10:53:41.000Z", "first_observed": "2017-01-08T10:53:41Z", "last_observed": "2017-01-08T10:53:41Z", "number_observed": 1, "object_refs": [ "url--58721a35-67f0-44c8-9dab-421c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a35-67f0-44c8-9dab-421c02de0b81", "value": 
"https://www.virustotal.com/file/62ba328ada4ac69ac2ec9f9f101d16d5eb72b648c6bd078f735e17c8fc6b2829/analysis/1482068488/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a36-c628-4aa7-93d2-499f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:42.000Z", "modified": "2017-01-08T10:53:42.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 1cf86d87140f13bf88ede74654e01853bae2413c", "pattern": "[file:hashes.SHA256 = '3d85b4f923e2201a21a3e27e86ea6a2d3fda9778899568e7c505de5a4b70653e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a37-2c60-432a-9471-4e3402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:43.000Z", "modified": "2017-01-08T10:53:43.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: 1cf86d87140f13bf88ede74654e01853bae2413c", "pattern": "[file:hashes.MD5 = '2826c9c6c25368f773c0e448572585d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a37-4c14-4040-b978-4e5c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:43.000Z", "modified": "2017-01-08T10:53:43.000Z", "first_observed": "2017-01-08T10:53:43Z", "last_observed": "2017-01-08T10:53:43Z", "number_observed": 1, "object_refs": [ 
"url--58721a37-4c14-4040-b978-4e5c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a37-4c14-4040-b978-4e5c02de0b81", "value": "https://www.virustotal.com/file/3d85b4f923e2201a21a3e27e86ea6a2d3fda9778899568e7c505de5a4b70653e/analysis/1483633480/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a38-e2f4-400c-b548-478102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:44.000Z", "modified": "2017-01-08T10:53:44.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: ef59b4ffc8a92a5a49308ba98cb38949f74774f1", "pattern": "[file:hashes.SHA256 = 'dd4a29b9ad4644350878b4c073661481a64762c4be4a9aa20ff7b71453470cce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a39-d50c-4ba2-b029-4c4102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:45.000Z", "modified": "2017-01-08T10:53:45.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: ef59b4ffc8a92a5a49308ba98cb38949f74774f1", "pattern": "[file:hashes.MD5 = '263b6c350cbf7354b99139be17c272d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a39-fc50-49eb-aa98-44be02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-01-08T10:53:45.000Z", "modified": "2017-01-08T10:53:45.000Z", "first_observed": "2017-01-08T10:53:45Z", "last_observed": "2017-01-08T10:53:45Z", "number_observed": 1, "object_refs": [ "url--58721a39-fc50-49eb-aa98-44be02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a39-fc50-49eb-aa98-44be02de0b81", "value": "https://www.virustotal.com/file/dd4a29b9ad4644350878b4c073661481a64762c4be4a9aa20ff7b71453470cce/analysis/1483632797/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a3a-475c-44a4-8137-43f002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:46.000Z", "modified": "2017-01-08T10:53:46.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: f94bada2e3ef2461f9f9b291aac8ffbf81bf46ab", "pattern": "[file:hashes.SHA256 = 'e9d086bf3e1e657f847a2364ee1da56db50bfeb291a35f1f92f3b2a9125f6f5e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a3b-8860-4374-bcd3-4e4802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:47.000Z", "modified": "2017-01-08T10:53:47.000Z", "description": "Dropper/Downloader Samples - Xchecked via VT: f94bada2e3ef2461f9f9b291aac8ffbf81bf46ab", "pattern": "[file:hashes.MD5 = 'd692a057330361f8f58163f9aa7fc3a8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { 
"type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a3c-1a08-4680-9c4f-4e5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:48.000Z", "modified": "2017-01-08T10:53:48.000Z", "first_observed": "2017-01-08T10:53:48Z", "last_observed": "2017-01-08T10:53:48Z", "number_observed": 1, "object_refs": [ "url--58721a3c-1a08-4680-9c4f-4e5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a3c-1a08-4680-9c4f-4e5102de0b81", "value": "https://www.virustotal.com/file/e9d086bf3e1e657f847a2364ee1da56db50bfeb291a35f1f92f3b2a9125f6f5e/analysis/1483712714/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a3c-aa5c-46e5-9141-416202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:48.000Z", "modified": "2017-01-08T10:53:48.000Z", "description": "Related Gratem Samples - Xchecked via VT: f7372222ec3e56d384e7ca2650eb39c0f420bc88", "pattern": "[file:hashes.SHA256 = 'c89fb4332fef7367543c6457d3a6bfbd4d4f6ad7bea915baefc0489ad0c2a873']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a3d-58ec-49c2-bb1b-424602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:49.000Z", "modified": "2017-01-08T10:53:49.000Z", "description": "Related Gratem Samples - Xchecked via VT: f7372222ec3e56d384e7ca2650eb39c0f420bc88", "pattern": "[file:hashes.MD5 = '1bbc1549b8fe1ced42e65d8375ff7010']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:49Z", "kill_chain_phases": [ 
{ "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a3e-3fbc-42a7-85d3-47ca02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:50.000Z", "modified": "2017-01-08T10:53:50.000Z", "first_observed": "2017-01-08T10:53:50Z", "last_observed": "2017-01-08T10:53:50Z", "number_observed": 1, "object_refs": [ "url--58721a3e-3fbc-42a7-85d3-47ca02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a3e-3fbc-42a7-85d3-47ca02de0b81", "value": "https://www.virustotal.com/file/c89fb4332fef7367543c6457d3a6bfbd4d4f6ad7bea915baefc0489ad0c2a873/analysis/1483633479/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a3f-1e9c-45e9-9f31-4a1d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:51.000Z", "modified": "2017-01-08T10:53:51.000Z", "description": "Related Gratem Samples - Xchecked via VT: 673f315388d9c3e47adc280da1ff8b85a0893525", "pattern": "[file:hashes.SHA256 = 'a4ead13d2cb28c4443f023b5b87ec3bd641fb3ad590ca53ab41afefce9cbeccf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58721a3f-eba8-4c01-9964-429002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:51.000Z", "modified": "2017-01-08T10:53:51.000Z", "description": "Related Gratem Samples - Xchecked via VT: 673f315388d9c3e47adc280da1ff8b85a0893525", 
"pattern": "[file:hashes.MD5 = 'e2bc937f028602dda3fa56ad204ca726']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-08T10:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58721a40-54a0-4945-b198-4a6b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-08T10:53:52.000Z", "modified": "2017-01-08T10:53:52.000Z", "first_observed": "2017-01-08T10:53:52Z", "last_observed": "2017-01-08T10:53:52Z", "number_observed": 1, "object_refs": [ "url--58721a40-54a0-4945-b198-4a6b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58721a40-54a0-4945-b198-4a6b02de0b81", "value": "https://www.virustotal.com/file/a4ead13d2cb28c4443f023b5b87ec3bd641fb3ad590ca53ab41afefce9cbeccf/analysis/1483697879/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }