{ "type": "bundle", "id": "bundle--595d508c-dc3c-49e8-8288-4a6002de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--595d508c-dc3c-49e8-8288-4a6002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "name": "OSINT - The MeDoc Connection", "published": "2017-07-05T20:51:47Z", "object_refs": [ "x-misp-attribute--595d509a-d224-4645-b1ac-439102de0b81", "observed-data--595d50a4-bd20-437d-8737-434802de0b81", "url--595d50a4-bd20-437d-8737-434802de0b81", "x-misp-attribute--595d50c5-f144-46fd-b6ff-46db02de0b81", "x-misp-attribute--595d50c6-db5c-4e7e-9db0-4d1002de0b81", "x-misp-attribute--595d50c6-569c-4921-b849-47d002de0b81", "x-misp-attribute--595d50c6-3ab8-40f2-bf02-4c4a02de0b81", "x-misp-attribute--595d50c6-8674-4393-aaa3-434a02de0b81", "x-misp-attribute--595d50c6-f770-47d6-a061-496202de0b81", "indicator--595d50d5-2328-427b-9535-4fe302de0b81", "indicator--595d50d5-f8e8-4769-93b1-400e02de0b81", "indicator--595d50e8-d3f0-4552-9306-437c02de0b81", "indicator--595d50e8-307c-4a7f-b19b-4e0502de0b81", "indicator--595d50e8-7a6c-493f-a1c8-452502de0b81", "indicator--595d50fb-f4a8-4e59-8d73-436402de0b81", "indicator--595d50fb-3ac8-473b-82c8-45f002de0b81", "indicator--595d50fb-1dcc-4ac3-9755-4ff802de0b81", "indicator--595d514c-c9ac-4ccd-bb65-499602de0b81", "indicator--595d514c-d144-4815-98f0-4c9d02de0b81", "observed-data--595d514c-81e4-4e91-8bc4-4be202de0b81", "url--595d514c-81e4-4e91-8bc4-4be202de0b81", "indicator--595d514c-a0ac-487c-a2ba-41f202de0b81", "indicator--595d514c-4188-483d-9fd9-4a9702de0b81", "observed-data--595d514c-1d84-4628-99a6-44a102de0b81", "url--595d514c-1d84-4628-99a6-44a102de0b81", "indicator--595d514c-857c-4902-81e0-455102de0b81", "indicator--595d514c-5fe8-42ca-850a-42c002de0b81", "observed-data--595d514c-d7c0-4e20-ba7f-4b9d02de0b81", "url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81", "indicator--595d514c-9030-4303-9902-496d02de0b81", "indicator--595d514c-b8bc-4293-a0ea-4dff02de0b81", "observed-data--595d514c-c4e0-49cc-82d7-468802de0b81", "url--595d514c-c4e0-49cc-82d7-468802de0b81", "indicator--595d514c-0284-4d7b-9762-494a02de0b81", "indicator--595d514c-d754-4082-9b7a-451102de0b81", "observed-data--595d514c-3d18-431e-bcf0-457c02de0b81", "url--595d514c-3d18-431e-bcf0-457c02de0b81", "indicator--595d514c-0248-4f6d-a21e-422702de0b81", "indicator--595d514c-363c-4b80-b083-469102de0b81", "observed-data--595d514c-a394-41bb-9d53-404102de0b81", "url--595d514c-a394-41bb-9d53-404102de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595d509a-d224-4645-b1ac-439102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595d50a4-bd20-437d-8737-434802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "first_observed": "2017-07-05T20:51:23Z", "last_observed": "2017-07-05T20:51:23Z", "number_observed": 1, "object_refs": [ "url--595d50a4-bd20-437d-8737-434802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595d50a4-bd20-437d-8737-434802de0b81", "value": "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595d50c5-f144-46fd-b6ff-46db02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "W32.Ransomware.Nyetya.Talos" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595d50c6-db5c-4e7e-9db0-4d1002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "W32.F9D6FE8BD8.Backdoor.Ransomware.Nyetya.Talos" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595d50c6-569c-4921-b849-47d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "W32.D462966166.Backdoor.Ransomware.Nyetya.Talos" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595d50c6-3ab8-40f2-bf02-4c4a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "W32.2FD2863D71.Backdoor.Ransomware.Nyetya.Talos" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595d50c6-8674-4393-aaa3-434a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "W32.02EF73BD24-95.SBX.TG" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595d50c6-f770-47d6-a061-496202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "W32.GenericKD:Petya.20h1.1201" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d50d5-2328-427b-9535-4fe302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "description": "MALICIOUS IP ADDRESSES:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.182.167']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d50d5-f8e8-4769-93b1-400e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "description": "MALICIOUS IP ADDRESSES:", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.148.186.214']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d50e8-d3f0-4552-9306-437c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "description": "NYETYA MALWARE", "pattern": "[file:hashes.SHA256 = '027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d50e8-307c-4a7f-b19b-4e0502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "description": "NYETYA MALWARE", "pattern": "[file:hashes.SHA256 = '02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d50e8-7a6c-493f-a1c8-452502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "description": "NYETYA MALWARE", "pattern": "[file:hashes.SHA256 = 'eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d50fb-f4a8-4e59-8d73-436402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:", "pattern": "[file:hashes.SHA256 = 'f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d50fb-3ac8-473b-82c8-45f002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:", "pattern": "[file:hashes.SHA256 = 'd462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d50fb-1dcc-4ac3-9755-4ff802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:23.000Z", "modified": "2017-07-05T20:51:23.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR:", "pattern": "[file:hashes.SHA256 = '2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-c9ac-4ccd-bb65-499602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: 2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277", "pattern": "[file:hashes.SHA1 = '3567434e2e49358e8210674641a20b147e0bd23c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-d144-4815-98f0-4c9d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: 2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277", "pattern": "[file:hashes.MD5 = '3efe62f6cb7285153114f888900a0962']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595d514c-81e4-4e91-8bc4-4be202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "first_observed": "2017-07-05T20:51:24Z", "last_observed": "2017-07-05T20:51:24Z", "number_observed": 1, "object_refs": [ "url--595d514c-81e4-4e91-8bc4-4be202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595d514c-81e4-4e91-8bc4-4be202de0b81", "value": "https://www.virustotal.com/file/2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277/analysis/1499286304/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-a0ac-487c-a2ba-41f202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac", "pattern": "[file:hashes.SHA1 = '7f3b1c56c180369ae7891483675bec61f3182f27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-4188-483d-9fd9-4a9702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac", "pattern": "[file:hashes.MD5 = '87db6af04613f4bd70467720239117e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595d514c-1d84-4628-99a6-44a102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "first_observed": "2017-07-05T20:51:24Z", "last_observed": "2017-07-05T20:51:24Z", "number_observed": 1, "object_refs": [ "url--595d514c-1d84-4628-99a6-44a102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595d514c-1d84-4628-99a6-44a102de0b81", "value": "https://www.virustotal.com/file/d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac/analysis/1499278990/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-857c-4902-81e0-455102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740", "pattern": "[file:hashes.SHA1 = '7b051e7e7a82f07873fa360958acc6492e4385dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-5fe8-42ca-850a-42c002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "M.E.DOC ZVITPUBLISHEDOBJECTS.DLL FILES WITH BACKDOOR: - Xchecked via VT: f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740", "pattern": "[file:hashes.MD5 = '8f5718be4ba2c6e4f8ce1597248bb03f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595d514c-d7c0-4e20-ba7f-4b9d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "first_observed": "2017-07-05T20:51:24Z", "last_observed": "2017-07-05T20:51:24Z", "number_observed": 1, "object_refs": [ "url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595d514c-d7c0-4e20-ba7f-4b9d02de0b81", "value": "https://www.virustotal.com/file/f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740/analysis/1499256049/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-9030-4303-9902-496d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "NYETYA MALWARE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998", "pattern": "[file:hashes.SHA1 = '56c03d8e43f50568741704aee482704a4f5005ad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-b8bc-4293-a0ea-4dff02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "NYETYA MALWARE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998", "pattern": "[file:hashes.MD5 = '2813d34f6197eb4df42c886ec7f234a1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595d514c-c4e0-49cc-82d7-468802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "first_observed": "2017-07-05T20:51:24Z", "last_observed": "2017-07-05T20:51:24Z", "number_observed": 1, "object_refs": [ "url--595d514c-c4e0-49cc-82d7-468802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595d514c-c4e0-49cc-82d7-468802de0b81", "value": "https://www.virustotal.com/file/eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998/analysis/1498939521/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-0284-4d7b-9762-494a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "NYETYA MALWARE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f", "pattern": "[file:hashes.SHA1 = '38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-d754-4082-9b7a-451102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "NYETYA MALWARE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f", "pattern": "[file:hashes.MD5 = '7e37ab34ecdcc3e77e24522ddfd4852d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595d514c-3d18-431e-bcf0-457c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "first_observed": "2017-07-05T20:51:24Z", "last_observed": "2017-07-05T20:51:24Z", "number_observed": 1, "object_refs": [ "url--595d514c-3d18-431e-bcf0-457c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595d514c-3d18-431e-bcf0-457c02de0b81", "value": "https://www.virustotal.com/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/1499122164/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-0248-4f6d-a21e-422702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "NYETYA MALWARE - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", "pattern": "[file:hashes.SHA1 = '34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595d514c-363c-4b80-b083-469102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "description": "NYETYA MALWARE - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", "pattern": "[file:hashes.MD5 = '71b6a493388e7d0b40c83ce903bc6b04']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T20:51:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595d514c-a394-41bb-9d53-404102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T20:51:24.000Z", "modified": "2017-07-05T20:51:24.000Z", "first_observed": "2017-07-05T20:51:24Z", "last_observed": "2017-07-05T20:51:24Z", "number_observed": 1, "object_refs": [ "url--595d514c-a394-41bb-9d53-404102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595d514c-a394-41bb-9d53-404102de0b81", "value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1499267430/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }