{ "type": "bundle", "id": "bundle--5a37c286-b27c-49e7-8c79-ed2e950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:57:37.000Z", "modified": "2017-12-18T13:57:37.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5a37c286-b27c-49e7-8c79-ed2e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:57:37.000Z", "modified": "2017-12-18T13:57:37.000Z", "name": "OSINT - Rehashed RAT Used in APT Campaign Against Vietnamese Organizations", "context": "suspicious-activity", "object_refs": [ "x-misp-attribute--5a37c310-fe98-4e0c-8a85-ed7e950d210f", "observed-data--5a37c320-10e0-40fe-b101-41be950d210f", "url--5a37c320-10e0-40fe-b101-41be950d210f", "indicator--5a37c39a-e51c-4e94-aa70-4624950d210f", "indicator--5a37c39a-94b4-4e3c-9920-487e950d210f", "indicator--5a37c39a-0990-4dee-807d-412e950d210f", "indicator--5a37c39a-11b0-4a56-ad0d-4a9b950d210f", "indicator--5a37c39a-2b88-49d7-9d70-4995950d210f", "indicator--5a37c39a-2b98-44e8-b2a8-40de950d210f", "indicator--5a37c39a-e7a4-4601-8090-44dd950d210f", "indicator--5a37c39a-a58c-4d47-a1c7-4ab0950d210f", "indicator--5a37c39a-4848-4c04-bedb-42e4950d210f", "indicator--5a37c39a-b858-4a24-b196-4ec8950d210f", "indicator--5a37c3ae-68e8-4c93-8990-ed2e950d210f", "indicator--5a37c3ae-8fd8-4d9e-b951-ed2e950d210f", "indicator--5a37c3c2-1348-469b-9f4c-4697950d210f", "indicator--5a37c3c2-e3dc-46a1-869d-4bf5950d210f", "indicator--5a37c3c2-9f14-4ffd-8bcc-4955950d210f", "indicator--5a37c3d8-006c-4fd8-b4f9-4ce0950d210f", "indicator--5a37c3ed-1a24-4906-89b8-48eb950d210f", "indicator--5a37c3ed-05a0-407e-9c80-4ed0950d210f", "indicator--5a37c3ed-eedc-4f84-8374-4da3950d210f", "indicator--5a37c838-6cf4-4379-ab05-46c3950d210f", "indicator--5a37c838-7e94-443d-ac6c-442c950d210f", "indicator--5a37c838-2f18-4d4c-bb82-447a950d210f", "indicator--5a37c838-99e0-407b-b49f-45b6950d210f", "indicator--5a37c838-b1a0-4941-a998-44b7950d210f", "indicator--5a37c838-ac4c-48db-8a98-49d8950d210f", "indicator--5a37c838-0394-4a48-878b-4a60950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:rat=\"NewCore\"", "type:OSINT", "osint:source-type=\"blog-post\"", "workflow:todo=\"expansion\"", "enisa:nefarious-activity-abuse=\"remote-access-tool\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a37c310-fe98-4e0c-8a85-ed7e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:31:26.000Z", "modified": "2017-12-18T13:31:26.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Recently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158. To evade suspicion from the victim, these RTF files drop decoy documents containing politically themed texts about a variety of Vietnamese government-related information. It was believed in a recent report that the hacking campaign where these documents were used was led by the Chinese hacking group 1937CN. The link to the group was found through malicious domains used as command and control servers by the attacker. In this blog, we will delve into the malware used in this campaign and will try to provide more clues as to the instigator of this campaign." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a37c320-10e0-40fe-b101-41be950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:31:19.000Z", "modified": "2017-12-18T13:31:19.000Z", "first_observed": "2017-12-18T13:31:19Z", "last_observed": "2017-12-18T13:31:19Z", "number_observed": 1, "object_refs": [ "url--5a37c320-10e0-40fe-b101-41be950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a37c320-10e0-40fe-b101-41be950d210f", "value": "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-e51c-4e94-aa70-4624950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = '2a4e8ae006be3a5ed2327b6422c4c6f8f274cfa9385c4a540bc617bff6a0f060']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-94b4-4e3c-9920-487e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = '3faacef20002f9deb1305c43ea75b8422fd29a1559c0cf01cf1cee6a1b94fc0e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-0990-4dee-807d-412e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = '5bdbf536e12c9150d15ae4af2d825ff2ec432d5147b0c3404c5d24655d9ebe52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-11b0-4a56-ad0d-4a9b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = '14b4d8f787d11c7d72f66231e80997ef6ffa1d868d9d8f964bea36871e1c2ff2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-2b88-49d7-9d70-4995950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = '637c156508949c881763c019d2dca7c912da9ec63f01e3d3ba604f31b36e52ab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-2b98-44e8-b2a8-40de950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = '5573f6ec22026b0c00945eec177f04212492bb05c33b4b80f73c65ce7fe5119a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-e7a4-4601-8090-44dd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = '00466938836129a634b573d2b57311200ab04aba7252cfbf6b77f435612ca6c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-a58c-4d47-a1c7-4ab0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = 'c375946ba8abee48948f79a89ea5b4f823d8287c2feb3515755b22ba5bd8849d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-4848-4c04-bedb-42e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = 'f6a4bab7d5664d7802f1007daa04ae71e0e2b829cd06faa9b93a465546837eb4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c39a-b858-4a24-b196-4ec8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:14.000Z", "modified": "2017-12-18T13:33:14.000Z", "description": "Lure", "pattern": "[file:hashes.SHA256 = 'fabf4debacb7950d403a84f4af25c084d0b576783006d334052ebf7ea432196e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3ae-68e8-4c93-8990-ed2e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:34.000Z", "modified": "2017-12-18T13:33:34.000Z", "description": "Loader", "pattern": "[file:hashes.SHA256 = '9cebae97a067cd7c2be50d7fd8afe5e9cf935c11914a1ab5ff59e91c1e7e5fc4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3ae-8fd8-4d9e-b951-ed2e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:34.000Z", "modified": "2017-12-18T13:33:34.000Z", "description": "Loader", "pattern": "[file:hashes.SHA256 = 'ea5b3320c5bbe2331fa3c0bd0adb3ec91f0aed97709e1b869b79f6a604ba002f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3c2-1348-469b-9f4c-4697950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:54.000Z", "modified": "2017-12-18T13:33:54.000Z", "description": "Trojan Downloader", "pattern": "[file:hashes.SHA256 = 'edbcc384b8ae0a2f52f239e2e599c3d2053f98cc1f4bc91548ec420bec063be6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3c2-e3dc-46a1-869d-4bf5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:54.000Z", "modified": "2017-12-18T13:33:54.000Z", "description": "Trojan Downloader", "pattern": "[file:hashes.SHA256 = '49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3c2-9f14-4ffd-8bcc-4955950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:33:54.000Z", "modified": "2017-12-18T13:33:54.000Z", "description": "Trojan Downloader", "pattern": "[file:hashes.SHA256 = 'df8475669a14a335c46c802f642dd5569c52f915093a680175c30cc9f28aacdb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3d8-006c-4fd8-b4f9-4ce0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:34:16.000Z", "modified": "2017-12-18T13:34:16.000Z", "description": "NewCore RAT", "pattern": "[file:hashes.SHA256 = '37bd97779e854ea2fc43486ddb831a5acfd19cf89f06823c9fd3b20134cb1c35']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:34:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3ed-1a24-4906-89b8-48eb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:34:37.000Z", "modified": "2017-12-18T13:34:37.000Z", "description": "Command and Control Servers", "pattern": "[domain-name:value = 'web.thoitietvietnam.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:34:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3ed-05a0-407e-9c80-4ed0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:34:37.000Z", "modified": "2017-12-18T13:34:37.000Z", "description": "Command and Control Servers", "pattern": "[domain-name:value = 'dalat.dulichovietnam.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:34:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c3ed-eedc-4f84-8374-4da3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:34:37.000Z", "modified": "2017-12-18T13:34:37.000Z", "description": "Command and Control Servers", "pattern": "[domain-name:value = 'halong.dulichculao.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:34:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c838-6cf4-4379-ab05-46c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:52:56.000Z", "modified": "2017-12-18T13:52:56.000Z", "description": "signed legitimate GoogleUpdate.exe version 1.3.33.5", "pattern": "[file:name = 'Taskeng.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:52:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c838-7e94-443d-ac6c-442c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:52:56.000Z", "modified": "2017-12-18T13:52:56.000Z", "description": "encrypted blob containing malware file", "pattern": "[file:name = 'Psisrndrx.ebd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:52:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c838-2f18-4d4c-bb82-447a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:52:56.000Z", "modified": "2017-12-18T13:52:56.000Z", "description": "decrypter and loader of malware file", "pattern": "[file:name = 'Goopdate.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:52:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c838-99e0-407b-b49f-45b6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:52:56.000Z", "modified": "2017-12-18T13:52:56.000Z", "description": "signed legitimate McAfee AV application", "pattern": "[file:name = 'SC&Cfg.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:52:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c838-b1a0-4941-a998-44b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:52:56.000Z", "modified": "2017-12-18T13:52:56.000Z", "description": "contains the malware file", "pattern": "[file:name = 'Vsodscpl.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:52:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c838-ac4c-48db-8a98-49d8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:52:56.000Z", "modified": "2017-12-18T13:52:56.000Z", "description": "signed legitimate GoogleUpdate.exe version 1.3.30.3", "pattern": "[file:name = 'Systemm.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:52:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a37c838-0394-4a48-878b-4a60950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T13:52:56.000Z", "modified": "2017-12-18T13:52:56.000Z", "description": "encrypted blob containing malware file", "pattern": "[file:name = 'Systemsfb.ebd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T13:52:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }