{ "type": "bundle", "id": "bundle--5b43ce0c-47e8-476c-97d6-f56402de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:08.000Z", "modified": "2018-07-10T06:56:08.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b43ce0c-47e8-476c-97d6-f56402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:08.000Z", "modified": "2018-07-10T06:56:08.000Z", "name": "OSINT - APT Attack In the Middle East: The Big Bang", "published": "2018-07-10T07:10:59Z", "object_refs": [ "observed-data--5b43ce1c-edb4-491d-95c5-43fd02de0b81", "url--5b43ce1c-edb4-491d-95c5-43fd02de0b81", "indicator--5b43ce38-f8ec-46cf-a6e1-4c6502de0b81", "indicator--5b43ce39-f540-4bca-96c8-472d02de0b81", "indicator--5b43ce39-cb38-4f9d-85b0-420802de0b81", "indicator--5b43ce3a-9dbc-485b-9b5b-483902de0b81", "indicator--5b43ce3a-4c8c-4399-b52e-429e02de0b81", "indicator--5b43ce3b-e330-4f8c-9fcd-4d4e02de0b81", "indicator--5b43ce3b-b098-4156-9bb1-489002de0b81", "indicator--5b43ce3b-a5bc-4932-9030-43d902de0b81", "indicator--5b43ce3c-3a70-4e79-a245-404402de0b81", "indicator--5b43ce3c-447c-4bcc-a5d7-452402de0b81", "indicator--5b43ce3d-bcb0-4078-9fb7-486c02de0b81", "indicator--5b43ce3d-8b4c-4b04-b52f-485602de0b81", "indicator--5b43ce3e-5608-466a-962a-408902de0b81", "x-misp-attribute--5b4454b3-ec70-438e-b9e3-4d7d950d210f", "indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2", "x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2", "indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8", "x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea", "indicator--e84f13a0-0878-494a-b532-2946d911523e", "x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8", "indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76", "x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3", "indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4", "x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a", "relationship--63387ae0-3ee5-4031-96f5-d6dc6c246963", "relationship--cb549dec-adef-4cc9-90ac-042e35d860a7", "relationship--2957aa7b-8850-45c8-b772-0f53ab6f0d08", "relationship--371e1979-c50b-48e6-9a87-7fe61fc48932", "relationship--a917e027-cc8a-4ded-9924-ee6654a0925d" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Screen Capture - T1113\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Information Repositories - T1213\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Commonly Used Port - T1043\"", "osint:source-type=\"blog-post\"", "misp-galaxy:threat-actor=\"The Big Bang\"", "osint:lifetime=\"perpetual\"", "estimative-language:confidence-in-analytic-judgment=\"moderate\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b43ce1c-edb4-491d-95c5-43fd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "first_observed": "2018-07-10T06:56:05Z", "last_observed": "2018-07-10T06:56:05Z", "number_observed": 1, "object_refs": [ "url--5b43ce1c-edb4-491d-95c5-43fd02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b43ce1c-edb4-491d-95c5-43fd02de0b81", "value": "https://research.checkpoint.com/apt-attack-middle-east-big-bang/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce38-f8ec-46cf-a6e1-4c6502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[file:hashes.SHA1 = 'a210ac6ea0406d81fa5682e86997be25c73e9d1b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce39-f540-4bca-96c8-472d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[file:hashes.SHA1 = '994ebbe444183e0d67b13f91d75b0f9bcfb011db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce39-cb38-4f9d-85b0-420802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[file:hashes.SHA1 = '74ea60b4e269817168e107bdccc42b3a1193c1e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3a-9dbc-485b-9b5b-483902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[file:hashes.SHA1 = '511bec782be41e85a013cbea95725d5807e3c2f2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3a-4c8c-4399-b52e-429e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[file:hashes.SHA1 = '9e093a5b34c4e5dea59e374b409173565dc3b05b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3b-e330-4f8c-9fcd-4d4e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[domain-name:value = 'lindamullins.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3b-b098-4156-9bb1-489002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[domain-name:value = 'spgbotup.club']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3b-a5bc-4932-9030-43d902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[domain-name:value = 'namyyeatop.club']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3c-3a70-4e79-a245-404402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[domain-name:value = 'namybotter.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3c-447c-4bcc-a5d7-452402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[domain-name:value = 'sanjynono.website']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3d-bcb0-4078-9fb7-486c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[domain-name:value = 'exvsnomy.club']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3d-8b4c-4b04-b52f-485602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[domain-name:value = 'ezofiezo.website']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b43ce3e-5608-466a-962a-408902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "pattern": "[domain-name:value = 'hitmesanjjoy.pro']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-10T06:56:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b4454b3-ec70-438e-b9e3-4d7d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-10T06:56:05.000Z", "modified": "2018-07-10T06:56:05.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Over the last few weeks, the Check Point Threat Intelligence Team discovered the comeback of an APT surveillance attack against institutions across the Middle East, specifically the Palestinian Authority.\r\n\r\nThe attack begins with a phishing email sent to targets that includes an attachment of a self-extracting archive containing two files: a Word document and a malicious executable. Posing to be from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy, distracting victims while the malware is installed in the background.\r\n\r\nThe malware has several modules, some of which are:\r\n\r\n Taking a screenshot of the infected machine and sending it to the C&C server.\r\n Sending a list of documents with file extensions including .doc, .odt, .xls, .ppt, .pdf and more.\r\n Logging details about the system.\r\n Rebooting the system.\r\n Self-destructing the executable.\r\n\r\nWhile it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed \u00e2\u20ac\u02dcBig Bang\u00e2\u20ac\u2122 due to the attacker\u00e2\u20ac\u2122s fondness for the \u00e2\u20ac\u02dcBig Bang Theory\u00e2\u20ac\u2122 TV show, after which some of the malware\u00e2\u20ac\u2122s modules are named.\r\n\r\nA previous campaign of this APT group was uncovered by Talos in June 2017, and since then very little of this operation was seen in the wild. The Big Bang campaign described below incorporates improved capabilities and offensive infrastructure, and seems to be even more targeted." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:10:57.000Z", "modified": "2018-07-09T21:10:57.000Z", "pattern": "[file:hashes.MD5 = 'a3dc31c456508df7dfac8349eb0d2b65' AND file:hashes.SHA1 = '74ea60b4e269817168e107bdccc42b3a1193c1e6' AND file:hashes.SHA256 = '63a73cf005eb328f3c7e99f0d28da65980d9620b66d8c41939f6db023418c864']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-09T21:10:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:10:55.000Z", "modified": "2018-07-09T21:10:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-09T20:54:06", "category": "Other", "uuid": "d8dba617-c8c4-466d-99b9-0bc760fc64f6" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/63a73cf005eb328f3c7e99f0d28da65980d9620b66d8c41939f6db023418c864/analysis/1531169646/", "category": "External analysis", "uuid": "32da8334-bef5-4dd2-9c11-4bde99a3e834" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/58", "category": "Other", "uuid": "f06cc6f8-9d16-4237-9edf-f22bffa514f1" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:10:59.000Z", "modified": "2018-07-09T21:10:59.000Z", "pattern": "[file:hashes.MD5 = 'fd8c8ae6a261b0e88df06236c5b70be6' AND file:hashes.SHA1 = '511bec782be41e85a013cbea95725d5807e3c2f2' AND file:hashes.SHA256 = 'ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-09T21:10:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:10:58.000Z", "modified": "2018-07-09T21:10:58.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-09T10:06:12", "category": "Other", "uuid": "f6c73d92-dd22-4ecd-b81d-82dce73c212d" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224/analysis/1531130772/", "category": "External analysis", "uuid": "8f99dadd-67ca-4199-97e6-19277a85fcfb" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/67", "category": "Other", "uuid": "db260972-06f4-4105-8732-a2a5e05b2b36" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e84f13a0-0878-494a-b532-2946d911523e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:11:02.000Z", "modified": "2018-07-09T21:11:02.000Z", "pattern": "[file:hashes.MD5 = '18864d22331fc6503641f128226aaea8' AND file:hashes.SHA1 = '994ebbe444183e0d67b13f91d75b0f9bcfb011db' AND file:hashes.SHA256 = 'e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-09T21:11:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:11:00.000Z", "modified": "2018-07-09T21:11:00.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-09T10:06:11", "category": "Other", "uuid": "30bf9981-32fa-4aeb-b1a4-0f98d2e5f0c3" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc/analysis/1531130771/", "category": "External analysis", "uuid": "7130664a-5360-49d3-b551-c9dddafd4c17" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/68", "category": "Other", "uuid": "a2025a9a-ca8a-48a6-a3a4-a3118ec625f3" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:11:04.000Z", "modified": "2018-07-09T21:11:04.000Z", "pattern": "[file:hashes.MD5 = '81881a0841deaa0ef1ea92c51d8c8845' AND file:hashes.SHA1 = '9e093a5b34c4e5dea59e374b409173565dc3b05b' AND file:hashes.SHA256 = '4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-09T21:11:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:11:03.000Z", "modified": "2018-07-09T21:11:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-09T20:34:31", "category": "Other", "uuid": "cd137230-b3bb-4d53-b429-a0ccd6981c67" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b/analysis/1531168471/", "category": "External analysis", "uuid": "b23e43db-c16a-4207-962e-3c2d632da209" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/67", "category": "Other", "uuid": "89eed594-20f3-4eff-a527-7b02e13a4eae" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:11:06.000Z", "modified": "2018-07-09T21:11:06.000Z", "pattern": "[file:hashes.MD5 = '2f8face85084bea8adacac36ee2f641f' AND file:hashes.SHA1 = 'a210ac6ea0406d81fa5682e86997be25c73e9d1b' AND file:hashes.SHA256 = '0ed777075d67d00720021e4703bde809900f4715ccf0a2d4383e285801dca5ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-09T21:11:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-09T21:11:05.000Z", "modified": "2018-07-09T21:11:05.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-09T10:08:43", "category": "Other", "uuid": "d0f2ac63-e02e-4edb-beb2-73acd376f9ae" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/0ed777075d67d00720021e4703bde809900f4715ccf0a2d4383e285801dca5ba/analysis/1531130923/", "category": "External analysis", "uuid": "ea7e49cd-c2d2-4b91-bcb8-e57fd9782019" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/67", "category": "Other", "uuid": "2ce142ab-e375-46a2-bd2d-8118b5ce9054" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--63387ae0-3ee5-4031-96f5-d6dc6c246963", "created": "2018-07-09T21:11:06.000Z", "modified": "2018-07-09T21:11:06.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2", "target_ref": "x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cb549dec-adef-4cc9-90ac-042e35d860a7", "created": "2018-07-09T21:11:06.000Z", "modified": "2018-07-09T21:11:06.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8", "target_ref": "x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2957aa7b-8850-45c8-b772-0f53ab6f0d08", "created": "2018-07-09T21:11:07.000Z", "modified": "2018-07-09T21:11:07.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--e84f13a0-0878-494a-b532-2946d911523e", "target_ref": "x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--371e1979-c50b-48e6-9a87-7fe61fc48932", "created": "2018-07-09T21:11:07.000Z", "modified": "2018-07-09T21:11:07.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76", "target_ref": "x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a917e027-cc8a-4ded-9924-ee6654a0925d", "created": "2018-07-09T21:11:07.000Z", "modified": "2018-07-09T21:11:07.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4", "target_ref": "x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }