1899 lines
No EOL
82 KiB
JSON
1899 lines
No EOL
82 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--584bdec1-da2c-495b-9e13-4b3402de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-27T08:58:23.000Z",
|
|
"modified": "2016-12-27T08:58:23.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--584bdec1-da2c-495b-9e13-4b3402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-27T08:58:23.000Z",
|
|
"modified": "2016-12-27T08:58:23.000Z",
|
|
"name": "OSINT - Now Mirai Has DGA Feature Built in",
|
|
"published": "2017-01-11T20:17:56Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--584bded4-e034-4de8-af3a-47e202de0b81",
|
|
"observed-data--584bdefa-5d74-4794-b6aa-4a2e02de0b81",
|
|
"url--584bdefa-5d74-4794-b6aa-4a2e02de0b81",
|
|
"indicator--584bdf19-5554-47f0-8dce-431802de0b81",
|
|
"indicator--584bdf1a-83e8-4fb9-a733-4aa902de0b81",
|
|
"indicator--584bdf1a-00b4-45cb-b519-417102de0b81",
|
|
"indicator--584bdf1a-01bc-4dbd-adf7-483602de0b81",
|
|
"indicator--584bdf1a-33b0-4d84-8578-416102de0b81",
|
|
"indicator--584bdf1b-fd04-4200-b1db-41fd02de0b81",
|
|
"indicator--584bdf1b-28f0-4df9-82af-4aa502de0b81",
|
|
"indicator--584bdf1b-41ec-4b34-b1c8-4ef202de0b81",
|
|
"indicator--584bdf1b-a210-4a37-a1c0-4b5e02de0b81",
|
|
"indicator--584bdf1c-c9e4-4897-9564-4c7e02de0b81",
|
|
"indicator--584bdf1c-a914-49dd-83b6-415c02de0b81",
|
|
"indicator--584bdf1c-0f48-4d8a-afa7-4ae802de0b81",
|
|
"indicator--584bdf1c-fe5c-4569-b9a3-41c902de0b81",
|
|
"indicator--584bdf1d-833c-4949-8845-4a2c02de0b81",
|
|
"indicator--584bdf1d-4240-48cf-ba1b-413b02de0b81",
|
|
"indicator--584bdf1d-08ac-4628-a84e-441402de0b81",
|
|
"indicator--584bdf1d-f734-4b54-9fd5-482502de0b81",
|
|
"indicator--584bdf32-de34-48dd-b8e5-4b9902de0b81",
|
|
"indicator--584bdf33-d90c-4b98-b08f-408e02de0b81",
|
|
"indicator--584bdf33-d9c0-46e1-be48-467402de0b81",
|
|
"indicator--584bdf33-3d68-4758-842e-49c202de0b81",
|
|
"x-misp-attribute--584bdf4b-e604-4931-92af-4f0302de0b81",
|
|
"observed-data--584bdf69-b1a0-4920-b395-43a702de0b81",
|
|
"network-traffic--584bdf69-b1a0-4920-b395-43a702de0b81",
|
|
"ipv4-addr--584bdf69-b1a0-4920-b395-43a702de0b81",
|
|
"indicator--584be2c4-c5b4-4ba4-9ff0-4a7c02de0b81",
|
|
"indicator--584be2c4-21e8-478c-987b-4b5302de0b81",
|
|
"observed-data--584be2c4-aa60-4f7d-ac9c-43cb02de0b81",
|
|
"url--584be2c4-aa60-4f7d-ac9c-43cb02de0b81",
|
|
"indicator--584be2c4-e2bc-41f8-ae4f-45b702de0b81",
|
|
"indicator--584be2c5-101c-41f9-bda0-4e8502de0b81",
|
|
"observed-data--584be2c5-d030-4e7e-8e17-457a02de0b81",
|
|
"url--584be2c5-d030-4e7e-8e17-457a02de0b81",
|
|
"indicator--584be2c5-e460-4cf3-94ee-4a2c02de0b81",
|
|
"indicator--584be2c5-f220-4c45-bc41-433a02de0b81",
|
|
"observed-data--584be2c6-9a68-4e1f-a217-43f302de0b81",
|
|
"url--584be2c6-9a68-4e1f-a217-43f302de0b81",
|
|
"indicator--584be2c6-c3b8-4ab0-bc1c-401a02de0b81",
|
|
"indicator--584be2c6-a314-4fd5-9fe8-414102de0b81",
|
|
"observed-data--584be2c6-2788-40f9-b74d-4f0c02de0b81",
|
|
"url--584be2c6-2788-40f9-b74d-4f0c02de0b81",
|
|
"indicator--584be2c6-678c-4806-a664-4a8a02de0b81",
|
|
"indicator--584be2c7-5960-469f-9876-4d9a02de0b81",
|
|
"observed-data--584be2c7-1bfc-4c5c-b291-400802de0b81",
|
|
"url--584be2c7-1bfc-4c5c-b291-400802de0b81",
|
|
"indicator--584be2c7-79b8-4df7-8370-4dd602de0b81",
|
|
"indicator--584be2c7-5d44-4b2b-a4df-4d0c02de0b81",
|
|
"observed-data--584be2c8-cbd8-4f1d-b8f7-4f3202de0b81",
|
|
"url--584be2c8-cbd8-4f1d-b8f7-4f3202de0b81",
|
|
"indicator--584be2c8-80a8-47a2-b5d3-403902de0b81",
|
|
"indicator--584be2c8-1860-4329-b6aa-4b8e02de0b81",
|
|
"observed-data--584be2c8-c2e0-4547-bc5b-452a02de0b81",
|
|
"url--584be2c8-c2e0-4547-bc5b-452a02de0b81",
|
|
"indicator--584be2c8-e06c-4168-b80b-4f2602de0b81",
|
|
"indicator--584be2c9-f248-43d9-acd4-477b02de0b81",
|
|
"observed-data--584be2c9-e634-4a20-8896-411b02de0b81",
|
|
"url--584be2c9-e634-4a20-8896-411b02de0b81",
|
|
"indicator--584be2c9-366c-4add-b9e9-4d8602de0b81",
|
|
"indicator--584be2c9-e3d4-484d-8bf5-429802de0b81",
|
|
"observed-data--584be2ca-bf6c-4650-a746-4ef102de0b81",
|
|
"url--584be2ca-bf6c-4650-a746-4ef102de0b81",
|
|
"indicator--584be2ca-75c4-45a0-9589-431702de0b81",
|
|
"indicator--584be2ca-ede8-4c14-99f4-45a602de0b81",
|
|
"observed-data--584be2ca-6918-4559-b885-419302de0b81",
|
|
"url--584be2ca-6918-4559-b885-419302de0b81",
|
|
"indicator--584be2ca-bf48-4fa3-831b-40ef02de0b81",
|
|
"indicator--584be2cb-5224-47ef-8db2-4d9002de0b81",
|
|
"observed-data--584be2cb-84e4-497a-965a-420e02de0b81",
|
|
"url--584be2cb-84e4-497a-965a-420e02de0b81",
|
|
"indicator--584be2cb-6ca8-4893-b3cf-4b7902de0b81",
|
|
"indicator--584be2cb-7514-450c-affd-4f8e02de0b81",
|
|
"observed-data--584be2cc-bad0-4f8b-a5b2-4d4202de0b81",
|
|
"url--584be2cc-bad0-4f8b-a5b2-4d4202de0b81",
|
|
"indicator--584be2cc-3b84-4b81-b7f5-449802de0b81",
|
|
"indicator--584be2cc-c8d8-46f7-b6c7-480002de0b81",
|
|
"observed-data--584be2cc-448c-4f4f-a700-4bf302de0b81",
|
|
"url--584be2cc-448c-4f4f-a700-4bf302de0b81",
|
|
"indicator--584be2cd-7bc0-417c-8671-4c4102de0b81",
|
|
"indicator--584be2cd-3224-44cd-9cfa-4e1f02de0b81",
|
|
"observed-data--584be2cd-fa24-4442-a2d5-4ded02de0b81",
|
|
"url--584be2cd-fa24-4442-a2d5-4ded02de0b81",
|
|
"indicator--584be2cd-ef44-4df3-844e-41fd02de0b81",
|
|
"indicator--584be2cd-ddd4-43ed-8ba1-4daf02de0b81",
|
|
"observed-data--584be2ce-cca4-4731-9717-4ffb02de0b81",
|
|
"url--584be2ce-cca4-4731-9717-4ffb02de0b81",
|
|
"indicator--584be2ce-d4a8-4d01-8d90-45c002de0b81",
|
|
"indicator--584be2ce-5280-49a3-8d92-4c7902de0b81",
|
|
"observed-data--584be2ce-97a8-4a11-977d-4d7002de0b81",
|
|
"url--584be2ce-97a8-4a11-977d-4d7002de0b81",
|
|
"x-misp-attribute--58622d2f-25f8-426e-9c5a-3566bce2ab96"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:tool=\"Mirai\"",
|
|
"ms-caro-malware:malware-platform=\"Linux\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--584bded4-e034-4de8-af3a-47e202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:54:12.000Z",
|
|
"modified": "2016-12-10T10:54:12.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Nearly 2 weeks ago, 2 new infection vectors (aka TCP ports of 7547 and 5555) were found being used to spread MIRAI malwares <A Few Observations of The New Mirai Variant on Port 7547>. My colleague Gensheng quickly set up some honeypots for that sort of vectors and soon had his harvests: 11 samples were captured on Nov 28th. Till now 53 unique samples have been captured by our honeypots from 6 hosting servers.\r\n\r\nWhen analyzing one of the new samples, my colleague Wenji found some DGA like code and doubted there was DGA feature there. The doubt was soon verified by evidences collected from our sandboxes. Detailed RE work shows there does exist a DGA feature in the newly distributed MIRAI samples spread through TCP ports 7547 and 5555. In this blog I would like to introduce our findings."
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584bdefa-5d74-4794-b6aa-4a2e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:54:50.000Z",
|
|
"modified": "2016-12-10T10:54:50.000Z",
|
|
"first_observed": "2016-12-10T10:54:50Z",
|
|
"last_observed": "2016-12-10T10:54:50Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584bdefa-5d74-4794-b6aa-4a2e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584bdefa-5d74-4794-b6aa-4a2e02de0b81",
|
|
"value": "http://blog.netlab.360.com/new-mirai-variant-with-dga/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf19-5554-47f0-8dce-431802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:21.000Z",
|
|
"modified": "2016-12-10T10:55:21.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '005241cf76d31673a752a76bb0ba7118']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1a-83e8-4fb9-a733-4aa902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:22.000Z",
|
|
"modified": "2016-12-10T10:55:22.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '05891dbabc42a36f33c30535f0931555']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1a-00b4-45cb-b519-417102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:22.000Z",
|
|
"modified": "2016-12-10T10:55:22.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '0eb51d584712485300ad8e8126773941']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1a-01bc-4dbd-adf7-483602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:22.000Z",
|
|
"modified": "2016-12-10T10:55:22.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '15b35cfff4129b26c0f07bd4be462ba0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1a-33b0-4d84-8578-416102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:22.000Z",
|
|
"modified": "2016-12-10T10:55:22.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '2da64ae2f8b1e8b75063760abfc94ecf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1b-fd04-4200-b1db-41fd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:23.000Z",
|
|
"modified": "2016-12-10T10:55:23.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '41ba9f3d13ce33526da52407e2f0589d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1b-28f0-4df9-82af-4aa502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:23.000Z",
|
|
"modified": "2016-12-10T10:55:23.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '4a8145ae760385c1c000113a9ea00a3a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1b-41ec-4b34-b1c8-4ef202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:23.000Z",
|
|
"modified": "2016-12-10T10:55:23.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '551380681560849cee3de36329ba4ed3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1b-a210-4a37-a1c0-4b5e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:23.000Z",
|
|
"modified": "2016-12-10T10:55:23.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '72bbfc1ff6621a278e16cfc91906109f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1c-c9e4-4897-9564-4c7e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:24.000Z",
|
|
"modified": "2016-12-10T10:55:24.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '73f4312cc6f5067e505bc54c3b02b569']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1c-a914-49dd-83b6-415c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:24.000Z",
|
|
"modified": "2016-12-10T10:55:24.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '7d490eedc5b46aff00ffaaec7004e2a8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1c-0f48-4d8a-afa7-4ae802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:24.000Z",
|
|
"modified": "2016-12-10T10:55:24.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = '863dcf82883c885b0686dce747dcf502']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1c-fe5c-4569-b9a3-41c902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:24.000Z",
|
|
"modified": "2016-12-10T10:55:24.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = 'bf136fb3b350a96fd1003b8557bb758a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1d-833c-4949-8845-4a2c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:25.000Z",
|
|
"modified": "2016-12-10T10:55:25.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = 'bf650d39eb603d92973052ca80a4fdda']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1d-4240-48cf-ba1b-413b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:25.000Z",
|
|
"modified": "2016-12-10T10:55:25.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = 'd89b1be09de36e326611a2abbedb8751']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1d-08ac-4628-a84e-441402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:25.000Z",
|
|
"modified": "2016-12-10T10:55:25.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = 'dbd92b08cbff8455ff76c453ff704dc6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf1d-f734-4b54-9fd5-482502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:25.000Z",
|
|
"modified": "2016-12-10T10:55:25.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples.",
|
|
"pattern": "[file:hashes.MD5 = 'eba670256b816e2d11f107f629d08494']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf32-de34-48dd-b8e5-4b9902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:46.000Z",
|
|
"modified": "2016-12-10T10:55:46.000Z",
|
|
"description": "The hardcoded C2 domains in the samples are as follow",
|
|
"pattern": "[domain-name:value = 'zugzwang.me']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf33-d90c-4b98-b08f-408e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:47.000Z",
|
|
"modified": "2016-12-10T10:55:47.000Z",
|
|
"description": "The hardcoded C2 domains in the samples are as follow",
|
|
"pattern": "[domain-name:value = 'tr069.online']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf33-d9c0-46e1-be48-467402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:47.000Z",
|
|
"modified": "2016-12-10T10:55:47.000Z",
|
|
"description": "The hardcoded C2 domains in the samples are as follow",
|
|
"pattern": "[domain-name:value = 'tr069.tech']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584bdf33-3d68-4758-842e-49c202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:55:47.000Z",
|
|
"modified": "2016-12-10T10:55:47.000Z",
|
|
"description": "The hardcoded C2 domains in the samples are as follow",
|
|
"pattern": "[domain-name:value = 'tr069.support']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T10:55:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--584bdf4b-e604-4931-92af-4f0302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:56:11.000Z",
|
|
"modified": "2016-12-10T10:56:11.000Z",
|
|
"labels": [
|
|
"misp:type=\"whois-registrant-email\"",
|
|
"misp:category=\"Attribution\""
|
|
],
|
|
"x_misp_category": "Attribution",
|
|
"x_misp_type": "whois-registrant-email",
|
|
"x_misp_value": "dlinchkravitz@gmail.com"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584bdf69-b1a0-4920-b395-43a702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T10:56:41.000Z",
|
|
"modified": "2016-12-10T10:56:41.000Z",
|
|
"first_observed": "2016-12-10T10:56:41Z",
|
|
"last_observed": "2016-12-10T10:56:41Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"network-traffic--584bdf69-b1a0-4920-b395-43a702de0b81",
|
|
"ipv4-addr--584bdf69-b1a0-4920-b395-43a702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-src\"",
|
|
"misp:category=\"Network activity\""
|
|
]
|
|
},
|
|
{
|
|
"type": "network-traffic",
|
|
"spec_version": "2.1",
|
|
"id": "network-traffic--584bdf69-b1a0-4920-b395-43a702de0b81",
|
|
"src_ref": "ipv4-addr--584bdf69-b1a0-4920-b395-43a702de0b81",
|
|
"protocols": [
|
|
"tcp"
|
|
]
|
|
},
|
|
{
|
|
"type": "ipv4-addr",
|
|
"spec_version": "2.1",
|
|
"id": "ipv4-addr--584bdf69-b1a0-4920-b395-43a702de0b81",
|
|
"value": "93.190.142.201"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c4-c5b4-4ba4-9ff0-4a7c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:00.000Z",
|
|
"modified": "2016-12-10T11:11:00.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: eba670256b816e2d11f107f629d08494",
|
|
"pattern": "[file:hashes.SHA256 = 'c72d95ea10666be3446442bdf40d4b5a672d2f3e4f4627abbfa84389d2458e2d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c4-21e8-478c-987b-4b5302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:00.000Z",
|
|
"modified": "2016-12-10T11:11:00.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: eba670256b816e2d11f107f629d08494",
|
|
"pattern": "[file:hashes.SHA1 = '8a25dee4ea7d61692b2b95bd047269543aaf0c81']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2c4-aa60-4f7d-ac9c-43cb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:00.000Z",
|
|
"modified": "2016-12-10T11:11:00.000Z",
|
|
"first_observed": "2016-12-10T11:11:00Z",
|
|
"last_observed": "2016-12-10T11:11:00Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2c4-aa60-4f7d-ac9c-43cb02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2c4-aa60-4f7d-ac9c-43cb02de0b81",
|
|
"value": "https://www.virustotal.com/file/c72d95ea10666be3446442bdf40d4b5a672d2f3e4f4627abbfa84389d2458e2d/analysis/1481086418/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c4-e2bc-41f8-ae4f-45b702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:00.000Z",
|
|
"modified": "2016-12-10T11:11:00.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: dbd92b08cbff8455ff76c453ff704dc6",
|
|
"pattern": "[file:hashes.SHA256 = 'c69eef4b3c773ed94c467307949e5f779557f9908c34d36da52616f967dd518c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c5-101c-41f9-bda0-4e8502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:01.000Z",
|
|
"modified": "2016-12-10T11:11:01.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: dbd92b08cbff8455ff76c453ff704dc6",
|
|
"pattern": "[file:hashes.SHA1 = '6933d555a008a07b859a55cddb704441915adf68']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2c5-d030-4e7e-8e17-457a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:01.000Z",
|
|
"modified": "2016-12-10T11:11:01.000Z",
|
|
"first_observed": "2016-12-10T11:11:01Z",
|
|
"last_observed": "2016-12-10T11:11:01Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2c5-d030-4e7e-8e17-457a02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2c5-d030-4e7e-8e17-457a02de0b81",
|
|
"value": "https://www.virustotal.com/file/c69eef4b3c773ed94c467307949e5f779557f9908c34d36da52616f967dd518c/analysis/1481318102/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c5-e460-4cf3-94ee-4a2c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:01.000Z",
|
|
"modified": "2016-12-10T11:11:01.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: d89b1be09de36e326611a2abbedb8751",
|
|
"pattern": "[file:hashes.SHA256 = '31968911e51aef7ab8ff38f6af0b96c12bf100a4018c7fdab357b553f9450b20']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c5-f220-4c45-bc41-433a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:01.000Z",
|
|
"modified": "2016-12-10T11:11:01.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: d89b1be09de36e326611a2abbedb8751",
|
|
"pattern": "[file:hashes.SHA1 = '4ba724858ab32ca68348c54f284b8b3fad668566']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2c6-9a68-4e1f-a217-43f302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:02.000Z",
|
|
"modified": "2016-12-10T11:11:02.000Z",
|
|
"first_observed": "2016-12-10T11:11:02Z",
|
|
"last_observed": "2016-12-10T11:11:02Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2c6-9a68-4e1f-a217-43f302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2c6-9a68-4e1f-a217-43f302de0b81",
|
|
"value": "https://www.virustotal.com/file/31968911e51aef7ab8ff38f6af0b96c12bf100a4018c7fdab357b553f9450b20/analysis/1480953888/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c6-c3b8-4ab0-bc1c-401a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:02.000Z",
|
|
"modified": "2016-12-10T11:11:02.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: bf650d39eb603d92973052ca80a4fdda",
|
|
"pattern": "[file:hashes.SHA256 = '0a1cbf14e86c956cea5869dc88202aaa2f1c22e6a8ef63c9530787c08e2a2bcd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c6-a314-4fd5-9fe8-414102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:02.000Z",
|
|
"modified": "2016-12-10T11:11:02.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: bf650d39eb603d92973052ca80a4fdda",
|
|
"pattern": "[file:hashes.SHA1 = '03ecd3b49aa19589599c64e4e7a51206a592b4ef']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2c6-2788-40f9-b74d-4f0c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:02.000Z",
|
|
"modified": "2016-12-10T11:11:02.000Z",
|
|
"first_observed": "2016-12-10T11:11:02Z",
|
|
"last_observed": "2016-12-10T11:11:02Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2c6-2788-40f9-b74d-4f0c02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2c6-2788-40f9-b74d-4f0c02de0b81",
|
|
"value": "https://www.virustotal.com/file/0a1cbf14e86c956cea5869dc88202aaa2f1c22e6a8ef63c9530787c08e2a2bcd/analysis/1481085845/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c6-678c-4806-a664-4a8a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:02.000Z",
|
|
"modified": "2016-12-10T11:11:02.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: bf136fb3b350a96fd1003b8557bb758a",
|
|
"pattern": "[file:hashes.SHA256 = '971156ec3dca4fa5c53723863966ed165d546a184f3c8ded008b029fd59d6a5a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c7-5960-469f-9876-4d9a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:03.000Z",
|
|
"modified": "2016-12-10T11:11:03.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: bf136fb3b350a96fd1003b8557bb758a",
|
|
"pattern": "[file:hashes.SHA1 = 'ac3d4472b885388f7ff1ababa6bbdb326a381c2a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2c7-1bfc-4c5c-b291-400802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:03.000Z",
|
|
"modified": "2016-12-10T11:11:03.000Z",
|
|
"first_observed": "2016-12-10T11:11:03Z",
|
|
"last_observed": "2016-12-10T11:11:03Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2c7-1bfc-4c5c-b291-400802de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2c7-1bfc-4c5c-b291-400802de0b81",
|
|
"value": "https://www.virustotal.com/file/971156ec3dca4fa5c53723863966ed165d546a184f3c8ded008b029fd59d6a5a/analysis/1481310975/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c7-79b8-4df7-8370-4dd602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:03.000Z",
|
|
"modified": "2016-12-10T11:11:03.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 863dcf82883c885b0686dce747dcf502",
|
|
"pattern": "[file:hashes.SHA256 = 'f2a40a51777ead5ac980cc272a0ed1842eb999e2e9e7a8ff473a4841d6035892']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c7-5d44-4b2b-a4df-4d0c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:03.000Z",
|
|
"modified": "2016-12-10T11:11:03.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 863dcf82883c885b0686dce747dcf502",
|
|
"pattern": "[file:hashes.SHA1 = 'bdc86295fad70480f0c6edcc37981e3cf11d838c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2c8-cbd8-4f1d-b8f7-4f3202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:04.000Z",
|
|
"modified": "2016-12-10T11:11:04.000Z",
|
|
"first_observed": "2016-12-10T11:11:04Z",
|
|
"last_observed": "2016-12-10T11:11:04Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2c8-cbd8-4f1d-b8f7-4f3202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2c8-cbd8-4f1d-b8f7-4f3202de0b81",
|
|
"value": "https://www.virustotal.com/file/f2a40a51777ead5ac980cc272a0ed1842eb999e2e9e7a8ff473a4841d6035892/analysis/1481086829/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c8-80a8-47a2-b5d3-403902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:04.000Z",
|
|
"modified": "2016-12-10T11:11:04.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 7d490eedc5b46aff00ffaaec7004e2a8",
|
|
"pattern": "[file:hashes.SHA256 = '73edfb05ff537d798c39e0fcd29ed413b16f4947e80f21434c95f5a3d380100a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c8-1860-4329-b6aa-4b8e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:04.000Z",
|
|
"modified": "2016-12-10T11:11:04.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 7d490eedc5b46aff00ffaaec7004e2a8",
|
|
"pattern": "[file:hashes.SHA1 = '90cd69a987ec884e512602e36b0adbb4001da7e7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2c8-c2e0-4547-bc5b-452a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:04.000Z",
|
|
"modified": "2016-12-10T11:11:04.000Z",
|
|
"first_observed": "2016-12-10T11:11:04Z",
|
|
"last_observed": "2016-12-10T11:11:04Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2c8-c2e0-4547-bc5b-452a02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2c8-c2e0-4547-bc5b-452a02de0b81",
|
|
"value": "https://www.virustotal.com/file/73edfb05ff537d798c39e0fcd29ed413b16f4947e80f21434c95f5a3d380100a/analysis/1480771841/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c8-e06c-4168-b80b-4f2602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:04.000Z",
|
|
"modified": "2016-12-10T11:11:04.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 73f4312cc6f5067e505bc54c3b02b569",
|
|
"pattern": "[file:hashes.SHA256 = 'baa0c722bab75882e771d96e9b4050976654ac270c59998f1fed4dabd4faa8cb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c9-f248-43d9-acd4-477b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:05.000Z",
|
|
"modified": "2016-12-10T11:11:05.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 73f4312cc6f5067e505bc54c3b02b569",
|
|
"pattern": "[file:hashes.SHA1 = '504311aa20cac6e975fbfd605490b532086410cb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2c9-e634-4a20-8896-411b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:05.000Z",
|
|
"modified": "2016-12-10T11:11:05.000Z",
|
|
"first_observed": "2016-12-10T11:11:05Z",
|
|
"last_observed": "2016-12-10T11:11:05Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2c9-e634-4a20-8896-411b02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2c9-e634-4a20-8896-411b02de0b81",
|
|
"value": "https://www.virustotal.com/file/baa0c722bab75882e771d96e9b4050976654ac270c59998f1fed4dabd4faa8cb/analysis/1480771840/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c9-366c-4add-b9e9-4d8602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:05.000Z",
|
|
"modified": "2016-12-10T11:11:05.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 72bbfc1ff6621a278e16cfc91906109f",
|
|
"pattern": "[file:hashes.SHA256 = '3e49c5d6abb38d2bfb46c75e44502da0346e2358c000adc158f0cd58e4f72c8c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2c9-e3d4-484d-8bf5-429802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:05.000Z",
|
|
"modified": "2016-12-10T11:11:05.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 72bbfc1ff6621a278e16cfc91906109f",
|
|
"pattern": "[file:hashes.SHA1 = '57e8ec1acee10540c94313f29461459a09088b0e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2ca-bf6c-4650-a746-4ef102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:06.000Z",
|
|
"modified": "2016-12-10T11:11:06.000Z",
|
|
"first_observed": "2016-12-10T11:11:06Z",
|
|
"last_observed": "2016-12-10T11:11:06Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2ca-bf6c-4650-a746-4ef102de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2ca-bf6c-4650-a746-4ef102de0b81",
|
|
"value": "https://www.virustotal.com/file/3e49c5d6abb38d2bfb46c75e44502da0346e2358c000adc158f0cd58e4f72c8c/analysis/1480943070/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2ca-75c4-45a0-9589-431702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:06.000Z",
|
|
"modified": "2016-12-10T11:11:06.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 551380681560849cee3de36329ba4ed3",
|
|
"pattern": "[file:hashes.SHA256 = '9262bb58054acdfc6c2feb4bbca66957ddc9f58873a26d9365a64c2f267b26d6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2ca-ede8-4c14-99f4-45a602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:06.000Z",
|
|
"modified": "2016-12-10T11:11:06.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 551380681560849cee3de36329ba4ed3",
|
|
"pattern": "[file:hashes.SHA1 = '8b7ed8a16dc1796d0ddf95fcdf6b9dc9cb3d3b7f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2ca-6918-4559-b885-419302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:06.000Z",
|
|
"modified": "2016-12-10T11:11:06.000Z",
|
|
"first_observed": "2016-12-10T11:11:06Z",
|
|
"last_observed": "2016-12-10T11:11:06Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2ca-6918-4559-b885-419302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2ca-6918-4559-b885-419302de0b81",
|
|
"value": "https://www.virustotal.com/file/9262bb58054acdfc6c2feb4bbca66957ddc9f58873a26d9365a64c2f267b26d6/analysis/1480953888/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2ca-bf48-4fa3-831b-40ef02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:06.000Z",
|
|
"modified": "2016-12-10T11:11:06.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 4a8145ae760385c1c000113a9ea00a3a",
|
|
"pattern": "[file:hashes.SHA256 = '453462c1ecfd757e2baa8ac5541460830c3ee9b060ce83a7a5bad912bf3bee07']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cb-5224-47ef-8db2-4d9002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:07.000Z",
|
|
"modified": "2016-12-10T11:11:07.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 4a8145ae760385c1c000113a9ea00a3a",
|
|
"pattern": "[file:hashes.SHA1 = '395d6ee324cf288b377ae39d2dd5860e07ad43bf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2cb-84e4-497a-965a-420e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:07.000Z",
|
|
"modified": "2016-12-10T11:11:07.000Z",
|
|
"first_observed": "2016-12-10T11:11:07Z",
|
|
"last_observed": "2016-12-10T11:11:07Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2cb-84e4-497a-965a-420e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2cb-84e4-497a-965a-420e02de0b81",
|
|
"value": "https://www.virustotal.com/file/453462c1ecfd757e2baa8ac5541460830c3ee9b060ce83a7a5bad912bf3bee07/analysis/1480755180/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cb-6ca8-4893-b3cf-4b7902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:07.000Z",
|
|
"modified": "2016-12-10T11:11:07.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 41ba9f3d13ce33526da52407e2f0589d",
|
|
"pattern": "[file:hashes.SHA256 = '28a2977adbcb801addc98343ef3821f83c2911dfa8fcab171854fd9183088277']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cb-7514-450c-affd-4f8e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:07.000Z",
|
|
"modified": "2016-12-10T11:11:07.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 41ba9f3d13ce33526da52407e2f0589d",
|
|
"pattern": "[file:hashes.SHA1 = '4f876536a9ca9091a2884f08a4365de4202f6f64']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2cc-bad0-4f8b-a5b2-4d4202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:08.000Z",
|
|
"modified": "2016-12-10T11:11:08.000Z",
|
|
"first_observed": "2016-12-10T11:11:08Z",
|
|
"last_observed": "2016-12-10T11:11:08Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2cc-bad0-4f8b-a5b2-4d4202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2cc-bad0-4f8b-a5b2-4d4202de0b81",
|
|
"value": "https://www.virustotal.com/file/28a2977adbcb801addc98343ef3821f83c2911dfa8fcab171854fd9183088277/analysis/1480711854/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cc-3b84-4b81-b7f5-449802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:08.000Z",
|
|
"modified": "2016-12-10T11:11:08.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 2da64ae2f8b1e8b75063760abfc94ecf",
|
|
"pattern": "[file:hashes.SHA256 = '9f9c38740568cbe1fbb8171b1ad4221c43790ff106623555868abf76f9672e53']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cc-c8d8-46f7-b6c7-480002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:08.000Z",
|
|
"modified": "2016-12-10T11:11:08.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 2da64ae2f8b1e8b75063760abfc94ecf",
|
|
"pattern": "[file:hashes.SHA1 = 'b7959d5e50e757600d642a09d787913b64c105f8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2cc-448c-4f4f-a700-4bf302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:08.000Z",
|
|
"modified": "2016-12-10T11:11:08.000Z",
|
|
"first_observed": "2016-12-10T11:11:08Z",
|
|
"last_observed": "2016-12-10T11:11:08Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2cc-448c-4f4f-a700-4bf302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2cc-448c-4f4f-a700-4bf302de0b81",
|
|
"value": "https://www.virustotal.com/file/9f9c38740568cbe1fbb8171b1ad4221c43790ff106623555868abf76f9672e53/analysis/1481310973/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cd-7bc0-417c-8671-4c4102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:09.000Z",
|
|
"modified": "2016-12-10T11:11:09.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 15b35cfff4129b26c0f07bd4be462ba0",
|
|
"pattern": "[file:hashes.SHA256 = 'c8304790269f92310c3769a19393f690d4f9b4f0c5dc1f017f9067aeea2e7e22']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cd-3224-44cd-9cfa-4e1f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:09.000Z",
|
|
"modified": "2016-12-10T11:11:09.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 15b35cfff4129b26c0f07bd4be462ba0",
|
|
"pattern": "[file:hashes.SHA1 = 'b2c55c49f1968de9b016b98e2e50e320fe008de1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2cd-fa24-4442-a2d5-4ded02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:09.000Z",
|
|
"modified": "2016-12-10T11:11:09.000Z",
|
|
"first_observed": "2016-12-10T11:11:09Z",
|
|
"last_observed": "2016-12-10T11:11:09Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2cd-fa24-4442-a2d5-4ded02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2cd-fa24-4442-a2d5-4ded02de0b81",
|
|
"value": "https://www.virustotal.com/file/c8304790269f92310c3769a19393f690d4f9b4f0c5dc1f017f9067aeea2e7e22/analysis/1480771840/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cd-ef44-4df3-844e-41fd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:09.000Z",
|
|
"modified": "2016-12-10T11:11:09.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 0eb51d584712485300ad8e8126773941",
|
|
"pattern": "[file:hashes.SHA256 = '19ae41f248f6af0e942a6e46f004cce21a687d1f16988fbb5edce1a2bb9fa6bf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2cd-ddd4-43ed-8ba1-4daf02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:09.000Z",
|
|
"modified": "2016-12-10T11:11:09.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 0eb51d584712485300ad8e8126773941",
|
|
"pattern": "[file:hashes.SHA1 = '18bce2f0107b5fab1b0b7c453e2a6b6505200cbd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2ce-cca4-4731-9717-4ffb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:10.000Z",
|
|
"modified": "2016-12-10T11:11:10.000Z",
|
|
"first_observed": "2016-12-10T11:11:10Z",
|
|
"last_observed": "2016-12-10T11:11:10Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2ce-cca4-4731-9717-4ffb02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2ce-cca4-4731-9717-4ffb02de0b81",
|
|
"value": "https://www.virustotal.com/file/19ae41f248f6af0e942a6e46f004cce21a687d1f16988fbb5edce1a2bb9fa6bf/analysis/1481086259/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2ce-d4a8-4d01-8d90-45c002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:10.000Z",
|
|
"modified": "2016-12-10T11:11:10.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 05891dbabc42a36f33c30535f0931555",
|
|
"pattern": "[file:hashes.SHA256 = '006b32381cebeffd696678412db703dd0773b4bcb238c8e73437ddb3191e52bc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584be2ce-5280-49a3-8d92-4c7902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:10.000Z",
|
|
"modified": "2016-12-10T11:11:10.000Z",
|
|
"description": "Currently the DGA feature is found in the following samples. - Xchecked via VT: 05891dbabc42a36f33c30535f0931555",
|
|
"pattern": "[file:hashes.SHA1 = '3d770480b6410cba39e19b3a2ff3bec774cabe47']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-10T11:11:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584be2ce-97a8-4a11-977d-4d7002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-10T11:11:10.000Z",
|
|
"modified": "2016-12-10T11:11:10.000Z",
|
|
"first_observed": "2016-12-10T11:11:10Z",
|
|
"last_observed": "2016-12-10T11:11:10Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584be2ce-97a8-4a11-977d-4d7002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584be2ce-97a8-4a11-977d-4d7002de0b81",
|
|
"value": "https://www.virustotal.com/file/006b32381cebeffd696678412db703dd0773b4bcb238c8e73437ddb3191e52bc/analysis/1481087825/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--58622d2f-25f8-426e-9c5a-3566bce2ab96",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-27T08:58:23.000Z",
|
|
"modified": "2016-12-27T08:58:23.000Z",
|
|
"labels": [
|
|
"misp:type=\"threat-actor\"",
|
|
"misp:category=\"Attribution\""
|
|
],
|
|
"x_misp_category": "Attribution",
|
|
"x_misp_type": "threat-actor",
|
|
"x_misp_value": "Mirai"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |