misp-circl-feed/feeds/circl/stix-2.1/58d38baa-a47c-40c5-8c8f-45b4950d210f.json

1032 lines
No EOL
45 KiB
JSON

{
"type": "bundle",
"id": "bundle--58d38baa-a47c-40c5-8c8f-45b4950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58d38baa-a47c-40c5-8c8f-45b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"name": "OSINT - Winnti Abuses GitHub for C&C Communications",
"published": "2017-03-23T09:34:35Z",
"object_refs": [
"observed-data--58d38bd6-fd08-43d4-b092-4586950d210f",
"url--58d38bd6-fd08-43d4-b092-4586950d210f",
"x-misp-attribute--58d38bea-6cd0-4bb7-86f6-4534950d210f",
"indicator--58d393bd-bf10-4b1e-9cbf-4ebc950d210f",
"indicator--58d393be-6cb4-4753-8e81-4306950d210f",
"indicator--58d393bf-f3f0-4c43-81a3-461b950d210f",
"indicator--58d393c0-18f8-4311-b6a1-4cb5950d210f",
"indicator--58d393c0-5a30-47ca-be06-4960950d210f",
"indicator--58d393c1-75a4-42d5-915a-4c77950d210f",
"indicator--58d3950a-ffb4-4a6b-a442-4e10950d210f",
"indicator--58d3950b-d098-49b4-8ad8-4255950d210f",
"indicator--58d3950c-6c0c-41fc-b0ff-4e3c950d210f",
"indicator--58d3950d-9778-4477-93b7-4192950d210f",
"indicator--58d3950e-4164-48d4-bda4-45f8950d210f",
"indicator--58d3950f-6e7c-4959-8f43-4f6b950d210f",
"indicator--58d39510-5840-4bba-b5d3-43a1950d210f",
"indicator--58d39511-d928-4adc-a65c-41ec950d210f",
"indicator--58d39512-beac-4951-bd97-422f950d210f",
"indicator--58d39512-63ac-4119-b1d1-404c950d210f",
"indicator--58d39513-3674-4298-83a5-4e97950d210f",
"indicator--58d39514-ac10-4112-9f4a-44c6950d210f",
"indicator--58d39515-1c68-4743-8f45-4132950d210f",
"indicator--58d39582-f3b8-4540-bc74-478a02de0b81",
"indicator--58d39583-c104-4652-a263-44f802de0b81",
"observed-data--58d39584-3f08-4842-848f-475602de0b81",
"url--58d39584-3f08-4842-848f-475602de0b81",
"indicator--58d39585-7cf8-45ba-8f84-48a202de0b81",
"indicator--58d39586-7de0-4c69-b715-4bb902de0b81",
"observed-data--58d39587-6484-49c5-8cf5-43ac02de0b81",
"url--58d39587-6484-49c5-8cf5-43ac02de0b81",
"indicator--58d39588-a408-45a0-a2fa-4ba502de0b81",
"indicator--58d39589-a960-47cc-9923-483e02de0b81",
"observed-data--58d3958a-3b38-414e-96a1-4e8502de0b81",
"url--58d3958a-3b38-414e-96a1-4e8502de0b81",
"indicator--58d3958b-0dd0-40a0-97d2-446102de0b81",
"indicator--58d3958c-6118-4f70-aec5-463102de0b81",
"observed-data--58d3958d-3960-4962-8469-497502de0b81",
"url--58d3958d-3960-4962-8469-497502de0b81",
"indicator--58d3958e-f960-4209-8de4-4e5f02de0b81",
"indicator--58d3958f-2bf4-431b-a40d-41ed02de0b81",
"observed-data--58d39590-87e0-4b5e-9143-4fff02de0b81",
"url--58d39590-87e0-4b5e-9143-4fff02de0b81",
"indicator--58d39591-8ed8-4334-a252-473902de0b81",
"indicator--58d39592-3394-4c30-9626-4f5202de0b81",
"observed-data--58d39593-73e0-45fe-9265-4f1002de0b81",
"url--58d39593-73e0-45fe-9265-4f1002de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:tool=\"Winnti\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d38bd6-fd08-43d4-b092-4586950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"first_observed": "2017-03-23T09:29:19Z",
"last_observed": "2017-03-23T09:29:19Z",
"number_observed": 1,
"object_refs": [
"url--58d38bd6-fd08-43d4-b092-4586950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"almost-certain\"",
"admiralty-scale:source-reliability=\"b\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d38bd6-fd08-43d4-b092-4586950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58d38bea-6cd0-4bb7-86f6-4534950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"almost-certain\"",
"admiralty-scale:source-reliability=\"b\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Developers constantly need to modify and rework their source codes when releasing new versions of applications or coding projects they create and maintain. This is what makes GitHub\u00e2\u20ac\u201dan online repository hosting service that provides version control management\u00e2\u20ac\u201dpopular. In many ways, it\u00e2\u20ac\u2122s like a social networking site for programmers and developers, one that provides a valuable platform for code management, sharing, collaboration, and integration.\r\n\r\nGitHub is no stranger to misuse, however. Open-source ransomware projects EDA2 and Hidden Tear\u00e2\u20ac\u201dsupposedly created for educational purposes\u00e2\u20ac\u201dwere hosted on GitHub, and have since spawned various offshoots that have been found targeting enterprises. Tools that exploited vulnerabilities in Internet of Things (IoT) devices were also made available on GitHub. Even the Limitless Keylogger, which was used in targeted attacks, was linked to a GitHub project.\r\n\r\nRecently, the Winnti group, a threat actor with a past of traditional cybercrime -particularly with financial fraud, has been seen abusing GitHub by turning it into a conduit for the command and control (C&C) communications of their seemingly new backdoor (detected by Trend Micro as BKDR64_WINNTI.ONM).\r\n\r\nOur research also showed that the group still uses some of the infamous PlugX malware variants\u00e2\u20ac\u201da staple in Winnti\u00e2\u20ac\u2122s arsenal\u00e2\u20ac\u201dto handle targeted attack operations via the GitHub account we identified."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d393bd-bf10-4b1e-9cbf-4ebc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "cryptbase.dll",
"pattern": "[file:hashes.SHA256 = '06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d393be-6cb4-4753-8e81-4306950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "loadperf.dll",
"pattern": "[file:hashes.SHA256 = '1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d393bf-f3f0-4c43-81a3-461b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "loadoerf.ini",
"pattern": "[file:hashes.SHA256 = '7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d393c0-18f8-4311-b6a1-4cb5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "wbemcomn.ini",
"pattern": "[file:hashes.SHA256 = '9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d393c0-5a30-47ca-be06-4960950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "cryptbase.ini",
"pattern": "[file:hashes.SHA256 = 'b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d393c1-75a4-42d5-915a-4c77950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "wbemcomn.dll",
"pattern": "[file:hashes.SHA256 = 'e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3950a-ffb4-4a6b-a442-4e10950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS) 53 (DNS) 80 (HTTP)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '160.16.243.129']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3950b-d098-49b4-8ad8-4255950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS) 53 (DNS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.18']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3950c-6c0c-41fc-b0ff-4e3c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "53 (DNS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.20']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3950d-9778-4477-93b7-4192950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS) 53 (DNS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.22']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3950e-4164-48d4-bda4-45f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "53 (DNS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3950f-6e7c-4959-8f43-4f6b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "53 (DNS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.203.34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39510-5840-4bba-b5d3-43a1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "80 (HTTP)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.62.58']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39511-d928-4adc-a65c-41ec950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS) 53 (DNS) 80 (HTTP)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.62.60']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39512-beac-4951-bd97-422f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.139.62.61']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39512-63ac-4119-b1d1-404c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS) 53 (DNS) 80 (HTTP)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.195.98.245']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39513-3674-4298-83a5-4e97950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS) 53 (DNS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '67.198.161.250']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39514-ac10-4112-9f4a-44c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '67.198.161.251']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39515-1c68-4743-8f45-4132950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:19.000Z",
"modified": "2017-03-23T09:29:19.000Z",
"description": "443 (HTTPS)",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '67.198.161.252']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39582-f3b8-4540-bc74-478a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:38.000Z",
"modified": "2017-03-23T09:29:38.000Z",
"description": "wbemcomn.dll - Xchecked via VT: e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089",
"pattern": "[file:hashes.SHA1 = '08afbd47ce5f4e296d375b3a2d069993e09c090f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39583-c104-4652-a263-44f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:39.000Z",
"modified": "2017-03-23T09:29:39.000Z",
"description": "wbemcomn.dll - Xchecked via VT: e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089",
"pattern": "[file:hashes.MD5 = '3301341e7e769c92aefb07e4bec15ad2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d39584-3f08-4842-848f-475602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:40.000Z",
"modified": "2017-03-23T09:29:40.000Z",
"first_observed": "2017-03-23T09:29:40Z",
"last_observed": "2017-03-23T09:29:40Z",
"number_observed": 1,
"object_refs": [
"url--58d39584-3f08-4842-848f-475602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d39584-3f08-4842-848f-475602de0b81",
"value": "https://www.virustotal.com/file/e5273b72c853f12b77a11e9c08ae6432fabbb32238ac487af2fb959a6cc26089/analysis/1490216161/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39585-7cf8-45ba-8f84-48a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:41.000Z",
"modified": "2017-03-23T09:29:41.000Z",
"description": "cryptbase.ini - Xchecked via VT: b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2",
"pattern": "[file:hashes.SHA1 = '5e23c5b5f21c0a6f894d636cd4f4469bf28b53ba']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39586-7de0-4c69-b715-4bb902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:42.000Z",
"modified": "2017-03-23T09:29:42.000Z",
"description": "cryptbase.ini - Xchecked via VT: b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2",
"pattern": "[file:hashes.MD5 = '802890514844f6bab0cb2004c52025d6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d39587-6484-49c5-8cf5-43ac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:43.000Z",
"modified": "2017-03-23T09:29:43.000Z",
"first_observed": "2017-03-23T09:29:43Z",
"last_observed": "2017-03-23T09:29:43Z",
"number_observed": 1,
"object_refs": [
"url--58d39587-6484-49c5-8cf5-43ac02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d39587-6484-49c5-8cf5-43ac02de0b81",
"value": "https://www.virustotal.com/file/b1a0d0508ee932bbf91625330d2136f33344ed70cb25f7e64be0620d32c4b9e2/analysis/1490216160/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39588-a408-45a0-a2fa-4ba502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:44.000Z",
"modified": "2017-03-23T09:29:44.000Z",
"description": "wbemcomn.ini - Xchecked via VT: 9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb",
"pattern": "[file:hashes.SHA1 = '51891247e3caa4e4f8f71b2eaf8ba47602dc0be1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39589-a960-47cc-9923-483e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:45.000Z",
"modified": "2017-03-23T09:29:45.000Z",
"description": "wbemcomn.ini - Xchecked via VT: 9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb",
"pattern": "[file:hashes.MD5 = '5b1852311cc9f5ccdddf35a9c473ab27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3958a-3b38-414e-96a1-4e8502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:46.000Z",
"modified": "2017-03-23T09:29:46.000Z",
"first_observed": "2017-03-23T09:29:46Z",
"last_observed": "2017-03-23T09:29:46Z",
"number_observed": 1,
"object_refs": [
"url--58d3958a-3b38-414e-96a1-4e8502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3958a-3b38-414e-96a1-4e8502de0b81",
"value": "https://www.virustotal.com/file/9d04ef8708cf030b9688bf3e8287c1790023a76374e43bd332178e212420f9fb/analysis/1490216160/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3958b-0dd0-40a0-97d2-446102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:47.000Z",
"modified": "2017-03-23T09:29:47.000Z",
"description": "loadoerf.ini - Xchecked via VT: 7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b",
"pattern": "[file:hashes.SHA1 = '1eddc0e76f1dd787091cfdcf98a058dd4319fd34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3958c-6118-4f70-aec5-463102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:48.000Z",
"modified": "2017-03-23T09:29:48.000Z",
"description": "loadoerf.ini - Xchecked via VT: 7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b",
"pattern": "[file:hashes.MD5 = 'c7d0ec5b742ee497b9ee536f23586949']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3958d-3960-4962-8469-497502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:49.000Z",
"modified": "2017-03-23T09:29:49.000Z",
"first_observed": "2017-03-23T09:29:49Z",
"last_observed": "2017-03-23T09:29:49Z",
"number_observed": 1,
"object_refs": [
"url--58d3958d-3960-4962-8469-497502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3958d-3960-4962-8469-497502de0b81",
"value": "https://www.virustotal.com/file/7c37ebb96c54d5d8ea232951ccf56cb1d029facdd6b730f80ca2ad566f6c5d9b/analysis/1489477860/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3958e-f960-4209-8de4-4e5f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:50.000Z",
"modified": "2017-03-23T09:29:50.000Z",
"description": "loadperf.dll - Xchecked via VT: 1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d",
"pattern": "[file:hashes.SHA1 = '64093d8dbf2e108c73fb5f96bbf0c2fcd8975c94']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3958f-2bf4-431b-a40d-41ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:51.000Z",
"modified": "2017-03-23T09:29:51.000Z",
"description": "loadperf.dll - Xchecked via VT: 1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d",
"pattern": "[file:hashes.MD5 = '879ce99e253e598a3c156258a9e81457']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d39590-87e0-4b5e-9143-4fff02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:52.000Z",
"modified": "2017-03-23T09:29:52.000Z",
"first_observed": "2017-03-23T09:29:52Z",
"last_observed": "2017-03-23T09:29:52Z",
"number_observed": 1,
"object_refs": [
"url--58d39590-87e0-4b5e-9143-4fff02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d39590-87e0-4b5e-9143-4fff02de0b81",
"value": "https://www.virustotal.com/file/1e63a7186886deea6c4e5c2a329eab76a60be3a65bca1ba9ed6e71f9a46b7e9d/analysis/1490193118/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39591-8ed8-4334-a252-473902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:53.000Z",
"modified": "2017-03-23T09:29:53.000Z",
"description": "cryptbase.dll - Xchecked via VT: 06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba",
"pattern": "[file:hashes.SHA1 = '1a20d3333e220f6fe2980dff119705c0ddc59604']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d39592-3394-4c30-9626-4f5202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:54.000Z",
"modified": "2017-03-23T09:29:54.000Z",
"description": "cryptbase.dll - Xchecked via VT: 06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba",
"pattern": "[file:hashes.MD5 = '5b2484ad1f74f2c19ff0d29e63c773d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T09:29:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d39593-73e0-45fe-9265-4f1002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T09:29:55.000Z",
"modified": "2017-03-23T09:29:55.000Z",
"first_observed": "2017-03-23T09:29:55Z",
"last_observed": "2017-03-23T09:29:55Z",
"number_observed": 1,
"object_refs": [
"url--58d39593-73e0-45fe-9265-4f1002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d39593-73e0-45fe-9265-4f1002de0b81",
"value": "https://www.virustotal.com/file/06b077e31a6f339c4f3b1f61ba9a6a6ba827afe52ed5bed6a6bf56bf18a279ba/analysis/1490195522/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}