adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5936a055-a640-42e1-9b7c-4676950d210f.json

365 lines
No EOL
16 KiB
JSON
Raw Permalink Blame History

{
"type": "bundle",
"id": "bundle--5936a055-a640-42e1-9b7c-4676950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:34.000Z",
"modified": "2017-06-06T12:34:34.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5936a055-a640-42e1-9b7c-4676950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:34.000Z",
"modified": "2017-06-06T12:34:34.000Z",
"name": "OSINT - \u00e2\u20ac\u0153Zusy\u00e2\u20ac\u009d PowerPoint Malware Spreads Without Needing Macros",
"published": "2017-06-06T12:35:10Z",
"object_refs": [
"indicator--5936a072-4bc0-4dc0-937e-4102950d210f",
"indicator--5936a072-8fb0-44cc-b13a-4ca0950d210f",
"indicator--5936a0af-a840-47a5-8b8b-4b5b950d210f",
"x-misp-attribute--5936a104-c5ac-470e-adab-b4f9950d210f",
"indicator--5936a142-89dc-4c16-a8fa-16e102de0b81",
"indicator--5936a142-b1d8-4f54-92b3-16e102de0b81",
"observed-data--5936a143-846c-4d3f-a468-16e102de0b81",
"url--5936a143-846c-4d3f-a468-16e102de0b81",
"indicator--5936a143-fc04-47c6-9d2e-16e102de0b81",
"indicator--5936a144-e26c-4d12-8246-16e102de0b81",
"observed-data--5936a144-1b20-49cc-8589-16e102de0b81",
"url--5936a144-1b20-49cc-8589-16e102de0b81",
"indicator--5936a145-96f8-4634-9369-16e102de0b81",
"indicator--5936a145-ebfc-4201-a806-16e102de0b81",
"observed-data--5936a145-f524-400b-8596-16e102de0b81",
"url--5936a145-f524-400b-8596-16e102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Tinba\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a072-4bc0-4dc0-937e-4102950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:08.000Z",
"modified": "2017-06-06T12:34:08.000Z",
"description": "First-stage JSE payload",
"pattern": "[file:hashes.SHA256 = '55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a072-8fb0-44cc-b13a-4ca0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:08.000Z",
"modified": "2017-06-06T12:34:08.000Z",
"description": "Second-stage EXE payload",
"pattern": "[file:hashes.SHA256 = '55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a0af-a840-47a5-8b8b-4b5b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:08.000Z",
"modified": "2017-06-06T12:34:08.000Z",
"description": "PowerPoint dropper",
"pattern": "[file:hashes.SHA256 = '796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5936a104-c5ac-470e-adab-b4f9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:08.000Z",
"modified": "2017-06-06T12:34:08.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "A new variant of a malware called \u00e2\u20ac\u0153Zusy\u00e2\u20ac\u009d has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like \u00e2\u20ac\u0153Purchase Order #130527\u00e2\u20ac\u009d and \u00e2\u20ac\u0153Confirmation.\u00e2\u20ac\u009d It\u00e2\u20ac\u2122s interesting because it doesn\u00e2\u20ac\u2122t require the user to enable macros to execute. Most Office malware relies on users activating macros to download some executable payload which does most of the malicious stuff, but this malware uses the external program feature instead."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a142-89dc-4c16-a8fa-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:10.000Z",
"modified": "2017-06-06T12:34:10.000Z",
"description": "First-stage JSE payload - Xchecked via VT: 55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302",
"pattern": "[file:hashes.SHA1 = '104919078a6d688e5848ff01b667b4d672b9b447']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a142-b1d8-4f54-92b3-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:10.000Z",
"modified": "2017-06-06T12:34:10.000Z",
"description": "First-stage JSE payload - Xchecked via VT: 55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302",
"pattern": "[file:hashes.MD5 = 'f5b3d1128731cac04b2dc955c1a41114']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5936a143-846c-4d3f-a468-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:11.000Z",
"modified": "2017-06-06T12:34:11.000Z",
"first_observed": "2017-06-06T12:34:11Z",
"last_observed": "2017-06-06T12:34:11Z",
"number_observed": 1,
"object_refs": [
"url--5936a143-846c-4d3f-a468-16e102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5936a143-846c-4d3f-a468-16e102de0b81",
"value": "https://www.virustotal.com/file/55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302/analysis/1496733775/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a143-fc04-47c6-9d2e-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:11.000Z",
"modified": "2017-06-06T12:34:11.000Z",
"description": "PowerPoint dropper - Xchecked via VT: 796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921",
"pattern": "[file:hashes.SHA1 = '07a986e018c999c43e9eab1ceb0338e5d60699a8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a144-e26c-4d12-8246-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:12.000Z",
"modified": "2017-06-06T12:34:12.000Z",
"description": "PowerPoint dropper - Xchecked via VT: 796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921",
"pattern": "[file:hashes.MD5 = '3bff3e4fec2b6030c89e792c05f049fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5936a144-1b20-49cc-8589-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:12.000Z",
"modified": "2017-06-06T12:34:12.000Z",
"first_observed": "2017-06-06T12:34:12Z",
"last_observed": "2017-06-06T12:34:12Z",
"number_observed": 1,
"object_refs": [
"url--5936a144-1b20-49cc-8589-16e102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5936a144-1b20-49cc-8589-16e102de0b81",
"value": "https://www.virustotal.com/file/796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921/analysis/1496730542/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a145-96f8-4634-9369-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:13.000Z",
"modified": "2017-06-06T12:34:13.000Z",
"description": "Second-stage EXE payload - Xchecked via VT: 55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef",
"pattern": "[file:hashes.SHA1 = '7633a023852d5a0b625423bffc3bbb14b81c6a0c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5936a145-ebfc-4201-a806-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:13.000Z",
"modified": "2017-06-06T12:34:13.000Z",
"description": "Second-stage EXE payload - Xchecked via VT: 55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef",
"pattern": "[file:hashes.MD5 = '13cdbd8c31155610b628423dc2720419']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-06T12:34:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5936a145-f524-400b-8596-16e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-06T12:34:13.000Z",
"modified": "2017-06-06T12:34:13.000Z",
"first_observed": "2017-06-06T12:34:13Z",
"last_observed": "2017-06-06T12:34:13Z",
"number_observed": 1,
"object_refs": [
"url--5936a145-f524-400b-8596-16e102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5936a145-f524-400b-8596-16e102de0b81",
"value": "https://www.virustotal.com/file/55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef/analysis/1496717087/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink