misp-circl-feed/feeds/circl/stix-2.1/59f02f94-544c-4db8-b156-46ce950d210f.json

648 lines
No EOL
29 KiB
JSON

{
"type": "bundle",
"id": "bundle--59f02f94-544c-4db8-b156-46ce950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59f02f94-544c-4db8-b156-46ce950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"name": "Bad Rabbit (via Pastebin)",
"published": "2017-10-25T08:20:21Z",
"object_refs": [
"observed-data--59f02fa9-e840-4096-972f-2ac2950d210f",
"url--59f02fa9-e840-4096-972f-2ac2950d210f",
"observed-data--59f02fe5-5a48-48c4-8d61-48e9950d210f",
"url--59f02fe5-5a48-48c4-8d61-48e9950d210f",
"observed-data--59f0302d-f78c-4fd3-b246-485e950d210f",
"url--59f0302d-f78c-4fd3-b246-485e950d210f",
"observed-data--59f0302d-3360-460e-a084-4206950d210f",
"url--59f0302d-3360-460e-a084-4206950d210f",
"observed-data--59f03076-8f50-48f8-bcfc-cfec950d210f",
"url--59f03076-8f50-48f8-bcfc-cfec950d210f",
"x-misp-attribute--59f0308e-17ec-4f8b-bd0f-cedf950d210f",
"indicator--59f0320e-479c-4310-bc5e-4fd8950d210f",
"indicator--59f03356-4b14-4fd9-9f73-46c1950d210f",
"indicator--59f03356-2cbc-42bb-9224-4334950d210f",
"indicator--59f03356-a8a8-4fb7-8160-41ce950d210f",
"indicator--59f03356-9290-4a90-9d14-451d950d210f",
"indicator--59f03356-cc64-4953-a04d-428d950d210f",
"indicator--59f033ab-f264-47c0-aee0-4972950d210f",
"indicator--59f033ab-fd00-425a-97f5-4f81950d210f",
"indicator--59f033ab-3b14-498a-8168-4834950d210f",
"observed-data--59f033ab-647c-47ff-8796-42b4950d210f",
"url--59f033ab-647c-47ff-8796-42b4950d210f",
"observed-data--59f033ab-bbe8-4b76-a877-476a950d210f",
"url--59f033ab-bbe8-4b76-a877-476a950d210f",
"x-misp-attribute--59f038f1-d8c4-4107-af63-4e6e950d210f",
"x-misp-attribute--59f0391f-086c-4c02-b2e6-4f3d950d210f",
"indicator--59f04935-0254-49d7-bf1d-4d3002de0b81",
"indicator--59f04935-b928-456e-9e04-415f02de0b81",
"observed-data--59f04935-d22c-4e43-a971-4d9702de0b81",
"url--59f04935-d22c-4e43-a971-4d9702de0b81",
"indicator--59f04935-7f3c-4158-9531-415a02de0b81",
"indicator--59f04935-c6fc-417c-be71-4dd102de0b81",
"observed-data--59f04935-4dec-42ef-b732-4d4b02de0b81",
"url--59f04935-4dec-42ef-b732-4d4b02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\"",
"misp-galaxy:ransomware=\"Bad Rabbit\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f02fa9-e840-4096-972f-2ac2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f02fa9-e840-4096-972f-2ac2950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f02fa9-e840-4096-972f-2ac2950d210f",
"value": "https://twitter.com/GossiTheDog/status/922834620869107712"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f02fe5-5a48-48c4-8d61-48e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f02fe5-5a48-48c4-8d61-48e9950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f02fe5-5a48-48c4-8d61-48e9950d210f",
"value": "https://app.any.run/tasks/9198fd01-5898-4db9-8188-6ad2ad4f0af3"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f0302d-f78c-4fd3-b246-485e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f0302d-f78c-4fd3-b246-485e950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f0302d-f78c-4fd3-b246-485e950d210f",
"value": "https://twitter.com/IstaPee/status/922853317071593474"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f0302d-3360-460e-a084-4206950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f0302d-3360-460e-a084-4206950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f0302d-3360-460e-a084-4206950d210f",
"value": "https://www.virustotal.com/#/file/0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6/detection"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f03076-8f50-48f8-bcfc-cfec950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f03076-8f50-48f8-bcfc-cfec950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f03076-8f50-48f8-bcfc-cfec950d210f",
"value": "https://pastebin.com/CwZfyY2F"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59f0308e-17ec-4f8b-bd0f-cedf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "File type encrypted",
"x_misp_type": "comment",
"x_misp_value": "#Bad-Rabbit encrypts following files:\r\n\r\n.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f0320e-479c-4310-bc5e-4fd8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[import \"pe\"\r\n \r\nrule sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 {\r\n meta:\r\n description = \"Bad Rabbit Ransomware\"\r\n author = \"Christiaan Beek\"\r\n reference = \"BadRabbit\"\r\n date = \"2017-10-24\"\r\n hash1 = \"8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93\"\r\n strings:\r\n $x1 = \"schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \\\"%ws\\\" /ST %02d:%02d:00\" fullword wide\r\n $x2 = \"need to do is submit the payment and get the decryption password.\" fullword ascii\r\n $s3 = \"If you have already got the password, please enter it below.\" fullword ascii\r\n $s4 = \"dispci.exe\" fullword wide\r\n $s5 = \"\\\\\\\\.\\\\GLOBALROOT\\\\ArcName\\\\multi(0)disk(0)rdisk(0)partition(1)\" fullword wide\r\n $s6 = \"Run DECRYPT app at your desktop after system boot\" fullword ascii\r\n $s7 = \"Enter password#1: \" fullword wide\r\n $s8 = \"Enter password#2: \" fullword wide\r\n $s9 = \"C:\\\\Windows\\\\cscc.dat\" fullword wide\r\n $s10 = \"schtasks /Delete /F /TN %ws\" fullword wide\r\n $s11 = \"Password#1: \" fullword ascii\r\n $s12 = \"\\\\AppData\" fullword wide\r\n $s13 = \"Readme.txt\" fullword wide\r\n $s14 = \"Disk decryption completed\" fullword wide\r\n $s15 = \"Files decryption completed\" fullword wide\r\n $s16 = \"http://diskcryptor.net/\" fullword wide\r\n $s17 = \"Your personal installation key#1:\" fullword ascii\r\n $s18 = \".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.\" wide\r\n $s19 = \"Disable your anti-virus and anti-malware programs\" fullword wide\r\n $s20 = \"bootable partition not mounted\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x5a4d and\r\n filesize < 400KB and\r\n pe.imphash() == \"94f57453c539227031b918edd52fc7f1\" and\r\n ( 1 of ($x*) or 4 of them )\r\n ) or ( all of them )\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f03356-4b14-4fd9-9f73-46c1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.61.37.209']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f03356-2cbc-42bb-9224-4334950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[domain-name:value = '1dnscontrol.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f03356-a8a8-4fb7-8160-41ce950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[url:value = '1dnscontrol.com/flash_install.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f03356-9290-4a90-9d14-451d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[domain-name:value = 'fastmonitor1.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f03356-cc64-4953-a04d-428d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[domain-name:value = 'caforssztxqzf2nm.onion']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f033ab-f264-47c0-aee0-4972950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[file:hashes.SHA256 = '630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f033ab-fd00-425a-97f5-4f81950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[file:hashes.SHA256 = '8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f033ab-3b14-498a-8168-4834950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\infpub.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f033ab-647c-47ff-8796-42b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f033ab-647c-47ff-8796-42b4950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f033ab-647c-47ff-8796-42b4950d210f",
"value": "https://www.virustotal.com/en/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f033ab-bbe8-4b76-a877-476a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f033ab-bbe8-4b76-a877-476a950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f033ab-bbe8-4b76-a877-476a950d210f",
"value": "https://www.virustotal.com/en/file/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93/analysis/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59f038f1-d8c4-4107-af63-4e6e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Payload installation\""
],
"x_misp_category": "Payload installation",
"x_misp_comment": "Command line to start encryption",
"x_misp_type": "text",
"x_misp_value": "%WINDIR%\\system32\\rundll32.exe %WINDIR%\\infpub.dat,#1 15"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59f0391f-086c-4c02-b2e6-4f3d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Payload installation\""
],
"x_misp_category": "Payload installation",
"x_misp_comment": "Scheduled Shutdown Task: drogon",
"x_misp_type": "text",
"x_misp_value": "%WINDIR%\\system32\\shutdown.exe /r /t 0 /f"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04935-0254-49d7-bf1d-4d3002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"description": "- Xchecked via VT: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
"pattern": "[file:hashes.SHA1 = 'afeee8b4acff87bc469a6f0364a81ae5d60a2add']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04935-b928-456e-9e04-415f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"description": "- Xchecked via VT: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
"pattern": "[file:hashes.MD5 = 'b14d8faf7f0cbcfad051cefe5f39645f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f04935-d22c-4e43-a971-4d9702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f04935-d22c-4e43-a971-4d9702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f04935-d22c-4e43-a971-4d9702de0b81",
"value": "https://www.virustotal.com/file/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93/analysis/1508918221/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04935-7f3c-4158-9531-415a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"description": "- Xchecked via VT: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
"pattern": "[file:hashes.SHA1 = 'de5c8d858e6e41da715dca1c019df0bfb92d32c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04935-c6fc-417c-be71-4dd102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"description": "- Xchecked via VT: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
"pattern": "[file:hashes.MD5 = 'fbbdc39af1139aebba4da004475e8839']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:20:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f04935-4dec-42ef-b732-4d4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:20:05.000Z",
"modified": "2017-10-25T08:20:05.000Z",
"first_observed": "2017-10-25T08:20:05Z",
"last_observed": "2017-10-25T08:20:05Z",
"number_observed": 1,
"object_refs": [
"url--59f04935-4dec-42ef-b732-4d4b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f04935-4dec-42ef-b732-4d4b02de0b81",
"value": "https://www.virustotal.com/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/1508918202/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}