{
|
|
"type": "bundle",
|
|
"id": "bundle--54aea268-ffc4-47e8-b09a-9c33950d210b",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:45.000Z",
|
|
"modified": "2016-03-08T00:28:45.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--54aea268-ffc4-47e8-b09a-9c33950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:45.000Z",
|
|
"modified": "2016-03-08T00:28:45.000Z",
|
|
"name": "OSINT - The Connections Between MiniDuke, CosmicDuke and OnionDuke",
|
|
"published": "2015-01-15T16:21:51Z",
|
|
"object_refs": [
|
|
"indicator--54aea2d0-6040-41b3-ba1c-4dc8950d210b",
|
|
"indicator--54aea2d0-93f8-4876-a48b-4279950d210b",
|
|
"indicator--54aea2ff-204c-42e2-97f4-ba76950d210b",
|
|
"indicator--54aea321-b058-4dc6-8192-4284950d210b",
|
|
"indicator--54aea34f-f028-4b6c-8269-4afb950d210b",
|
|
"indicator--54aea36d-a54c-4e1a-9564-4450950d210b",
|
|
"indicator--54aea393-e95c-4571-a5a4-9c33950d210b",
|
|
"indicator--54aea3da-68dc-42be-93df-d60e950d210b",
|
|
"indicator--54aea3fb-fd1c-40a0-a65e-44c2950d210b",
|
|
"indicator--54aea423-dd08-485e-ba92-4156950d210b",
|
|
"indicator--54aea44f-1f04-4abd-9576-9c33950d210b",
|
|
"x-misp-attribute--54aea46f-776c-4176-b698-ba76950d210b",
|
|
"x-misp-attribute--54aea46f-fb0c-41f3-8f12-ba76950d210b",
|
|
"x-misp-attribute--54aea46f-3da8-4b16-ba39-ba76950d210b",
|
|
"indicator--54aea4a3-4680-4942-9f1a-4d6c950d210b",
|
|
"x-misp-attribute--54b6261c-ac2c-402c-87af-d563950d210b",
|
|
"x-misp-attribute--54b6261c-bee8-4cbe-8ae2-d563950d210b",
|
|
"x-misp-attribute--54b6261c-c028-4c69-a879-d563950d210b",
|
|
"indicator--56de1cbd-0be0-4f54-b7c6-4f2e02de0b81",
|
|
"indicator--56de1cbd-7bb8-424b-9eec-492902de0b81",
|
|
"observed-data--56de1cbe-6240-4b66-91c6-443502de0b81",
|
|
"url--56de1cbe-6240-4b66-91c6-443502de0b81",
|
|
"indicator--56de1cbe-0240-44bb-9c0c-408202de0b81",
|
|
"indicator--56de1cbe-0374-4437-ab8d-467302de0b81",
|
|
"observed-data--56de1cbe-33ac-4535-b0d6-475602de0b81",
|
|
"url--56de1cbe-33ac-4535-b0d6-475602de0b81",
|
|
"indicator--56de1cbf-f5cc-41bc-80f9-4b0902de0b81",
|
|
"indicator--56de1cbf-8058-40b1-9b4c-469c02de0b81",
|
|
"observed-data--56de1cbf-6e7c-43df-b933-4c7902de0b81",
|
|
"url--56de1cbf-6e7c-43df-b933-4c7902de0b81",
|
|
"indicator--56de1cc0-b0a4-4846-84a1-452802de0b81",
|
|
"indicator--56de1cc0-c030-4e51-adef-475302de0b81",
|
|
"observed-data--56de1cc0-1810-4b1d-ac3e-4d0f02de0b81",
|
|
"url--56de1cc0-1810-4b1d-ac3e-4d0f02de0b81",
|
|
"indicator--56de1cc0-16b8-4f7e-9436-458e02de0b81",
|
|
"indicator--56de1cc1-9628-4ff0-9fd0-4fcf02de0b81",
|
|
"observed-data--56de1cc1-841c-4ad8-9191-482302de0b81",
|
|
"url--56de1cc1-841c-4ad8-9191-482302de0b81",
|
|
"indicator--56de1cc1-1540-456c-96d7-448f02de0b81",
|
|
"indicator--56de1cc2-68a8-4157-8101-475b02de0b81",
|
|
"observed-data--56de1cc2-f9c0-42d4-8042-48e102de0b81",
|
|
"url--56de1cc2-f9c0-42d4-8042-48e102de0b81",
|
|
"indicator--56de1cc2-9bbc-44f3-beb1-4ddc02de0b81",
|
|
"indicator--56de1cc2-9d48-4e9d-8e59-49bc02de0b81",
|
|
"observed-data--56de1cc3-85c0-4fb8-acac-448b02de0b81",
|
|
"url--56de1cc3-85c0-4fb8-acac-448b02de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea2d0-6040-41b3-ba1c-4dc8950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:31:28.000Z",
|
|
"modified": "2015-01-08T15:31:28.000Z",
|
|
"pattern": "[file:name = '\u201cEU sanctions against Russia over Ukraine crisis\u201c.docm' AND file:hashes.SHA1 = '82448eb23ea9eb3939b6f24df46789bf7f2d43e3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:31:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename|sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea2d0-93f8-4876-a48b-4279950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:31:28.000Z",
|
|
"modified": "2015-01-08T15:31:28.000Z",
|
|
"pattern": "[file:name = '\u201cA Scottish \u2018Yes\u2019 to independence\u201c .docm' AND file:hashes.SHA1 = 'c86b13378ba2a41684e1f93b4c20e05fc5d3d5a3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:31:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename|sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea2ff-204c-42e2-97f4-ba76950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:32:15.000Z",
|
|
"modified": "2015-01-08T15:32:15.000Z",
|
|
"description": "32-bit dropper",
|
|
"pattern": "[file:hashes.SHA1 = '241075fc1493172c47d881bcbfbf21cfa4daa42d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:32:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea321-b058-4dc6-8192-4284950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:32:49.000Z",
|
|
"modified": "2015-01-08T15:32:49.000Z",
|
|
"description": "64-bit dropper",
|
|
"pattern": "[file:hashes.SHA1 = '51ac683df63ff71a0003ca17e640bbeaaa14d0aa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:32:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea34f-f028-4b6c-8269-4afb950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:33:35.000Z",
|
|
"modified": "2015-01-08T15:33:35.000Z",
|
|
"description": "CosmicDuke-MiniDuke combo",
|
|
"pattern": "[file:hashes.SHA1 = '7ad1bef0ba61dbed98d76d4207676d08c893fc13']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:33:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea36d-a54c-4e1a-9564-4450950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:34:05.000Z",
|
|
"modified": "2015-01-08T15:34:05.000Z",
|
|
"description": "OnionDuke limited backdoor",
|
|
"pattern": "[file:hashes.SHA1 = 'b491c14d8cfb48636f6095b7b16555e9a575d57f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:34:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea393-e95c-4571-a5a4-9c33950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:34:43.000Z",
|
|
"modified": "2015-01-08T15:34:43.000Z",
|
|
"description": "OnionDuke full backdoor",
|
|
"pattern": "[file:hashes.SHA1 = 'd433f281cf56015941a1c2cb87066ca62ea1db37']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:34:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea3da-68dc-42be-93df-d60e950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:35:54.000Z",
|
|
"modified": "2015-01-08T15:35:54.000Z",
|
|
"description": "Expansion",
|
|
"pattern": "[email-message:from_ref.value = 'uibo.lembit@mail.ee']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:35:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea3fb-fd1c-40a0-a65e-44c2950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:36:27.000Z",
|
|
"modified": "2015-01-08T15:36:27.000Z",
|
|
"description": "Expansion",
|
|
"pattern": "[email-message:to_refs[*].value = 'uibo.lembit@mail.ee']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:36:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-dst\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea423-dd08-485e-ba92-4156950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:37:07.000Z",
|
|
"modified": "2015-01-08T15:37:07.000Z",
|
|
"description": "Expansion",
|
|
"pattern": "[email-message:subject = 'EU sanctions against Russia over Ukraine crisis (Estonia\\'s opinion)']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:37:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-subject\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea44f-1f04-4abd-9576-9c33950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:37:51.000Z",
|
|
"modified": "2015-01-08T15:37:51.000Z",
|
|
"description": "Expansion",
|
|
"pattern": "[email-message:body_multipart[*].body_raw_ref.name = '=?UTF-8?Q?[rep]estonia.doc?=']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:37:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--54aea46f-776c-4176-b698-ba76950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:38:23.000Z",
|
|
"modified": "2015-01-08T15:38:23.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"Other\""
|
|
],
|
|
"x_misp_category": "Other",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "MiniDuke"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--54aea46f-fb0c-41f3-8f12-ba76950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:38:23.000Z",
|
|
"modified": "2015-01-08T15:38:23.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"Other\""
|
|
],
|
|
"x_misp_category": "Other",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "OnionDuke"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--54aea46f-3da8-4b16-ba39-ba76950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:38:23.000Z",
|
|
"modified": "2015-01-08T15:38:23.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"Other\""
|
|
],
|
|
"x_misp_category": "Other",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "CosmicDuke"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--54aea4a3-4680-4942-9f1a-4d6c950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-08T15:39:15.000Z",
|
|
"modified": "2015-01-08T15:39:15.000Z",
|
|
"pattern": "[email-message:body_multipart[*].body_raw_ref.name = 'World News Digest.docx']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-01-08T15:39:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--54b6261c-ac2c-402c-87af-d563950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-14T08:17:32.000Z",
|
|
"modified": "2015-01-14T08:17:32.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Onion Duke"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--54b6261c-bee8-4cbe-8ae2-d563950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-14T08:17:32.000Z",
|
|
"modified": "2015-01-14T08:17:32.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Cosmic Duke"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--54b6261c-c028-4c69-a879-d563950d210b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2015-01-14T08:17:32.000Z",
|
|
"modified": "2015-01-14T08:17:32.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Mini Duke"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cbd-0be0-4f54-b7c6-4f2e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:45.000Z",
|
|
"modified": "2016-03-08T00:28:45.000Z",
|
|
"description": "32-bit dropper - Xchecked via VT: 241075fc1493172c47d881bcbfbf21cfa4daa42d",
|
|
"pattern": "[file:hashes.SHA256 = '2b15581baf7d69cd3c65a86f20eff813b4cbb9bae7a0362f97e76e21364dabca']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cbd-7bb8-424b-9eec-492902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:45.000Z",
|
|
"modified": "2016-03-08T00:28:45.000Z",
|
|
"description": "32-bit dropper - Xchecked via VT: 241075fc1493172c47d881bcbfbf21cfa4daa42d",
|
|
"pattern": "[file:hashes.MD5 = '01400499ecc7fa6a50cc860179273a7f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56de1cbe-6240-4b66-91c6-443502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:46.000Z",
|
|
"modified": "2016-03-08T00:28:46.000Z",
|
|
"first_observed": "2016-03-08T00:28:46Z",
|
|
"last_observed": "2016-03-08T00:28:46Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56de1cbe-6240-4b66-91c6-443502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56de1cbe-6240-4b66-91c6-443502de0b81",
|
|
"value": "https://www.virustotal.com/file/2b15581baf7d69cd3c65a86f20eff813b4cbb9bae7a0362f97e76e21364dabca/analysis/1445916566/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cbe-0240-44bb-9c0c-408202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:46.000Z",
|
|
"modified": "2016-03-08T00:28:46.000Z",
|
|
"description": "64-bit dropper - Xchecked via VT: 51ac683df63ff71a0003ca17e640bbeaaa14d0aa",
|
|
"pattern": "[file:hashes.SHA256 = '71cad7cc4e23d1e03c5d03cd9b48e32126b6bf7374841735ad642b62e2745a2c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cbe-0374-4437-ab8d-467302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:46.000Z",
|
|
"modified": "2016-03-08T00:28:46.000Z",
|
|
"description": "64-bit dropper - Xchecked via VT: 51ac683df63ff71a0003ca17e640bbeaaa14d0aa",
|
|
"pattern": "[file:hashes.MD5 = 'eb48ff76cc7dd24b519c93a0aa250d27']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56de1cbe-33ac-4535-b0d6-475602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:46.000Z",
|
|
"modified": "2016-03-08T00:28:46.000Z",
|
|
"first_observed": "2016-03-08T00:28:46Z",
|
|
"last_observed": "2016-03-08T00:28:46Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56de1cbe-33ac-4535-b0d6-475602de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56de1cbe-33ac-4535-b0d6-475602de0b81",
|
|
"value": "https://www.virustotal.com/file/71cad7cc4e23d1e03c5d03cd9b48e32126b6bf7374841735ad642b62e2745a2c/analysis/1445916567/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cbf-f5cc-41bc-80f9-4b0902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:47.000Z",
|
|
"modified": "2016-03-08T00:28:47.000Z",
|
|
"description": "CosmicDuke-MiniDuke combo - Xchecked via VT: 7ad1bef0ba61dbed98d76d4207676d08c893fc13",
|
|
"pattern": "[file:hashes.SHA256 = '29585bb17b28e8b15b2a250be9516f416fa7cac84cc24aa4e004f6987323147e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cbf-8058-40b1-9b4c-469c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:47.000Z",
|
|
"modified": "2016-03-08T00:28:47.000Z",
|
|
"description": "CosmicDuke-MiniDuke combo - Xchecked via VT: 7ad1bef0ba61dbed98d76d4207676d08c893fc13",
|
|
"pattern": "[file:hashes.MD5 = '925b37a936304a5914941ac4584e346c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56de1cbf-6e7c-43df-b933-4c7902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:47.000Z",
|
|
"modified": "2016-03-08T00:28:47.000Z",
|
|
"first_observed": "2016-03-08T00:28:47Z",
|
|
"last_observed": "2016-03-08T00:28:47Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56de1cbf-6e7c-43df-b933-4c7902de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56de1cbf-6e7c-43df-b933-4c7902de0b81",
|
|
"value": "https://www.virustotal.com/file/29585bb17b28e8b15b2a250be9516f416fa7cac84cc24aa4e004f6987323147e/analysis/1452769402/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cc0-b0a4-4846-84a1-452802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:48.000Z",
|
|
"modified": "2016-03-08T00:28:48.000Z",
|
|
"description": "OnionDuke limited backdoor - Xchecked via VT: b491c14d8cfb48636f6095b7b16555e9a575d57f",
|
|
"pattern": "[file:hashes.SHA256 = '366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cc0-c030-4e51-adef-475302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:48.000Z",
|
|
"modified": "2016-03-08T00:28:48.000Z",
|
|
"description": "OnionDuke limited backdoor - Xchecked via VT: b491c14d8cfb48636f6095b7b16555e9a575d57f",
|
|
"pattern": "[file:hashes.MD5 = 'c8eb6040fd02d77660d19057a38ff769']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56de1cc0-1810-4b1d-ac3e-4d0f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:48.000Z",
|
|
"modified": "2016-03-08T00:28:48.000Z",
|
|
"first_observed": "2016-03-08T00:28:48Z",
|
|
"last_observed": "2016-03-08T00:28:48Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56de1cc0-1810-4b1d-ac3e-4d0f02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56de1cc0-1810-4b1d-ac3e-4d0f02de0b81",
|
|
"value": "https://www.virustotal.com/file/366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b/analysis/1456819261/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cc0-16b8-4f7e-9436-458e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:48.000Z",
|
|
"modified": "2016-03-08T00:28:48.000Z",
|
|
"description": "OnionDuke full backdoor - Xchecked via VT: d433f281cf56015941a1c2cb87066ca62ea1db37",
|
|
"pattern": "[file:hashes.SHA256 = '0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cc1-9628-4ff0-9fd0-4fcf02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:49.000Z",
|
|
"modified": "2016-03-08T00:28:49.000Z",
|
|
"description": "OnionDuke full backdoor - Xchecked via VT: d433f281cf56015941a1c2cb87066ca62ea1db37",
|
|
"pattern": "[file:hashes.MD5 = 'd1ce79089578da2d41f1ad901f7b1014']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56de1cc1-841c-4ad8-9191-482302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:49.000Z",
|
|
"modified": "2016-03-08T00:28:49.000Z",
|
|
"first_observed": "2016-03-08T00:28:49Z",
|
|
"last_observed": "2016-03-08T00:28:49Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56de1cc1-841c-4ad8-9191-482302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56de1cc1-841c-4ad8-9191-482302de0b81",
|
|
"value": "https://www.virustotal.com/file/0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade/analysis/1456923691/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cc1-1540-456c-96d7-448f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:49.000Z",
|
|
"modified": "2016-03-08T00:28:49.000Z",
|
|
"description": "EU sanctions against Russia over Ukraine crisis .docm - Xchecked via VT: 82448eb23ea9eb3939b6f24df46789bf7f2d43e3",
|
|
"pattern": "[file:hashes.SHA256 = 'abcaf6044d4d591a50ac3328ed8c8ab3ec91929d2f0d7e3bea1ed0cfc92e811d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cc2-68a8-4157-8101-475b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:50.000Z",
|
|
"modified": "2016-03-08T00:28:50.000Z",
|
|
"description": "EU sanctions against Russia over Ukraine crisis .docm - Xchecked via VT: 82448eb23ea9eb3939b6f24df46789bf7f2d43e3",
|
|
"pattern": "[file:hashes.MD5 = 'f27ffc3d3ff7a2ddc6728d9495427ee5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:50Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56de1cc2-f9c0-42d4-8042-48e102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:50.000Z",
|
|
"modified": "2016-03-08T00:28:50.000Z",
|
|
"first_observed": "2016-03-08T00:28:50Z",
|
|
"last_observed": "2016-03-08T00:28:50Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56de1cc2-f9c0-42d4-8042-48e102de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56de1cc2-f9c0-42d4-8042-48e102de0b81",
|
|
"value": "https://www.virustotal.com/file/abcaf6044d4d591a50ac3328ed8c8ab3ec91929d2f0d7e3bea1ed0cfc92e811d/analysis/1444969477/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cc2-9bbc-44f3-beb1-4ddc02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:50.000Z",
|
|
"modified": "2016-03-08T00:28:50.000Z",
|
|
"description": "A Scottish \u2018Yes\u2019 to independence .docm - Xchecked via VT: c86b13378ba2a41684e1f93b4c20e05fc5d3d5a3",
|
|
"pattern": "[file:hashes.SHA256 = '1a981bd49b9869a1c81e767ba7418254138272b005dab5c83f3798906ca86570']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:50Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56de1cc2-9d48-4e9d-8e59-49bc02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:50.000Z",
|
|
"modified": "2016-03-08T00:28:50.000Z",
|
|
"description": "A Scottish \u2018Yes\u2019 to independence .docm - Xchecked via VT: c86b13378ba2a41684e1f93b4c20e05fc5d3d5a3",
|
|
"pattern": "[file:hashes.MD5 = 'ed463d501c23db34e27bd32902971081']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-08T00:28:50Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56de1cc3-85c0-4fb8-acac-448b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-08T00:28:51.000Z",
|
|
"modified": "2016-03-08T00:28:51.000Z",
|
|
"first_observed": "2016-03-08T00:28:51Z",
|
|
"last_observed": "2016-03-08T00:28:51Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56de1cc3-85c0-4fb8-acac-448b02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56de1cc3-85c0-4fb8-acac-448b02de0b81",
|
|
"value": "https://www.virustotal.com/file/1a981bd49b9869a1c81e767ba7418254138272b005dab5c83f3798906ca86570/analysis/1425845303/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:GREEN",
|
|
"definition": {
|
|
"tlp": "green"
|
|
}
|
|
}
|
|
]
|
|
} |