{
"type": "bundle",
"id": "bundle--570c9b9a-dc20-448a-8f24-443f950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:41.000Z",
"modified": "2016-04-12T06:59:41.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--570c9b9a-dc20-448a-8f24-443f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:41.000Z",
"modified": "2016-04-12T06:59:41.000Z",
"name": "Rokku Ransomware shows possible link with Chimera",
"published": "2016-04-12T07:01:12Z",
"object_refs": [
"x-misp-attribute--570c9bbc-3e44-4a98-b0d3-4aea950d210f",
"observed-data--570c9bc8-fcd0-4608-b703-4848950d210f",
"url--570c9bc8-fcd0-4608-b703-4848950d210f",
"indicator--570c9c0d-b684-4990-8b90-4dcc950d210f",
"indicator--570c9c0d-bc48-4fc6-b1dc-4f17950d210f",
"indicator--570c9c0d-addc-4cd3-85fd-4956950d210f",
"indicator--570c9c4b-6ad4-427e-8c07-489e950d210f",
"indicator--570c9c4b-53c4-464c-9303-4c91950d210f",
"x-misp-attribute--570c9c84-3d14-4715-b999-48cf950d210f",
"indicator--570c9cdd-39d8-4f9e-802c-402702de0b81",
"indicator--570c9cdd-79fc-450e-86b0-486a02de0b81",
"observed-data--570c9cde-1aac-4cde-b159-451302de0b81",
"url--570c9cde-1aac-4cde-b159-451302de0b81",
"indicator--570c9cde-b944-4147-a64c-42fd02de0b81",
"indicator--570c9cde-06ac-4ace-8186-4ff702de0b81",
"observed-data--570c9cdf-4e74-4cf3-b93a-4e9c02de0b81",
"url--570c9cdf-4e74-4cf3-b93a-4e9c02de0b81",
"indicator--570c9cdf-7d2c-4580-bef9-44be02de0b81",
"indicator--570c9cdf-e470-4fbf-b638-46eb02de0b81",
"observed-data--570c9ce0-0140-46c7-b4b9-4a6402de0b81",
"url--570c9ce0-0140-46c7-b4b9-4a6402de0b81",
"indicator--570c9ce0-f1b0-4d89-b14f-4ff202de0b81",
"indicator--570c9ce0-92c4-4f1c-a35c-403102de0b81",
"observed-data--570c9ce1-ac20-4b2a-8b30-44e702de0b81",
"url--570c9ce1-ac20-4b2a-8b30-44e702de0b81",
"indicator--570c9ce1-c698-48aa-b27a-46e602de0b81",
"indicator--570c9ce1-5af8-482a-a990-46c702de0b81",
"observed-data--570c9ce1-6d14-459a-8a69-4f7502de0b81",
"url--570c9ce1-6d14-459a-8a69-4f7502de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--570c9bbc-3e44-4a98-b0d3-4aea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:54:52.000Z",
"modified": "2016-04-12T06:54:52.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Rokku is yet another ransomware, discovered in recent weeks. Currently, its most common distribution method is spam where a malicious executable is dropped by a VB script belonging to the e-mail\u2019s attachment.\r\n\r\nThe building blocks of Rokku reminded us of the Chimera ransomware. That\u2019s why we decided to take a closer look, not only at the internal structure of this malware but also at the similarities and differences between these two products."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--570c9bc8-fcd0-4608-b703-4848950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:55:04.000Z",
"modified": "2016-04-12T06:55:04.000Z",
"first_observed": "2016-04-12T06:55:04Z",
"last_observed": "2016-04-12T06:55:04Z",
"number_observed": 1,
"object_refs": [
"url--570c9bc8-fcd0-4608-b703-4848950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--570c9bc8-fcd0-4608-b703-4848950d210f",
"value": "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9c0d-b684-4990-8b90-4dcc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:56:13.000Z",
"modified": "2016-04-12T06:56:13.000Z",
"description": "original executable (malware)",
"pattern": "[file:hashes.MD5 = '97512f4617019c907cd0f88193039e7c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:56:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9c0d-bc48-4fc6-b1dc-4f17950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:56:13.000Z",
"modified": "2016-04-12T06:56:13.000Z",
"description": "UPX layer removed (malware)",
"pattern": "[file:hashes.MD5 = '5a0e3a6e3106e754381bd1cc3295c97f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:56:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9c0d-addc-4cd3-85fd-4956950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:56:13.000Z",
"modified": "2016-04-12T06:56:13.000Z",
"description": "payload: encryptor.dll (malware) - the analysis",
"pattern": "[file:hashes.MD5 = 'be6552aed5e7509b3b539cef8a965131']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:56:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9c4b-6ad4-427e-8c07-489e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:57:15.000Z",
"modified": "2016-04-12T06:57:15.000Z",
"description": "original executable: decryptor.exe (decryptor)",
"pattern": "[file:hashes.MD5 = '82fea20bb4c96050b4cf55f83de0f3e6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:57:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9c4b-53c4-464c-9303-4c91950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:57:15.000Z",
"modified": "2016-04-12T06:57:15.000Z",
"description": "UPX layer removed (decryptor)",
"pattern": "[file:hashes.MD5 = '1be4a0932a66ebdb9ede56214d8ccdf9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:57:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--570c9c84-3d14-4715-b999-48cf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:58:12.000Z",
"modified": "2016-04-12T06:58:12.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "Finally, removing backups and stopping backup services is performed \u2013 by execution of the following commands:",
"x_misp_type": "comment",
"x_misp_value": "wmic shadowcopy delete /nointeractive\r\nvssadmin delete shadows /all /quiet\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\services\\VSS\" /v Start /t REG_DWORD /d 4 /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v DisableSR /t REG_DWORD /d 1 /f\r\nnet stop vss\r\nnet stop swprv\r\nnet stop srservice"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9cdd-39d8-4f9e-802c-402702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:41.000Z",
"modified": "2016-04-12T06:59:41.000Z",
"description": "UPX layer removed (decryptor) - Xchecked via VT: 1be4a0932a66ebdb9ede56214d8ccdf9",
"pattern": "[file:hashes.SHA256 = '09eecd70914e38a1ee83295db5834cfdf848bab987a51afa6ed1c3b2dff027fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9cdd-79fc-450e-86b0-486a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:41.000Z",
"modified": "2016-04-12T06:59:41.000Z",
"description": "UPX layer removed (decryptor) - Xchecked via VT: 1be4a0932a66ebdb9ede56214d8ccdf9",
"pattern": "[file:hashes.SHA1 = '27e46208f348de4df378c8646c14f499d2290793']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--570c9cde-1aac-4cde-b159-451302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:42.000Z",
"modified": "2016-04-12T06:59:42.000Z",
"first_observed": "2016-04-12T06:59:42Z",
"last_observed": "2016-04-12T06:59:42Z",
"number_observed": 1,
"object_refs": [
"url--570c9cde-1aac-4cde-b159-451302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--570c9cde-1aac-4cde-b159-451302de0b81",
"value": "https://www.virustotal.com/file/09eecd70914e38a1ee83295db5834cfdf848bab987a51afa6ed1c3b2dff027fc/analysis/1459878434/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9cde-b944-4147-a64c-42fd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:42.000Z",
"modified": "2016-04-12T06:59:42.000Z",
"description": "original executable: decryptor.exe (decryptor) - Xchecked via VT: 82fea20bb4c96050b4cf55f83de0f3e6",
"pattern": "[file:hashes.SHA256 = 'e477e3337636b44477bb2feaf4016a0d2ad9eca273b0c2ef9b55ccb2c9902d87']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9cde-06ac-4ace-8186-4ff702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:42.000Z",
"modified": "2016-04-12T06:59:42.000Z",
"description": "original executable: decryptor.exe (decryptor) - Xchecked via VT: 82fea20bb4c96050b4cf55f83de0f3e6",
"pattern": "[file:hashes.SHA1 = '035af05addaf8cf9c103bbb27b355477ce336cc1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--570c9cdf-4e74-4cf3-b93a-4e9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:43.000Z",
"modified": "2016-04-12T06:59:43.000Z",
"first_observed": "2016-04-12T06:59:43Z",
"last_observed": "2016-04-12T06:59:43Z",
"number_observed": 1,
"object_refs": [
"url--570c9cdf-4e74-4cf3-b93a-4e9c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--570c9cdf-4e74-4cf3-b93a-4e9c02de0b81",
"value": "https://www.virustotal.com/file/e477e3337636b44477bb2feaf4016a0d2ad9eca273b0c2ef9b55ccb2c9902d87/analysis/1459878217/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9cdf-7d2c-4580-bef9-44be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:43.000Z",
"modified": "2016-04-12T06:59:43.000Z",
"description": "payload: encryptor.dll (malware) - the analysis - Xchecked via VT: be6552aed5e7509b3b539cef8a965131",
"pattern": "[file:hashes.SHA256 = '186073cd4539725cbc26f8dac867c97e21d4c88836305a16acf50a70d6121f51']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9cdf-e470-4fbf-b638-46eb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:43.000Z",
"modified": "2016-04-12T06:59:43.000Z",
"description": "payload: encryptor.dll (malware) - the analysis - Xchecked via VT: be6552aed5e7509b3b539cef8a965131",
"pattern": "[file:hashes.SHA1 = 'da1ad69f282ae49a0af6aa7bef190f434ac18c7b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--570c9ce0-0140-46c7-b4b9-4a6402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:44.000Z",
"modified": "2016-04-12T06:59:44.000Z",
"first_observed": "2016-04-12T06:59:44Z",
"last_observed": "2016-04-12T06:59:44Z",
"number_observed": 1,
"object_refs": [
"url--570c9ce0-0140-46c7-b4b9-4a6402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--570c9ce0-0140-46c7-b4b9-4a6402de0b81",
"value": "https://www.virustotal.com/file/186073cd4539725cbc26f8dac867c97e21d4c88836305a16acf50a70d6121f51/analysis/1459758054/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9ce0-f1b0-4d89-b14f-4ff202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:44.000Z",
"modified": "2016-04-12T06:59:44.000Z",
"description": "UPX layer removed (malware) - Xchecked via VT: 5a0e3a6e3106e754381bd1cc3295c97f",
"pattern": "[file:hashes.SHA256 = '1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9ce0-92c4-4f1c-a35c-403102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:44.000Z",
"modified": "2016-04-12T06:59:44.000Z",
"description": "UPX layer removed (malware) - Xchecked via VT: 5a0e3a6e3106e754381bd1cc3295c97f",
"pattern": "[file:hashes.SHA1 = '49239500b0510ce7643c48ebfaf6c9e35aa1cce5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--570c9ce1-ac20-4b2a-8b30-44e702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:45.000Z",
"modified": "2016-04-12T06:59:45.000Z",
"first_observed": "2016-04-12T06:59:45Z",
"last_observed": "2016-04-12T06:59:45Z",
"number_observed": 1,
"object_refs": [
"url--570c9ce1-ac20-4b2a-8b30-44e702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--570c9ce1-ac20-4b2a-8b30-44e702de0b81",
"value": "https://www.virustotal.com/file/1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983/analysis/1459828258/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9ce1-c698-48aa-b27a-46e602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:45.000Z",
"modified": "2016-04-12T06:59:45.000Z",
"description": "original executable (malware) - Xchecked via VT: 97512f4617019c907cd0f88193039e7c",
"pattern": "[file:hashes.SHA256 = '438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570c9ce1-5af8-482a-a990-46c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:45.000Z",
"modified": "2016-04-12T06:59:45.000Z",
"description": "original executable (malware) - Xchecked via VT: 97512f4617019c907cd0f88193039e7c",
"pattern": "[file:hashes.SHA1 = '24cfa261ee30f697e7d1e2215eee1c21eebf4579']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-12T06:59:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--570c9ce1-6d14-459a-8a69-4f7502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-12T06:59:45.000Z",
"modified": "2016-04-12T06:59:45.000Z",
"first_observed": "2016-04-12T06:59:45Z",
"last_observed": "2016-04-12T06:59:45Z",
"number_observed": 1,
"object_refs": [
"url--570c9ce1-6d14-459a-8a69-4f7502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--570c9ce1-6d14-459a-8a69-4f7502de0b81",
"value": "https://www.virustotal.com/file/438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499/analysis/1459900992/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}