{
|
|
"type": "bundle",
|
|
"id": "bundle--5720669e-55ac-42ef-bc40-4b78950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:25:21.000Z",
|
|
"modified": "2016-04-27T07:25:21.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5720669e-55ac-42ef-bc40-4b78950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:25:21.000Z",
|
|
"modified": "2016-04-27T07:25:21.000Z",
|
|
"name": "OSINT - New Poison Ivy Activity Targeting Myanmar, Asian Countries",
|
|
"published": "2016-04-27T07:26:12Z",
|
|
"object_refs": [
|
|
"indicator--5720672e-e3ec-4191-bec0-475a950d210f",
|
|
"indicator--5720672e-28d4-4158-b7ff-4cde950d210f",
|
|
"indicator--5720672e-d8ac-43c2-b401-47c9950d210f",
|
|
"indicator--5720672f-5cc0-45f3-8335-45ba950d210f",
|
|
"indicator--5720672f-64ac-42fa-8431-4f09950d210f",
|
|
"indicator--57206839-7adc-45ad-b90c-4393950d210f",
|
|
"indicator--57206839-2274-4fa4-91a2-4aee950d210f",
|
|
"indicator--5720683a-a1dc-4777-9b22-40e3950d210f",
|
|
"indicator--5720683a-de00-499a-9963-4a6b950d210f",
|
|
"indicator--5720683a-70c4-4d63-a8f0-460f950d210f",
|
|
"indicator--5720683b-c4a4-4f2f-91d6-42d5950d210f",
|
|
"indicator--5720683b-f100-4756-a65f-489c950d210f",
|
|
"indicator--5720683c-6890-438f-b766-4576950d210f",
|
|
"indicator--57206879-b23c-4749-95c9-433902de0b81",
|
|
"indicator--5720687a-4cfc-4c96-913d-4feb02de0b81",
|
|
"observed-data--5720687a-9bd0-46be-bf8f-42b402de0b81",
|
|
"url--5720687a-9bd0-46be-bf8f-42b402de0b81",
|
|
"indicator--5720687b-2e58-467a-b6c5-4a1a02de0b81",
|
|
"indicator--5720687b-b328-4db6-8d52-473a02de0b81",
|
|
"observed-data--5720687b-3670-4619-9690-4b7502de0b81",
|
|
"url--5720687b-3670-4619-9690-4b7502de0b81",
|
|
"indicator--5720687c-a6d0-4a40-81da-462102de0b81",
|
|
"indicator--5720687c-d4b0-4045-9f80-473602de0b81",
|
|
"observed-data--5720687d-c874-4e64-b207-48ba02de0b81",
|
|
"url--5720687d-c874-4e64-b207-48ba02de0b81",
|
|
"indicator--5720687d-9bd4-45c1-ae92-4a7402de0b81",
|
|
"indicator--5720687d-a41c-47f7-999b-48b002de0b81",
|
|
"observed-data--5720687e-b544-490f-9475-47b402de0b81",
|
|
"url--5720687e-b544-490f-9475-47b402de0b81",
|
|
"indicator--5720687e-58ac-4dda-b11d-4d5f02de0b81",
|
|
"indicator--5720687e-69f0-4e06-bfb6-497602de0b81",
|
|
"observed-data--5720687f-da04-4f1c-b759-499b02de0b81",
|
|
"url--5720687f-da04-4f1c-b759-499b02de0b81",
|
|
"indicator--5720687f-8180-47c8-8cda-46fb02de0b81",
|
|
"indicator--5720687f-16bc-45d0-be6a-467f02de0b81",
|
|
"observed-data--57206880-44e4-47a5-97c7-4b4802de0b81",
|
|
"url--57206880-44e4-47a5-97c7-4b4802de0b81",
|
|
"indicator--57206880-7a7c-425b-9987-4f9302de0b81",
|
|
"indicator--57206881-a5c4-44cd-a3a5-49e302de0b81",
|
|
"observed-data--57206881-88f4-44b5-942d-4dc102de0b81",
|
|
"url--57206881-88f4-44b5-942d-4dc102de0b81",
|
|
"x-misp-attribute--57206961-530c-481e-a074-4466950d210f"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720672e-e3ec-4191-bec0-475a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:15:58.000Z",
|
|
"modified": "2016-04-27T07:15:58.000Z",
|
|
"description": "Unique C2 Hostnames",
|
|
"pattern": "[domain-name:value = 'news.tibetgroupworks.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:15:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720672e-28d4-4158-b7ff-4cde950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:15:58.000Z",
|
|
"modified": "2016-04-27T07:15:58.000Z",
|
|
"description": "Unique C2 Hostnames",
|
|
"pattern": "[domain-name:value = 'web.microsoftdefence.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:15:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720672e-d8ac-43c2-b401-47c9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:15:58.000Z",
|
|
"modified": "2016-04-27T07:15:58.000Z",
|
|
"description": "Unique C2 Hostnames",
|
|
"pattern": "[domain-name:value = 'admin.nslookupdns.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:15:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720672f-5cc0-45f3-8335-45ba950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:15:59.000Z",
|
|
"modified": "2016-04-27T07:15:59.000Z",
|
|
"description": "Unique C2 Hostnames",
|
|
"pattern": "[domain-name:value = 'jackhex.md5c.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:15:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720672f-64ac-42fa-8431-4f09950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:15:59.000Z",
|
|
"modified": "2016-04-27T07:15:59.000Z",
|
|
"description": "Unique C2 Hostnames",
|
|
"pattern": "[domain-name:value = 'webserver.servehttp.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:15:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57206839-7adc-45ad-b90c-4393950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:20:25.000Z",
|
|
"modified": "2016-04-27T07:20:25.000Z",
|
|
"description": "Malware sample",
|
|
"pattern": "[file:hashes.SHA1 = '63e00dbf45961ad11bd1eb55dff9c2771c2916a6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:20:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57206839-2274-4fa4-91a2-4aee950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:20:25.000Z",
|
|
"modified": "2016-04-27T07:20:25.000Z",
|
|
"description": "Malware sample",
|
|
"pattern": "[file:hashes.SHA1 = '675a3247f4c0e1105a41c685f4c2fb606e5b1eac']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:20:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720683a-a1dc-4777-9b22-40e3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:20:26.000Z",
|
|
"modified": "2016-04-27T07:20:26.000Z",
|
|
"description": "Malware sample",
|
|
"pattern": "[file:hashes.SHA1 = '49e36de6d757ca44c43d5670d497bd8738c1d2a4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:20:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720683a-de00-499a-9963-4a6b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:20:26.000Z",
|
|
"modified": "2016-04-27T07:20:26.000Z",
|
|
"description": "Malware sample",
|
|
"pattern": "[file:hashes.SHA1 = 'cbbfc3b5ff08de14fdb2316f3b14886dfe5504ef']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:20:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720683a-70c4-4d63-a8f0-460f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:20:26.000Z",
|
|
"modified": "2016-04-27T07:20:26.000Z",
|
|
"description": "Malware sample",
|
|
"pattern": "[file:hashes.SHA1 = 'a7d206791b1cdec616e9b18ae6fa1548ca96a321']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:20:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720683b-c4a4-4f2f-91d6-42d5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:20:27.000Z",
|
|
"modified": "2016-04-27T07:20:27.000Z",
|
|
"description": "Malware sample",
|
|
"pattern": "[file:hashes.SHA1 = 'ec646c57f9ac5e56230a17aeca6523a4532ff472']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:20:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720683b-f100-4756-a65f-489c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:20:27.000Z",
|
|
"modified": "2016-04-27T07:20:27.000Z",
|
|
"description": "Malware sample",
|
|
"pattern": "[file:hashes.SHA1 = 'ef2618d58bd50fa232a19f9bcf3983d1e2dff266']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:20:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720683c-6890-438f-b766-4576950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:20:28.000Z",
|
|
"modified": "2016-04-27T07:20:28.000Z",
|
|
"description": "Malware sample",
|
|
"pattern": "[file:hashes.SHA1 = 'f389e1c970b2ca28112a30a8cfef1f3973fa82ea']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:20:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57206879-b23c-4749-95c9-433902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:29.000Z",
|
|
"modified": "2016-04-27T07:21:29.000Z",
|
|
"description": "Malware sample - Xchecked via VT: ef2618d58bd50fa232a19f9bcf3983d1e2dff266",
|
|
"pattern": "[file:hashes.SHA256 = '02362ac6b456d3538b4a7ddd48690cabfaa466d346c72401a1286d28ddc6b04c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687a-4cfc-4c96-913d-4feb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:30.000Z",
|
|
"modified": "2016-04-27T07:21:30.000Z",
|
|
"description": "Malware sample - Xchecked via VT: ef2618d58bd50fa232a19f9bcf3983d1e2dff266",
|
|
"pattern": "[file:hashes.MD5 = '277f3ada5fc43284b84b3b0e0e10a413']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5720687a-9bd0-46be-bf8f-42b402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:30.000Z",
|
|
"modified": "2016-04-27T07:21:30.000Z",
|
|
"first_observed": "2016-04-27T07:21:30Z",
|
|
"last_observed": "2016-04-27T07:21:30Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5720687a-9bd0-46be-bf8f-42b402de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5720687a-9bd0-46be-bf8f-42b402de0b81",
|
|
"value": "https://www.virustotal.com/file/02362ac6b456d3538b4a7ddd48690cabfaa466d346c72401a1286d28ddc6b04c/analysis/1457540291/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687b-2e58-467a-b6c5-4a1a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:31.000Z",
|
|
"modified": "2016-04-27T07:21:31.000Z",
|
|
"description": "Malware sample - Xchecked via VT: ec646c57f9ac5e56230a17aeca6523a4532ff472",
|
|
"pattern": "[file:hashes.SHA256 = '3a9ab623c8a0a9f6c65e108e83c90da7620d2d6b22192c857556117587d0d038']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687b-b328-4db6-8d52-473a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:31.000Z",
|
|
"modified": "2016-04-27T07:21:31.000Z",
|
|
"description": "Malware sample - Xchecked via VT: ec646c57f9ac5e56230a17aeca6523a4532ff472",
|
|
"pattern": "[file:hashes.MD5 = '11eccf2c247dd4f9df730354b3e0947d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5720687b-3670-4619-9690-4b7502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:31.000Z",
|
|
"modified": "2016-04-27T07:21:31.000Z",
|
|
"first_observed": "2016-04-27T07:21:31Z",
|
|
"last_observed": "2016-04-27T07:21:31Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5720687b-3670-4619-9690-4b7502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5720687b-3670-4619-9690-4b7502de0b81",
|
|
"value": "https://www.virustotal.com/file/3a9ab623c8a0a9f6c65e108e83c90da7620d2d6b22192c857556117587d0d038/analysis/1459493835/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687c-a6d0-4a40-81da-462102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:32.000Z",
|
|
"modified": "2016-04-27T07:21:32.000Z",
|
|
"description": "Malware sample - Xchecked via VT: a7d206791b1cdec616e9b18ae6fa1548ca96a321",
|
|
"pattern": "[file:hashes.SHA256 = '81c07c15dd725f02f48859b6d493cd4b08f0a0939a57a7b2a869a8d71a3a1950']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687c-d4b0-4045-9f80-473602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:32.000Z",
|
|
"modified": "2016-04-27T07:21:32.000Z",
|
|
"description": "Malware sample - Xchecked via VT: a7d206791b1cdec616e9b18ae6fa1548ca96a321",
|
|
"pattern": "[file:hashes.MD5 = 'd2a4c1f91b2535cfe20c486fcdad907b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5720687d-c874-4e64-b207-48ba02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:33.000Z",
|
|
"modified": "2016-04-27T07:21:33.000Z",
|
|
"first_observed": "2016-04-27T07:21:33Z",
|
|
"last_observed": "2016-04-27T07:21:33Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5720687d-c874-4e64-b207-48ba02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5720687d-c874-4e64-b207-48ba02de0b81",
|
|
"value": "https://www.virustotal.com/file/81c07c15dd725f02f48859b6d493cd4b08f0a0939a57a7b2a869a8d71a3a1950/analysis/1451297533/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687d-9bd4-45c1-ae92-4a7402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:33.000Z",
|
|
"modified": "2016-04-27T07:21:33.000Z",
|
|
"description": "Malware sample - Xchecked via VT: cbbfc3b5ff08de14fdb2316f3b14886dfe5504ef",
|
|
"pattern": "[file:hashes.SHA256 = 'f7e667bc5d7d7e961f6afd880f979f4dfe52585e3379c5746a384d2a23b9fdf5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687d-a41c-47f7-999b-48b002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:33.000Z",
|
|
"modified": "2016-04-27T07:21:33.000Z",
|
|
"description": "Malware sample - Xchecked via VT: cbbfc3b5ff08de14fdb2316f3b14886dfe5504ef",
|
|
"pattern": "[file:hashes.MD5 = '241e30dd81588222c7f1ff92a53cc312']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5720687e-b544-490f-9475-47b402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:34.000Z",
|
|
"modified": "2016-04-27T07:21:34.000Z",
|
|
"first_observed": "2016-04-27T07:21:34Z",
|
|
"last_observed": "2016-04-27T07:21:34Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5720687e-b544-490f-9475-47b402de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5720687e-b544-490f-9475-47b402de0b81",
|
|
"value": "https://www.virustotal.com/file/f7e667bc5d7d7e961f6afd880f979f4dfe52585e3379c5746a384d2a23b9fdf5/analysis/1460040916/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687e-58ac-4dda-b11d-4d5f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:34.000Z",
|
|
"modified": "2016-04-27T07:21:34.000Z",
|
|
"description": "Malware sample - Xchecked via VT: 49e36de6d757ca44c43d5670d497bd8738c1d2a4",
|
|
"pattern": "[file:hashes.SHA256 = '8a013fad26ea7c6a710c1646716c8e09d044598d25683470775b0da6048542a8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687e-69f0-4e06-bfb6-497602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:34.000Z",
|
|
"modified": "2016-04-27T07:21:34.000Z",
|
|
"description": "Malware sample - Xchecked via VT: 49e36de6d757ca44c43d5670d497bd8738c1d2a4",
|
|
"pattern": "[file:hashes.MD5 = '96bff6ef607bbe07c49357d0c58714a5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5720687f-da04-4f1c-b759-499b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:35.000Z",
|
|
"modified": "2016-04-27T07:21:35.000Z",
|
|
"first_observed": "2016-04-27T07:21:35Z",
|
|
"last_observed": "2016-04-27T07:21:35Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5720687f-da04-4f1c-b759-499b02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5720687f-da04-4f1c-b759-499b02de0b81",
|
|
"value": "https://www.virustotal.com/file/8a013fad26ea7c6a710c1646716c8e09d044598d25683470775b0da6048542a8/analysis/1459494481/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687f-8180-47c8-8cda-46fb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:35.000Z",
|
|
"modified": "2016-04-27T07:21:35.000Z",
|
|
"description": "Malware sample - Xchecked via VT: 675a3247f4c0e1105a41c685f4c2fb606e5b1eac",
|
|
"pattern": "[file:hashes.SHA256 = '1e2543e364217d9f48bf963709299fa54c381c6d583a419171d12e30d6e078e9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5720687f-16bc-45d0-be6a-467f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:35.000Z",
|
|
"modified": "2016-04-27T07:21:35.000Z",
|
|
"description": "Malware sample - Xchecked via VT: 675a3247f4c0e1105a41c685f4c2fb606e5b1eac",
|
|
"pattern": "[file:hashes.MD5 = 'be06e2f28143abdbaf61819e1746dfbe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57206880-44e4-47a5-97c7-4b4802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:36.000Z",
|
|
"modified": "2016-04-27T07:21:36.000Z",
|
|
"first_observed": "2016-04-27T07:21:36Z",
|
|
"last_observed": "2016-04-27T07:21:36Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57206880-44e4-47a5-97c7-4b4802de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57206880-44e4-47a5-97c7-4b4802de0b81",
|
|
"value": "https://www.virustotal.com/file/1e2543e364217d9f48bf963709299fa54c381c6d583a419171d12e30d6e078e9/analysis/1460373004/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57206880-7a7c-425b-9987-4f9302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:36.000Z",
|
|
"modified": "2016-04-27T07:21:36.000Z",
|
|
"description": "Malware sample - Xchecked via VT: 63e00dbf45961ad11bd1eb55dff9c2771c2916a6",
|
|
"pattern": "[file:hashes.SHA256 = 'ac8fc264c7ec3cf70836e1bb21f9a20174b04ad49731b8797d7d8bb95cb353e2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57206881-a5c4-44cd-a3a5-49e302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:37.000Z",
|
|
"modified": "2016-04-27T07:21:37.000Z",
|
|
"description": "Malware sample - Xchecked via VT: 63e00dbf45961ad11bd1eb55dff9c2771c2916a6",
|
|
"pattern": "[file:hashes.MD5 = '9dd6fb40a7ace992bedc283dee79f50b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-04-27T07:21:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57206881-88f4-44b5-942d-4dc102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:21:37.000Z",
|
|
"modified": "2016-04-27T07:21:37.000Z",
|
|
"first_observed": "2016-04-27T07:21:37Z",
|
|
"last_observed": "2016-04-27T07:21:37Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57206881-88f4-44b5-942d-4dc102de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57206881-88f4-44b5-942d-4dc102de0b81",
|
|
"value": "https://www.virustotal.com/file/ac8fc264c7ec3cf70836e1bb21f9a20174b04ad49731b8797d7d8bb95cb353e2/analysis/1461585828/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--57206961-530c-481e-a074-4466950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-04-27T07:25:21.000Z",
|
|
"modified": "2016-04-27T07:25:21.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks\u2019 Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months."
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |