adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/57a88345-5254-4c97-954d-4ff8950d210f.json

1718 lines
No EOL
74 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--57a88345-5254-4c97-954d-4ff8950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-09T13:57:10.000Z",
"modified": "2016-08-09T13:57:10.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57a88345-5254-4c97-954d-4ff8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-09T13:57:10.000Z",
"modified": "2016-08-09T13:57:10.000Z",
"name": "OSINT - Strider: Cyberespionage group turns eye of Sauron on targets",
"published": "2016-08-09T13:57:21Z",
"object_refs": [
"observed-data--57a88352-7acc-4ad7-be40-453d950d210f",
"url--57a88352-7acc-4ad7-be40-453d950d210f",
"x-misp-attribute--57a8837a-a450-4ced-b08e-4905950d210f",
"x-misp-attribute--57a883b4-fabc-4936-8e65-41c8950d210f",
"x-misp-attribute--57a88419-1900-403e-845c-47da950d210f",
"x-misp-attribute--57a8841a-455c-4b87-96a5-4325950d210f",
"x-misp-attribute--57a8841a-a3cc-457b-9a54-4e8c950d210f",
"x-misp-attribute--57a8841a-f964-41c4-81a5-43e4950d210f",
"indicator--57a88454-b0c4-432b-ae28-4558950d210f",
"observed-data--57a885bc-1614-4e58-8e17-4457950d210f",
"url--57a885bc-1614-4e58-8e17-4457950d210f",
"indicator--57a885fd-10f8-46fe-8f9d-44ca950d210f",
"indicator--57a88670-859c-439a-bd1d-4e63950d210f",
"indicator--57a886ca-69c8-45d6-80ed-41fb950d210f",
"indicator--57a88713-13ec-49db-a8cf-4ccb950d210f",
"indicator--57a88713-03d0-4507-a60c-4d2f950d210f",
"indicator--57a88726-e6ec-4913-926b-44f102de0b81",
"indicator--57a88727-5970-4226-a94e-412602de0b81",
"observed-data--57a88727-6cfc-4135-9911-471d02de0b81",
"url--57a88727-6cfc-4135-9911-471d02de0b81",
"indicator--57a88728-93e0-497c-b71b-438402de0b81",
"indicator--57a88728-fd5c-4297-be69-470b02de0b81",
"observed-data--57a88729-dd00-4f3f-8a83-4f6602de0b81",
"url--57a88729-dd00-4f3f-8a83-4f6602de0b81",
"indicator--57a88830-f1b4-4a1e-b841-4c5c950d210f",
"indicator--57a8886b-ba78-49a2-aadb-48cd950d210f",
"indicator--57a888a3-e1b0-4996-a918-4eca950d210f",
"indicator--57a888f0-ad44-4490-9f2f-4486950d210f",
"indicator--57a88918-641c-44a7-8ab9-453b950d210f",
"indicator--57a88918-cf7c-4e27-8853-4557950d210f",
"indicator--57a88918-57d0-44b7-88a5-4a1b950d210f",
"indicator--57a88918-6ac0-43b5-a57a-485e950d210f",
"indicator--57a88919-2298-4047-9466-4583950d210f",
"indicator--57a88919-8ba4-40f1-99fa-4e7b950d210f",
"indicator--57a88919-a6bc-4fea-910b-4aad950d210f",
"indicator--57a8892e-d428-466b-b840-469c02de0b81",
"indicator--57a8892e-7f90-4990-85ac-49ae02de0b81",
"observed-data--57a8892e-ef88-415d-80e0-498e02de0b81",
"url--57a8892e-ef88-415d-80e0-498e02de0b81",
"indicator--57a8892f-cc04-4152-9128-4b7302de0b81",
"indicator--57a8892f-711c-446a-80a1-497e02de0b81",
"observed-data--57a8892f-24c4-458c-bc44-45d802de0b81",
"url--57a8892f-24c4-458c-bc44-45d802de0b81",
"indicator--57a8892f-c620-4e9f-915d-4c2b02de0b81",
"indicator--57a8892f-3c50-45a8-a921-4c8102de0b81",
"observed-data--57a88930-d4d4-49f5-8125-433502de0b81",
"url--57a88930-d4d4-49f5-8125-433502de0b81",
"indicator--57a88930-0918-4973-8a8e-454b02de0b81",
"indicator--57a88930-cfa4-41f9-96bd-40e802de0b81",
"observed-data--57a88930-0520-41f5-adf5-4ba602de0b81",
"url--57a88930-0520-41f5-adf5-4ba602de0b81",
"indicator--57a88931-8c58-4ed9-9396-471902de0b81",
"indicator--57a88931-ad84-4ded-b269-4cc802de0b81",
"observed-data--57a88931-d260-41f7-97d5-462202de0b81",
"url--57a88931-d260-41f7-97d5-462202de0b81",
"indicator--57a88931-c5f0-4ac8-8a8d-4dda02de0b81",
"indicator--57a88931-6a54-4009-af93-4c9002de0b81",
"observed-data--57a88932-3ecc-484f-ab05-472002de0b81",
"url--57a88932-3ecc-484f-ab05-472002de0b81",
"indicator--57a88932-98c0-474a-aaae-442002de0b81",
"indicator--57a88932-6780-42a7-8138-4d6402de0b81",
"observed-data--57a88932-72cc-46fd-b6ec-4cae02de0b81",
"url--57a88932-72cc-46fd-b6ec-4cae02de0b81",
"indicator--57a88ce8-5518-4f78-880b-4338950d210f",
"indicator--57a88d46-5be8-43a8-a8f5-4214950d210f",
"indicator--57a88d47-6e64-4001-8edd-42cf950d210f",
"indicator--57a88d47-85a0-4b82-aa20-4c86950d210f",
"indicator--57a88d47-4ed8-406d-9b7a-4a15950d210f",
"indicator--57a88d47-781c-4701-b87b-4227950d210f",
"indicator--57a88d47-8d90-4087-a16e-4007950d210f",
"indicator--57a88de1-7928-481d-8410-492e950d210f",
"indicator--57a88e05-98f4-47fc-8b65-4444950d210f",
"indicator--57a88e85-d6e8-46eb-9415-4da0950d210f",
"indicator--57a88ec8-3460-42bf-adf3-4cb8950d210f",
"indicator--57a8914a-a938-4f12-a6d0-48e0950d210f",
"indicator--57a8914a-dde8-4147-a826-4cea950d210f",
"indicator--57a8915d-b784-457f-9ad3-45b7950d210f",
"indicator--57a8919a-b2a4-4d94-be0d-4e42950d210f",
"indicator--57a891ea-2728-4d10-bb9d-4a80950d210f",
"indicator--57a89eb7-8f40-4ab7-a7a4-4fe6950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a88352-7acc-4ad7-be40-453d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:04:18.000Z",
"modified": "2016-08-08T13:04:18.000Z",
"first_observed": "2016-08-08T13:04:18Z",
"last_observed": "2016-08-08T13:04:18Z",
"number_observed": 1,
"object_refs": [
"url--57a88352-7acc-4ad7-be40-453d950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a88352-7acc-4ad7-be40-453d950d210f",
"value": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57a8837a-a450-4ced-b08e-4905950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:04:58.000Z",
"modified": "2016-08-08T13:04:58.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "A previously unknown group called Strider has been conducting cyberespionage-style attacks against selected targets in Russia, China, Sweden, and Belgium. The group uses an advanced piece of malware known as Remsec (Backdoor.Remsec) to conduct its attacks. Remsec is a stealthy tool that appears to be primarily designed for spying purposes. Its code contains a reference to Sauron, the all-seeing antagonist in Lord of the Rings.\r\n\r\nStrider\u00e2\u20ac\u2122s attacks have tentative links with a previously uncovered group, Flamer. The use of Lua modules, which we\u00e2\u20ac\u2122ll discuss later, is a technique that has previously been used by Flamer. One of Strider\u00e2\u20ac\u2122s targets had also previously been infected by Regin."
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57a883b4-fabc-4936-8e65-41c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:05:56.000Z",
"modified": "2016-08-08T13:05:56.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "Backdoor.Remsec"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57a88419-1900-403e-845c-47da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:07:37.000Z",
"modified": "2016-08-08T13:07:37.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Only a small number of organizations in four countries are impacted by Strider",
"x_misp_type": "target-location",
"x_misp_value": "Belgium"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57a8841a-455c-4b87-96a5-4325950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:07:38.000Z",
"modified": "2016-08-08T13:07:38.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Only a small number of organizations in four countries are impacted by Strider",
"x_misp_type": "target-location",
"x_misp_value": "Sweden"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57a8841a-a3cc-457b-9a54-4e8c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:07:38.000Z",
"modified": "2016-08-08T13:07:38.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Only a small number of organizations in four countries are impacted by Strider",
"x_misp_type": "target-location",
"x_misp_value": "Russia"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57a8841a-f964-41c4-81a5-43e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:07:38.000Z",
"modified": "2016-08-08T13:07:38.000Z",
"labels": [
"misp:type=\"target-location\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Only a small number of organizations in four countries are impacted by Strider",
"x_misp_type": "target-location",
"x_misp_value": "China"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88454-b0c4-432b-ae28-4558950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:08:36.000Z",
"modified": "2016-08-08T13:08:36.000Z",
"pattern": "[file:name = 'MSAOSSPC.DLL']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:08:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a885bc-1614-4e58-8e17-4457950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:14:36.000Z",
"modified": "2016-08-08T13:14:36.000Z",
"first_observed": "2016-08-08T13:14:36Z",
"last_observed": "2016-08-08T13:14:36Z",
"number_observed": 1,
"object_refs": [
"url--57a885bc-1614-4e58-8e17-4457950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a885bc-1614-4e58-8e17-4457950d210f",
"value": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a885fd-10f8-46fe-8f9d-44ca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:15:41.000Z",
"modified": "2016-08-08T13:15:41.000Z",
"pattern": "[file:name = 'MSAOSSPC.DLL' AND file:hashes.MD5 = '2a8785bf45f4f03c10cd929bb0685c2d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:15:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88670-859c-439a-bd1d-4e63950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:17:36.000Z",
"modified": "2016-08-08T13:17:36.000Z",
"description": "The loaded executable blobs may be retrieved from the following path",
"pattern": "[file:name = 'c:\\\\System Volume Information\\\\_restore{ED650925-A32C-4E9C-8A73-8E6F0509309A}\\\\RP0\\\\A0000002.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:17:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a886ca-69c8-45d6-80ed-41fb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:19:06.000Z",
"modified": "2016-08-08T13:19:06.000Z",
"description": "is to receive executable modules from remote attackers and run them from memory on the local computer . (Network loader)",
"pattern": "[file:hashes.MD5 = '90b4b5f0a475f3a028be2f71409e6d1a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:19:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88713-13ec-49db-a8cf-4ccb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:20:19.000Z",
"modified": "2016-08-08T13:20:19.000Z",
"description": "Host loader",
"pattern": "[file:hashes.MD5 = '7261230a43a40bb29227a169c2c8e1be']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:20:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88713-03d0-4507-a60c-4d2f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:20:19.000Z",
"modified": "2016-08-08T13:20:19.000Z",
"description": "Host loader",
"pattern": "[file:hashes.MD5 = '48d0c8faaee08fc51346925090af89aa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:20:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88726-e6ec-4913-926b-44f102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:20:38.000Z",
"modified": "2016-08-08T13:20:38.000Z",
"description": "- Xchecked via VT: 2a8785bf45f4f03c10cd929bb0685c2d",
"pattern": "[file:hashes.SHA256 = '6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:20:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88727-5970-4226-a94e-412602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:20:39.000Z",
"modified": "2016-08-08T13:20:39.000Z",
"description": "- Xchecked via VT: 2a8785bf45f4f03c10cd929bb0685c2d",
"pattern": "[file:hashes.SHA1 = 'd18792a187d7567f3f31908c05a8b8a2647d365f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:20:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a88727-6cfc-4135-9911-471d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:20:39.000Z",
"modified": "2016-08-08T13:20:39.000Z",
"first_observed": "2016-08-08T13:20:39Z",
"last_observed": "2016-08-08T13:20:39Z",
"number_observed": 1,
"object_refs": [
"url--57a88727-6cfc-4135-9911-471d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a88727-6cfc-4135-9911-471d02de0b81",
"value": "https://www.virustotal.com/file/6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd/analysis/1470296379/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88728-93e0-497c-b71b-438402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:20:40.000Z",
"modified": "2016-08-08T13:20:40.000Z",
"description": "Host loader - Xchecked via VT: 7261230a43a40bb29227a169c2c8e1be",
"pattern": "[file:hashes.SHA256 = 'd737644d612e5051f66fb97a34ec592b3508be06e33f743a2fdb31cdf6bd2718']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:20:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88728-fd5c-4297-be69-470b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:20:40.000Z",
"modified": "2016-08-08T13:20:40.000Z",
"description": "Host loader - Xchecked via VT: 7261230a43a40bb29227a169c2c8e1be",
"pattern": "[file:hashes.SHA1 = '1bb7614bb7c3042796c8dc7befdd8042197f222d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:20:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a88729-dd00-4f3f-8a83-4f6602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:20:41.000Z",
"modified": "2016-08-08T13:20:41.000Z",
"first_observed": "2016-08-08T13:20:41Z",
"last_observed": "2016-08-08T13:20:41Z",
"number_observed": 1,
"object_refs": [
"url--57a88729-dd00-4f3f-8a83-4f6602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a88729-dd00-4f3f-8a83-4f6602de0b81",
"value": "https://www.virustotal.com/file/d737644d612e5051f66fb97a34ec592b3508be06e33f743a2fdb31cdf6bd2718/analysis/1470649331/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88830-f1b4-4a1e-b841-4c5c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:25:04.000Z",
"modified": "2016-08-08T13:25:04.000Z",
"description": "The keylogger logs data to the following location",
"pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\\\\\temp\\\\\\\\bka*.da']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:25:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8886b-ba78-49a2-aadb-48cd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:26:03.000Z",
"modified": "2016-08-08T13:26:03.000Z",
"description": "The keylogger logs data to the following location",
"pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\\\\\temp\\\\\\\\bka*.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:26:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a888a3-e1b0-4996-a918-4eca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:26:59.000Z",
"modified": "2016-08-08T13:26:59.000Z",
"description": "The keylogger logs data to the following location",
"pattern": "[file:name = 'C:\\\\\\\\System Volume Information\\\\\\\\_restore{ED650925-A32C-4E9C-8A73-8E6F0509309A}\\\\\\\\RP0\\\\\\\\change.log']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:26:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a888f0-ad44-4490-9f2f-4486950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:28:16.000Z",
"modified": "2016-08-08T13:28:16.000Z",
"description": "The keylogger logs data to the following location",
"pattern": "[file:name = 'C:\\\\\\\\System Volume Information\\\\\\\\_restore{ED650925-A32C-4E9C-8A73-8E6F0509309A}\\\\\\\\RP1\\\\\\\\A*']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:28:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88918-641c-44a7-8ab9-453b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:28:56.000Z",
"modified": "2016-08-08T13:28:56.000Z",
"description": "Network listeners",
"pattern": "[file:hashes.MD5 = '0a0948d871ef5a3006c0ab2997ad330e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:28:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88918-cf7c-4e27-8853-4557950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:28:56.000Z",
"modified": "2016-08-08T13:28:56.000Z",
"description": "Network listeners",
"pattern": "[file:hashes.MD5 = '113050c3e3140bf631d186d78d4b1dc0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:28:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88918-57d0-44b7-88a5-4a1b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:28:56.000Z",
"modified": "2016-08-08T13:28:56.000Z",
"description": "Network listeners",
"pattern": "[file:hashes.MD5 = '1d9d7d05ab7c68bdc257afb1c086fb88']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:28:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88918-6ac0-43b5-a57a-485e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:28:56.000Z",
"modified": "2016-08-08T13:28:56.000Z",
"description": "Network listeners",
"pattern": "[file:hashes.MD5 = '1f316e14e773ca0f468d0d160b5d0307']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:28:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88919-2298-4047-9466-4583950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:28:57.000Z",
"modified": "2016-08-08T13:28:57.000Z",
"description": "Network listeners",
"pattern": "[file:hashes.MD5 = '7b8a3bf6fd266593db96eddaa3fae6f9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:28:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88919-8ba4-40f1-99fa-4e7b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:28:57.000Z",
"modified": "2016-08-08T13:28:57.000Z",
"description": "Network listeners",
"pattern": "[file:hashes.MD5 = 'cf6c049bd7cd9e04cc365b73f3f6098e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:28:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88919-a6bc-4fea-910b-4aad950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:28:57.000Z",
"modified": "2016-08-08T13:28:57.000Z",
"description": "Network listeners",
"pattern": "[file:hashes.MD5 = '7c3eecfb5174ca5cb1e03b8bf4b06f19']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:28:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8892e-d428-466b-b840-469c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:18.000Z",
"modified": "2016-08-08T13:29:18.000Z",
"description": "Network listeners - Xchecked via VT: 7c3eecfb5174ca5cb1e03b8bf4b06f19",
"pattern": "[file:hashes.SHA256 = '02a9b52c88199e5611871d634b6188c35a174944f75f6d8a2110b5b1c5e60a48']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8892e-7f90-4990-85ac-49ae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:18.000Z",
"modified": "2016-08-08T13:29:18.000Z",
"description": "Network listeners - Xchecked via VT: 7c3eecfb5174ca5cb1e03b8bf4b06f19",
"pattern": "[file:hashes.SHA1 = 'b5fbba3182ef25b20fecfc537effeeede977a2fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a8892e-ef88-415d-80e0-498e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:18.000Z",
"modified": "2016-08-08T13:29:18.000Z",
"first_observed": "2016-08-08T13:29:18Z",
"last_observed": "2016-08-08T13:29:18Z",
"number_observed": 1,
"object_refs": [
"url--57a8892e-ef88-415d-80e0-498e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a8892e-ef88-415d-80e0-498e02de0b81",
"value": "https://www.virustotal.com/file/02a9b52c88199e5611871d634b6188c35a174944f75f6d8a2110b5b1c5e60a48/analysis/1470649329/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8892f-cc04-4152-9128-4b7302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:19.000Z",
"modified": "2016-08-08T13:29:19.000Z",
"description": "Network listeners - Xchecked via VT: cf6c049bd7cd9e04cc365b73f3f6098e",
"pattern": "[file:hashes.SHA256 = '6b06522f803437d51c15832dbd6b91d8d8b244440b4d2f09bd952f335351b06d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8892f-711c-446a-80a1-497e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:19.000Z",
"modified": "2016-08-08T13:29:19.000Z",
"description": "Network listeners - Xchecked via VT: cf6c049bd7cd9e04cc365b73f3f6098e",
"pattern": "[file:hashes.SHA1 = '90bead07f7c6c92c6ca2b34406c5ea516307ee4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a8892f-24c4-458c-bc44-45d802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:19.000Z",
"modified": "2016-08-08T13:29:19.000Z",
"first_observed": "2016-08-08T13:29:19Z",
"last_observed": "2016-08-08T13:29:19Z",
"number_observed": 1,
"object_refs": [
"url--57a8892f-24c4-458c-bc44-45d802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a8892f-24c4-458c-bc44-45d802de0b81",
"value": "https://www.virustotal.com/file/6b06522f803437d51c15832dbd6b91d8d8b244440b4d2f09bd952f335351b06d/analysis/1470649331/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8892f-c620-4e9f-915d-4c2b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:19.000Z",
"modified": "2016-08-08T13:29:19.000Z",
"description": "Network listeners - Xchecked via VT: 7b8a3bf6fd266593db96eddaa3fae6f9",
"pattern": "[file:hashes.SHA256 = '3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8892f-3c50-45a8-a921-4c8102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:19.000Z",
"modified": "2016-08-08T13:29:19.000Z",
"description": "Network listeners - Xchecked via VT: 7b8a3bf6fd266593db96eddaa3fae6f9",
"pattern": "[file:hashes.SHA1 = 'd18df80316160535aa798303b6f02b6ae8e04388']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a88930-d4d4-49f5-8125-433502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:20.000Z",
"modified": "2016-08-08T13:29:20.000Z",
"first_observed": "2016-08-08T13:29:20Z",
"last_observed": "2016-08-08T13:29:20Z",
"number_observed": 1,
"object_refs": [
"url--57a88930-d4d4-49f5-8125-433502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a88930-d4d4-49f5-8125-433502de0b81",
"value": "https://www.virustotal.com/file/3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8/analysis/1470653929/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88930-0918-4973-8a8e-454b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:20.000Z",
"modified": "2016-08-08T13:29:20.000Z",
"description": "Network listeners - Xchecked via VT: 1f316e14e773ca0f468d0d160b5d0307",
"pattern": "[file:hashes.SHA256 = '9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88930-cfa4-41f9-96bd-40e802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:20.000Z",
"modified": "2016-08-08T13:29:20.000Z",
"description": "Network listeners - Xchecked via VT: 1f316e14e773ca0f468d0d160b5d0307",
"pattern": "[file:hashes.SHA1 = '4bf1fd9c721d13b74a1aa18d4bf1981558697fc7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a88930-0520-41f5-adf5-4ba602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:20.000Z",
"modified": "2016-08-08T13:29:20.000Z",
"first_observed": "2016-08-08T13:29:20Z",
"last_observed": "2016-08-08T13:29:20Z",
"number_observed": 1,
"object_refs": [
"url--57a88930-0520-41f5-adf5-4ba602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a88930-0520-41f5-adf5-4ba602de0b81",
"value": "https://www.virustotal.com/file/9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9/analysis/1470653936/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88931-8c58-4ed9-9396-471902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:21.000Z",
"modified": "2016-08-08T13:29:21.000Z",
"description": "Network listeners - Xchecked via VT: 1d9d7d05ab7c68bdc257afb1c086fb88",
"pattern": "[file:hashes.SHA256 = 'c8f95bf8a76ff124cc1d7a8439beff360d0eb9c0972d42a8684c3bd4e91c6600']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88931-ad84-4ded-b269-4cc802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:21.000Z",
"modified": "2016-08-08T13:29:21.000Z",
"description": "Network listeners - Xchecked via VT: 1d9d7d05ab7c68bdc257afb1c086fb88",
"pattern": "[file:hashes.SHA1 = '63b579b9671b45478b42a5f96110c9d4234f7c82']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a88931-d260-41f7-97d5-462202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:21.000Z",
"modified": "2016-08-08T13:29:21.000Z",
"first_observed": "2016-08-08T13:29:21Z",
"last_observed": "2016-08-08T13:29:21Z",
"number_observed": 1,
"object_refs": [
"url--57a88931-d260-41f7-97d5-462202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a88931-d260-41f7-97d5-462202de0b81",
"value": "https://www.virustotal.com/file/c8f95bf8a76ff124cc1d7a8439beff360d0eb9c0972d42a8684c3bd4e91c6600/analysis/1470653946/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88931-c5f0-4ac8-8a8d-4dda02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:21.000Z",
"modified": "2016-08-08T13:29:21.000Z",
"description": "Network listeners - Xchecked via VT: 113050c3e3140bf631d186d78d4b1dc0",
"pattern": "[file:hashes.SHA256 = 'bde264ceb211089f6a9c8cfbaf3974bf3d7bf4843d22186684464152c432f8a5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88931-6a54-4009-af93-4c9002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:21.000Z",
"modified": "2016-08-08T13:29:21.000Z",
"description": "Network listeners - Xchecked via VT: 113050c3e3140bf631d186d78d4b1dc0",
"pattern": "[file:hashes.SHA1 = '3ae2cafb053009c16dbec057184c6250b450b914']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a88932-3ecc-484f-ab05-472002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:22.000Z",
"modified": "2016-08-08T13:29:22.000Z",
"first_observed": "2016-08-08T13:29:22Z",
"last_observed": "2016-08-08T13:29:22Z",
"number_observed": 1,
"object_refs": [
"url--57a88932-3ecc-484f-ab05-472002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a88932-3ecc-484f-ab05-472002de0b81",
"value": "https://www.virustotal.com/file/bde264ceb211089f6a9c8cfbaf3974bf3d7bf4843d22186684464152c432f8a5/analysis/1470173246/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88932-98c0-474a-aaae-442002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:22.000Z",
"modified": "2016-08-08T13:29:22.000Z",
"description": "Network listeners - Xchecked via VT: 0a0948d871ef5a3006c0ab2997ad330e",
"pattern": "[file:hashes.SHA256 = 'ab8181ae5cc205f1d3cae00d8b34011e47b735a553bd5a4f079f03052b74a06d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88932-6780-42a7-8138-4d6402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:22.000Z",
"modified": "2016-08-08T13:29:22.000Z",
"description": "Network listeners - Xchecked via VT: 0a0948d871ef5a3006c0ab2997ad330e",
"pattern": "[file:hashes.SHA1 = 'ee9eccad334b3bd8874b7259555a93ccb23f7e59']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:29:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57a88932-72cc-46fd-b6ec-4cae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:29:22.000Z",
"modified": "2016-08-08T13:29:22.000Z",
"first_observed": "2016-08-08T13:29:22Z",
"last_observed": "2016-08-08T13:29:22Z",
"number_observed": 1,
"object_refs": [
"url--57a88932-72cc-46fd-b6ec-4cae02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57a88932-72cc-46fd-b6ec-4cae02de0b81",
"value": "https://www.virustotal.com/file/ab8181ae5cc205f1d3cae00d8b34011e47b735a553bd5a4f079f03052b74a06d/analysis/1470649324/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88ce8-5518-4f78-880b-4338950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:45:12.000Z",
"modified": "2016-08-08T13:45:12.000Z",
"description": "Backdoor. Remsec",
"pattern": "[file:hashes.SHA256 = '6189b94c9f3982ce15015d68f280f5d7a87074b829edb87825cadab6ec1c7ec2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:45:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88d46-5be8-43a8-a8f5-4214950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:46:46.000Z",
"modified": "2016-08-08T13:46:46.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[url:value = 'http://flowershop22.110mb.com/flowers.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:46:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88d47-6e64-4001-8edd-42cf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:46:47.000Z",
"modified": "2016-08-08T13:46:47.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[url:value = 'http://flowershop22.110mb.com/shop.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:46:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88d47-85a0-4b82-aa20-4c86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:46:47.000Z",
"modified": "2016-08-08T13:46:47.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[url:value = 'http://wildhorses.awardspace.info/hindex.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:46:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88d47-4ed8-406d-9b7a-4a15950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:46:47.000Z",
"modified": "2016-08-08T13:46:47.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[url:value = 'http://wildhorses.awardspace.info/horses.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:46:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88d47-781c-4701-b87b-4227950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:46:47.000Z",
"modified": "2016-08-08T13:46:47.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[url:value = 'http://www.myhomemusic.com/music.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:46:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88d47-8d90-4087-a16e-4007950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:46:47.000Z",
"modified": "2016-08-08T13:46:47.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[url:value = 'http://www.myhomemusic.com/mymusic.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T13:46:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88de1-7928-481d-8410-492e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:49:21.000Z",
"modified": "2016-08-08T13:49:21.000Z",
"pattern": "[rule remsec_encrypted_api\r\n{\r\nmeta:\r\ncopyright = \"Symantec\"\r\nstrings:\r\n$open_process =\r\n/*\r\n\"OpenProcess\\x00\" in encrypted form\r\n*/\r\n{ 91 9A 8F B0 9C 90 8D AF 8C 8C 9A FF }\r\ncondition:\r\nall of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-08-08T13:49:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88e05-98f4-47fc-8b65-4444950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:49:57.000Z",
"modified": "2016-08-08T13:49:57.000Z",
"pattern": "[rule remsec_packer_A\r\n{\r\nmeta:\r\ncopyright = \"Symantec\"\r\nstrings:\r\n$code =\r\n/*\r\n69 ?? AB 00 00 00\r\nimul\r\nr0, 0ABh\r\n81 C? CD 2B 00 00\r\nadd\r\nr0, 2BCDh\r\nF7 E?\r\nmul\r\nr0\r\nC1 E? 0D\r\nshr\r\nr1, 0Dh\r\n69 ?? 85 CF 00 00\r\nimul\r\nr1, 0CF85h\r\n2B\r\nsub\r\nr0, r1\r\n*/\r\n{\r\n69 ( C? | D? | E? | F? ) AB 00 00 00\r\n( 81 | 41 81 ) C? CD 2B 00 00\r\n( F7 | 41 F7 ) E?\r\n( C1 | 41 C1 ) E? 0D\r\n( 69 | 45 69 ) ( C? | D? | E? | F? ) 85 CF 00 00\r\n( 29 | 41 29 | 44 29 | 45 29 | 2B | 41 2B | 44 2B | 45 2B )\r\n}\r\ncondition:\r\nall of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-08-08T13:49:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88e85-d6e8-46eb-9415-4da0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:52:05.000Z",
"modified": "2016-08-08T13:52:05.000Z",
"pattern": "[rule remsec_packer_B\r\n{\r\nmeta:\r\ncopyright = \"Symantec\"\r\nstrings:\r\n$code =\r\n{\r\n48 8B 05 ?? ?? ?? ??\r\n48 89 44 24 ??\r\n48 8B 05 ?? ?? ?? ??\r\n48 8D 4C 24 ??\r\n48 89 44 24 ??\r\n48 8D ( 45 ?? | 84 24 ?? ?? 00 00 )\r\n( 44 88 6? 24 ?? | C6 44 24 ?? 00 )\r\n48 89 44 24 ??\r\n48 8D ( 45 ?? | 84 24 ?? ?? 00 00 )\r\nC7 44 24 ?? 0? 00 00 00\r\n2B ?8\r\n48 89 ?C 24 ??\r\n44 89 6? 24 ??\r\n83 C? 08\r\n89 ?C 24 ??\r\n( FF | 41 FF ) D?\r\n( 05 | 8D 88 ) 00 00 00 3A\r\n}\r\ncondition:\r\nall of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-08-08T13:52:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a88ec8-3460-42bf-adf3-4cb8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T13:53:12.000Z",
"modified": "2016-08-08T13:53:12.000Z",
"pattern": "[rule remsec_executable_blob_32\r\n{\r\nmeta:\r\ncopyright = \"Symantec\"\r\nstrings:\r\n$code =\r\n{\r\n31 06\r\n83 C6 04\r\nD1 E8\r\n73 05\r\n35 01 00 00 D0\r\nE2 F0\r\n}\r\ncondition:\r\nall of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-08-08T13:53:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8914a-a938-4f12-a6d0-48e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T14:03:54.000Z",
"modified": "2016-08-08T14:03:54.000Z",
"pattern": "[domain-name:value = 'flowershop22.110mb.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T14:03:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8914a-dde8-4147-a826-4cea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T14:03:54.000Z",
"modified": "2016-08-08T14:03:54.000Z",
"pattern": "[domain-name:value = 'wildhorses.awardspace.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T14:03:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8915d-b784-457f-9ad3-45b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T14:04:13.000Z",
"modified": "2016-08-08T14:04:13.000Z",
"pattern": "[domain-name:value = 'myhomemusic.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T14:04:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a8919a-b2a4-4d94-be0d-4e42950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T14:05:14.000Z",
"modified": "2016-08-08T14:05:14.000Z",
"description": "Configuration data for host loader (version with MD5: 7261230a43a40bb29227a169c2c8e1be)",
"pattern": "[file:name = 'c:\\\\\\\\System Volume Information\\\\\\\\{aa112c99-f343-4107-8ba1-22951714a641}']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T14:05:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a891ea-2728-4d10-bb9d-4a80950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-08T14:06:34.000Z",
"modified": "2016-08-08T14:06:34.000Z",
"description": "Configuration data for host loader (version with MD5: 7261230a43a40bb29227a169c2c8e1be)",
"pattern": "[file:name = 'c:\\\\\\\\System Volume Information\\\\\\\\{951841cb-d1a4-4d7c-b44e-2c3d25996e37}']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-08T14:06:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57a89eb7-8f40-4ab7-a7a4-4fe6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-09T13:57:10.000Z",
"modified": "2016-08-09T13:57:10.000Z",
"pattern": "[mutex:name = 'Global\\\\\\\\{b3898039-f3d8-4965-b618-a8a0d031cc5a}']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-09T13:57:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"mutex\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink