misp-circl-feed/feeds/circl/stix-2.1/59861ab3-3ef8-4683-ad19-9533950d210f.json


{
"type": "bundle",
"id": "bundle--59861ab3-3ef8-4683-ad19-9533950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59861ab3-3ef8-4683-ad19-9533950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"name": "OSINT - TwoFace Webshell: Persistent Access Point for Lateral Movement",
"published": "2017-08-05T19:38:07Z",
"object_refs": [
"x-misp-attribute--59861af0-25a4-49f9-bf01-4f2c950d210f",
"observed-data--59861b17-1cbc-4813-965b-4fa3950d210f",
"url--59861b17-1cbc-4813-965b-4fa3950d210f",
"indicator--59861b70-3c18-4ad8-a631-4262950d210f",
"indicator--59861b70-0bf0-4044-8432-4ade950d210f",
"indicator--59861b70-f498-42f2-89ca-45e9950d210f",
"indicator--59861b70-8370-478b-8ad6-4c50950d210f",
"indicator--59861b87-9d74-4493-96ab-4d85950d210f",
"indicator--59861b87-fb2c-425a-85df-4f5d950d210f",
"indicator--59861ba3-3e74-4e1e-8e9c-4528950d210f",
"indicator--59861ba3-4fb8-4eb0-b43e-4528950d210f",
"indicator--59861ba3-ff20-4384-8bb4-4528950d210f",
"indicator--59861ba3-cd24-4f0d-90c7-4528950d210f",
"indicator--59861ba3-d38c-4274-9ef2-4528950d210f",
"indicator--59861ba3-d3b4-4c45-bc66-4528950d210f",
"indicator--59861ba3-dcd8-49d9-919c-4528950d210f",
"indicator--59861ba3-fd08-431f-b42e-4528950d210f",
"indicator--59861bc6-0238-4656-8840-9533950d210f",
"indicator--59861bc6-dc24-4ccf-bb7b-9533950d210f",
"indicator--59861bfb-a1cc-4996-8368-4245950d210f",
"indicator--59861c39-89f0-4b18-b602-475702de0b81",
"indicator--59861c39-db1c-4926-9bc9-4cb502de0b81",
"observed-data--59861c39-8ce8-498a-9f27-4b7a02de0b81",
"url--59861c39-8ce8-498a-9f27-4b7a02de0b81",
"indicator--59861c39-f138-4f70-9226-47b702de0b81",
"indicator--59861c39-09c0-4478-812f-4dbf02de0b81",
"observed-data--59861c39-a73c-4f9c-9e37-4cf802de0b81",
"url--59861c39-a73c-4f9c-9e37-4cf802de0b81",
"indicator--59861c39-3c84-4bd2-a0e9-412102de0b81",
"indicator--59861c39-cc70-4028-916c-459f02de0b81",
"observed-data--59861c39-5664-4e0a-8d88-4e5202de0b81",
"url--59861c39-5664-4e0a-8d88-4e5202de0b81",
"indicator--59861c39-f1ec-4cd9-ab7a-4dab02de0b81",
"indicator--59861c39-75bc-4043-a143-49c802de0b81",
"observed-data--59861c39-ac3c-41b3-b1b3-495c02de0b81",
"url--59861c39-ac3c-41b3-b1b3-495c02de0b81",
"indicator--59861c39-97a8-49a8-866c-4ffe02de0b81",
"indicator--59861c39-d250-46e9-b502-451502de0b81",
"observed-data--59861c39-63b0-4a13-a446-493802de0b81",
"url--59861c39-63b0-4a13-a446-493802de0b81",
"indicator--59861c39-bff0-4078-ba6c-4f8602de0b81",
"indicator--59861c39-0884-4dc6-ae42-4fcc02de0b81",
"observed-data--59861c39-84a8-4d66-9785-49e602de0b81",
"url--59861c39-84a8-4d66-9785-49e602de0b81",
"indicator--59861c39-c338-4b2b-91cc-4c9c02de0b81",
"indicator--59861c39-e778-459f-ac0b-46da02de0b81",
"observed-data--59861c39-7d64-4635-9b3e-405302de0b81",
"url--59861c39-7d64-4635-9b3e-405302de0b81",
"indicator--59861c39-f2dc-4158-bcbf-4b1b02de0b81",
"indicator--59861c39-f030-4c07-9afb-44d002de0b81",
"observed-data--59861c39-4ff4-4c9f-bc50-413702de0b81",
"url--59861c39-4ff4-4c9f-bc50-413702de0b81",
"indicator--59861c39-8884-4f11-a6fe-412602de0b81",
"indicator--59861c39-d110-41d3-9ee1-4bf202de0b81",
"observed-data--59861c39-8980-4e01-b5ac-4b7602de0b81",
"url--59861c39-8980-4e01-b5ac-4b7602de0b81",
"indicator--59861c39-0b80-4353-a6dc-491602de0b81",
"indicator--59861c39-d3d0-4f7c-ba66-404002de0b81",
"observed-data--59861c39-953c-4d87-871e-414302de0b81",
"url--59861c39-953c-4d87-871e-414302de0b81",
"indicator--59861c39-a978-48c5-8c2d-4a4102de0b81",
"indicator--59861c39-4220-433c-83ef-45b002de0b81",
"observed-data--59861c39-bfd4-40f0-b115-488102de0b81",
"url--59861c39-bfd4-40f0-b115-488102de0b81",
"indicator--59861c39-3dec-4985-9014-439e02de0b81",
"indicator--59861c39-c2b8-4764-90d5-47d002de0b81",
"observed-data--59861c39-f954-450e-a2d4-417602de0b81",
"url--59861c39-f954-450e-a2d4-417602de0b81",
"observed-data--59861e71-d65c-4eed-8a99-4aae950d210f",
"file--59861e71-d65c-4eed-8a99-4aae950d210f",
"observed-data--59861e71-ebe0-471d-b47c-4f97950d210f",
"file--59861e71-ebe0-471d-b47c-4f97950d210f",
"observed-data--59861e71-8dcc-46fb-a973-4597950d210f",
"file--59861e71-8dcc-46fb-a973-4597950d210f",
"observed-data--59861e71-4bbc-4cb5-9349-4e65950d210f",
"file--59861e71-4bbc-4cb5-9349-4e65950d210f",
"observed-data--59861e71-c574-4ca7-8d0e-44ac950d210f",
"file--59861e71-c574-4ca7-8d0e-44ac950d210f",
"observed-data--59861e71-eb0c-4230-aa9a-4ca4950d210f",
"file--59861e71-eb0c-4230-aa9a-4ca4950d210f",
"observed-data--59861e71-1754-46ee-9b2c-4459950d210f",
"file--59861e71-1754-46ee-9b2c-4459950d210f",
"observed-data--59861e71-7c58-4271-abbd-4c5d950d210f",
"file--59861e71-7c58-4271-abbd-4c5d950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59861af0-25a4-49f9-bf01-4f2c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\r\n\r\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861b17-1cbc-4813-965b-4fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"first_observed": "2017-08-05T19:27:52Z",
"last_observed": "2017-08-05T19:27:52Z",
"number_observed": 1,
"object_refs": [
"url--59861b17-1cbc-4813-965b-4fa3950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861b17-1cbc-4813-965b-4fa3950d210f",
"value": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861b70-3c18-4ad8-a631-4262950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Loader",
"pattern": "[file:hashes.SHA256 = 'ed684062f43d34834c4a87fdb68f4536568caf16c34a0ea451e6f25cf1532d51']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861b70-0bf0-4044-8432-4ade950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Loader",
"pattern": "[file:hashes.SHA256 = 'f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861b70-f498-42f2-89ca-45e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Loader",
"pattern": "[file:hashes.SHA256 = '9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861b70-8370-478b-8ad6-4c50950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Loader",
"pattern": "[file:hashes.SHA256 = 'd0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861b87-9d74-4493-96ab-4d85950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace++ Loader",
"pattern": "[file:hashes.SHA256 = 'bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861b87-fb2c-425a-85df-4f5d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace++ Loader",
"pattern": "[file:hashes.SHA256 = '8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861ba3-3e74-4e1e-8e9c-4528950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Payload",
"pattern": "[file:hashes.SHA256 = '8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861ba3-4fb8-4eb0-b43e-4528950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Payload",
"pattern": "[file:hashes.SHA256 = '0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861ba3-ff20-4384-8bb4-4528950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Payload",
"pattern": "[file:hashes.SHA256 = '54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861ba3-cd24-4f0d-90c7-4528950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Payload",
"pattern": "[file:hashes.SHA256 = '818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861ba3-d38c-4274-9ef2-4528950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Payload",
"pattern": "[file:hashes.SHA256 = 'fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861ba3-d3b4-4c45-bc66-4528950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Payload",
"pattern": "[file:hashes.SHA256 = '79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861ba3-dcd8-49d9-919c-4528950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Payload",
"pattern": "[file:hashes.SHA256 = 'e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861ba3-fd08-431f-b42e-4528950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "TwoFace Payload",
"pattern": "[file:hashes.SHA256 = 'c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861bc6-0238-4656-8840-9533950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "IntrudingDivisor Shell",
"pattern": "[file:hashes.SHA256 = 'e342d6bf07de1257e82f4ea19e9f08c9e11a43d9ad576cd799782f6e968914b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861bc6-dc24-4ccf-bb7b-9533950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "IntrudingDivisor Shell",
"pattern": "[file:hashes.SHA256 = '49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861bfb-a1cc-4996-8368-4245950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:52.000Z",
"modified": "2017-08-05T19:27:52.000Z",
"description": "Mimikatz",
"pattern": "[file:hashes.SHA256 = 'f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-89f0-4b18-b602-475702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "Mimikatz - Xchecked via VT: f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0",
"pattern": "[file:hashes.SHA1 = '28e2b56ee6ca16d84bc05f01dd6abeb12ef52e77']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-db1c-4926-9bc9-4cb502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "Mimikatz - Xchecked via VT: f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0",
"pattern": "[file:hashes.MD5 = 'cb567013f063019f5f57fa8240caa3dc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-8ce8-498a-9f27-4b7a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-8ce8-498a-9f27-4b7a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-8ce8-498a-9f27-4b7a02de0b81",
"value": "https://www.virustotal.com/file/f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0/analysis/1501873561/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-f138-4f70-9226-47b702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "IntrudingDivisor Shell - Xchecked via VT: 49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e",
"pattern": "[file:hashes.SHA1 = 'e4ac7454be74994e5b32e4a2aedd21b077417a4c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-09c0-4478-812f-4dbf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "IntrudingDivisor Shell - Xchecked via VT: 49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e",
"pattern": "[file:hashes.MD5 = '872df1b1889f34a6479952d258c73ccb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-a73c-4f9c-9e37-4cf802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-a73c-4f9c-9e37-4cf802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-a73c-4f9c-9e37-4cf802de0b81",
"value": "https://www.virustotal.com/file/49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e/analysis/1501873544/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-3c84-4bd2-a0e9-412102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113",
"pattern": "[file:hashes.SHA1 = '1a9b15800c570997191ec1613ac5816c280d8283']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-cc70-4028-916c-459f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113",
"pattern": "[file:hashes.MD5 = '154354bbb42ff8326fff9b86ce22e1a9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-5664-4e0a-8d88-4e5202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-5664-4e0a-8d88-4e5202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-5664-4e0a-8d88-4e5202de0b81",
"value": "https://www.virustotal.com/file/fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113/analysis/1501873497/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-f1ec-4cd9-ab7a-4dab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: 818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f",
"pattern": "[file:hashes.SHA1 = '5260114801ddd07f721fa04607c722d2add0fa32']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-75bc-4043-a143-49c802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: 818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f",
"pattern": "[file:hashes.MD5 = '7d8766edf1680bdb12ff4b71a2e53edf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-ac3c-41b3-b1b3-495c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-ac3c-41b3-b1b3-495c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-ac3c-41b3-b1b3-495c02de0b81",
"value": "https://www.virustotal.com/file/818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f/analysis/1501873479/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-97a8-49a8-866c-4ffe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: 54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f",
"pattern": "[file:hashes.SHA1 = 'a406513a493e2ee9fa0db8f1d9871cb982906a48']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-d250-46e9-b502-451502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: 54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f",
"pattern": "[file:hashes.MD5 = 'c2dcbd7b96d363b84cf655648cd6b59e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-63b0-4a13-a446-493802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-63b0-4a13-a446-493802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-63b0-4a13-a446-493802de0b81",
"value": "https://www.virustotal.com/file/54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f/analysis/1501873465/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-bff0-4078-ba6c-4f8602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: 0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f",
"pattern": "[file:hashes.SHA1 = 'e2446d181c54d3883a3613404cfbba666bb04106']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-0884-4dc6-ae42-4fcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: 0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f",
"pattern": "[file:hashes.MD5 = 'fb5aa6b2dae48602ad5db408800b908e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-84a8-4d66-9785-49e602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-84a8-4d66-9785-49e602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-84a8-4d66-9785-49e602de0b81",
"value": "https://www.virustotal.com/file/0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f/analysis/1501954505/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-c338-4b2b-91cc-4c9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: 8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b",
"pattern": "[file:hashes.SHA1 = '9cc0e7f80ca9dce6976bda0660885825a1f1afbf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-e778-459f-ac0b-46da02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Payload - Xchecked via VT: 8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b",
"pattern": "[file:hashes.MD5 = 'aff218b56ae622a3b3376996a33287ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-7d64-4635-9b3e-405302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-7d64-4635-9b3e-405302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-7d64-4635-9b3e-405302de0b81",
"value": "https://www.virustotal.com/file/8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b/analysis/1501873416/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-f2dc-4158-bcbf-4b1b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace++ Loader - Xchecked via VT: 8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e",
"pattern": "[file:hashes.SHA1 = '8d82ea31ce64e262c834ceed49ea97a53f8302e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-f030-4c07-9afb-44d002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace++ Loader - Xchecked via VT: 8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e",
"pattern": "[file:hashes.MD5 = '142b659975be77dd125fd3432c95e5de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-4ff4-4c9f-bc50-413702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-4ff4-4c9f-bc50-413702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-4ff4-4c9f-bc50-413702de0b81",
"value": "https://www.virustotal.com/file/8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e/analysis/1501873395/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-8884-4f11-a6fe-412602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace++ Loader - Xchecked via VT: bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef",
"pattern": "[file:hashes.SHA1 = '75890380e99448e612530871f2c65b27c9a401ec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-d110-41d3-9ee1-4bf202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace++ Loader - Xchecked via VT: bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef",
"pattern": "[file:hashes.MD5 = '6ca2818f6cce5b5fc484c3557b59a003']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-8980-4e01-b5ac-4b7602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-8980-4e01-b5ac-4b7602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-8980-4e01-b5ac-4b7602de0b81",
"value": "https://www.virustotal.com/file/bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef/analysis/1501873378/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-0b80-4353-a6dc-491602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Loader - Xchecked via VT: d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3",
"pattern": "[file:hashes.SHA1 = '418fb8a86d3a9ce0b32ef338de2fa4b3a4cffc6f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-d3d0-4f7c-ba66-404002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Loader - Xchecked via VT: d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3",
"pattern": "[file:hashes.MD5 = 'abb7f1eefdc2a539cfe541f416f22407']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-953c-4d87-871e-414302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-953c-4d87-871e-414302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-953c-4d87-871e-414302de0b81",
"value": "https://www.virustotal.com/file/d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3/analysis/1501873357/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-a978-48c5-8c2d-4a4102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Loader - Xchecked via VT: 9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813",
"pattern": "[file:hashes.SHA1 = 'a238ac53363f8a4b65271a1f380c21ceacd9c0b3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-4220-433c-83ef-45b002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Loader - Xchecked via VT: 9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813",
"pattern": "[file:hashes.MD5 = 'c0e62672fab65be9ecf54a64730323b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-bfd4-40f0-b115-488102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-bfd4-40f0-b115-488102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-bfd4-40f0-b115-488102de0b81",
"value": "https://www.virustotal.com/file/9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813/analysis/1501873330/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-3dec-4985-9014-439e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Loader - Xchecked via VT: f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5",
"pattern": "[file:hashes.SHA1 = 'da78d71fce08e809f114bfb931daa9a5ec7eea33']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59861c39-c2b8-4764-90d5-47d002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"description": "TwoFace Loader - Xchecked via VT: f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5",
"pattern": "[file:hashes.MD5 = '6c6567b4ccf9c650c4ae80b516881164']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-05T19:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861c39-f954-450e-a2d4-417602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:27:53.000Z",
"modified": "2017-08-05T19:27:53.000Z",
"first_observed": "2017-08-05T19:27:53Z",
"last_observed": "2017-08-05T19:27:53Z",
"number_observed": 1,
"object_refs": [
"url--59861c39-f954-450e-a2d4-417602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59861c39-f954-450e-a2d4-417602de0b81",
"value": "https://www.virustotal.com/file/f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5/analysis/1501873300/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861e71-d65c-4eed-8a99-4aae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"first_observed": "2017-08-05T19:37:21Z",
"last_observed": "2017-08-05T19:37:21Z",
"number_observed": 1,
"object_refs": [
"file--59861e71-d65c-4eed-8a99-4aae950d210f"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59861e71-d65c-4eed-8a99-4aae950d210f",
"hashes": {
"SHA-1": "a2c9afd6adac242827adb00d76c20c491b2d2247"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861e71-ebe0-471d-b47c-4f97950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"first_observed": "2017-08-05T19:37:21Z",
"last_observed": "2017-08-05T19:37:21Z",
"number_observed": 1,
"object_refs": [
"file--59861e71-ebe0-471d-b47c-4f97950d210f"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59861e71-ebe0-471d-b47c-4f97950d210f",
"hashes": {
"SHA-1": "6a0e681586988388d4a0690b6fb686715d92d069"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861e71-8dcc-46fb-a973-4597950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"first_observed": "2017-08-05T19:37:21Z",
"last_observed": "2017-08-05T19:37:21Z",
"number_observed": 1,
"object_refs": [
"file--59861e71-8dcc-46fb-a973-4597950d210f"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59861e71-8dcc-46fb-a973-4597950d210f",
"hashes": {
"SHA-1": "5e1c37bf3bd8a7567d46db63ed9b0aeed53e57fe"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861e71-4bbc-4cb5-9349-4e65950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"first_observed": "2017-08-05T19:37:21Z",
"last_observed": "2017-08-05T19:37:21Z",
"number_observed": 1,
"object_refs": [
"file--59861e71-4bbc-4cb5-9349-4e65950d210f"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59861e71-4bbc-4cb5-9349-4e65950d210f",
"hashes": {
"SHA-1": "37ada887553cf48715cc19131b8e661ac43718e9"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861e71-c574-4ca7-8d0e-44ac950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"first_observed": "2017-08-05T19:37:21Z",
"last_observed": "2017-08-05T19:37:21Z",
"number_observed": 1,
"object_refs": [
"file--59861e71-c574-4ca7-8d0e-44ac950d210f"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59861e71-c574-4ca7-8d0e-44ac950d210f",
"hashes": {
"SHA-1": "9789b5c0c13fb58c423bce5577873d413d9494be"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861e71-eb0c-4230-aa9a-4ca4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"first_observed": "2017-08-05T19:37:21Z",
"last_observed": "2017-08-05T19:37:21Z",
"number_observed": 1,
"object_refs": [
"file--59861e71-eb0c-4230-aa9a-4ca4950d210f"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59861e71-eb0c-4230-aa9a-4ca4950d210f",
"hashes": {
"SHA-1": "c56bc0d331a825fdea01c5437877d5e9e1cda2c4"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861e71-1754-46ee-9b2c-4459950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"first_observed": "2017-08-05T19:37:21Z",
"last_observed": "2017-08-05T19:37:21Z",
"number_observed": 1,
"object_refs": [
"file--59861e71-1754-46ee-9b2c-4459950d210f"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59861e71-1754-46ee-9b2c-4459950d210f",
"hashes": {
"SHA-1": "9f4e10484f4ceac34878d4f621a1ad8e580fd02a"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59861e71-7c58-4271-abbd-4c5d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-05T19:37:21.000Z",
"modified": "2017-08-05T19:37:21.000Z",
"first_observed": "2017-08-05T19:37:21Z",
"last_observed": "2017-08-05T19:37:21Z",
"number_observed": 1,
"object_refs": [
"file--59861e71-7c58-4271-abbd-4c5d950d210f"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--59861e71-7c58-4271-abbd-4c5d950d210f",
"hashes": {
"SHA-1": "57dd9721f9837ebd24dea55a90a2a9e3e6ad6f1e"
}
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}