{
"type": "bundle",
"id": "bundle--5bf7ba12-bec4-4d01-8330-4373950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:40.000Z",
"modified": "2018-11-23T15:34:40.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5bf7ba12-bec4-4d01-8330-4373950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:40.000Z",
"modified": "2018-11-23T15:34:40.000Z",
"name": "OSINT - Turla PNG Dropper is back",
"published": "2018-11-23T15:34:53Z",
"object_refs": [
"observed-data--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
"url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
"x-misp-attribute--5bf7bb86-3374-4ece-8226-4383950d210f",
"observed-data--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
"url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
"indicator--5bf7d798-4a08-48f1-9e9c-4744950d210f",
"indicator--5bf7d7ce-2514-4e61-ac16-6b24950d210f",
"observed-data--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
"url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
"indicator--5bf7df1a-f8d4-46d6-837e-446b950d210f",
"indicator--5bf7dad4-098c-4666-9e4d-4958950d210f",
"indicator--5bf7db2a-2440-4ed3-ae21-6b24950d210f",
"indicator--5bf7e05b-4018-4130-afed-4d90950d210f",
"indicator--5bf7e069-2af4-442f-a0c4-4cd4950d210f",
"indicator--5bf7e0cb-7f0c-4eef-a610-f5d5950d210f",
"indicator--5bf7e0e2-94c8-47df-a0ae-4620950d210f",
"indicator--5bf7e123-cbfc-4f9c-a8c0-4064950d210f",
"indicator--5bf7e186-6c94-4a68-90a1-493a950d210f",
"indicator--5bf7e1c8-5f30-420c-b9e1-f5d5950d210f",
"indicator--5bf7e202-29a4-4f46-94cc-fb4f950d210f",
"indicator--5bf7e210-29f8-4e5c-964e-37a2950d210f",
"indicator--370ee35f-2e62-4fa1-87de-59a36b9ad817",
"x-misp-object--003ceafa-e652-4272-89f0-356846947659",
"indicator--672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6",
"x-misp-object--ebf1d2c1-c387-463f-ac79-5573cec56447",
"indicator--07a6a6dc-9c22-4773-8432-cdd60d62f8bc",
"x-misp-object--dfee9eb0-06b6-4817-aa43-a2d63f0a49f2",
"indicator--b12e81db-47cb-482e-8deb-e6c98261d878",
"x-misp-object--cf0b0660-5bc6-4da8-816b-f6133511fbf0"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Turla Group\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T08:37:10.000Z",
"modified": "2018-11-23T08:37:10.000Z",
"first_observed": "2018-11-23T08:37:10Z",
"last_observed": "2018-11-23T08:37:10Z",
"number_observed": 1,
"object_refs": [
"url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f",
"value": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5bf7bb86-3374-4ece-8226-4383950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T08:37:08.000Z",
"modified": "2018-11-23T08:37:08.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group researchers have uncovered samples with a new payload that we have internally named RegRunnerSvc.\r\n\r\nIt\u2019s worth noting at this point that there are other components to this infection that we have not managed to obtain. There will be a first stage dropper that will drop and install the PNG Dropper/RegRunnerSvc. Nevertheless, we think that it is worth documenting this new use of the PNG Dropper."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T08:49:36.000Z",
"modified": "2018-11-23T08:49:36.000Z",
"first_observed": "2018-11-23T08:49:36Z",
"last_observed": "2018-11-23T08:49:36Z",
"number_observed": 1,
"object_refs": [
"url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f",
"value": "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7d798-4a08-48f1-9e9c-4744950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T10:34:00.000Z",
"modified": "2018-11-23T10:34:00.000Z",
"pattern": "[rule turla_png_dropper {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Detects the PNG Dropper used by the Turla group\"\r\n sha256 = \r\n\"6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27\"\r\n\r\n strings:\r\n $api0 = \"GdiplusStartup\"\r\n $api1 = \"GdipAlloc\"\r\n $api2 = \"GdipCreateBitmapFromStreamICM\"\r\n $api3 = \"GdipBitmapLockBits\"\r\n $api4 = \"GdipGetImageWidth\"\r\n $api5 = \"GdipGetImageHeight\"\r\n $api6 = \"GdiplusShutdown\"\r\n\r\n $code32 = {\r\n 8B 46 3C // mov eax, [esi+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n 66 39 4C 30 18 // cmp [eax+esi+18h], cx\r\n 8B 44 30 28 // mov eax, [eax+esi+28h]\r\n 6A 00 // push 0\r\n B9 AF BE AD DE // mov ecx, 0DEADBEAFh\r\n 51 // push ecx\r\n 51 // push ecx\r\n 03 C6 // add eax, esi\r\n 56 // push esi\r\n FF D0 // call eax\r\n }\r\n\r\n $code64 = {\r\n 48 63 43 3C // movsxd rax, dword ptr [rbx+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n BA AF BE AD DE // mov edx, 0DEADBEAFh\r\n 66 39 4C 18 18 // cmp [rax+rbx+18h], cx\r\n 8B 44 18 28 // mov eax, [rax+rbx+28h]\r\n 45 33 C9 // xor r9d, r9d\r\n 44 8B C2 // mov r8d, edx\r\n 48 8B CB // mov rcx, rbx\r\n 48 03 C3 // add rax, rbx\r\n FF D0 // call rax\r\n }\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n all of ($api*) and \r\n 1 of ($code*)\r\n}]",
"pattern_type": "yara",
"valid_from": "2018-11-23T10:34:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7d7ce-2514-4e61-ac16-6b24950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T10:34:54.000Z",
"modified": "2018-11-23T10:34:54.000Z",
"pattern": "[rule turla_png_reg_enum_payload {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Payload that has most recently been dropped by the\r\nTurla PNG Dropper\"\r\n shas256 =\r\n\"fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3\"\r\n\r\n strings:\r\n $crypt00 = \"Microsoft Software Key Storage Provider\" wide\r\n $crypt01 = \"ChainingModeCBC\" wide\r\n $crypt02 = \"AES\" wide\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n pe.imports(\"advapi32.dll\", \"StartServiceCtrlDispatcherA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumValueA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumKeyExA\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenStorageProvider\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptEnumKeys\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenKey\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptDecrypt\") and\r\n pe.imports(\"ncrypt.dll\", \"BCryptGenerateSymmetricKey\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptGetProperty\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptDecrypt\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptEncrypt\") and \r\n all of them\r\n}]",
"pattern_type": "yara",
"valid_from": "2018-11-23T10:34:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T10:50:21.000Z",
"modified": "2018-11-23T10:50:21.000Z",
"first_observed": "2018-11-23T10:50:21Z",
"last_observed": "2018-11-23T10:50:21Z",
"number_observed": 1,
"object_refs": [
"url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f",
"value": "https://github.com/carbonblack/threat-research-tools/tree/master/png_extract"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7df1a-f8d4-46d6-837e-446b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:06:02.000Z",
"modified": "2018-11-23T11:06:02.000Z",
"pattern": "[rule PNG_dropper:RU TR APT\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \u00e2\u20ac\u0153CarbonBlack Threat Research\u00e2\u20ac\u009d\r\n\r\n date = \u00e2\u20ac\u01532017-June-11\u00e2\u20ac\u009d\r\n\r\n description = \u00e2\u20ac\u0153Dropper tool that extracts payload from PNG resources\u00e2\u20ac\u009d\r\n\r\n yara_version = \u00e2\u20ac\u01533.5.0\u00e2\u20ac\u009d\r\n\r\n exemplar_hashes = \u00e2\u20ac\u01533a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3, 69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290, eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158 \u00e2\u20ac\u0153\r\n\r\n strings:\r\n\r\n$s1 = \u00e2\u20ac\u0153GdipGetImageWidth\u00e2\u20ac\u009d\r\n\r\n$s2 = \u00e2\u20ac\u0153GdipGetImageHeight\u00e2\u20ac\u009d\r\n\r\n$s3 = \u00e2\u20ac\u0153GdipCreateBitmapFromStream\u00e2\u20ac\u009d\r\n\r\n$s4 = \u00e2\u20ac\u0153GdipCreateBitmapFromStreamICM\u00e2\u20ac\u009d\r\n\r\n$s5 = \u00e2\u20ac\u0153GdipBitmapLockBits\u00e2\u20ac\u009d\r\n\r\n$s6 = \u00e2\u20ac\u0153GdipBitmapUnlockBits\u00e2\u20ac\u009d\r\n\r\n$s7 = \u00e2\u20ac\u0153LockResource\u00e2\u20ac\u009d\r\n\r\n$s8 = \u00e2\u20ac\u0153LoadResource\u00e2\u20ac\u009d\r\n\r\n$s9 = \u00e2\u20ac\u0153ExpandEnvironmentStringsW\u00e2\u20ac\u009d\r\n\r\n$s10 = \u00e2\u20ac\u0153SetFileTime\u00e2\u20ac\u009d\r\n\r\n$s11 = \u00e2\u20ac\u0153memcmp\u00e2\u20ac\u009d\r\n\r\n$s12 = \u00e2\u20ac\u0153strlen\u00e2\u20ac\u009d\r\n\r\n$s13 = \u00e2\u20ac\u0153memcpy\u00e2\u20ac\u009d\r\n\r\n$s14 = \u00e2\u20ac\u0153memchr\u00e2\u20ac\u009d\r\n\r\n$s15 = \u00e2\u20ac\u0153memmove\u00e2\u20ac\u009d\r\n\r\n$s16 = \u00e2\u20ac\u0153ZwQueryValueKey\u00e2\u20ac\u009d\r\n\r\n$s17 = \u00e2\u20ac\u0153ZwQueryInformationProcess\u00e2\u20ac\u009d\r\n\r\n$s18 = \u00e2\u20ac\u0153FindNextFile\u00e2\u20ac\u009d\r\n\r\n$s19 = \u00e2\u20ac\u0153GetModuleHandle\u00e2\u20ac\u009d\r\n\r\n$s20 = \u00e2\u20ac\u0153VirtualFree\u00e2\u20ac\u009d\r\n\r\n$PNG1 = {89 50 4E 47 
[8] 49 48 44 52} //PNG Header\r\n\r\n$bin32_bit1 = {50 68 07 10 06 00 6A 07 8?} //BitmapLockBits_x86\r\n\r\n$bin64_bit1 = {41 B? 07 10 06 00} //BitmapLockBits_x64\r\n\r\n$bin64_bit2 = {41 B? 07 00 00 00}//BitmapLockBits_x64\r\n\r\n$bin32_virt1 = {6A 40 68 00 10 00 00 50 53} //VirtualAlloc_x86\r\n\r\n$bin64_virt1 = {40 41 B? 00 10 00 00}//VirtualAlloc_x64\r\n\r\n \r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and// MZ header check\r\n\r\n filesize < 6MB and\r\n\r\n 18 of ($s*) and\r\n\r\n (#PNG1 > 7) and\r\n\r\n//checks for multiple PNG headers\r\n\r\n ((#bin32_bit1 > 1 and $bin32_virt1) or\r\n\r\n//More than 1 of $bin32_bit and $bi32_virt1\r\n\r\n (for 1 of ($bin64_bit*) : (# > 2) and $bin64_virt1))\r\n\r\n//1 of $bin64_bit \u00e2\u20ac\u201c present more that 2 times and $bin64_Virt1\r\n\r\n}]",
"pattern_type": "yara",
"valid_from": "2018-11-23T11:06:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7dad4-098c-4666-9e4d-4958950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T10:47:48.000Z",
"modified": "2018-11-23T10:47:48.000Z",
"description": "PNG Dropper",
"pattern": "[file:hashes.SHA256 = '6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T10:47:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7db2a-2440-4ed3-ae21-6b24950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T10:49:14.000Z",
"modified": "2018-11-23T10:49:14.000Z",
"description": "Payload contained in the PNG dropper",
"pattern": "[file:hashes.SHA256 = 'fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T10:49:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e05b-4018-4130-afed-4d90950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:11:23.000Z",
"modified": "2018-11-23T11:11:23.000Z",
"pattern": "[file:hashes.MD5 = 'f84aa30676d2c05ed290b43c4c1e2d4c' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:11:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e069-2af4-442f-a0c4-4cd4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:11:37.000Z",
"modified": "2018-11-23T11:11:37.000Z",
"pattern": "[file:hashes.MD5 = 'ae2ec6d8e455c674d5486ce198d4d46e' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:11:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e0cb-7f0c-4eef-a610-f5d5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:13:15.000Z",
"modified": "2018-11-23T11:13:15.000Z",
"pattern": "[file:hashes.MD5 = '7a1a174dd24d3f88454615102a074600' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:13:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e0e2-94c8-47df-a0ae-4620950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:13:38.000Z",
"modified": "2018-11-23T11:13:38.000Z",
"pattern": "[file:hashes.SHA1 = '645985805780510670092469b7627a23803eefd1' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:13:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e123-cbfc-4f9c-a8c0-4064950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:14:43.000Z",
"modified": "2018-11-23T11:14:43.000Z",
"pattern": "[file:hashes.SHA1 = '17941a20d86c9518c168c7f765785095a57246a3' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:14:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e186-6c94-4a68-90a1-493a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:16:22.000Z",
"modified": "2018-11-23T11:16:22.000Z",
"pattern": "[file:hashes.SHA1 = 'ba221b85c1923866ce2ec3cd0824970216052c82' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:16:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e1c8-5f30-420c-b9e1-f5d5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:17:28.000Z",
"modified": "2018-11-23T11:17:28.000Z",
"pattern": "[file:hashes.SHA256 = 'eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:17:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e202-29a4-4f46-94cc-fb4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:18:26.000Z",
"modified": "2018-11-23T11:18:26.000Z",
"pattern": "[file:hashes.SHA256 = '69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:18:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf7e210-29f8-4e5c-964e-37a2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T11:18:40.000Z",
"modified": "2018-11-23T11:18:40.000Z",
"pattern": "[file:hashes.SHA256 = '3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T11:18:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--370ee35f-2e62-4fa1-87de-59a36b9ad817",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:07.000Z",
"modified": "2018-11-23T15:34:07.000Z",
"pattern": "[file:hashes.MD5 = '7a1a174dd24d3f88454615102a074600' AND file:hashes.SHA1 = '645985805780510670092469b7627a23803eefd1' AND file:hashes.SHA256 = 'eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T15:34:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--003ceafa-e652-4272-89f0-356846947659",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:09.000Z",
"modified": "2018-11-23T15:34:09.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-10-17T23:41:05",
"category": "Other",
"uuid": "ded701b7-f8e5-4a51-94eb-9509c5a5f6c7"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158/analysis/1539819665/",
"category": "External analysis",
"uuid": "2b06642b-d74e-4910-9a74-980fdb5cebb3"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "48/67",
"category": "Other",
"uuid": "2a5f6f23-8854-48fd-bb7c-dda116812263"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:10.000Z",
"modified": "2018-11-23T15:34:10.000Z",
"pattern": "[file:hashes.MD5 = 'f84aa30676d2c05ed290b43c4c1e2d4c' AND file:hashes.SHA1 = '17941a20d86c9518c168c7f765785095a57246a3' AND file:hashes.SHA256 = '69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T15:34:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ebf1d2c1-c387-463f-ac79-5573cec56447",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:11.000Z",
"modified": "2018-11-23T15:34:11.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-09-27T23:11:14",
"category": "Other",
"uuid": "6443cb5d-0517-4dda-b7b7-7eb5d39ae7fa"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290/analysis/1538089874/",
"category": "External analysis",
"uuid": "3e316cfb-ba54-4612-9ee6-20204adc750d"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "24/68",
"category": "Other",
"uuid": "e2c20e0f-18f6-4fbf-86ad-f0d025f17266"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--07a6a6dc-9c22-4773-8432-cdd60d62f8bc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:12.000Z",
"modified": "2018-11-23T15:34:12.000Z",
"pattern": "[file:hashes.MD5 = 'ae2ec6d8e455c674d5486ce198d4d46e' AND file:hashes.SHA1 = 'ba221b85c1923866ce2ec3cd0824970216052c82' AND file:hashes.SHA256 = '3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T15:34:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--dfee9eb0-06b6-4817-aa43-a2d63f0a49f2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:14.000Z",
"modified": "2018-11-23T15:34:14.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-10-17T04:41:54",
"category": "Other",
"uuid": "a4daa13a-1374-4259-af44-d8c88ea2cc58"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3/analysis/1539751314/",
"category": "External analysis",
"uuid": "a305ca88-cd28-4233-af68-b4def8e76110"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/67",
"category": "Other",
"uuid": "ad12f987-16cf-453d-8e0f-bd6d3758823d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b12e81db-47cb-482e-8deb-e6c98261d878",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:15.000Z",
"modified": "2018-11-23T15:34:15.000Z",
"pattern": "[file:hashes.MD5 = 'd2e8e75c30dccd98a95d25b218ba7d2e' AND file:hashes.SHA1 = '72997e699d6c7cd5a2409535bfdef58695ed46fa' AND file:hashes.SHA256 = '6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-23T15:34:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--cf0b0660-5bc6-4da8-816b-f6133511fbf0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-23T15:34:16.000Z",
"modified": "2018-11-23T15:34:16.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-11-23T13:40:06",
"category": "Other",
"uuid": "9797ab40-8d7c-4a60-ab23-f6f99e9492b0"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27/analysis/1542980406/",
"category": "External analysis",
"uuid": "2817750f-5b18-463e-baa8-19fba2fb0765"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "47/69",
"category": "Other",
"uuid": "164f9a1b-2a21-40de-be22-762bb37ab16e"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}