misp-circl-feed/feeds/circl/stix-2.1/5cacf210-9ecc-4a53-90a5-4c6a02de0b81.json


{
"type": "bundle",
"id": "bundle--5cacf210-9ecc-4a53-90a5-4c6a02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-10T09:38:25.000Z",
"modified": "2019-04-10T09:38:25.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5cacf210-9ecc-4a53-90a5-4c6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-10T09:38:25.000Z",
"modified": "2019-04-10T09:38:25.000Z",
"name": "OSINT - Flame 2.0: Risen from the Ashes",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5cacf25c-be88-4f49-9371-486d02de0b81",
"url--5cacf25c-be88-4f49-9371-486d02de0b81",
"x-misp-attribute--5cacf275-91f8-48f8-86b3-4a6602de0b81",
"indicator--5cacf524-c7cc-4a00-bcf6-0c6a02de0b81",
"indicator--5cacf2d6-8170-4ec2-8fa9-42a202de0b81",
"indicator--5cacf361-d240-4b8b-89c1-479e02de0b81",
"indicator--5cacf3a6-2794-4cca-b073-4d0102de0b81",
"indicator--5cacf3d5-4984-4241-beef-4ecd02de0b81",
"indicator--5cacf425-1e2c-467f-b0d9-4b9a02de0b81",
"indicator--5cacf45c-a150-42cc-91d0-472b02de0b81",
"indicator--5cacf4a2-992c-465c-b7e7-470f02de0b81",
"indicator--5cacf4eb-ea8c-4cef-bbf0-4f8b02de0b81",
"indicator--3ebf26f8-6710-4b32-a4a0-15d339e5350f",
"x-misp-object--019aaeec-55dd-4ce1-b20a-d92710b6b041",
"indicator--8697b11b-da93-4d4f-b701-a09aab24cb0d",
"x-misp-object--e44af2bf-950a-474b-8042-113d217e5f63",
"indicator--48fb1669-d25d-4800-a4bd-443720406f95",
"x-misp-object--be651b15-0ff4-4119-9a0a-de4730dc814d",
"indicator--7cc0330c-8e97-4662-8588-c4d54f58407c",
"x-misp-object--5cf63775-757f-43f1-94ea-a33377e12cd1",
"indicator--c301c4d8-3408-4e94-ac87-70c6b3f8d7a7",
"x-misp-object--d0ff9ea2-f4ed-4174-b077-308b005ae017",
"indicator--8c4f64e3-e346-40b6-b06f-8575a9ce1a83",
"x-misp-object--9a473378-5c49-4dc1-a58b-38b7ac011d49",
"indicator--287dff0c-5d73-4dca-badb-6de37ea6e766",
"x-misp-object--6e6742a5-13ab-483f-a968-22170d66e6e2",
"indicator--8403c5f0-33ff-475b-b1f1-aa1df43eff9d",
"x-misp-object--13e40b04-1b14-4396-9507-786fb8ee0191",
"x-misp-object--5cad948e-7a68-4202-ac52-46ea950d210f",
"relationship--526b397d-be04-4325-ba14-adf9d1f99675",
"relationship--abd1cb46-6e92-4303-83fc-cafd87f826e4",
"relationship--e78d36b7-c448-4f37-8994-b8548b1012c1",
"relationship--3ca3b98e-df79-42df-ad1b-f6e7c7a77c62",
"relationship--804020d9-e5b9-491d-82ce-479956a14447",
"relationship--e311abd0-c4b9-44b0-aa58-c7a476493971",
"relationship--13cf93d5-602e-4f14-ad15-0a7052dfeab1",
"relationship--30af4bb0-872f-4e52-a4b6-02681aee9aa7"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-enterprise-attack-malware=\"Flame\"",
"misp-galaxy:tool=\"Flame\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cacf25c-be88-4f49-9371-486d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:28:28.000Z",
"modified": "2019-04-09T19:28:28.000Z",
"first_observed": "2019-04-09T19:28:28Z",
"last_observed": "2019-04-09T19:28:28Z",
"number_observed": 1,
"object_refs": [
"url--5cacf25c-be88-4f49-9371-486d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cacf25c-be88-4f49-9371-486d02de0b81",
"value": "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cacf275-91f8-48f8-86b3-4a6602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:28:53.000Z",
"modified": "2019-04-09T19:28:53.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Our investigation into the GOSSIPGIRL Supra Threat Actor (STA) started with a REPLICANTFARM signature name that tentatively links the cryptonym GOSSIPGIRL to Flame. From there, we investigated MiniFlame and Gauss \u2013 two families related to the Flame platform \u2013 without finding any indication of succession to Flame\u2019s operations. Our investigation continued onto Stuxnet and Duqu but the altogether disappearance of Flame never sat right with us."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf524-c7cc-4a00-bcf6-0c6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:20.000Z",
"modified": "2019-04-09T19:40:20.000Z",
"pattern": "[import\u200b \u200b\"pe\"import\u200b \u200b\"hash\"rule FLAME2_Orchestrator{meta:desc \u200b=\u200b \u200b\"Encrypted resources in Flame2.0 Orchestrators\"author \u200b=\u200b \u200b\"turla @ Uppercase\"hash1 \u200b=\"15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1\"hash2 \u200b=\"426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82\"hash3 \u200b=\"af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4\"condition:for\u200b any i \u200bin\u200b \u200b(\u200b0.\u200b.\u200bpe\u200b.\u200bnumber_of_resources \u200b-\u200b \u200b1\u200b):(\u200b(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"53b19d9863d8ff8cde8e4358d1b57c04\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"4849cc439e524ef6a9964a3666dddb13\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"62bfe21a8eb76fd07e22326c0073fef5\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"dfed2c71749b04dad46d0ce52834492c\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9119aa701b39242a98be118d9c237ecc\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b 
pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"b69d168e29fba6c88ad4e670949815aa\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"4849cc439e524ef6a9964a3666dddb13\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"1933a1e254b1657a6a2eb8ad1fbe6fa3\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"dfed2c71749b04dad46d0ce52834492c\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9119aa701b39242a98be118d9c237ecc\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"b69d168e29fba6c88ad4e670949815aa\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"17c794f7056349cb82889b5e5b030d15\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"e15187f79b6916cb6763d29d215623c1\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b 
pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"923963bb24f2e2ceac9f9759071dba88\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"9a2766aba7f2a56ef1ab24cf171ee0ed\"\u200b)\u200b \u200bor(\u200bhash\u200b.\u200bmd5\u200b(\u200bpe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200boffset\u200b,\u200b pe\u200b.\u200bresources\u200b[\u200bi\u200b].\u200blength\u200b)\u200b \u200b==\"ebe15bfb5a3944ea4952ddf0f73aa6e8\")\u200b)}]",
"pattern_type": "yara",
"valid_from": "2019-04-09T19:40:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf2d6-8170-4ec2-8fa9-42a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:30:30.000Z",
"modified": "2019-04-09T19:30:30.000Z",
"pattern": "[file:hashes.SHA256 = '15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1' AND file:name = 'sensrsvcs.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:30:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf361-d240-4b8b-89c1-479e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:32:49.000Z",
"modified": "2019-04-09T19:32:49.000Z",
"pattern": "[file:hashes.SHA256 = '426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82' AND file:name = 'sensrsvcs.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:32:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf3a6-2794-4cca-b073-4d0102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:33:58.000Z",
"modified": "2019-04-09T19:33:58.000Z",
"pattern": "[file:hashes.SHA256 = 'af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4' AND file:name = 'sensrsvr.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:33:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf3d5-4984-4241-beef-4ecd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:34:45.000Z",
"modified": "2019-04-09T19:34:45.000Z",
"pattern": "[file:hashes.SHA256 = '69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64' AND file:name = 'sensrsvr.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:34:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf425-1e2c-467f-b0d9-4b9a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:36:05.000Z",
"modified": "2019-04-09T19:36:05.000Z",
"pattern": "[file:hashes.SHA256 = '0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb' AND file:name = 'wmisvcs64.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:36:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf45c-a150-42cc-91d0-472b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:37:00.000Z",
"modified": "2019-04-09T19:37:00.000Z",
"pattern": "[file:hashes.SHA256 = '8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad' AND file:name = 'wmisvcs64.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:37:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf4a2-992c-465c-b7e7-470f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:38:10.000Z",
"modified": "2019-04-09T19:38:10.000Z",
"pattern": "[file:hashes.SHA256 = 'b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362' AND file:name = 'wmihost64.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:38:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cacf4eb-ea8c-4cef-bbf0-4f8b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:39:23.000Z",
"modified": "2019-04-09T19:39:23.000Z",
"pattern": "[file:hashes.SHA256 = '134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4' AND file:name = 'wmihost.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:39:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3ebf26f8-6710-4b32-a4a0-15d339e5350f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:47.000Z",
"modified": "2019-04-09T19:40:47.000Z",
"pattern": "[file:hashes.MD5 = '2529ecdd21ad9854d52ab737306bee59' AND file:hashes.SHA1 = 'b144c68108d9a9208accb562b141d8b8a15550d7' AND file:hashes.SHA256 = '69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:40:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--019aaeec-55dd-4ce1-b20a-d92710b6b041",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:47.000Z",
"modified": "2019-04-09T19:40:47.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09 19:25:12",
"category": "Other",
"uuid": "cda2bde6-b763-42f6-a894-5fd2298cec87"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/69227d046ad108e5729e6bfaecc4e05a0da30d8e7e87769d9d3bbf17b4366e64/analysis/1554837912/",
"category": "Payload delivery",
"uuid": "f12fd4ac-1d89-4c87-ab7f-8981d9e12f24"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "4/70",
"category": "Payload delivery",
"uuid": "d7f96a43-c836-49fa-9a47-c9c7b955509d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8697b11b-da93-4d4f-b701-a09aab24cb0d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:47.000Z",
"modified": "2019-04-09T19:40:47.000Z",
"pattern": "[file:hashes.MD5 = '2a2614756387176845187a7de247a98a' AND file:hashes.SHA1 = 'ef2f8fca2a010f49ab4080a6439651320b95e44f' AND file:hashes.SHA256 = '15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:40:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e44af2bf-950a-474b-8042-113d217e5f63",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:47.000Z",
"modified": "2019-04-09T19:40:47.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09 19:37:57",
"category": "Other",
"uuid": "23b15a5c-28e3-447a-b7a1-0cd24b6cf23f"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1/analysis/1554838677/",
"category": "Payload delivery",
"uuid": "e1f5cd2c-1b4b-4a24-9bc5-35d4794acab5"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "6/66",
"category": "Payload delivery",
"uuid": "93a80e3b-e83c-4712-82e1-31c4e053ea2d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--48fb1669-d25d-4800-a4bd-443720406f95",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:47.000Z",
"modified": "2019-04-09T19:40:47.000Z",
"pattern": "[file:hashes.MD5 = '7ab1c0c5e7d1ed834bccdfcafb5b07f2' AND file:hashes.SHA1 = '21d3d7c33f63def5aed98d54dac5de218c49a35f' AND file:hashes.SHA256 = '426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:40:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--be651b15-0ff4-4119-9a0a-de4730dc814d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:47.000Z",
"modified": "2019-04-09T19:40:47.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09 19:23:23",
"category": "Other",
"uuid": "912c83ff-cdc9-4485-a904-2384fb9e195c"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82/analysis/1554837803/",
"category": "Payload delivery",
"uuid": "fbc9682d-7d72-44c9-9b9d-2666493b4c12"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "7/66",
"category": "Payload delivery",
"uuid": "03ee7243-f176-46d0-a04f-f34ae5ea6ddc"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7cc0330c-8e97-4662-8588-c4d54f58407c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"pattern": "[file:hashes.MD5 = '15a0b9948d60e6bc6f60d7226caa923f' AND file:hashes.SHA1 = '16a02af1746adbc173a5dc5a16012468133777c5' AND file:hashes.SHA256 = '0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:40:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5cf63775-757f-43f1-94ea-a33377e12cd1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09 19:37:54",
"category": "Other",
"uuid": "1e091e6a-ebe5-4c3b-9b5f-c9cb6a375015"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/0039eb194f00b975145a35ede6b48d9c1ea87a6b2e61ac015b3d38e7e46aecbb/analysis/1554838674/",
"category": "Payload delivery",
"uuid": "8962d991-4022-46cd-b23b-ac1b66118e2e"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "6/69",
"category": "Payload delivery",
"uuid": "15ef209b-969d-49a7-8eff-cd865725bfc8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c301c4d8-3408-4e94-ac87-70c6b3f8d7a7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"pattern": "[file:hashes.MD5 = '98303a3a424c407a3e27ab818066811c' AND file:hashes.SHA1 = '5ab8b1ac11789606333ff94066cae6048a335ac5' AND file:hashes.SHA256 = 'af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:40:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d0ff9ea2-f4ed-4174-b077-308b005ae017",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09 19:28:00",
"category": "Other",
"uuid": "a56f74da-1eb6-4b0e-9946-f4f64bfaa448"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4/analysis/1554838080/",
"category": "Payload delivery",
"uuid": "5ddc77d8-25bf-48b8-ba1e-a3e473a00edf"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "10/67",
"category": "Payload delivery",
"uuid": "425ae711-425a-4400-bdea-ca8ccb8e9021"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8c4f64e3-e346-40b6-b06f-8575a9ce1a83",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"pattern": "[file:hashes.MD5 = '6ce0a12d7461f3267af7fa835a0b5677' AND file:hashes.SHA1 = '941195b52f5ea4eb60027c3aeb67cd72e95f4c8e' AND file:hashes.SHA256 = 'b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:40:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9a473378-5c49-4dc1-a58b-38b7ac011d49",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09 19:16:19",
"category": "Other",
"uuid": "2294d851-edaf-4560-93de-6a3163cca0b4"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/b61c62724421d38a13c58877f31298bd663c1c8f8c3fe7d108eb9c8fe5ad0362/analysis/1554837379/",
"category": "Payload delivery",
"uuid": "086df5b9-0480-41c0-8d26-10c5e04a6d41"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "5/68",
"category": "Payload delivery",
"uuid": "a9717401-7206-494d-983b-0f029dcf4c2a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--287dff0c-5d73-4dca-badb-6de37ea6e766",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"pattern": "[file:hashes.MD5 = '883034ba4657ba4765a20f680721d0ea' AND file:hashes.SHA1 = 'eafb4e041587f4204c2dda9bbb91622ce34421f0' AND file:hashes.SHA256 = '8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:40:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6e6742a5-13ab-483f-a968-22170d66e6e2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09 17:37:57",
"category": "Other",
"uuid": "12cc2922-c79a-47cd-9c00-a1c9edb9b3e8"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/8cb78327bd69fda61afac9393187ad5533a63d43ebf74c0f9800bedb814b20ad/analysis/1554831477/",
"category": "Payload delivery",
"uuid": "1cb396f5-1a48-470f-acd5-72a4ee4a577d"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "3/70",
"category": "Payload delivery",
"uuid": "9dececda-d7d7-428b-aeb1-294204d06505"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8403c5f0-33ff-475b-b1f1-aa1df43eff9d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:48.000Z",
"modified": "2019-04-09T19:40:48.000Z",
"pattern": "[file:hashes.MD5 = '294be9caf93116430f7a8007a202e9fd' AND file:hashes.SHA1 = '45f348b46a745c1f45e4eac0185d73cc4e65edc3' AND file:hashes.SHA256 = '134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-09T19:40:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--13e40b04-1b14-4396-9507-786fb8ee0191",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-09 19:26:22",
"category": "Other",
"uuid": "6d627e0b-8860-4c24-b070-3147b81c8326"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/134849f697ab5f31ffb043b06e9ca1c9b98ffebba8af8ccdedd036a6263bf3a4/analysis/1554837982/",
"category": "Payload delivery",
"uuid": "a47abd4b-72f6-4b58-89c9-210de35edc1c"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "7/69",
"category": "Payload delivery",
"uuid": "39dce544-f7ac-41b8-82d1-512fb42eb17b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5cad948e-7a68-4202-ac52-46ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-10T07:00:30.000Z",
"modified": "2019-04-10T07:00:30.000Z",
"labels": [
"misp:name=\"microblog\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "post",
"value": "@juanandres_gs\r\n and @silascutler\r\n released research into FLAME 2.0 Risen from the Ashes at #TheSAS2019 (link: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0) medium.com/chronicle-blog\u2026 #yara rules included in the technical report (link: https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf) storage.googleapis.com/chronicle-rese\u2026",
"category": "Other",
"uuid": "5cad948e-7698-48e9-b3e4-4e8a950d210f"
},
{
"type": "text",
"object_relation": "type",
"value": "Twitter",
"category": "Other",
"uuid": "5cad948e-6674-469c-b14a-4206950d210f"
},
{
"type": "url",
"object_relation": "url",
"value": "https://mobile.twitter.com/markus_neis/status/1115478572116742144",
"category": "Network activity",
"to_ids": true,
"uuid": "5cad948e-1124-4eda-a29c-4d75950d210f"
},
{
"type": "text",
"object_relation": "username-quoted",
"value": "@juanandres_gs",
"category": "Other",
"uuid": "5cad948e-ff3c-4461-bdc9-4e64950d210f"
},
{
"type": "text",
"object_relation": "username-quoted",
"value": "@silascutler",
"category": "Other",
"uuid": "5cad948e-7ee4-4ce8-9b4f-4c13950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf",
"category": "Network activity",
"to_ids": true,
"uuid": "5cad948e-52d0-4f79-8ea3-4674950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0",
"category": "Network activity",
"to_ids": true,
"uuid": "5cad948e-5a4c-43c9-94df-4e0a950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://t.co/E2b4nT2Xcl?amp=1",
"category": "Network activity",
"to_ids": true,
"uuid": "5cad948e-daa0-4671-bad1-46b3950d210f"
},
{
"type": "url",
"object_relation": "link",
"value": "https://t.co/TajWhD5Bhq?amp=1",
"category": "Network activity",
"to_ids": true,
"uuid": "5cad948e-65c0-457c-85bc-4152950d210f"
},
{
"type": "datetime",
"object_relation": "creation-date",
"value": "Apr 9, 2019 6:56 AM",
"category": "Other",
"uuid": "5cad948e-5738-46b0-8c2a-49fa950d210f"
},
{
"type": "text",
"object_relation": "username",
"value": "markus_neis",
"category": "Other",
"uuid": "5cad948e-326c-435c-be57-4450950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "microblog"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--526b397d-be04-4325-ba14-adf9d1f99675",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--3ebf26f8-6710-4b32-a4a0-15d339e5350f",
"target_ref": "x-misp-object--019aaeec-55dd-4ce1-b20a-d92710b6b041"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--abd1cb46-6e92-4303-83fc-cafd87f826e4",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8697b11b-da93-4d4f-b701-a09aab24cb0d",
"target_ref": "x-misp-object--e44af2bf-950a-474b-8042-113d217e5f63"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e78d36b7-c448-4f37-8994-b8548b1012c1",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--48fb1669-d25d-4800-a4bd-443720406f95",
"target_ref": "x-misp-object--be651b15-0ff4-4119-9a0a-de4730dc814d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3ca3b98e-df79-42df-ad1b-f6e7c7a77c62",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--7cc0330c-8e97-4662-8588-c4d54f58407c",
"target_ref": "x-misp-object--5cf63775-757f-43f1-94ea-a33377e12cd1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--804020d9-e5b9-491d-82ce-479956a14447",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--c301c4d8-3408-4e94-ac87-70c6b3f8d7a7",
"target_ref": "x-misp-object--d0ff9ea2-f4ed-4174-b077-308b005ae017"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e311abd0-c4b9-44b0-aa58-c7a476493971",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8c4f64e3-e346-40b6-b06f-8575a9ce1a83",
"target_ref": "x-misp-object--9a473378-5c49-4dc1-a58b-38b7ac011d49"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--13cf93d5-602e-4f14-ad15-0a7052dfeab1",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--287dff0c-5d73-4dca-badb-6de37ea6e766",
"target_ref": "x-misp-object--6e6742a5-13ab-483f-a968-22170d66e6e2"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--30af4bb0-872f-4e52-a4b6-02681aee9aa7",
"created": "2019-04-09T19:40:49.000Z",
"modified": "2019-04-09T19:40:49.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8403c5f0-33ff-475b-b1f1-aa1df43eff9d",
"target_ref": "x-misp-object--13e40b04-1b14-4396-9507-786fb8ee0191"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}