767 lines
No EOL
34 KiB
JSON
767 lines
No EOL
34 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5a390de6-4a58-4a19-89fb-4620950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-21T03:00:39.000Z",
|
|
"modified": "2017-12-21T03:00:39.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5a390de6-4a58-4a19-89fb-4620950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-21T03:00:39.000Z",
|
|
"modified": "2017-12-21T03:00:39.000Z",
|
|
"name": "OSINT - Zeus Panda Banking Trojan Targets Online Holiday Shoppers",
|
|
"published": "2017-12-28T13:33:53Z",
|
|
"object_refs": [
|
|
"observed-data--5a390e33-a644-4e3a-957d-1606950d210f",
|
|
"url--5a390e33-a644-4e3a-957d-1606950d210f",
|
|
"x-misp-attribute--5a390e5c-090c-4b23-83f0-1714950d210f",
|
|
"indicator--5a390ecd-e0a8-4c1e-95bc-498c950d210f",
|
|
"indicator--5a390eec-3874-4509-a0dd-1708950d210f",
|
|
"indicator--5a390efa-6134-40fc-901a-1713950d210f",
|
|
"indicator--5a390f86-f3c8-4662-96dd-1690950d210f",
|
|
"indicator--5a390f86-06c8-4a7b-a2de-1690950d210f",
|
|
"indicator--5a390f87-2be4-4d90-b4b6-1690950d210f",
|
|
"indicator--5a390f87-208c-477f-a436-1690950d210f",
|
|
"indicator--5a390f87-7364-456f-9669-1690950d210f",
|
|
"indicator--5a390f87-7528-4d33-a029-1690950d210f",
|
|
"indicator--5a3910b0-33e0-4ba5-b4e3-18e3950d210f",
|
|
"indicator--5a3910b0-2350-40f6-bf70-18e3950d210f",
|
|
"observed-data--5a390eac-8b20-4401-83c1-169e950d210f",
|
|
"email-message--5a390eac-8b20-4401-83c1-169e950d210f",
|
|
"indicator--5a390f46-b670-4975-842a-473d950d210f",
|
|
"indicator--5a3910e8-d3fc-421d-a96b-1690950d210f",
|
|
"indicator--5a39110d-413c-4ff2-b531-bfd8950d210f",
|
|
"indicator--85fc2ee8-1979-4b2b-8a01-a6e86992950e",
|
|
"x-misp-object--6ef84376-1a21-41b0-8079-fe58470e8a3b",
|
|
"indicator--cd87750f-ad31-466c-8256-6bb5c496c7e8",
|
|
"x-misp-object--8e8856ca-85ff-4643-9b60-708617003213",
|
|
"indicator--23b939ba-58a7-4265-acbb-12945bdaf96f",
|
|
"x-misp-object--1b72a2c1-dda3-4770-9bfd-a29f36fbb9b9",
|
|
"indicator--c299d343-7fb7-4bda-bc3c-578213b2333d",
|
|
"x-misp-object--5d0428a2-0eaa-4719-89c9-c696ddf72dfa",
|
|
"relationship--b963c1bf-84e3-49a6-951e-b2dd9bff0aa8",
|
|
"relationship--53dcf184-6c70-4db1-8d5e-d825eb813c33",
|
|
"relationship--bc1d6df1-3ff2-44e2-a072-860f06871377",
|
|
"relationship--a9893aac-6421-4843-a401-9b7e0217cbf1"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:banker=\"Panda Banker\"",
|
|
"type:OSINT",
|
|
"osint:source-type=\"blog-post\"",
|
|
"ms-caro-malware-full:malware-family=\"Banker\"",
|
|
"malware_classification:malware-category=\"Trojan\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5a390e33-a644-4e3a-957d-1606950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"first_observed": "2017-12-20T09:11:54Z",
|
|
"last_observed": "2017-12-20T09:11:54Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5a390e33-a644-4e3a-957d-1606950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5a390e33-a644-4e3a-957d-1606950d210f",
|
|
"value": "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5a390e5c-090c-4b23-83f0-1714950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Banking Trojans work by injecting code into web pages as they are viewed on infected machines, allowing the malware to harvest banking credentials and credit card information as victims interact with legitimate sites. Most often, the injects -- the code that actually performs the man-in-the-browser attacks -- are configured for region-specific banking sites. More recently, we have seen injects for online payment sites, casinos, retailers, and more appearing in banking Trojan campaigns.\r\n\r\nSince November -- a period of time that includes Thanksgiving, Black Friday, Cyber Monday and now leading up to Christmas -- we have observed Zeus Panda banking Trojan campaigns that have an increasing focus on non-banking targets with an extensive list of injects clearly designed to capitalize on holiday shopping and activities.\r\n\r\nMore specifically, these Zeus Panda (aka Panda Banker) campaigns expanded their injects to a variety of online shopping sites for brick and mortar retailers like Zara, specialty online retailers, travel sites, and video streaming sites, among others. The vast majority of these new targets will potentially see higher-than-normal numbers of credit card transactions for the holidays. While Zeus Panda can be configured to steal a variety of information, these injects collected the credit card number, address, phone number, DOB, SSN, and security question-related information such as mother\u00e2\u20ac\u2122s maiden name."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390ecd-e0a8-4c1e-95bc-498c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-19T13:06:21.000Z",
|
|
"modified": "2017-12-19T13:06:21.000Z",
|
|
"pattern": "[file:name = 'receipt-package-5a0a062cae04a.doc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-19T13:06:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390eec-3874-4509-a0dd-1708950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"description": "Landing page redirection",
|
|
"pattern": "[url:value = 'https://canadapost-packagecenter.com/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390efa-6134-40fc-901a-1713950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"pattern": "[file:name = 'resume.doc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390f86-f3c8-4662-96dd-1690950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"description": "Document payload",
|
|
"pattern": "[url:value = 'http://80.82.67.217/moo.jpg']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390f86-06c8-4a7b-a2de-1690950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-19T13:09:26.000Z",
|
|
"modified": "2017-12-19T13:09:26.000Z",
|
|
"description": "Panda",
|
|
"pattern": "[file:hashes.SHA256 = '5f7a1b02d5b2904554e65bd01a12f1fa5ff2121eef53f3942c4e9e29c46bdce3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-19T13:09:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390f87-2be4-4d90-b4b6-1690950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"description": "Panda C&C",
|
|
"pattern": "[domain-name:value = 'gromnes.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390f87-208c-477f-a436-1690950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"description": "Panda C&C",
|
|
"pattern": "[domain-name:value = 'aklexim.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390f87-7364-456f-9669-1690950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"description": "Panda C&C",
|
|
"pattern": "[domain-name:value = 'kichamyn.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390f87-7528-4d33-a029-1690950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-19T13:09:27.000Z",
|
|
"modified": "2017-12-19T13:09:27.000Z",
|
|
"description": "Attachment",
|
|
"pattern": "[file:hashes.SHA256 = 'e13594d83f2a573627e742baf33298b9eeec1ebb8c7955304b8c35559e5f23dc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-19T13:09:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a3910b0-33e0-4ba5-b4e3-18e3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"description": "Malicious URL in email",
|
|
"pattern": "[url:value = 'http://www.nfk-trading.com/analyticsmmrxbctq/redirect/0849e22e843170e1600c1910df8cf9da-id-qblozsmn-to-package-awaiting']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a3910b0-2350-40f6-bf70-18e3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"description": "Document payload",
|
|
"pattern": "[url:value = 'http://89.248.169.136/bigmac.jpg']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5a390eac-8b20-4401-83c1-169e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-19T13:05:48.000Z",
|
|
"modified": "2017-12-19T13:05:48.000Z",
|
|
"first_observed": "2017-12-19T13:05:48Z",
|
|
"last_observed": "2017-12-19T13:05:48Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"email-message--5a390eac-8b20-4401-83c1-169e950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:name=\"email\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"False\""
|
|
]
|
|
},
|
|
{
|
|
"type": "email-message",
|
|
"spec_version": "2.1",
|
|
"id": "email-message--5a390eac-8b20-4401-83c1-169e950d210f",
|
|
"is_multipart": false,
|
|
"date": "2017-11-13T00:00:00Z",
|
|
"subject": "Your package is ready to be picked up\u00e2\u20ac\u009d"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a390f46-b670-4975-842a-473d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-19T13:08:22.000Z",
|
|
"modified": "2017-12-19T13:08:22.000Z",
|
|
"pattern": "[email-message:date = '2017-12-11T00:00:00' AND email-message:subject = 'Application submitted from Gumtree Jobs by [First Last Names] for Field Sales Consultant - Status: Emailed' AND email-message:body_multipart[0].body_raw_ref.name = 'resume.doc' AND email-message:body_multipart[0].content_disposition = 'attachment']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-19T13:08:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"email\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a3910e8-d3fc-421d-a96b-1690950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-19T13:15:20.000Z",
|
|
"modified": "2017-12-19T13:15:20.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '2514dbf1549b517692e415af85baa6e5eca926cdedb526d2e255b5943501d98b' AND file:name = 'receipt-package-5a0a062cae04a.doc' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-19T13:15:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a39110d-413c-4ff2-b531-bfd8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-19T13:15:57.000Z",
|
|
"modified": "2017-12-19T13:15:57.000Z",
|
|
"description": "Panda executable",
|
|
"pattern": "[file:hashes.SHA256 = 'ae92a4a5bc64db6af23219d7fa2d8bce98a5d7eb2eff7193e4f49698e3e5650d' AND file:name = 'Bigmac.jpg' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-19T13:15:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--85fc2ee8-1979-4b2b-8a01-a6e86992950e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:57.000Z",
|
|
"modified": "2017-12-20T09:11:57.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'a02d6ca05cbc89a317d82945bcb6b15b' AND file:hashes.SHA1 = '2cacb877c487b6dae47fb16fdd1dc7b05595125b' AND file:hashes.SHA256 = 'ae92a4a5bc64db6af23219d7fa2d8bce98a5d7eb2eff7193e4f49698e3e5650d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--6ef84376-1a21-41b0-8079-fe58470e8a3b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:54.000Z",
|
|
"modified": "2017-12-20T09:11:54.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/ae92a4a5bc64db6af23219d7fa2d8bce98a5d7eb2eff7193e4f49698e3e5650d/analysis/1513357351/",
|
|
"category": "External analysis",
|
|
"uuid": "5a3a295b-b3fc-4cce-92cd-431402de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "53/67",
|
|
"category": "Other",
|
|
"uuid": "5a3a295b-18c0-4bed-af46-433102de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-15T17:02:31",
|
|
"category": "Other",
|
|
"uuid": "5a3a295b-6208-4950-9d19-4b6a02de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--cd87750f-ad31-466c-8256-6bb5c496c7e8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:58.000Z",
|
|
"modified": "2017-12-20T09:11:58.000Z",
|
|
"pattern": "[file:hashes.MD5 = '52b053886cc0ca44df86cba91de968fa' AND file:hashes.SHA1 = 'ef22bcec61cb2aea85cd93cede6af5f4b27e011b' AND file:hashes.SHA256 = '5f7a1b02d5b2904554e65bd01a12f1fa5ff2121eef53f3942c4e9e29c46bdce3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--8e8856ca-85ff-4643-9b60-708617003213",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:55.000Z",
|
|
"modified": "2017-12-20T09:11:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/5f7a1b02d5b2904554e65bd01a12f1fa5ff2121eef53f3942c4e9e29c46bdce3/analysis/1513686510/",
|
|
"category": "External analysis",
|
|
"comment": "Panda",
|
|
"uuid": "5a3a295b-c948-41f7-9f3c-4eb802de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "44/66",
|
|
"category": "Other",
|
|
"comment": "Panda",
|
|
"uuid": "5a3a295b-1164-44e5-a7fb-4bc902de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-19T12:28:30",
|
|
"category": "Other",
|
|
"comment": "Panda",
|
|
"uuid": "5a3a295b-f134-4097-aaad-481602de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--23b939ba-58a7-4265-acbb-12945bdaf96f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:58.000Z",
|
|
"modified": "2017-12-20T09:11:58.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b2a6ec17f49740ddc699640fb19f951d' AND file:hashes.SHA1 = '00d8ef79f6fe532815c0325fb6d7165cdae98548' AND file:hashes.SHA256 = 'e13594d83f2a573627e742baf33298b9eeec1ebb8c7955304b8c35559e5f23dc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--1b72a2c1-dda3-4770-9bfd-a29f36fbb9b9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:55.000Z",
|
|
"modified": "2017-12-20T09:11:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/e13594d83f2a573627e742baf33298b9eeec1ebb8c7955304b8c35559e5f23dc/analysis/1513686599/",
|
|
"category": "External analysis",
|
|
"comment": "Attachment",
|
|
"uuid": "5a3a295b-9dd4-4202-b6ac-44e102de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "27/58",
|
|
"category": "Other",
|
|
"comment": "Attachment",
|
|
"uuid": "5a3a295b-bb18-4c9d-b107-418e02de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-19T12:29:59",
|
|
"category": "Other",
|
|
"comment": "Attachment",
|
|
"uuid": "5a3a295b-30fc-4206-af56-438802de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c299d343-7fb7-4bda-bc3c-578213b2333d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:58.000Z",
|
|
"modified": "2017-12-20T09:11:58.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'bcac60105cb24fdbcc03c1d52d09bfd1' AND file:hashes.SHA1 = '8eab9d3dfe6ac35a3624e916bb3cdc6d390a83d2' AND file:hashes.SHA256 = '2514dbf1549b517692e415af85baa6e5eca926cdedb526d2e255b5943501d98b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-20T09:11:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5d0428a2-0eaa-4719-89c9-c696ddf72dfa",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-20T09:11:55.000Z",
|
|
"modified": "2017-12-20T09:11:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/2514dbf1549b517692e415af85baa6e5eca926cdedb526d2e255b5943501d98b/analysis/1513686655/",
|
|
"category": "External analysis",
|
|
"uuid": "5a3a295b-efcc-4b80-b82d-4cb402de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "33/58",
|
|
"category": "Other",
|
|
"uuid": "5a3a295b-3e4c-474f-8b74-480c02de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-19T12:30:55",
|
|
"category": "Other",
|
|
"uuid": "5a3a295b-f240-48da-adee-467702de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--b963c1bf-84e3-49a6-951e-b2dd9bff0aa8",
|
|
"created": "2017-12-28T13:33:53.000Z",
|
|
"modified": "2017-12-28T13:33:53.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--85fc2ee8-1979-4b2b-8a01-a6e86992950e",
|
|
"target_ref": "x-misp-object--6ef84376-1a21-41b0-8079-fe58470e8a3b"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--53dcf184-6c70-4db1-8d5e-d825eb813c33",
|
|
"created": "2017-12-28T13:33:53.000Z",
|
|
"modified": "2017-12-28T13:33:53.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--cd87750f-ad31-466c-8256-6bb5c496c7e8",
|
|
"target_ref": "x-misp-object--8e8856ca-85ff-4643-9b60-708617003213"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--bc1d6df1-3ff2-44e2-a072-860f06871377",
|
|
"created": "2017-12-28T13:33:53.000Z",
|
|
"modified": "2017-12-28T13:33:53.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--23b939ba-58a7-4265-acbb-12945bdaf96f",
|
|
"target_ref": "x-misp-object--1b72a2c1-dda3-4770-9bfd-a29f36fbb9b9"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--a9893aac-6421-4843-a401-9b7e0217cbf1",
|
|
"created": "2017-12-28T13:33:53.000Z",
|
|
"modified": "2017-12-28T13:33:53.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--c299d343-7fb7-4bda-bc3c-578213b2333d",
|
|
"target_ref": "x-misp-object--5d0428a2-0eaa-4719-89c9-c696ddf72dfa"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |