{
|
|
"type": "bundle",
|
|
"id": "bundle--5c4458f2-6270-4c17-8fe2-992402de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-02-28T09:18:28.000Z",
|
|
"modified": "2019-02-28T09:18:28.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "grouping",
|
|
"spec_version": "2.1",
|
|
"id": "grouping--5c4458f2-6270-4c17-8fe2-992402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-02-28T09:18:28.000Z",
|
|
"modified": "2019-02-28T09:18:28.000Z",
|
|
"name": "OSINT - BitterRAT PATCHWORK",
|
|
"context": "suspicious-activity",
|
|
"object_refs": [
|
|
"indicator--5c4459da-6374-4f25-9bb6-a83202de0b81",
|
|
"indicator--5c4459db-214c-4cf3-8bfc-a83202de0b81",
|
|
"indicator--5c4459db-4f5c-4f63-8d30-a83202de0b81",
|
|
"observed-data--5c445ae0-8b4c-44cf-973f-98d302de0b81",
|
|
"url--5c445ae0-8b4c-44cf-973f-98d302de0b81",
|
|
"observed-data--5c445ae0-af98-460b-b37c-98d302de0b81",
|
|
"url--5c445ae0-af98-460b-b37c-98d302de0b81",
|
|
"observed-data--5c445ae0-86f0-40ca-a041-98d302de0b81",
|
|
"url--5c445ae0-86f0-40ca-a041-98d302de0b81",
|
|
"indicator--5c445b0a-f430-49fb-9097-468002de0b81",
|
|
"indicator--5c445b0a-ae24-4bed-8e2d-416e02de0b81",
|
|
"indicator--5c445b0b-8f78-4d23-8027-46ab02de0b81",
|
|
"indicator--5c445b0b-01d8-4b1d-81bb-472f02de0b81",
|
|
"indicator--5c445b2d-b2ec-4067-8891-98d302de0b81",
|
|
"indicator--5c445b2e-1280-4f6b-a51f-98d302de0b81",
|
|
"indicator--5c445b54-b390-4847-8585-4c9802de0b81",
|
|
"indicator--5c445b55-eff0-4fe7-aaff-427c02de0b81",
|
|
"observed-data--5c445b83-6b80-43b2-a950-44b0e387cbd9",
|
|
"network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9",
|
|
"ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9",
|
|
"observed-data--5c445b84-c18c-404c-8f53-4cf3e387cbd9",
|
|
"network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9",
|
|
"ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9",
|
|
"indicator--5c76b08c-f724-4322-a531-418e02de0b81",
|
|
"indicator--5c77a701-6ed0-4e6b-a497-47cb02de0b81",
|
|
"indicator--5c77a724-a98c-43d6-9335-452402de0b81",
|
|
"x-misp-object--5c445998-17e4-4411-ac90-4c8902de0b81",
|
|
"indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e",
|
|
"x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c",
|
|
"indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa",
|
|
"x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f",
|
|
"indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87",
|
|
"x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676",
|
|
"indicator--5c445a91-96e4-4a76-81bf-4bb302de0b81",
|
|
"indicator--db8c563d-74f7-492a-ab64-12d646b305ef",
|
|
"x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a",
|
|
"indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c",
|
|
"x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b",
|
|
"indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70",
|
|
"x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d",
|
|
"indicator--e1137dbb-bedf-4093-8391-b598b22d0a87",
|
|
"x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af",
|
|
"indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902",
|
|
"x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2",
|
|
"indicator--5a403b39-3b33-41e6-852f-277fe242197e",
|
|
"x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536",
|
|
"relationship--309ab662-f2b4-45df-bfc5-d81a77dad967",
|
|
"relationship--3080d8d7-f47e-43a4-9cfd-bc3d22905bdf",
|
|
"relationship--93954583-42b7-4047-9c66-d72a56b5823e",
|
|
"relationship--1406f5ff-9c9c-47d8-afc7-93cb51c6d726",
|
|
"relationship--69dd0ae2-f1b3-4675-8902-977696351c48",
|
|
"relationship--3de2b026-d682-44f2-bbcf-00824da2d5d9",
|
|
"relationship--c59ea47a-d710-49c1-ba74-894ccc2437e5",
|
|
"relationship--9d956722-7e50-4b88-8e5f-142622876984",
|
|
"relationship--b8eaac98-a4b0-48a4-9677-e5f2d37cb3f9"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork\"",
|
|
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"misp-galaxy:threat-actor=\"Dropping Elephant\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4459da-6374-4f25-9bb6-a83202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:02.000Z",
|
|
"modified": "2019-01-20T11:22:02.000Z",
|
|
"description": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.",
|
|
"pattern": "[file:hashes.MD5 = '7845d817e021db8cde06a8437693b3b2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:22:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4459db-214c-4cf3-8bfc-a83202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:03.000Z",
|
|
"modified": "2019-01-20T11:22:03.000Z",
|
|
"description": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.",
|
|
"pattern": "[file:hashes.MD5 = 'd34fc3a5df544d90ed1933b79deb1868']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:22:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4459db-4f5c-4f63-8d30-a83202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:03.000Z",
|
|
"modified": "2019-01-20T11:22:03.000Z",
|
|
"description": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.",
|
|
"pattern": "[file:hashes.MD5 = '59ca69647eeceab0193d88b8b72e3d60']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:22:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c445ae0-8b4c-44cf-973f-98d302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:26:24.000Z",
|
|
"modified": "2019-01-20T11:26:24.000Z",
|
|
"first_observed": "2019-01-20T11:26:24Z",
|
|
"last_observed": "2019-01-20T11:26:24Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5c445ae0-8b4c-44cf-973f-98d302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5c445ae0-8b4c-44cf-973f-98d302de0b81",
|
|
"value": "https://analyze.intezer.com/#/analyses/314c7fb5-7d2e-4e3c-93d8-84c2064672d3"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c445ae0-af98-460b-b37c-98d302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:26:24.000Z",
|
|
"modified": "2019-01-20T11:26:24.000Z",
|
|
"first_observed": "2019-01-20T11:26:24Z",
|
|
"last_observed": "2019-01-20T11:26:24Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5c445ae0-af98-460b-b37c-98d302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5c445ae0-af98-460b-b37c-98d302de0b81",
|
|
"value": "https://analyze.intezer.com/#/analyses/5dcad879-8bf6-45ed-a10f-53313aaf32a0"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c445ae0-86f0-40ca-a041-98d302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:26:24.000Z",
|
|
"modified": "2019-01-20T11:26:24.000Z",
|
|
"first_observed": "2019-01-20T11:26:24Z",
|
|
"last_observed": "2019-01-20T11:26:24Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5c445ae0-86f0-40ca-a041-98d302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5c445ae0-86f0-40ca-a041-98d302de0b81",
|
|
"value": "https://analyze.intezer.com/#/analyses/5dcad879-8bf6-45ed-a10f-53313aaf32a0"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445b0a-f430-49fb-9097-468002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:27:06.000Z",
|
|
"modified": "2019-01-20T11:27:06.000Z",
|
|
"description": "RTF file",
|
|
"pattern": "[file:hashes.MD5 = 'e4abdd40f7d1adb3f139940438484695']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:27:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445b0a-ae24-4bed-8e2d-416e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:27:06.000Z",
|
|
"modified": "2019-01-20T11:27:06.000Z",
|
|
"description": "Payload",
|
|
"pattern": "[file:hashes.MD5 = 'a098d91f04eb259bf27432e81a9c523b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:27:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445b0b-8f78-4d23-8027-46ab02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:27:07.000Z",
|
|
"modified": "2019-01-20T11:27:07.000Z",
|
|
"description": "Payload",
|
|
"pattern": "[file:hashes.MD5 = '53d6ed9a3e56785ccbee9b73b14ec62c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:27:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445b0b-01d8-4b1d-81bb-472f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:27:07.000Z",
|
|
"modified": "2019-01-20T11:27:07.000Z",
|
|
"description": "Payload",
|
|
"pattern": "[file:hashes.MD5 = '26d175ac27b4554885b5c3d2ec9c6769']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:27:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445b2d-b2ec-4067-8891-98d302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:27:41.000Z",
|
|
"modified": "2019-01-20T11:27:41.000Z",
|
|
"description": "Additional Payload can also be seen in the below screenshot. Looks like the threat actors have a pattern of sequentially naming folders.",
|
|
"pattern": "[file:hashes.MD5 = '3dcc9ac06cd5318f247be0d73c8c1d1d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:27:41Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445b2e-1280-4f6b-a51f-98d302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:27:42.000Z",
|
|
"modified": "2019-01-20T11:27:42.000Z",
|
|
"description": "Additional Payload can also be seen in the below screenshot. Looks like the threat actors have a pattern of sequentially naming folders.",
|
|
"pattern": "[domain-name:value = 'wcnsservice.ddns.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:27:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445b54-b390-4847-8585-4c9802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:28:20.000Z",
|
|
"modified": "2019-01-20T11:28:20.000Z",
|
|
"description": "Additional URL - Couldn't find it in any writeups:",
|
|
"pattern": "[url:value = 'rmmun.org.pk/svch']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:28:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445b55-eff0-4fe7-aaff-427c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:28:21.000Z",
|
|
"modified": "2019-01-20T11:28:21.000Z",
|
|
"description": "Additional URL - Couldn't find it in any writeups:",
|
|
"pattern": "[file:hashes.MD5 = 'b694f3b1ef7ff302c339a51c3f0f50f3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:28:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c445b83-6b80-43b2-a950-44b0e387cbd9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:29:07.000Z",
|
|
"modified": "2019-01-20T11:29:07.000Z",
|
|
"first_observed": "2019-01-20T11:29:07Z",
|
|
"last_observed": "2019-01-20T11:29:07Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9",
|
|
"ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-src\"",
|
|
"misp:category=\"Network activity\""
|
|
]
|
|
},
|
|
{
|
|
"type": "network-traffic",
|
|
"spec_version": "2.1",
|
|
"id": "network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9",
|
|
"src_ref": "ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9",
|
|
"protocols": [
|
|
"tcp"
|
|
]
|
|
},
|
|
{
|
|
"type": "ipv4-addr",
|
|
"spec_version": "2.1",
|
|
"id": "ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9",
|
|
"value": "185.45.193.10"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c445b84-c18c-404c-8f53-4cf3e387cbd9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:29:08.000Z",
|
|
"modified": "2019-01-20T11:29:08.000Z",
|
|
"first_observed": "2019-01-20T11:29:08Z",
|
|
"last_observed": "2019-01-20T11:29:08Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9",
|
|
"ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-src\"",
|
|
"misp:category=\"Network activity\""
|
|
]
|
|
},
|
|
{
|
|
"type": "network-traffic",
|
|
"spec_version": "2.1",
|
|
"id": "network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9",
|
|
"src_ref": "ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9",
|
|
"protocols": [
|
|
"tcp"
|
|
]
|
|
},
|
|
{
|
|
"type": "ipv4-addr",
|
|
"spec_version": "2.1",
|
|
"id": "ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9",
|
|
"value": "185.121.139.53"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c76b08c-f724-4322-a531-418e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-02-27T15:45:16.000Z",
|
|
"modified": "2019-02-27T15:45:16.000Z",
|
|
"description": "rtf exploit",
|
|
"pattern": "[rule dropper_elephant {\r\n\tstrings:\r\n\t\t$head = \"{\\\\rt\"\r\n\t\t$water = { 33 35 33 32 33 34 36 36 36 31 33 36 33 33 36 31 33 35 33 30 30 30}\r\n\tcondition:\r\n\t\t$head at 0 and $water \r\n\r\n}]",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2019-02-27T15:45:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c77a701-6ed0-4e6b-a497-47cb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-02-28T09:16:49.000Z",
|
|
"modified": "2019-02-28T09:16:49.000Z",
|
|
"description": "rtf file",
|
|
"pattern": "[file:hashes.SHA256 = 'd3122d94a7fde33bc1f35ab49f56408a19a46847cce3686ff40c7a5f2ff71ca1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-02-28T09:16:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c77a724-a98c-43d6-9335-452402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-02-28T09:17:24.000Z",
|
|
"modified": "2019-02-28T09:17:24.000Z",
|
|
"description": "rtf file",
|
|
"pattern": "[file:hashes.SHA256 = '52c10f300f15e6b4f7e3e1989a35c7d2719217f4d3d64fe0afcf83bb922ec61f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-02-28T09:17:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5c445998-17e4-4411-ac90-4c8902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:20:56.000Z",
|
|
"modified": "2019-01-20T11:20:56.000Z",
|
|
"labels": [
|
|
"misp:name=\"microblog\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"osint:source-type=\"microblog-post\"",
|
|
"osint:certainty=\"93\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "post",
|
|
"value": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group. Hashes: 7845d817e021db8cde06a8437693b3b2 d34fc3a5df544d90ed1933b79deb1868 59ca69647eeceab0193d88b8b72e3d60",
|
|
"category": "Other",
|
|
"uuid": "5c445998-bcb8-4f80-8d60-437002de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Twitter",
|
|
"category": "Other",
|
|
"uuid": "5c445998-e110-4f97-917a-4f0802de0b81"
|
|
},
|
|
{
|
|
"type": "url",
|
|
"object_relation": "url",
|
|
"value": "https://twitter.com/shotgunner101/status/1086792700114948096",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5c445998-ea68-4dae-a03e-492f02de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username",
|
|
"value": "shotgunner101",
|
|
"category": "Other",
|
|
"uuid": "5c445999-3450-4150-8196-459102de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "microblog"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:32.000Z",
|
|
"modified": "2019-01-20T11:22:32.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'd34fc3a5df544d90ed1933b79deb1868' AND file:hashes.SHA1 = '6c5d2012f58ee390500c515506f67e43e491818f' AND file:hashes.SHA256 = '386350a786e325844875dfffa5286f904a3ecce22845f3d3685e2abf68d79b55']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:22:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:34.000Z",
|
|
"modified": "2019-01-20T11:22:34.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-12-17 11:42:39",
|
|
"category": "Other",
|
|
"uuid": "cd5abe05-07bc-49f1-834b-984f412fd69b"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/386350a786e325844875dfffa5286f904a3ecce22845f3d3685e2abf68d79b55/analysis/1545046959/",
|
|
"category": "External analysis",
|
|
"uuid": "b46db101-5b99-4641-bacc-c1488b6b1c13"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "40/70",
|
|
"category": "Other",
|
|
"uuid": "7e191cc5-c4b9-41b7-9370-30af876f9087"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:35.000Z",
|
|
"modified": "2019-01-20T11:22:35.000Z",
|
|
"pattern": "[file:hashes.MD5 = '59ca69647eeceab0193d88b8b72e3d60' AND file:hashes.SHA1 = '4d441ba024b5fba0c2d02a30c00cd1ba63aaa1f0' AND file:hashes.SHA256 = '80cc095d582ee7e7a370b1967c4ad0b336622a2f4f4a04c515b014bc3be78377']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:22:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:37.000Z",
|
|
"modified": "2019-01-20T11:22:37.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-20 05:28:41",
|
|
"category": "Other",
|
|
"uuid": "b6767065-40ce-4769-b41d-d80c76e36f6b"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/80cc095d582ee7e7a370b1967c4ad0b336622a2f4f4a04c515b014bc3be78377/analysis/1547962121/",
|
|
"category": "External analysis",
|
|
"uuid": "dd19c19d-8f28-4860-9592-8899a91a9f44"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "42/67",
|
|
"category": "Other",
|
|
"uuid": "a5e53653-a585-48dc-a595-12b67dae1846"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:38.000Z",
|
|
"modified": "2019-01-20T11:22:38.000Z",
|
|
"pattern": "[file:hashes.MD5 = '7845d817e021db8cde06a8437693b3b2' AND file:hashes.SHA1 = 'bdb21b57c572744b58f8dc4f4020e32e1787f46d' AND file:hashes.SHA256 = '57fb48d43f5363798aee52635e0bbc393141940e60dbc0fda298898984556a8e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:22:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:22:40.000Z",
|
|
"modified": "2019-01-20T11:22:40.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-20 05:31:17",
|
|
"category": "Other",
|
|
"uuid": "263b4bfc-fee6-4604-8ad6-3e718c0bbd60"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/57fb48d43f5363798aee52635e0bbc393141940e60dbc0fda298898984556a8e/analysis/1547962277/",
|
|
"category": "External analysis",
|
|
"uuid": "2a347a59-cf7a-4973-bd1c-5fb4c1b1488d"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "32/70",
|
|
"category": "Other",
|
|
"uuid": "6fb014a0-3fbe-4f2a-9ab4-e54bf354e276"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c445a91-96e4-4a76-81bf-4bb302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:25:05.000Z",
|
|
"modified": "2019-01-20T11:25:05.000Z",
|
|
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.45.193.10') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'netwareservice.ddns.net') AND network-traffic:x_misp_text = 'There is also another domain and IP Address that I couldn\\'t find linked with any PATCHWORK/Bitter RAT reports.']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:25:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"ip-port\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--db8c563d-74f7-492a-ab64-12d646b305ef",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:28:30.000Z",
|
|
"modified": "2019-01-20T11:28:30.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'a098d91f04eb259bf27432e81a9c523b' AND file:hashes.SHA1 = 'a359d15c1055fe8574eb0a68f429c6ee4f0894ff' AND file:hashes.SHA256 = 'b0d974b590a67ff642a60033b1acdbec37f9dc13b3bf49aead70bd3ef96a0d42']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:28:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:28:32.000Z",
|
|
"modified": "2019-01-20T11:28:32.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-10 01:04:42",
|
|
"category": "Other",
|
|
"uuid": "a044a306-15d0-435d-aeec-dd77d24f9e2e"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/b0d974b590a67ff642a60033b1acdbec37f9dc13b3bf49aead70bd3ef96a0d42/analysis/1547082282/",
|
|
"category": "External analysis",
|
|
"uuid": "50958fd2-c56f-44ea-999e-03c8428dc48b"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "43/70",
|
|
"category": "Other",
|
|
"uuid": "cc0dce63-893d-4ba6-ba93-d620445ebc17"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:28:33.000Z",
|
|
"modified": "2019-01-20T11:28:33.000Z",
|
|
"pattern": "[file:hashes.MD5 = '26d175ac27b4554885b5c3d2ec9c6769' AND file:hashes.SHA1 = '205e77e7f708b5c2f3f6370547255ae4c6b61b5b' AND file:hashes.SHA256 = '4d5290e7e30ef25b7cb265784b1507f756b938af3a4d915225b708e5e44a5ed4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-20T11:28:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-20T11:28:34.000Z",
|
|
"modified": "2019-01-20T11:28:34.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-12-26 06:32:20",
|
|
"category": "Other",
|
|
"uuid": "13e649fd-ebb4-4f6e-a7e5-4cd02ab8e4df"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/4d5290e7e30ef25b7cb265784b1507f756b938af3a4d915225b708e5e44a5ed4/analysis/1545805940/",
"category": "External analysis",
"uuid": "ab8369e4-bd22-4d44-9904-59d1520d6b88"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "42/69",
"category": "Other",
"uuid": "4aaec601-7d0d-45f8-9c5f-6018bb4cf450"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-20T11:28:37.000Z",
"modified": "2019-01-20T11:28:37.000Z",
"pattern": "[file:hashes.MD5 = 'b694f3b1ef7ff302c339a51c3f0f50f3' AND file:hashes.SHA1 = '02a5aaa1956b437f1066a4793cc079201c02603b' AND file:hashes.SHA256 = '523a17f6892c2558ac4765959df4af938e56a94fa6ed39636b8b7315def3a1b4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-20T11:28:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-20T11:28:38.000Z",
"modified": "2019-01-20T11:28:38.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-20 20:38:41",
"category": "Other",
"uuid": "bd626c6a-66b1-41d4-9803-d7be0957d811"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/523a17f6892c2558ac4765959df4af938e56a94fa6ed39636b8b7315def3a1b4/analysis/1545338321/",
"category": "External analysis",
"uuid": "542b3ccc-7a07-4b00-9213-a1287036339e"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "46/70",
"category": "Other",
"uuid": "f69ec892-9c22-4f81-9fba-9c59c550efab"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e1137dbb-bedf-4093-8391-b598b22d0a87",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-20T11:28:39.000Z",
"modified": "2019-01-20T11:28:39.000Z",
"pattern": "[file:hashes.MD5 = 'e4abdd40f7d1adb3f139940438484695' AND file:hashes.SHA1 = 'fddfb467c6d04f7333206591a2105881be985d5c' AND file:hashes.SHA256 = 'e835280daa9d93f38ef7707a2672912515669f971c8e994754486d40524371db']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-20T11:28:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-20T11:28:41.000Z",
"modified": "2019-01-20T11:28:41.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-01-17 11:33:07",
"category": "Other",
"uuid": "4800929b-92d6-42d9-a7e0-a3390c4f821e"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e835280daa9d93f38ef7707a2672912515669f971c8e994754486d40524371db/analysis/1547724787/",
"category": "External analysis",
"uuid": "294505dc-8126-4e47-9eef-3721f0086fbf"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "25/57",
"category": "Other",
"uuid": "e83fe184-6c74-4558-97de-f741bc1b94ba"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-20T11:28:42.000Z",
"modified": "2019-01-20T11:28:42.000Z",
"pattern": "[file:hashes.MD5 = '53d6ed9a3e56785ccbee9b73b14ec62c' AND file:hashes.SHA1 = '2075cddc453492a349de81e4aae309a376c1147a' AND file:hashes.SHA256 = 'aa0e4216867d68fca3e6b0bafcabd871657abda9820aaee0c72d89f365163d75']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-20T11:28:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-20T11:28:43.000Z",
"modified": "2019-01-20T11:28:43.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-01-20 05:27:08",
"category": "Other",
"uuid": "ce177d9a-fdaf-447f-9628-969f55f142eb"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/aa0e4216867d68fca3e6b0bafcabd871657abda9820aaee0c72d89f365163d75/analysis/1547962028/",
"category": "External analysis",
"uuid": "41820a0e-61aa-4b65-8672-b2985cdf6a1a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "38/66",
"category": "Other",
"uuid": "88ad0b3d-a8ab-45f8-b782-228493b9ad39"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a403b39-3b33-41e6-852f-277fe242197e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-20T11:28:45.000Z",
"modified": "2019-01-20T11:28:45.000Z",
"pattern": "[file:hashes.MD5 = '3dcc9ac06cd5318f247be0d73c8c1d1d' AND file:hashes.SHA1 = '969fc7f9b770215ce2ad3fe38451d286fda4e7cb' AND file:hashes.SHA256 = '5ea68ecd5e68a83b3c1a1249f8ca895ad107a4c780d9d3c3430fcc4d3007a299']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-20T11:28:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-20T11:28:47.000Z",
"modified": "2019-01-20T11:28:47.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-01-18 18:25:53",
"category": "Other",
"uuid": "896b9522-f5fa-4ffd-8ef2-76826c41225b"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/5ea68ecd5e68a83b3c1a1249f8ca895ad107a4c780d9d3c3430fcc4d3007a299/analysis/1547835953/",
"category": "External analysis",
"uuid": "cfa6606b-9b09-4da3-8675-1f1e9b067030"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "16/70",
"category": "Other",
"uuid": "6269f302-e585-4ca1-8cab-bed4ad17f06b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--309ab662-f2b4-45df-bfc5-d81a77dad967",
"created": "2019-01-20T11:22:41.000Z",
"modified": "2019-01-20T11:22:41.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e",
"target_ref": "x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3080d8d7-f47e-43a4-9cfd-bc3d22905bdf",
"created": "2019-01-20T11:22:41.000Z",
"modified": "2019-01-20T11:22:41.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa",
"target_ref": "x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--93954583-42b7-4047-9c66-d72a56b5823e",
"created": "2019-01-20T11:22:41.000Z",
"modified": "2019-01-20T11:22:41.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87",
"target_ref": "x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1406f5ff-9c9c-47d8-afc7-93cb51c6d726",
"created": "2019-01-20T11:28:48.000Z",
"modified": "2019-01-20T11:28:48.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--db8c563d-74f7-492a-ab64-12d646b305ef",
"target_ref": "x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--69dd0ae2-f1b3-4675-8902-977696351c48",
"created": "2019-01-20T11:28:48.000Z",
"modified": "2019-01-20T11:28:48.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c",
"target_ref": "x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3de2b026-d682-44f2-bbcf-00824da2d5d9",
"created": "2019-01-20T11:28:48.000Z",
"modified": "2019-01-20T11:28:48.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70",
"target_ref": "x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c59ea47a-d710-49c1-ba74-894ccc2437e5",
"created": "2019-01-20T11:28:48.000Z",
"modified": "2019-01-20T11:28:48.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--e1137dbb-bedf-4093-8391-b598b22d0a87",
"target_ref": "x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9d956722-7e50-4b88-8e5f-142622876984",
"created": "2019-01-20T11:28:48.000Z",
"modified": "2019-01-20T11:28:48.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902",
"target_ref": "x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b8eaac98-a4b0-48a4-9677-e5f2d37cb3f9",
"created": "2019-01-20T11:28:48.000Z",
"modified": "2019-01-20T11:28:48.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5a403b39-3b33-41e6-852f-277fe242197e",
"target_ref": "x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}