misp-circl-feed/feeds/circl/stix-2.1/5b9123c0-1480-4e09-877e-4783950d210f.json

797 lines
No EOL
35 KiB
JSON

{
"type": "bundle",
"id": "bundle--5b9123c0-1480-4e09-877e-4783950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-12T12:36:30.000Z",
"modified": "2018-09-12T12:36:30.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b9123c0-1480-4e09-877e-4783950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-12T12:36:30.000Z",
"modified": "2018-09-12T12:36:30.000Z",
"name": "OSINT - Sigma Ransomware Being Distributed Using Fake Craigslist Malspam",
"published": "2018-09-12T12:38:00Z",
"object_refs": [
"x-misp-attribute--5b912411-f738-46fc-b27c-4ada950d210f",
"observed-data--5b912433-50b0-4e96-8d7a-44b1950d210f",
"url--5b912433-50b0-4e96-8d7a-44b1950d210f",
"indicator--5b912ca6-7264-48c8-afca-40e4950d210f",
"indicator--5b927c00-c9c8-4780-84da-abc4950d210f",
"indicator--5b912b9e-67d4-45ad-b17d-4020950d210f",
"indicator--af63c140-7e55-4ae2-a261-9f126f0195ab",
"x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50",
"indicator--5b927884-8d5c-4a6c-af30-4daa950d210f",
"indicator--5b9279c2-40a4-4823-840a-4c03950d210f",
"indicator--5b927cc5-d5ac-46df-ace4-4cf8950d210f",
"indicator--5b927d28-edcc-445d-869b-42ae950d210f",
"indicator--5b927d3b-9628-4e2f-83b3-4cb8950d210f",
"indicator--5b927d4a-5334-448b-84e9-4545950d210f",
"indicator--5b927edc-e5a4-47e1-86a6-4a0f950d210f",
"indicator--5b927f07-0ebc-45ea-9a4c-4791950d210f",
"indicator--5b927f19-af00-4e57-bc93-49e9950d210f",
"indicator--5b927f4d-5914-4be0-bc7e-4da1950d210f",
"indicator--5b927f5e-50ac-4596-b3cb-474b950d210f",
"indicator--5b927f6b-0430-4a52-b692-4dba950d210f",
"indicator--5b927f7c-32c8-4e30-b9d5-421f950d210f",
"indicator--5b927fee-1590-49f2-a2f6-44ca950d210f",
"indicator--5b92809a-b468-47e6-a7c7-47c9950d210f",
"indicator--5b9280aa-969c-4c3e-ad03-4011950d210f",
"indicator--5b9280b9-be58-4c21-a4d2-49ca950d210f",
"indicator--5b9280c4-17b4-4114-8017-44e0950d210f",
"indicator--5b9280d0-1874-4711-87ed-4299950d210f",
"indicator--5b9280db-dfe0-41f0-9f42-44c7950d210f",
"indicator--5b9280ea-e38c-41f1-8453-47b9950d210f",
"x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e",
"relationship--7745aa48-d1f4-472c-9d36-90292c15da66",
"relationship--3f11d816-d969-4ec0-af28-3de39fa63a22"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:ransomware=\"Sigma Ransomware\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Link - T1192\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"User Execution - T1204\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\"",
"monarc-threat:unauthorised-actions=\"corruption-of-data\"",
"monarc-threat:compromise-of-information=\"malware-infection\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b912411-f738-46fc-b27c-4ada950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T14:06:53.000Z",
"modified": "2018-09-07T14:06:53.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b912433-50b0-4e96-8d7a-44b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T14:07:02.000Z",
"modified": "2018-09-07T14:07:02.000Z",
"first_observed": "2018-09-07T14:07:02Z",
"last_observed": "2018-09-07T14:07:02Z",
"number_observed": 1,
"object_refs": [
"url--5b912433-50b0-4e96-8d7a-44b1950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b912433-50b0-4e96-8d7a-44b1950d210f",
"value": "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b912ca6-7264-48c8-afca-40e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-06T13:33:26.000Z",
"modified": "2018-09-06T13:33:26.000Z",
"pattern": "[url:value = 'http://185.121.139.229/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T13:33:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927c00-c9c8-4780-84da-abc4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:24:16.000Z",
"modified": "2018-09-07T13:24:16.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\taskwgr.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:24:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b912b9e-67d4-45ad-b17d-4020950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-06T13:29:02.000Z",
"modified": "2018-09-06T13:29:02.000Z",
"pattern": "[file:hashes.SHA256 = 'b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-06T13:29:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-12T12:28:55.000Z",
"modified": "2018-09-12T12:28:55.000Z",
"pattern": "[file:hashes.MD5 = '9afa3302527608a30408958bc48019fc' AND file:hashes.SHA1 = '0d34add7d61e26583dc54e7b89b6d4056d6bf201' AND file:hashes.SHA256 = 'b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-12T12:28:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T06:48:13.000Z",
"modified": "2018-09-07T06:48:13.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-28T00:23:39",
"category": "Other",
"uuid": "8d5b54cd-1dfc-435b-8e19-cc4eda5b2288"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/",
"category": "External analysis",
"uuid": "18055e03-5add-4a61-9465-9afc972b1cb3"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/67",
"category": "Other",
"uuid": "e911d120-fdf4-4110-8272-ddb11eedd9ec"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927884-8d5c-4a6c-af30-4daa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:09:24.000Z",
"modified": "2018-09-07T13:09:24.000Z",
"pattern": "[file:name = 'ReadMe.txt' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:09:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9279c2-40a4-4823-840a-4c03950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:15:06.000Z",
"modified": "2018-09-07T13:15:06.000Z",
"pattern": "[windows-registry-key:key = '\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\chrome' AND windows-registry-key:values[0].data_type = 'REG_NONE' AND windows-registry-key:values[0].name = 'Rundll32.exe SHELL32.DLL,ShellExec_RunDLL' AND windows-registry-key:x_misp_root_keys = 'HKCU']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:15:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"registry-key\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927cc5-d5ac-46df-ace4-4cf8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:27:33.000Z",
"modified": "2018-09-07T13:27:33.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Data\\\\Tor\\\\geoip' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:27:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927d28-edcc-445d-869b-42ae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:29:12.000Z",
"modified": "2018-09-07T13:29:12.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Data\\\\Tor\\\\geoip6' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:29:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927d3b-9628-4e2f-83b3-4cb8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:29:31.000Z",
"modified": "2018-09-07T13:29:31.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\test1.bmp' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:29:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927d4a-5334-448b-84e9-4545950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:29:46.000Z",
"modified": "2018-09-07T13:29:46.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libeay32.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:29:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927edc-e5a4-47e1-86a6-4a0f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:36:28.000Z",
"modified": "2018-09-07T13:36:28.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent_core-2-0-5.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:36:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f07-0ebc-45ea-9a4c-4791950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:37:11.000Z",
"modified": "2018-09-07T13:37:11.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-certs' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:37:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f19-af00-4e57-bc93-49e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:37:29.000Z",
"modified": "2018-09-07T13:37:29.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdesc-consensus' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:37:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f4d-5914-4be0-bc7e-4da1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:38:21.000Z",
"modified": "2018-09-07T13:38:21.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libssp-0.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:38:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f5e-50ac-4596-b3cb-474b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:38:38.000Z",
"modified": "2018-09-07T13:38:38.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\tor-gencert.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:38:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f6b-0430-4a52-b692-4dba950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:38:51.000Z",
"modified": "2018-09-07T13:38:51.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\svchost.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:38:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927f7c-32c8-4e30-b9d5-421f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:39:08.000Z",
"modified": "2018-09-07T13:39:08.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\zlib1.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:39:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b927fee-1590-49f2-a2f6-44ca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:41:02.000Z",
"modified": "2018-09-07T13:41:02.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdescs.new' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:41:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b92809a-b468-47e6-a7c7-47c9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:43:54.000Z",
"modified": "2018-09-07T13:43:54.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent-2-0-5.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:43:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280aa-969c-4c3e-ad03-4011950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:09.000Z",
"modified": "2018-09-07T13:44:09.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\ssleay32.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280b9-be58-4c21-a4d2-49ca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:25.000Z",
"modified": "2018-09-07T13:44:25.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\state' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280c4-17b4-4114-8017-44e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:36.000Z",
"modified": "2018-09-07T13:44:36.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\ReadMe.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280d0-1874-4711-87ed-4299950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:48.000Z",
"modified": "2018-09-07T13:44:48.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libgcc_s_sjlj-1.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280db-dfe0-41f0-9f42-44c7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:44:59.000Z",
"modified": "2018-09-07T13:44:59.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent_extra-2-0-5.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:44:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9280ea-e38c-41f1-8453-47b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-07T13:45:14.000Z",
"modified": "2018-09-07T13:45:14.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\lock' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-07T13:45:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-12T12:28:55.000Z",
"modified": "2018-09-12T12:28:55.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-28T00:23:39",
"category": "Other",
"uuid": "bff3beea-deb5-49b8-a2be-334a5603e8ac"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/",
"category": "External analysis",
"uuid": "505d7436-7769-4279-9d1a-b95934d0edc8"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/67",
"category": "Other",
"uuid": "00c8704b-05af-405d-a5ce-13f8167612d4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7745aa48-d1f4-472c-9d36-90292c15da66",
"created": "2018-09-07T06:48:21.000Z",
"modified": "2018-09-07T06:48:21.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab",
"target_ref": "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3f11d816-d969-4ec0-af28-3de39fa63a22",
"created": "2018-09-12T12:29:05.000Z",
"modified": "2018-09-12T12:29:05.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab",
"target_ref": "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}