{
"type": "bundle",
"id": "bundle--551e7bc4-ed74-4ff2-aef7-1888950d210b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T19:56:10.000Z",
"modified": "2015-04-03T19:56:10.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--551e7bc4-ed74-4ff2-aef7-1888950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T19:56:10.000Z",
"modified": "2015-04-03T19:56:10.000Z",
"name": "OSINT Additional yara rules for Equation Drug by Florian Roth",
"published": "2016-02-22T14:20:57Z",
"object_refs": [
"x-misp-attribute--551e7bd5-a208-44a8-9173-1a0e950d210b",
"observed-data--551e7bf0-2c14-45cb-8ef2-1879950d210b",
"url--551e7bf0-2c14-45cb-8ef2-1879950d210b",
"observed-data--551e7bf0-d148-470e-8c28-1879950d210b",
"url--551e7bf0-d148-470e-8c28-1879950d210b",
"observed-data--551e7c27-fa3c-4646-a4b1-948e950d210b",
"url--551e7c27-fa3c-4646-a4b1-948e950d210b",
"x-misp-attribute--551e7c3d-1d24-422b-996f-9144950d210b",
"x-misp-attribute--551e7c3d-09e4-4a83-ab3a-9144950d210b",
"indicator--551e7c52-33e8-448c-9e48-13b6950d210b",
"indicator--551e7c60-0274-44b9-b508-1888950d210b",
"indicator--551e7c6d-def0-43c3-86fb-7455950d210b",
"indicator--551e7c7d-cce8-4854-8048-948e950d210b",
"indicator--551e7c91-544c-4776-95f9-0d4d950d210b",
"indicator--551e7ca5-b9a4-4ef2-84f1-9144950d210b",
"indicator--551e7cb5-5f8c-45d5-be4b-4dc2950d210b",
"indicator--551e7cc5-36b8-465f-bc94-8c54950d210b",
"indicator--551e7cd9-b65c-4be1-959b-13b6950d210b",
"indicator--551e7ce9-b7c0-4bf8-97c3-948e950d210b",
"indicator--551e7cfd-bd28-489c-a56a-7455950d210b",
"indicator--551e7d0c-9254-4e05-8fb7-13b6950d210b",
"indicator--551e7d9f-449c-4b11-b116-1a0e950d210b",
"indicator--551e7d9f-90b4-495d-a76f-1a0e950d210b",
"indicator--551e7d9f-e820-4991-a88b-1a0e950d210b",
"indicator--551e7da0-6554-48c1-9789-1a0e950d210b",
"indicator--551e7da0-2538-4b10-9773-1a0e950d210b",
"indicator--551e7da0-ed30-41a0-b60e-1a0e950d210b",
"indicator--551e7da0-fa2c-4124-bc52-1a0e950d210b",
"indicator--551e7da0-e87c-460b-8a4d-1a0e950d210b",
"indicator--551e7da0-cb54-4d83-bd6f-1a0e950d210b",
"indicator--551e7da0-5eb4-4489-98a0-1a0e950d210b",
"indicator--551e7da0-5a10-440a-a4ce-1a0e950d210b",
"indicator--551e7da0-b430-43bf-b5fa-1a0e950d210b",
"indicator--56c65911-1c7c-4ca9-860f-59a1950d210f",
"indicator--56c65913-45f0-437c-afe4-59a2950d210f",
"indicator--56c65915-1a88-47c3-a14f-59a4950d210f",
"indicator--56c65917-cb64-415e-a117-599e950d210f",
"indicator--56c65919-a364-49c2-8632-c650950d210f",
"indicator--56c6591b-ec0c-4ef9-a84c-599d950d210f",
"indicator--56c6591d-a640-4716-8bf4-5f51950d210f",
"indicator--56c6591f-28dc-40be-9925-c654950d210f",
"indicator--56c65921-3ee8-4e94-b03a-c651950d210f",
"indicator--56c65922-3ac8-4f0c-b172-432f950d210f",
"indicator--56c65924-bc08-4ddc-b84a-c653950d210f",
"indicator--56c65927-6c14-408b-81bb-599c950d210f",
"indicator--56c65912-dab8-4b67-aa47-5f51950d210f",
"indicator--56c65914-4cb0-4ff7-84e0-c653950d210f",
"indicator--56c65916-6540-4e43-a359-4dfb950d210f",
"indicator--56c65918-64ac-4501-bbe1-5f51950d210f",
"indicator--56c6591a-e1f0-4015-a784-c651950d210f",
"indicator--56c6591b-0f40-4f75-819b-4aed950d210f",
"indicator--56c6591e-7c58-4732-8dcf-c650950d210f",
"indicator--56c65920-d184-482b-99e8-59a3950d210f",
"indicator--56c65922-8c08-40ea-b58c-599f950d210f",
"indicator--56c65923-7868-4115-8eaf-49ed950d210f",
"indicator--56c65925-b8b8-4f8c-9be2-5f51950d210f",
"indicator--56c65928-b2d8-4247-924b-59a4950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--551e7bd5-a208-44a8-9173-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:39:01.000Z",
"modified": "2015-04-03T11:39:01.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Equation Drug"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--551e7bf0-2c14-45cb-8ef2-1879950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:39:28.000Z",
"modified": "2015-04-03T11:39:28.000Z",
"first_observed": "2015-04-03T11:39:28Z",
"last_observed": "2015-04-03T11:39:28Z",
"number_observed": 1,
"object_refs": [
"url--551e7bf0-2c14-45cb-8ef2-1879950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--551e7bf0-2c14-45cb-8ef2-1879950d210b",
"value": "https://github.com/Neo23x0/Loki/blob/master/signatures/spy_equation_fiveeyes.yar"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--551e7bf0-d148-470e-8c28-1879950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:39:28.000Z",
"modified": "2015-04-03T11:39:28.000Z",
"first_observed": "2015-04-03T11:39:28Z",
"last_observed": "2015-04-03T11:39:28Z",
"number_observed": 1,
"object_refs": [
"url--551e7bf0-d148-470e-8c28-1879950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--551e7bf0-d148-470e-8c28-1879950d210b",
"value": "https://github.com/Neo23x0/Loki/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--551e7c27-fa3c-4646-a4b1-948e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:40:23.000Z",
"modified": "2015-04-03T11:40:23.000Z",
"first_observed": "2015-04-03T11:40:23Z",
"last_observed": "2015-04-03T11:40:23Z",
"number_observed": 1,
"object_refs": [
"url--551e7c27-fa3c-4646-a4b1-948e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--551e7c27-fa3c-4646-a4b1-948e950d210b",
"value": "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--551e7c3d-1d24-422b-996f-9144950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:40:45.000Z",
"modified": "2015-04-03T11:40:45.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "EquationGroup"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--551e7c3d-09e4-4a83-ab3a-9144950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:40:45.000Z",
"modified": "2015-04-03T11:40:45.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Equation Group"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7c52-33e8-448c-9e48-13b6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:41:06.000Z",
"modified": "2015-04-03T11:41:06.000Z",
"pattern": "[rule EquationDrug_NetworkSniffer1 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"26e787997a338d8111d96c9a4c103cf8ff0201ce\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s3 = \"sys\\\\mstcp32.dbg\" fullword ascii\r\n\t\t$s7 = \"mstcp32.sys\" fullword wide\r\n\t\t$s8 = \"p32.sys\" fullword ascii\r\n\t\t$s9 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s10 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s11 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:41:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7c60-0274-44b9-b508-1888950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:41:20.000Z",
"modified": "2015-04-03T11:41:20.000Z",
"pattern": "[rule EquationDrug_CompatLayer_UnilayDLL {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Unilay.DLL\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"a3a31937956f161beba8acac35b96cb74241cd0f\"\r\n\tstrings:\r\n\t\t$mz = { 4d 5a }\r\n\t\t$s0 = \"unilay.dll\" fullword ascii\r\n\tcondition:\r\n\t\t( $mz at 0 ) and $s0\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:41:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7c6d-def0-43c3-86fb-7455950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:41:33.000Z",
"modified": "2015-04-03T11:41:33.000Z",
"pattern": "[rule EquationDrug_HDDSSD_Op {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - HDD/SSD firmware operation - nls_933w.dll\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"ff2b50f371eb26f22eb8a2118e9ab0e015081500\"\r\n\tstrings:\r\n\t\t$s0 = \"nls_933w.dll\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:41:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7c7d-cce8-4854-8048-948e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:41:49.000Z",
"modified": "2015-04-03T11:41:49.000Z",
"pattern": "[rule EquationDrug_NetworkSniffer2 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network Sniffer - tdip.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"7e3cd36875c0e5ccb076eb74855d627ae8d4627f\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"IP Transport Driver\" fullword wide\r\n\t\t$s2 = \"tdip.sys\" fullword wide\r\n\t\t$s3 = \"sys\\\\tdip.dbg\" fullword ascii\r\n\t\t$s4 = \"dip.sys\" fullword ascii\r\n\t\t$s5 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s6 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s7 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:41:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7c91-544c-4776-95f9-0d4d950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:42:09.000Z",
"modified": "2015-04-03T11:42:09.000Z",
"pattern": "[rule EquationDrug_NetworkSniffer3 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network Sniffer - tdip.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"14599516381a9646cd978cf962c4f92386371040\"\r\n\tstrings:\r\n\t\t$s0 = \"Corporation. All rights reserved.\" fullword wide\r\n\t\t$s1 = \"IP Transport Driver\" fullword wide\r\n\t\t$s2 = \"tdip.sys\" fullword wide\r\n\t\t$s3 = \"tdip.pdb\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:42:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7ca5-b9a4-4ef2-84f1-9144950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:42:29.000Z",
"modified": "2015-04-03T11:42:29.000Z",
"pattern": "[rule EquationDrug_VolRec_Driver {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Collector plugin for Volrec - msrstd.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"ee2b504ad502dc3fed62d6483d93d9b1221cdd6c\"\r\n\tstrings:\r\n\t\t$s0 = \"msrstd.sys\" fullword wide\r\n\t\t$s1 = \"msrstd.pdb\" fullword ascii\r\n\t\t$s2 = \"msrstd driver\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:42:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7cb5-5f8c-45d5-be4b-4dc2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:42:45.000Z",
"modified": "2015-04-03T11:42:45.000Z",
"pattern": "[rule EquationDrug_KernelRootkit {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"597715224249e9fb77dc733b2e4d507f0cc41af6\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"Parmsndsrv.dbg\" fullword ascii\r\n\t\t$s2 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s3 = \"msndsrv.sys\" fullword wide\r\n\t\t$s5 = \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Windows\" fullword wide\r\n\t\t$s6 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s7 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s9 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:42:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7cc5-36b8-465f-bc94-8c54950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:43:01.000Z",
"modified": "2015-04-03T11:43:01.000Z",
"pattern": "[rule EquationDrug_Keylogger {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Key/clipboard logger driver - msrtvd.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"b93aa17b19575a6e4962d224c5801fb78e9a7bb5\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\registry\\\\machine\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\" fullword wide\r\n\t\t$s2 = \"\\\\registry\\\\machine\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Session Manager\\\\En\" wide\r\n\t\t$s3 = \"\\\\DosDevices\\\\Gk\" fullword wide\r\n\t\t$s5 = \"\\\\Device\\\\Gk0\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:43:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7cd9-b65c-4be1-959b-13b6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:43:21.000Z",
"modified": "2015-04-03T11:43:21.000Z",
"pattern": "[rule EquationDrug_NetworkSniffer4 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network-sniffer/patcher - atmdkdrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"cace40965f8600a24a2457f7792efba3bd84d9ba\"\r\n\tstrings:\r\n\t\t$s0 = \"Copyright 1999 RAVISENT Technologies Inc.\" fullword wide\r\n\t\t$s1 = \"\\\\systemroot\\\\\" fullword ascii\r\n\t\t$s2 = \"RAVISENT Technologies Inc.\" fullword wide\r\n\t\t$s3 = \"Created by VIONA Development\" fullword wide\r\n\t\t$s4 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s5 = \"\\\\device\\\\harddiskvolume\" fullword wide\r\n\t\t$s7 = \"ATMDKDRV.SYS\" fullword wide\r\n\t\t$s8 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s9 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s10 = \"CineMaster C 1.1 WDM Main Driver\" fullword wide\r\n\t\t$s11 = \"\\\\Device\\\\%ws\" fullword wide\r\n\t\t$s13 = \"CineMaster C 1.1 WDM\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:43:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7ce9-b7c0-4bf8-97c3-948e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:43:37.000Z",
"modified": "2015-04-03T11:43:37.000Z",
"pattern": "[rule EquationDrug_PlatformOrchestrator {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"febc4f30786db7804008dc9bc1cebdc26993e240\"\r\n\tstrings:\r\n\t\t$s0 = \"SERVICES.EXE\" fullword wide\r\n\t\t$s1 = \"\\\\command.com\" fullword wide\r\n\t\t$s2 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s3 = \"LSASS.EXE\" fullword wide\r\n\t\t$s4 = \"Windows Configuration Services\" fullword wide\r\n\t\t$s8 = \"unilay.dll\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:43:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7cfd-bd28-489c-a56a-7455950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:43:57.000Z",
"modified": "2015-04-03T11:43:57.000Z",
"pattern": "[rule EquationDrug_NetworkSniffer5 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network-sniffer/patcher - atmdkdrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"09399b9bd600d4516db37307a457bc55eedcbd17\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s2 = \"atmdkdrv.sys\" fullword wide\r\n\t\t$s4 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s5 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s6 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:43:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7d0c-9254-4e05-8fb7-13b6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:44:12.000Z",
"modified": "2015-04-03T11:44:12.000Z",
"pattern": "[rule EquationDrug_FileSystem_Filter {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Filesystem filter driver \u2013 volrec.sys, scsi2mgr.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"57fa4a1abbf39f4899ea76543ebd3688dcc11e13\"\r\n\tstrings:\r\n\t\t$s0 = \"volrec.sys\" fullword wide\r\n\t\t$s1 = \"volrec.pdb\" fullword ascii\r\n\t\t$s2 = \"Volume recognizer driver\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:44:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7d9f-449c-4b11-b116-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:39.000Z",
"modified": "2015-04-03T11:46:39.000Z",
"pattern": "[file:hashes.SHA1 = '26e787997a338d8111d96c9a4c103cf8ff0201ce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7d9f-90b4-495d-a76f-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:39.000Z",
"modified": "2015-04-03T11:46:39.000Z",
"pattern": "[file:hashes.SHA1 = 'a3a31937956f161beba8acac35b96cb74241cd0f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7d9f-e820-4991-a88b-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:39.000Z",
"modified": "2015-04-03T11:46:39.000Z",
"pattern": "[file:hashes.SHA1 = 'ff2b50f371eb26f22eb8a2118e9ab0e015081500']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-6554-48c1-9789-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = '7e3cd36875c0e5ccb076eb74855d627ae8d4627f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-2538-4b10-9773-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = '14599516381a9646cd978cf962c4f92386371040']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-ed30-41a0-b60e-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = 'ee2b504ad502dc3fed62d6483d93d9b1221cdd6c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-fa2c-4124-bc52-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = '597715224249e9fb77dc733b2e4d507f0cc41af6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-e87c-460b-8a4d-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = 'b93aa17b19575a6e4962d224c5801fb78e9a7bb5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-cb54-4d83-bd6f-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = 'cace40965f8600a24a2457f7792efba3bd84d9ba']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-5eb4-4489-98a0-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = 'febc4f30786db7804008dc9bc1cebdc26993e240']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-5a10-440a-a4ce-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = '09399b9bd600d4516db37307a457bc55eedcbd17']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--551e7da0-b430-43bf-b5fa-1a0e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-03T11:46:40.000Z",
"modified": "2015-04-03T11:46:40.000Z",
"pattern": "[file:hashes.SHA1 = '57fa4a1abbf39f4899ea76543ebd3688dcc11e13']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-03T11:46:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65911-1c7c-4ca9-860f-59a1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:45.000Z",
"modified": "2016-02-18T23:51:45.000Z",
"description": "Automatically added (via 26e787997a338d8111d96c9a4c103cf8ff0201ce)",
"pattern": "[file:hashes.MD5 = '74de13b5ea68b3da24addc009f84baee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65913-45f0-437c-afe4-59a2950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:47.000Z",
"modified": "2016-02-18T23:51:47.000Z",
"description": "Automatically added (via a3a31937956f161beba8acac35b96cb74241cd0f)",
"pattern": "[file:hashes.MD5 = 'ef4405930e6071ae1f7f6fa7d4f3397d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65915-1a88-47c3-a14f-59a4950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:49.000Z",
"modified": "2016-02-18T23:51:49.000Z",
"description": "Automatically added (via ff2b50f371eb26f22eb8a2118e9ab0e015081500)",
"pattern": "[file:hashes.MD5 = '11fb08b9126cdb4668b3f5135cf7a6c5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65917-cb64-415e-a117-599e950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:51.000Z",
"modified": "2016-02-18T23:51:51.000Z",
"description": "Automatically added (via 7e3cd36875c0e5ccb076eb74855d627ae8d4627f)",
"pattern": "[file:hashes.MD5 = '20506375665a6a62f7d9dd22d1cc9870']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65919-a364-49c2-8632-c650950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:53.000Z",
"modified": "2016-02-18T23:51:53.000Z",
"description": "Automatically added (via 14599516381a9646cd978cf962c4f92386371040)",
"pattern": "[file:hashes.MD5 = '60dab5bb319281747c5863b44c5ac60d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6591b-ec0c-4ef9-a84c-599d950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:55.000Z",
"modified": "2016-02-18T23:51:55.000Z",
"description": "Automatically added (via ee2b504ad502dc3fed62d6483d93d9b1221cdd6c)",
"pattern": "[file:hashes.MD5 = '15d39578460e878dd89e8911180494ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6591d-a640-4716-8bf4-5f51950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:57.000Z",
"modified": "2016-02-18T23:51:57.000Z",
"description": "Automatically added (via 597715224249e9fb77dc733b2e4d507f0cc41af6)",
"pattern": "[file:hashes.MD5 = 'c4f8671c1f00dab30f5f88d684af1927']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6591f-28dc-40be-9925-c654950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:59.000Z",
"modified": "2016-02-18T23:51:59.000Z",
"description": "Automatically added (via b93aa17b19575a6e4962d224c5801fb78e9a7bb5)",
"pattern": "[file:hashes.MD5 = 'f6bf3ed3bcd466e5fd1cbaf6ba658716']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65921-3ee8-4e94-b03a-c651950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:01.000Z",
"modified": "2016-02-18T23:52:01.000Z",
"description": "Automatically added (via cace40965f8600a24a2457f7792efba3bd84d9ba)",
"pattern": "[file:hashes.MD5 = '214f7a2c95bdc265888fbcd24e3587da']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65922-3ac8-4f0c-b172-432f950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:02.000Z",
"modified": "2016-02-18T23:52:02.000Z",
"description": "Automatically added (via febc4f30786db7804008dc9bc1cebdc26993e240)",
"pattern": "[file:hashes.MD5 = '5767b9d851d0c24e13eca1bfd16ea424']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65924-bc08-4ddc-b84a-c653950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:04.000Z",
"modified": "2016-02-18T23:52:04.000Z",
"description": "Automatically added (via 09399b9bd600d4516db37307a457bc55eedcbd17)",
"pattern": "[file:hashes.MD5 = '8d87a1845122bf090b3d8656dc9d60a8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65927-6c14-408b-81bb-599c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:07.000Z",
"modified": "2016-02-18T23:52:07.000Z",
"description": "Automatically added (via 57fa4a1abbf39f4899ea76543ebd3688dcc11e13)",
"pattern": "[file:hashes.MD5 = 'c17e16a54916d3838f63d208ebab9879']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65912-dab8-4b67-aa47-5f51950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:46.000Z",
"modified": "2016-02-18T23:51:46.000Z",
"description": "Automatically added (via 26e787997a338d8111d96c9a4c103cf8ff0201ce)",
"pattern": "[file:hashes.SHA256 = '26215bc56dc31d2466d72f1f4e1b6388e62606e9949bc41c28968fcb9a9d60a6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65914-4cb0-4ff7-84e0-c653950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:48.000Z",
"modified": "2016-02-18T23:51:48.000Z",
"description": "Automatically added (via a3a31937956f161beba8acac35b96cb74241cd0f)",
"pattern": "[file:hashes.SHA256 = '1c376452b451e05363dd39c56994bd3414e02ffecf89dbc40461eb6e2fe9e51e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65916-6540-4e43-a359-4dfb950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:50.000Z",
"modified": "2016-02-18T23:51:50.000Z",
"description": "Automatically added (via ff2b50f371eb26f22eb8a2118e9ab0e015081500)",
"pattern": "[file:hashes.SHA256 = '83d14ce2dcfc852791d20cd78066ba5a2b39eb503e12e33f2ef0b1a46c68de73']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65918-64ac-4501-bbe1-5f51950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:52.000Z",
"modified": "2016-02-18T23:51:52.000Z",
"description": "Automatically added (via 7e3cd36875c0e5ccb076eb74855d627ae8d4627f)",
"pattern": "[file:hashes.SHA256 = 'a5ec4d102d802ada7c5083af53fd9d3c9b5aa83be9de58dbb4fac7876faf6d29']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6591a-e1f0-4015-a784-c651950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:54.000Z",
"modified": "2016-02-18T23:51:54.000Z",
"description": "Automatically added (via 14599516381a9646cd978cf962c4f92386371040)",
"pattern": "[file:hashes.SHA256 = '318bb5ca29ac1f647f78a5cf1124d6849fadf52e5bc7193fa05922d36a8db4e5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6591b-0f40-4f75-819b-4aed950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:55.000Z",
"modified": "2016-02-18T23:51:55.000Z",
"description": "Automatically added (via ee2b504ad502dc3fed62d6483d93d9b1221cdd6c)",
"pattern": "[file:hashes.SHA256 = 'c3f92c8b2b11c170879fafa29b698d76a5ea4ed37e01674848c63a911d76bece']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c6591e-7c58-4732-8dcf-c650950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:51:58.000Z",
"modified": "2016-02-18T23:51:58.000Z",
"description": "Automatically added (via 597715224249e9fb77dc733b2e4d507f0cc41af6)",
"pattern": "[file:hashes.SHA256 = '9f1b82e6c2e9760284c53c5377a054d6cfcb2bd5e36329e0f7c395aa02d79d0d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:51:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65920-d184-482b-99e8-59a3950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:00.000Z",
"modified": "2016-02-18T23:52:00.000Z",
"description": "Automatically added (via b93aa17b19575a6e4962d224c5801fb78e9a7bb5)",
"pattern": "[file:hashes.SHA256 = '63a3b1d2e234481bcee6d95ff8e4d7ebf1967009e32fda35a675bffbd8e4c4aa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65922-8c08-40ea-b58c-599f950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:02.000Z",
"modified": "2016-02-18T23:52:02.000Z",
"description": "Automatically added (via cace40965f8600a24a2457f7792efba3bd84d9ba)",
"pattern": "[file:hashes.SHA256 = 'd0a4b7d09d36459b07552c0269eeed450fb016a1192088bfb13cf50fba7f92cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65923-7868-4115-8eaf-49ed950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:03.000Z",
"modified": "2016-02-18T23:52:03.000Z",
"description": "Automatically added (via febc4f30786db7804008dc9bc1cebdc26993e240)",
"pattern": "[file:hashes.SHA256 = '9df733c565cf3c98878911af11ff17f8788c06e56466db6eaab81f8fa80344e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65925-b8b8-4f8c-9be2-5f51950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:05.000Z",
"modified": "2016-02-18T23:52:05.000Z",
"description": "Automatically added (via 09399b9bd600d4516db37307a457bc55eedcbd17)",
"pattern": "[file:hashes.SHA256 = '897489999ff2c360678cdba9a40a6613fc042f346ccfb325fdc0fa46ac42d00e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65928-b2d8-4247-924b-59a4950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:52:08.000Z",
"modified": "2016-02-18T23:52:08.000Z",
"description": "Automatically added (via 57fa4a1abbf39f4899ea76543ebd3688dcc11e13)",
"pattern": "[file:hashes.SHA256 = '355e5643c5a04c18d831b942ef65a21d1cdb1d93ea328b0203a38876cef3f93e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:52:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}