misp-circl-feed/feeds/circl/misp/56e177ef-38cc-441b-a398-4f66950d210f.json


{
"type": "bundle",
"id": "bundle--56e177ef-38cc-441b-a398-4f66950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:30.000Z",
"modified": "2016-03-10T13:58:30.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--56e177ef-38cc-441b-a398-4f66950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:30.000Z",
"modified": "2016-03-10T13:58:30.000Z",
"name": "OSINT - Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans",
"published": "2016-03-10T14:12:32Z",
"object_refs": [
"observed-data--56e1780d-270c-4cc7-ac76-4a92950d210f",
"url--56e1780d-270c-4cc7-ac76-4a92950d210f",
"x-misp-attribute--56e1781e-46c4-4d39-b770-413c950d210f",
"indicator--56e17844-e498-42ac-a6ea-4c13950d210f",
"indicator--56e17844-a20c-48a2-939f-4f67950d210f",
"indicator--56e17844-51dc-4556-a088-46c4950d210f",
"indicator--56e17845-d6f0-429c-b890-4079950d210f",
"indicator--56e17845-8224-4308-a3a6-4702950d210f",
"indicator--56e17845-8ef0-479b-944d-41b3950d210f",
"indicator--56e178e3-cf8c-4f0e-8dc4-4fae950d210f",
"indicator--56e17a4a-dee8-461f-9d0d-4594950d210f",
"indicator--56e17a4a-0678-4fc2-985c-4912950d210f",
"indicator--56e17ace-1a58-46e1-ba4a-4f89950d210f",
"indicator--56e17ace-007c-4f0d-b564-4166950d210f",
"indicator--56e17acf-a6e0-4daf-97e5-422e950d210f",
"indicator--56e17b8c-398c-450a-bd76-498b950d210f",
"indicator--56e17b8d-449c-446a-bbcb-4d96950d210f",
"indicator--56e17c47-9ca0-4037-afb1-4c8d950d210f",
"indicator--56e17caa-2740-4d49-8b47-4c56950d210f",
"indicator--56e17d3a-44d4-47f9-aa6d-4722950d210f",
"indicator--56e17d86-0c10-4c04-b412-4e6a02de0b81",
"indicator--56e17d87-9904-442d-bfe2-4dc902de0b81",
"observed-data--56e17d87-3b08-44c5-9dfb-486202de0b81",
"url--56e17d87-3b08-44c5-9dfb-486202de0b81",
"indicator--56e17d87-a608-4e4c-bdb2-443502de0b81",
"indicator--56e17d88-deb8-4f0a-a0cd-4f3902de0b81",
"observed-data--56e17d88-f460-4120-ad15-4ea802de0b81",
"url--56e17d88-f460-4120-ad15-4ea802de0b81",
"indicator--56e17d88-9390-4464-b901-466f02de0b81",
"indicator--56e17d89-f498-448c-bad0-4d4802de0b81",
"observed-data--56e17d89-a69c-40a0-9352-45f002de0b81",
"url--56e17d89-a69c-40a0-9352-45f002de0b81",
"indicator--56e17d89-4d84-4ac6-80a5-47de02de0b81",
"indicator--56e17d8a-0c60-4f56-87bf-448f02de0b81",
"observed-data--56e17d8a-d9c0-4638-9158-4de502de0b81",
"url--56e17d8a-d9c0-4638-9158-4de502de0b81",
"indicator--56e17d8a-4294-4c3e-80c9-48d102de0b81",
"indicator--56e17d8a-414c-4f93-8496-40c002de0b81",
"observed-data--56e17d8b-231c-4363-8006-4b5202de0b81",
"url--56e17d8b-231c-4363-8006-4b5202de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56e1780d-270c-4cc7-ac76-4a92950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:35:09.000Z",
"modified": "2016-03-10T13:35:09.000Z",
"first_observed": "2016-03-10T13:35:09Z",
"last_observed": "2016-03-10T13:35:09Z",
"number_observed": 1,
"object_refs": [
"url--56e1780d-270c-4cc7-ac76-4a92950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56e1780d-270c-4cc7-ac76-4a92950d210f",
"value": "https://citizenlab.org/2016/03/shifting-tactics/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56e1781e-46c4-4d39-b770-413c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:35:26.000Z",
"modified": "2016-03-10T13:35:26.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We detail how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing that draws on \u201cinside\u201d knowledge of community activities. This adaptation appears to track changes in security behaviors within the Tibetan community, which has been promoting a move from sharing attachments via e-mail to using cloud-based file sharing alternatives such as Google Drive.\r\n\r\nWe connect the attack group\u2019s infrastructure and techniques to a group previously identified by Palo Alto Networks, which they named Scarlet Mimic. We provide further context on Scarlet Mimic\u2019s targeting and tactics, and the intended victims of their attack campaigns. In addition, while Scarlet Mimic may be conducting malware attacks using other infrastructure, we analyze how the attackers re-purposed a cluster of their malware Command and Control (C2) infrastructure to mount the recent phishing campaign.\r\n\r\nThis move is only the latest development in the ongoing cat and mouse game between attack groups like Scarlet Mimic and the Tibetan community. The speed and ease with which attackers continue to adapt highlights the challenges faced by Tibetans who are trying to remain safe online."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17844-e498-42ac-a6ea-4c13950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:36:04.000Z",
"modified": "2016-03-10T13:36:04.000Z",
"description": "Phishing campaign infrastructure",
"pattern": "[domain-name:value = 'filegoogle.firewall-gateway.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:36:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17844-a20c-48a2-939f-4f67950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:36:04.000Z",
"modified": "2016-03-10T13:36:04.000Z",
"description": "Phishing campaign infrastructure",
"pattern": "[domain-name:value = 'accountgoogle.firewall-gateway.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:36:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17844-51dc-4556-a088-46c4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:36:04.000Z",
"modified": "2016-03-10T13:36:04.000Z",
"description": "Phishing campaign infrastructure",
"pattern": "[domain-name:value = 'detail43.myfirewall.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:36:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17845-d6f0-429c-b890-4079950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:36:05.000Z",
"modified": "2016-03-10T13:36:05.000Z",
"description": "Phishing campaign infrastructure",
"pattern": "[url:value = 'http://filegoogle.firewall-gateway.com/servicelogin']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:36:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17845-8224-4308-a3a6-4702950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:36:05.000Z",
"modified": "2016-03-10T13:36:05.000Z",
"description": "Phishing campaign infrastructure",
"pattern": "[url:value = 'http://accountgoogle.firewall-gateway.com/serviclogin']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:36:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17845-8ef0-479b-944d-41b3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:36:05.000Z",
"modified": "2016-03-10T13:36:05.000Z",
"description": "Phishing campaign infrastructure",
"pattern": "[url:value = 'http://accountgoogle.firewall-gateway.com/servicclogin']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:36:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e178e3-cf8c-4f0e-8dc4-4fae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:38:43.000Z",
"modified": "2016-03-10T13:38:43.000Z",
"description": "Command and Control Servers",
"pattern": "[domain-name:value = 'sys.firewall-gateway.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:38:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17a4a-dee8-461f-9d0d-4594950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:44:42.000Z",
"modified": "2016-03-10T13:44:42.000Z",
"pattern": "[file:name = 'uroyh.exe' AND file:hashes.MD5 = 'ea45265fe98b25e719d5a9cc3b412d66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:44:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17a4a-0678-4fc2-985c-4912950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:44:42.000Z",
"modified": "2016-03-10T13:44:42.000Z",
"pattern": "[file:name = 'uroyh-unpacked.exe' AND file:hashes.MD5 = '5c030802ad411fea059cc9cc4c118125']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:44:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17ace-1a58-46e1-ba4a-4f89950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:46:54.000Z",
"modified": "2016-03-10T13:46:54.000Z",
"pattern": "[file:name = 'Reappraisal_of_India_Tibet_Policy.doc' AND file:hashes.MD5 = '7735e571d0450e2a31e97e4f8e0f66fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:46:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17ace-007c-4f0d-b564-4166950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:46:54.000Z",
"modified": "2016-03-10T13:46:54.000Z",
"pattern": "[file:name = 'Genuine autonomy or complete independance.doc' AND file:hashes.MD5 = '7735e571d0450e2a31e97e4f8e0f66fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:46:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17acf-a6e0-4daf-97e5-422e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:46:55.000Z",
"modified": "2016-03-10T13:46:55.000Z",
"pattern": "[file:name = 'Application for Mentee.doc' AND file:hashes.MD5 = '7735e571d0450e2a31e97e4f8e0f66fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:46:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17b8c-398c-450a-bd76-498b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:50:04.000Z",
"modified": "2016-03-10T13:50:04.000Z",
"pattern": "[file:name = 'iph.bat' AND file:hashes.MD5 = 'd2e9412428c3bcf3ec98dba8a78adb7b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:50:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17b8d-449c-446a-bbcb-4d96950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:50:05.000Z",
"modified": "2016-03-10T13:50:05.000Z",
"pattern": "[file:name = 'cghnt.exe' AND file:hashes.MD5 = '1bf438b5744db73eea58379a3b9f30e5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:50:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17c47-9ca0-4037-afb1-4c8d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:53:11.000Z",
"modified": "2016-03-10T13:53:11.000Z",
"pattern": "[file:name = '20140317144336097.DOC' AND file:hashes.MD5 = '3b869c8e23d66ad0527882fc79ff7237']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:53:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17caa-2740-4d49-8b47-4c56950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:54:50.000Z",
"modified": "2016-03-10T13:54:50.000Z",
"description": "Command and Control Servers",
"pattern": "[domain-name:value = 'news.firewall-gateway.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:54:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d3a-44d4-47f9-aa6d-4722950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:57:14.000Z",
"modified": "2016-03-10T13:57:14.000Z",
"description": "Scarlet Mimic Malware Campaign 1",
"pattern": "[file:hashes.MD5 = 'fef27f432e0ae8218143bc410fda340e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:57:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d86-0c10-4c04-b412-4e6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:30.000Z",
"modified": "2016-03-10T13:58:30.000Z",
"description": "- Xchecked via VT: 1bf438b5744db73eea58379a3b9f30e5",
"pattern": "[file:hashes.SHA256 = 'df9872d1dc1dbb101bf83c7e7d689d2d6df09966481a365f92cd451ef55f047d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d87-9904-442d-bfe2-4dc902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:31.000Z",
"modified": "2016-03-10T13:58:31.000Z",
"description": "- Xchecked via VT: 1bf438b5744db73eea58379a3b9f30e5",
"pattern": "[file:hashes.SHA1 = '67762474fb66217bf2594ede3d15abe12ac4d9e7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56e17d87-3b08-44c5-9dfb-486202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:31.000Z",
"modified": "2016-03-10T13:58:31.000Z",
"first_observed": "2016-03-10T13:58:31Z",
"last_observed": "2016-03-10T13:58:31Z",
"number_observed": 1,
"object_refs": [
"url--56e17d87-3b08-44c5-9dfb-486202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56e17d87-3b08-44c5-9dfb-486202de0b81",
"value": "https://www.virustotal.com/file/df9872d1dc1dbb101bf83c7e7d689d2d6df09966481a365f92cd451ef55f047d/analysis/1453744608/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d87-a608-4e4c-bdb2-443502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:31.000Z",
"modified": "2016-03-10T13:58:31.000Z",
"description": "Scarlet Mimic Malware Campaign 1 - Xchecked via VT: fef27f432e0ae8218143bc410fda340e",
"pattern": "[file:hashes.SHA256 = 'caf76e19a2681dd000c96d8389afc749e774c083aef09f023d4f42fbc49d4d3d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d88-deb8-4f0a-a0cd-4f3902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:32.000Z",
"modified": "2016-03-10T13:58:32.000Z",
"description": "Scarlet Mimic Malware Campaign 1 - Xchecked via VT: fef27f432e0ae8218143bc410fda340e",
"pattern": "[file:hashes.SHA1 = '6d81d2ad1acfd707a2ea35672bdd76948889d16b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56e17d88-f460-4120-ad15-4ea802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:32.000Z",
"modified": "2016-03-10T13:58:32.000Z",
"first_observed": "2016-03-10T13:58:32Z",
"last_observed": "2016-03-10T13:58:32Z",
"number_observed": 1,
"object_refs": [
"url--56e17d88-f460-4120-ad15-4ea802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56e17d88-f460-4120-ad15-4ea802de0b81",
"value": "https://www.virustotal.com/file/caf76e19a2681dd000c96d8389afc749e774c083aef09f023d4f42fbc49d4d3d/analysis/1453903417/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d88-9390-4464-b901-466f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:32.000Z",
"modified": "2016-03-10T13:58:32.000Z",
"description": "- Xchecked via VT: 3b869c8e23d66ad0527882fc79ff7237",
"pattern": "[file:hashes.SHA256 = 'cc8936507438fcf8757ff40309c6057aa780c394b158723b7e8fb07e09793344']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d89-f498-448c-bad0-4d4802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:33.000Z",
"modified": "2016-03-10T13:58:33.000Z",
"description": "- Xchecked via VT: 3b869c8e23d66ad0527882fc79ff7237",
"pattern": "[file:hashes.SHA1 = 'a7e90928e96a44b5223053fd0c1b96d9a3a36e01']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56e17d89-a69c-40a0-9352-45f002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:33.000Z",
"modified": "2016-03-10T13:58:33.000Z",
"first_observed": "2016-03-10T13:58:33Z",
"last_observed": "2016-03-10T13:58:33Z",
"number_observed": 1,
"object_refs": [
"url--56e17d89-a69c-40a0-9352-45f002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56e17d89-a69c-40a0-9352-45f002de0b81",
"value": "https://www.virustotal.com/file/cc8936507438fcf8757ff40309c6057aa780c394b158723b7e8fb07e09793344/analysis/1398640507/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d89-4d84-4ac6-80a5-47de02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:33.000Z",
"modified": "2016-03-10T13:58:33.000Z",
"description": "- Xchecked via VT: 7735e571d0450e2a31e97e4f8e0f66fa",
"pattern": "[file:hashes.SHA256 = '8d98155283c4d8373d2cf2c7b8a79302251a0ce76d227a8a2abdc2a244fc550e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d8a-0c60-4f56-87bf-448f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:34.000Z",
"modified": "2016-03-10T13:58:34.000Z",
"description": "- Xchecked via VT: 7735e571d0450e2a31e97e4f8e0f66fa",
"pattern": "[file:hashes.SHA1 = 'e2126ebc4910ea0308a150466f70534854ec201d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56e17d8a-d9c0-4638-9158-4de502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:34.000Z",
"modified": "2016-03-10T13:58:34.000Z",
"first_observed": "2016-03-10T13:58:34Z",
"last_observed": "2016-03-10T13:58:34Z",
"number_observed": 1,
"object_refs": [
"url--56e17d8a-d9c0-4638-9158-4de502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56e17d8a-d9c0-4638-9158-4de502de0b81",
"value": "https://www.virustotal.com/file/8d98155283c4d8373d2cf2c7b8a79302251a0ce76d227a8a2abdc2a244fc550e/analysis/1437647138/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d8a-4294-4c3e-80c9-48d102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:34.000Z",
"modified": "2016-03-10T13:58:34.000Z",
"description": "- Xchecked via VT: ea45265fe98b25e719d5a9cc3b412d66",
"pattern": "[file:hashes.SHA256 = '3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e17d8a-414c-4f93-8496-40c002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:34.000Z",
"modified": "2016-03-10T13:58:34.000Z",
"description": "- Xchecked via VT: ea45265fe98b25e719d5a9cc3b412d66",
"pattern": "[file:hashes.SHA1 = '95cecef175012f145df2e0f8255fe92f55f10414']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-10T13:58:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56e17d8b-231c-4363-8006-4b5202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-10T13:58:35.000Z",
"modified": "2016-03-10T13:58:35.000Z",
"first_observed": "2016-03-10T13:58:35Z",
"last_observed": "2016-03-10T13:58:35Z",
"number_observed": 1,
"object_refs": [
"url--56e17d8b-231c-4363-8006-4b5202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56e17d8b-231c-4363-8006-4b5202de0b81",
"value": "https://www.virustotal.com/file/3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520/analysis/1453744600/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}