misp-circl-feed/feeds/circl/misp/582dd48e-66bc-40c1-ae49-6fe8d56c6cd2.json

2013 lines
No EOL
90 KiB
JSON

{
"type": "bundle",
"id": "bundle--582dd48e-66bc-40c1-ae49-6fe8d56c6cd2",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:12:02.000Z",
"modified": "2020-04-28T10:12:02.000Z",
"name": "CiviCERT",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--582dd48e-66bc-40c1-ae49-6fe8d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:12:02.000Z",
"modified": "2020-04-28T10:12:02.000Z",
"name": "It\u2019s Parliamentary: KeyBoy and the targeting of the Tibetan Community",
"published": "2020-10-10T09:42:52Z",
"object_refs": [
"observed-data--582dd725-1a84-4454-b86e-7007d56c6cd2",
"file--582dd725-1a84-4454-b86e-7007d56c6cd2",
"indicator--582dd740-b944-4070-9b70-0692d56c6cd2",
"indicator--582dd74f-c72c-4221-bc3f-6fe8d56c6cd2",
"indicator--582dd75d-7a3c-4990-883d-0696d56c6cd2",
"indicator--582dd76d-b590-4d21-9ff6-7005d56c6cd2",
"indicator--582dd77a-cda4-42a0-9b86-7008d56c6cd2",
"indicator--582dd78b-1198-4b24-b6d3-7006d56c6cd2",
"indicator--582dd79a-c36c-4329-952c-7007d56c6cd2",
"observed-data--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2",
"file--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2",
"indicator--582dd7c2-7434-4d28-af67-7007d56c6cd2",
"indicator--582dd7d3-3800-473b-b088-7006d56c6cd2",
"indicator--582dd7e1-7bcc-4b5c-b6ef-6ff0d56c6cd2",
"indicator--582dd7ed-ff54-4450-9f8a-7008d56c6cd2",
"indicator--582dd7f9-5180-4a45-baff-7005d56c6cd2",
"indicator--582dd80c-aa34-453f-9a06-6fe8d56c6cd2",
"indicator--582dd817-deac-4afa-a4a9-0696d56c6cd2",
"indicator--582dd82e-469c-4a22-8669-6ff1d56c6cd2",
"indicator--582dd83b-0524-4fed-a9e3-700dd56c6cd2",
"observed-data--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2",
"url--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2",
"indicator--582dd859-da30-4ad9-9118-7005d56c6cd2",
"indicator--582dd873-7d5c-4433-9e36-6ff0d56c6cd2",
"indicator--582dd873-ef48-4fe2-8f27-6ff0d56c6cd2",
"indicator--582dd873-7f8c-4373-aa0d-6ff0d56c6cd2",
"indicator--582dd890-d548-436f-bd0a-6ff2d56c6cd2",
"indicator--582dd890-e77c-48ef-b609-6ff2d56c6cd2",
"indicator--582dd891-0d3c-41a2-9385-6ff2d56c6cd2",
"indicator--582dd891-0e90-4e82-bfba-6ff2d56c6cd2",
"indicator--582dd8ab-850c-4a68-812b-7007d56c6cd2",
"indicator--582dd8ac-097c-45be-8370-7007d56c6cd2",
"indicator--582dd8c1-9ec0-4fa4-8d06-700fd56c6cd2",
"indicator--582dd8ed-34cc-49c9-9ae4-700fd56c6cd2",
"indicator--582dd904-3f68-4706-b596-0696d56c6cd2",
"indicator--582dd918-13bc-44e9-9b8d-6ff2d56c6cd2",
"indicator--582dd924-6350-4beb-bc4d-700dd56c6cd2",
"indicator--582dd932-aac0-48ba-8235-7006d56c6cd2",
"indicator--582dd940-4910-478c-a8f6-700ed56c6cd2",
"indicator--582dd94c-9948-4f28-a0a8-6ff1d56c6cd2",
"indicator--582dd958-b8e4-47e1-b3bd-6ff0d56c6cd2",
"indicator--582dd965-41f0-4ca5-a4f6-700fd56c6cd2",
"indicator--582dd971-87dc-4fa4-a22b-7007d56c6cd2",
"indicator--582dd982-e0b0-4f79-bab1-0696d56c6cd2",
"indicator--582dd992-c5ac-438a-8737-7005d56c6cd2",
"vulnerability--582dd9ad-23d0-45dd-9bee-6ff2d56c6cd2",
"vulnerability--582dd9ad-a8e4-4cd1-b839-6ff2d56c6cd2",
"vulnerability--582dd9ad-8e60-429f-b92c-6ff2d56c6cd2",
"indicator--582dd9be-541c-40c0-875a-700dd56c6cd2",
"indicator--582dd9cd-5bf4-40a1-9f79-700ed56c6cd2",
"x-misp-attribute--582dd9d6-8564-46ea-9b4e-700ed56c6cd2",
"indicator--5832bd46-65f0-4dad-892b-426702de0b81",
"observed-data--5832bd47-c064-429b-bb2f-467302de0b81",
"url--5832bd47-c064-429b-bb2f-467302de0b81",
"indicator--5832bd47-9600-41f5-896c-4e8b02de0b81",
"observed-data--5832bd48-b104-49f7-ae8e-436e02de0b81",
"url--5832bd48-b104-49f7-ae8e-436e02de0b81",
"indicator--5832bd48-3de0-4688-8add-48f502de0b81",
"observed-data--5832bd49-a008-4fd1-bc69-4cd102de0b81",
"url--5832bd49-a008-4fd1-bc69-4cd102de0b81",
"indicator--5832bd49-19b0-4338-af0d-47c402de0b81",
"observed-data--5832bd4a-8608-4468-9038-447602de0b81",
"url--5832bd4a-8608-4468-9038-447602de0b81",
"observed-data--5832bd4a-dd54-4a76-bf57-4b9c02de0b81",
"file--5832bd4a-dd54-4a76-bf57-4b9c02de0b81",
"observed-data--5832bd4b-25c4-4edb-8ab9-436502de0b81",
"url--5832bd4b-25c4-4edb-8ab9-436502de0b81",
"indicator--5832bd4c-0190-4a6f-9c4f-472202de0b81",
"indicator--5832bd4c-d698-4f11-b5c9-476202de0b81",
"observed-data--5832bd4d-e058-48a1-9e0a-483f02de0b81",
"url--5832bd4d-e058-48a1-9e0a-483f02de0b81",
"indicator--5832bd4d-c198-40bf-83ca-4c7002de0b81",
"indicator--5832bd4e-dab8-4936-ac41-489e02de0b81",
"observed-data--5832bd4e-88e0-452b-9d0b-47f602de0b81",
"url--5832bd4e-88e0-452b-9d0b-47f602de0b81",
"indicator--5832bd4f-f9d0-48f9-a3dc-4f2902de0b81",
"indicator--5832bd4f-48d0-4d0b-9719-439d02de0b81",
"observed-data--5832bd50-1ff0-44dd-b44d-401d02de0b81",
"url--5832bd50-1ff0-44dd-b44d-401d02de0b81",
"indicator--5832bd50-8af8-4d7a-bf57-4c1702de0b81",
"indicator--5832bd51-76b0-4f37-860b-4b3802de0b81",
"observed-data--5832bd51-1400-4733-9436-4f7902de0b81",
"url--5832bd51-1400-4733-9436-4f7902de0b81",
"indicator--5832bd52-5310-486b-876f-4b0e02de0b81",
"indicator--5832bd52-2228-4453-b38e-41b102de0b81",
"observed-data--5832bd53-a558-4ea4-957d-4e7202de0b81",
"url--5832bd53-a558-4ea4-957d-4e7202de0b81",
"indicator--5832bd53-d3f0-4c64-80cf-469402de0b81",
"indicator--5832bd54-87e0-49a7-8971-480e02de0b81",
"observed-data--5832bd54-0efc-4f4a-b342-4a8e02de0b81",
"url--5832bd54-0efc-4f4a-b342-4a8e02de0b81",
"indicator--5832bd55-6890-47d5-b97c-4a6402de0b81",
"indicator--5832bd55-f334-44ed-81f9-401602de0b81",
"observed-data--5832bd55-7e88-4e84-98fa-44ea02de0b81",
"url--5832bd55-7e88-4e84-98fa-44ea02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"phishing\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:tool=\"KeyBoy\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582dd725-1a84-4454-b86e-7007d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:13:25.000Z",
"modified": "2016-11-17T16:13:25.000Z",
"first_observed": "2016-11-17T16:13:25Z",
"last_observed": "2016-11-17T16:13:25Z",
"number_observed": 1,
"object_refs": [
"file--582dd725-1a84-4454-b86e-7007d56c6cd2"
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--582dd725-1a84-4454-b86e-7007d56c6cd2",
"hashes": {
"MD5": "8f08609e4e0b3d26814b3073a42df415"
}
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd740-b944-4070-9b70-0692d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:13:51.000Z",
"modified": "2016-11-17T16:13:51.000Z",
"description": "Wab32res.dll payload, KeyBoy 20160509",
"pattern": "[file:hashes.MD5 = '495adb1b9777002ecfe22aaf52fcee93']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:13:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd74f-c72c-4221-bc3f-6fe8d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:14:07.000Z",
"modified": "2016-11-17T16:14:07.000Z",
"description": "Payload KeyBoy P_20150313",
"pattern": "[file:hashes.MD5 = '0c7e55509e0b6d4277b3facf864af018']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:14:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd75d-7a3c-4990-883d-0696d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:14:21.000Z",
"modified": "2016-11-17T16:14:21.000Z",
"description": "Payload KeyBoy 20151108",
"pattern": "[file:hashes.MD5 = '98977426d544bd145979f65f0322ae30']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:14:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd76d-b590-4d21-9ff6-7005d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:14:37.000Z",
"modified": "2016-11-17T16:14:37.000Z",
"description": "Payload KeyBoy 20151108",
"pattern": "[file:hashes.MD5 = 'c5b5f01ba24d6c02636388809f44472e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:14:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd77a-cda4-42a0-9b86-7008d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:14:50.000Z",
"modified": "2016-11-17T16:14:50.000Z",
"description": "64b KeyBoy payload 20151108",
"pattern": "[file:hashes.MD5 = '371bc132499f455f06fa80696db0df27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:14:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd78b-1198-4b24-b6d3-7006d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:12:02.000Z",
"modified": "2020-04-28T10:12:02.000Z",
"description": "wab32res.dll, agewkassif version",
"pattern": "[file:hashes.MD5 = '087bffa8a570079948310dc9731c5709']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:12:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd79a-c36c-4329-952c-7007d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:15:22.000Z",
"modified": "2016-11-17T16:15:22.000Z",
"description": "Contains the Keyboy version",
"pattern": "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Ver']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:15:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:15:47.000Z",
"modified": "2016-11-17T16:15:47.000Z",
"first_observed": "2016-11-17T16:15:47Z",
"last_observed": "2016-11-17T16:15:47Z",
"number_observed": 1,
"object_refs": [
"file--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2"
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2",
"hashes": {
"SHA-256": "58105e9772f6befbc319c147a97faded4fbacf839947b34fe3695ae72771da5d"
}
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd7c2-7434-4d28-af67-7007d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:16:02.000Z",
"modified": "2016-11-17T16:16:02.000Z",
"description": "Wab32res.dll payload, KeyBoy 20160509",
"pattern": "[file:hashes.SHA256 = '9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:16:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd7d3-3800-473b-b088-7006d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:16:19.000Z",
"modified": "2016-11-17T16:16:19.000Z",
"description": "Wab32res.dll payload, KeyBoy agewkassif version",
"pattern": "[file:hashes.SHA256 = '5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:16:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd7e1-7bcc-4b5c-b6ef-6ff0d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:16:33.000Z",
"modified": "2016-11-17T16:16:33.000Z",
"pattern": "[import \"pe\"\r\nrule new_keyboy_export\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the new 2016 sample's export\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\n\r\n\r\nfilesize < 200KB and\r\n\r\n\r\n//The malware family seems to share many exports\r\n//but this is the new kid on the block.\r\npe.exports(\"cfsUpdate\")\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:16:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd7ed-ff54-4450-9f8a-7008d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:16:45.000Z",
"modified": "2016-11-17T16:16:45.000Z",
"pattern": "[rule new_keyboy_header_codes\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the 2016 sample's header codes\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n$s1 = \"*l*\" wide fullword\r\n$s2 = \"*a*\" wide fullword\r\n$s3 = \"*s*\" wide fullword\r\n$s4 = \"*d*\" wide fullword\r\n$s5 = \"*f*\" wide fullword\r\n$s6 = \"*g*\" wide fullword\r\n$s7 = \"*h*\" wide fullword\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\nall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:16:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd7f9-5180-4a45-baff-7005d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:16:57.000Z",
"modified": "2016-11-17T16:16:57.000Z",
"pattern": "[rule keyboy_commands\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the 2016 sample's sent and received commands\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n$s1 = \"Update\" wide fullword\r\n$s2 = \"UpdateAndRun\" wide fullword\r\n$s3 = \"Refresh\" wide fullword\r\n$s4 = \"OnLine\" wide fullword\r\n$s5 = \"Disconnect\" wide fullword\r\n$s6 = \"Pw_Error\" wide fullword\r\n$s7 = \"Pw_OK\" wide fullword\r\n$s8 = \"Sysinfo\" wide fullword\r\n$s9 = \"Download\" wide fullword\r\n$s10 = \"UploadFileOk\" wide fullword\r\n$s11 = \"RemoteRun\" wide fullword\r\n$s12 = \"FileManager\" wide fullword\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n6 of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:16:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd80c-aa34-453f-9a06-6fe8d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:17:16.000Z",
"modified": "2016-11-17T16:17:16.000Z",
"pattern": "[rule keyboy_errors\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the sample's shell error2 log statements\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n//These strings are in ASCII pre-2015 and UNICODE in 2016\r\n$error = \"Error2\" ascii wide\r\n//2016 specific:\r\n$s1 = \"Can't find [%s]!Check the file name and try again!\" ascii wide\r\n$s2 = \"Open [%s] error! %d\" ascii wide\r\n$s3 = \"The Size of [%s] is zero!\" ascii wide\r\n$s4 = \"CreateThread DownloadFile[%s] Error!\" ascii wide\r\n$s5 = \"UploadFile [%s] Error:Connect Server Failed!\" ascii wide\r\n$s6 = \"Receive [%s] Error(Recved[%d] != Send[%d])!\" ascii wide\r\n$s7 = \"Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/s\" ascii wide\r\n$s8 = \"CreateThread UploadFile[%s] Error!\" ascii wide\r\n//Pre-2016:\r\n$s9 = \"Ready Download [%s] ok!\" ascii wide\r\n$s10 = \"Get ControlInfo from FileClient error!\" ascii wide\r\n$s11 = \"FileClient has a error!\" ascii wide\r\n$s12 = \"VirtualAlloc SendBuff Error(%d)\" ascii wide\r\n$s13 = \"ReadFile [%s] Error(%d)...\" ascii wide\r\n$s14 = \"ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error...\" ascii wide\r\n$s15 = \"CreateThread DownloadFile[%s] Error!\" ascii wide\r\n$s16 = \"RecvData MyRecv_Info Size Error!\" ascii wide\r\n$s17 = \"RecvData MyRecv_Info Tag Error!\" ascii wide\r\n$s18 = \"SendData szControlInfo_1 Error!\" ascii wide\r\n$s19 = \"SendData szControlInfo_3 Error!\" ascii wide\r\n$s20 = \"VirtualAlloc RecvBuff Error(%d)\" ascii wide\r\n$s21 = \"RecvData Error!\" ascii wide\r\n$s22 = \"WriteFile [%s} Error(%d)...\" ascii wide\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n$error and 3 of ($s*)\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:17:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd817-deac-4afa-a4a9-0696d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:17:39.000Z",
"modified": "2016-11-17T16:17:39.000Z",
"pattern": "[rule keyboy_systeminfo\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the system information format before sending to C2\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n//These strings are ASCII pre-2015 and UNICODE in 2016\r\n$s1 = \"SystemVersion: %s\" ascii wide\r\n$s2 = \"Product ID: %s\" ascii wide\r\n$s3 = \"InstallPath: %s\" ascii wide\r\n$s4 = \"InstallTime: %d-%d-%d, %02d:%02d:%02d\" ascii wide\r\n$s5 = \"ResgisterGroup: %s\" ascii wide\r\n$s6 = \"RegisterUser: %s\" ascii wide\r\n$s7 = \"ComputerName: %s\" ascii wide\r\n$s8 = \"WindowsDirectory: %s\" ascii wide\r\n$s9 = \"System Directory: %s\" ascii wide\r\n$s10 = \"Number of Processors: %d\" ascii wide\r\n$s11 = \"CPU[%d]: %s: %sMHz\" ascii wide\r\n$s12 = \"RAM: %dMB Total, %dMB Free.\" ascii wide\r\n$s13 = \"DisplayMode: %d x %d, %dHz, %dbit\" ascii wide\r\n$s14 = \"Uptime: %d Days %02u:%02u:%02u\" ascii wide\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n7 of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:17:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd82e-469c-4a22-8669-6ff1d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:57.000Z",
"modified": "2020-04-28T10:11:57.000Z",
"pattern": "[import \"pe\"\nrule keyboy_related_exports\n{\nmeta:\nauthor = \"Matt Brooks, @cmatthewbrooks\"\ndesc = \"Matches the new 2016 sample's export\"\ndate = \"2016-08-28\"\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\n\ncondition:\n//MZ header\nuint16(0) == 0x5A4D and\n\n//PE signature\nuint32(uint32(0x3C)) == 0x00004550 and\n\n\nfilesize < 200KB and\n\n\n//The malware family seems to share many exports\n//but this is the new kid on the block.\npe.exports(\"Embedding\") or\npe.exports(\"SSSS\") or\npe.exports(\"GetUP\")\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd83b-0524-4fed-a9e3-700dd56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:18:03.000Z",
"modified": "2016-11-17T16:18:03.000Z",
"pattern": "[import \"pe\"\r\nrule keyboy_init_config_section\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the Init section where the config is stored\"\r\ndate = \"2016-08-28\"\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\n\r\n//Payloads are normally smaller but the new dropper we spotted\r\n//is a bit larger.\r\nfilesize < 300KB and\r\n\r\n//Observed virtual sizes of the .Init section vary but they've\r\n//always been 1024, 2048, or 4096 bytes.\r\nfor any i in (0..pe.number_of_sections - 1):\r\n(\r\npe.sections[i].name == \".Init\" and\r\npe.sections[i].virtual_size % 1024 == 0\r\n)\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:18:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:25:25.000Z",
"modified": "2016-11-17T16:25:25.000Z",
"first_observed": "2016-11-17T16:25:25Z",
"last_observed": "2016-11-17T16:25:25Z",
"number_observed": 1,
"object_refs": [
"url--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582dd9f5-639c-4a10-8ced-6ff0d56c6cd2",
"value": "https://citizenlab.org/2016/11/parliament-keyboy/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd859-da30-4ad9-9118-7005d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:18:33.000Z",
"modified": "2016-11-17T16:18:33.000Z",
"description": "domain linked to one of the C2 IPs",
"pattern": "[domain-name:value = 'tibetvoices.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:18:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd873-7d5c-4433-9e36-6ff0d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:18:58.000Z",
"modified": "2016-11-17T16:18:58.000Z",
"description": "C2 domains",
"pattern": "[domain-name:value = 'www.about.jkub.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:18:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd873-ef48-4fe2-8f27-6ff0d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:18:59.000Z",
"modified": "2016-11-17T16:18:59.000Z",
"description": "C2 domains",
"pattern": "[domain-name:value = 'www.eleven.mypop3.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:18:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd873-7f8c-4373-aa0d-6ff0d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:18:59.000Z",
"modified": "2016-11-17T16:18:59.000Z",
"description": "C2 domains",
"pattern": "[domain-name:value = 'www.backus.myftp.name']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:18:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd890-d548-436f-bd0a-6ff2d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:19:28.000Z",
"modified": "2016-11-17T16:19:28.000Z",
"description": "C2 IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.125.12.147']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:19:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd890-e77c-48ef-b609-6ff2d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:19:28.000Z",
"modified": "2016-11-17T16:19:28.000Z",
"description": "C2 IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.40.102.233']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:19:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd891-0d3c-41a2-9385-6ff2d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:19:29.000Z",
"modified": "2016-11-17T16:19:29.000Z",
"description": "C2 IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '116.193.154.69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:19:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd891-0e90-4e82-bfba-6ff2d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:19:29.000Z",
"modified": "2016-11-17T16:19:29.000Z",
"description": "C2 IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.242.134.243']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:19:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd8ab-850c-4a68-812b-7007d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:19:55.000Z",
"modified": "2016-11-17T16:19:55.000Z",
"description": "IPs for C2 Host: www.about.jkub.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.32.47.148']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:19:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd8ac-097c-45be-8370-7007d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:19:56.000Z",
"modified": "2016-11-17T16:19:56.000Z",
"description": "IPs for C2 Host: www.about.jkub.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '157.7.84.81']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:19:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd8c1-9ec0-4fa4-8d06-700fd56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:20:17.000Z",
"modified": "2016-11-17T16:20:17.000Z",
"description": "IP behind C2 Host: www.backus.myftp[.]name",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.241.149.43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:20:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd8ed-34cc-49c9-9ae4-700fd56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:21:01.000Z",
"modified": "2016-11-17T16:21:01.000Z",
"description": "Other IP hosting tibetvoices.com",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '112.10.117.47']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:21:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd904-3f68-4706-b596-0696d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:21:24.000Z",
"modified": "2016-11-17T16:21:24.000Z",
"description": "Source of phishing emails",
"pattern": "[email-message:from_ref.value = 'tibetanparliarnent@yahoo.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:21:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd918-13bc-44e9-9b8d-6ff2d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:08.000Z",
"modified": "2020-04-28T10:11:08.000Z",
"description": "theme of the conference.doc",
"pattern": "[file:hashes.MD5 = '8307e444cad98b1b59568ad2eba5f201']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd924-6350-4beb-bc4d-700dd56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:06.000Z",
"modified": "2020-04-28T10:11:06.000Z",
"description": "Dw20.exe dropper",
"pattern": "[file:hashes.MD5 = '0b4d45db323f68b465ae052d3a872068']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd932-aac0-48ba-8235-7006d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:33.000Z",
"modified": "2020-04-28T10:11:33.000Z",
"description": "Other similar doc",
"pattern": "[file:hashes.MD5 = 'beadf21b923600554b0ce54df42e78f5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd940-4910-478c-a8f6-700ed56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:22:24.000Z",
"modified": "2016-11-17T16:22:24.000Z",
"description": "Dw20.exe dropper",
"pattern": "[file:hashes.MD5 = '69df3d3df4d99bc6045d073d89c68697']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:22:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd94c-9948-4f28-a0a8-6ff1d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:17.000Z",
"modified": "2020-04-28T10:11:17.000Z",
"description": "Malicious doc with CVE-2014-4114 vulnerability",
"pattern": "[file:hashes.MD5 = '05b5cf94f07fee666eb086c91182ad25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd958-b8e4-47e1-b3bd-6ff0d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:15.000Z",
"modified": "2020-04-28T10:11:15.000Z",
"description": "Doc exploiting CVE-2012-0158",
"pattern": "[file:hashes.MD5 = '8846d109b457a2ee44ddbf54d1cf7944']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd965-41f0-4ca5-a4f6-700fd56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:22.000Z",
"modified": "2020-04-28T10:11:22.000Z",
"description": "Attached file urgent action larung gar buddhist academy.rtf (CVE-2015-1641)",
"pattern": "[file:hashes.MD5 = '913b82ff8f090670fc6387e3a7bea12d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd971-87dc-4fa4-a22b-7007d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:25.000Z",
"modified": "2020-04-28T10:11:25.000Z",
"description": "dropper of 'agewkassif' version",
"pattern": "[file:hashes.MD5 = '23d284245e53ae4fe05c517d807ffccf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd982-e0b0-4f79-bab1-0696d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:27.000Z",
"modified": "2020-04-28T10:11:27.000Z",
"description": "dw20.exe dropper",
"pattern": "[file:hashes.SHA256 = '5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd992-c5ac-438a-8737-7005d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:31.000Z",
"modified": "2020-04-28T10:11:31.000Z",
"description": "dropper of 'agewkassif' sample",
"pattern": "[file:hashes.SHA256 = '542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--582dd9ad-23d0-45dd-9bee-6ff2d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:24:13.000Z",
"modified": "2016-11-17T16:24:13.000Z",
"name": "CVE-2012-0158",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2012-0158"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--582dd9ad-a8e4-4cd1-b839-6ff2d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:24:13.000Z",
"modified": "2016-11-17T16:24:13.000Z",
"name": "CVE-2014-4114",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2014-4114"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--582dd9ad-8e60-429f-b92c-6ff2d56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:24:13.000Z",
"modified": "2016-11-17T16:24:13.000Z",
"name": "CVE-2015-1641",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-1641"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd9be-541c-40c0-875a-700dd56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:24:30.000Z",
"modified": "2016-11-17T16:24:30.000Z",
"pattern": "[rule CVE_2012_0158_KeyBoy {\r\nmeta:\r\nauthor = \"Etienne Maynier <etienne@citizenlab.ca>\"\r\ndescription = \"CVE-2012-0158 variant\"\r\nfile = \"8307e444cad98b1b59568ad2eba5f201\"\r\n\r\nstrings:\r\n$a = \"d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff09000600000000000000000000000100000001\" nocase // OLE header\r\n$b = \"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\" nocase // junk data\r\n$c = /5(\\{\\\\b0\\}|)[ ]*2006F00(\\{\\\\b0\\}|)[ ]*6F007(\\{\\\\b0\\}|)[ ]*400200045(\\{\\\\b0\\}|)[ ]*006(\\{\\\\b0\\}|)[ ]*E007(\\{\\\\b0\\}|)[ ]*400720079/ nocase\r\n$d = \"MSComctlLib.ListViewCtrl.2\"\r\n$e = \"ac38c874503c307405347aaaebf2ac2c31ebf6e8e3\" nocase //decoding shellcode\r\n\r\ncondition:\r\nall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:24:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582dd9cd-5bf4-40a1-9f79-700ed56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-17T16:24:45.000Z",
"modified": "2016-11-17T16:24:45.000Z",
"pattern": "[rule keyboy_exploit_doc_meta{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the meta associated with these exploit docs\"\r\ndate = \"2016-09-30\"\r\n\r\nstrings:\r\n$role = \"{\\\\author Master}{\\\\operator Master}\"\r\n$creatim = \"{\\\\creatim\\\\yr2015\\\\mo10\\\\dy16\\\\hr11\\\\min37}\"\r\n$revtim = \"{\\\\revtim\\\\yr2015\\\\mo10\\\\dy16\\\\hr13\\\\min54}\"\r\n\r\ncondition:\r\nuint32be(0) == 0x7B5C7274 and\r\nfilesize < 1MB and\r\nall of them\r\n}]",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2016-11-17T16:24:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--582dd9d6-8564-46ea-9b4e-700ed56c6cd2",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:10:55.000Z",
"modified": "2020-04-28T10:10:55.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Payload type\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Payload type",
"x_misp_type": "text",
"x_misp_value": "KeyBoy"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd46-65f0-4dad-892b-426702de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:10:57.000Z",
"modified": "2020-04-28T10:10:57.000Z",
"description": "dropper of 'agewkassif' sample - Xchecked via VT: 542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf",
"pattern": "[file:hashes.SHA1 = '3afd1071b8c05d743be976468f36663c22d57311']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:10:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd47-c064-429b-bb2f-467302de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:23.000Z",
"modified": "2016-11-21T09:24:23.000Z",
"first_observed": "2016-11-21T09:24:23Z",
"last_observed": "2016-11-21T09:24:23Z",
"number_observed": 1,
"object_refs": [
"url--5832bd47-c064-429b-bb2f-467302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd47-c064-429b-bb2f-467302de0b81",
"value": "https://www.virustotal.com/file/542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf/analysis/1479643747/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd47-9600-41f5-896c-4e8b02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:10:59.000Z",
"modified": "2020-04-28T10:10:59.000Z",
"description": "dw20.exe dropper - Xchecked via VT: 5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49",
"pattern": "[file:hashes.SHA1 = 'c4611aff5e05ee92398b8700b878e016f4ff6113']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:10:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd48-b104-49f7-ae8e-436e02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:24.000Z",
"modified": "2016-11-21T09:24:24.000Z",
"first_observed": "2016-11-21T09:24:24Z",
"last_observed": "2016-11-21T09:24:24Z",
"number_observed": 1,
"object_refs": [
"url--5832bd48-b104-49f7-ae8e-436e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd48-b104-49f7-ae8e-436e02de0b81",
"value": "https://www.virustotal.com/file/5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49/analysis/1479643732/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd48-3de0-4688-8add-48f502de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:24.000Z",
"modified": "2016-11-21T09:24:24.000Z",
"description": "Wab32res.dll payload, KeyBoy agewkassif version - Xchecked via VT: 5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88",
"pattern": "[file:hashes.SHA1 = 'c97b12039e324721130d58d127c4e6f356e3f6e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd49-a008-4fd1-bc69-4cd102de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:25.000Z",
"modified": "2016-11-21T09:24:25.000Z",
"first_observed": "2016-11-21T09:24:25Z",
"last_observed": "2016-11-21T09:24:25Z",
"number_observed": 1,
"object_refs": [
"url--5832bd49-a008-4fd1-bc69-4cd102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd49-a008-4fd1-bc69-4cd102de0b81",
"value": "https://www.virustotal.com/file/5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88/analysis/1479643740/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd49-19b0-4338-af0d-47c402de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:25.000Z",
"modified": "2016-11-21T09:24:25.000Z",
"description": "Wab32res.dll payload, KeyBoy 20160509 - Xchecked via VT: 9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04",
"pattern": "[file:hashes.SHA1 = '5bc42d475fa35e00e2584a4142c2767a4707019b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd4a-8608-4468-9038-447602de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:26.000Z",
"modified": "2016-11-21T09:24:26.000Z",
"first_observed": "2016-11-21T09:24:26Z",
"last_observed": "2016-11-21T09:24:26Z",
"number_observed": 1,
"object_refs": [
"url--5832bd4a-8608-4468-9038-447602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd4a-8608-4468-9038-447602de0b81",
"value": "https://www.virustotal.com/file/9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04/analysis/1479499742/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd4a-dd54-4a76-bf57-4b9c02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:26.000Z",
"modified": "2016-11-21T09:24:26.000Z",
"first_observed": "2016-11-21T09:24:26Z",
"last_observed": "2016-11-21T09:24:26Z",
"number_observed": 1,
"object_refs": [
"file--5832bd4a-dd54-4a76-bf57-4b9c02de0b81"
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5832bd4a-dd54-4a76-bf57-4b9c02de0b81",
"hashes": {
"SHA-1": "280dd67bbdfadaac0a4eb7a1c770387c216f3b8b"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd4b-25c4-4edb-8ab9-436502de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:27.000Z",
"modified": "2016-11-21T09:24:27.000Z",
"first_observed": "2016-11-21T09:24:27Z",
"last_observed": "2016-11-21T09:24:27Z",
"number_observed": 1,
"object_refs": [
"url--5832bd4b-25c4-4edb-8ab9-436502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd4b-25c4-4edb-8ab9-436502de0b81",
"value": "https://www.virustotal.com/file/58105e9772f6befbc319c147a97faded4fbacf839947b34fe3695ae72771da5d/analysis/1478876071/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd4c-0190-4a6f-9c4f-472202de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:42.000Z",
"modified": "2020-04-28T10:11:42.000Z",
"description": "Doc exploiting CVE-2012-0158 - Xchecked via VT: 8846d109b457a2ee44ddbf54d1cf7944",
"pattern": "[file:hashes.SHA256 = 'ba442907f3218c8664bbecb47f915c4469340219e0f05af8f2d108d72659ff0f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd4c-d698-4f11-b5c9-476202de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:41.000Z",
"modified": "2020-04-28T10:11:41.000Z",
"description": "Doc exploiting CVE-2012-0158 - Xchecked via VT: 8846d109b457a2ee44ddbf54d1cf7944",
"pattern": "[file:hashes.SHA1 = 'ba57bc840bc8fa5b7a235b2d2cff47af610aa14a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd4d-e058-48a1-9e0a-483f02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:29.000Z",
"modified": "2016-11-21T09:24:29.000Z",
"first_observed": "2016-11-21T09:24:29Z",
"last_observed": "2016-11-21T09:24:29Z",
"number_observed": 1,
"object_refs": [
"url--5832bd4d-e058-48a1-9e0a-483f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd4d-e058-48a1-9e0a-483f02de0b81",
"value": "https://www.virustotal.com/file/ba442907f3218c8664bbecb47f915c4469340219e0f05af8f2d108d72659ff0f/analysis/1479483627/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd4d-c198-40bf-83ca-4c7002de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:39.000Z",
"modified": "2020-04-28T10:11:39.000Z",
"description": "Malicious doc with CVE-2014-4114 vulnerability - Xchecked via VT: 05b5cf94f07fee666eb086c91182ad25",
"pattern": "[file:hashes.SHA256 = '442e5d3d46330e814b4fdc5640b06732de69a08a574d92cd9a0df5eea62d88ed']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd4e-dab8-4936-ac41-489e02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:37.000Z",
"modified": "2020-04-28T10:11:37.000Z",
"description": "Malicious doc with CVE-2014-4114 vulnerability - Xchecked via VT: 05b5cf94f07fee666eb086c91182ad25",
"pattern": "[file:hashes.SHA1 = '7631a0682a1a6423c95fd1b80263b8470717f0f8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd4e-88e0-452b-9d0b-47f602de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:30.000Z",
"modified": "2016-11-21T09:24:30.000Z",
"first_observed": "2016-11-21T09:24:30Z",
"last_observed": "2016-11-21T09:24:30Z",
"number_observed": 1,
"object_refs": [
"url--5832bd4e-88e0-452b-9d0b-47f602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd4e-88e0-452b-9d0b-47f602de0b81",
"value": "https://www.virustotal.com/file/442e5d3d46330e814b4fdc5640b06732de69a08a574d92cd9a0df5eea62d88ed/analysis/1479484054/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd4f-f9d0-48f9-a3dc-4f2902de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:44.000Z",
"modified": "2020-04-28T10:11:44.000Z",
"description": "Other similar doc - Xchecked via VT: beadf21b923600554b0ce54df42e78f5",
"pattern": "[file:hashes.SHA256 = 'b1d1b8fa9c104309fe27b3405d3572ac44d8401efba4868f743d45ed797d444b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd4f-48d0-4d0b-9719-439d02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2020-04-28T10:11:45.000Z",
"modified": "2020-04-28T10:11:45.000Z",
"description": "Other similar doc - Xchecked via VT: beadf21b923600554b0ce54df42e78f5",
"pattern": "[file:hashes.SHA1 = 'd2bf4b04d05f398b4101e91873e71d5b0e121aeb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-04-28T10:11:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd50-1ff0-44dd-b44d-401d02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:32.000Z",
"modified": "2016-11-21T09:24:32.000Z",
"first_observed": "2016-11-21T09:24:32Z",
"last_observed": "2016-11-21T09:24:32Z",
"number_observed": 1,
"object_refs": [
"url--5832bd50-1ff0-44dd-b44d-401d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd50-1ff0-44dd-b44d-401d02de0b81",
"value": "https://www.virustotal.com/file/b1d1b8fa9c104309fe27b3405d3572ac44d8401efba4868f743d45ed797d444b/analysis/1479485679/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd50-8af8-4d7a-bf57-4c1702de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:32.000Z",
"modified": "2016-11-21T09:24:32.000Z",
"description": "64b KeyBoy payload 20151108 - Xchecked via VT: 371bc132499f455f06fa80696db0df27",
"pattern": "[file:hashes.SHA256 = '4c9bf4ffbd7047f46035f89e6f7f4c63b8597ac63097577d467c157e3aa7ab4d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd51-76b0-4f37-860b-4b3802de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:33.000Z",
"modified": "2016-11-21T09:24:33.000Z",
"description": "64b KeyBoy payload 20151108 - Xchecked via VT: 371bc132499f455f06fa80696db0df27",
"pattern": "[file:hashes.SHA1 = 'aec5001d91673d052e9a0793aea0ebaea1a96e3d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd51-1400-4733-9436-4f7902de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:33.000Z",
"modified": "2016-11-21T09:24:33.000Z",
"first_observed": "2016-11-21T09:24:33Z",
"last_observed": "2016-11-21T09:24:33Z",
"number_observed": 1,
"object_refs": [
"url--5832bd51-1400-4733-9436-4f7902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd51-1400-4733-9436-4f7902de0b81",
"value": "https://www.virustotal.com/file/4c9bf4ffbd7047f46035f89e6f7f4c63b8597ac63097577d467c157e3aa7ab4d/analysis/1479643752/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd52-5310-486b-876f-4b0e02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:34.000Z",
"modified": "2016-11-21T09:24:34.000Z",
"description": "Payload KeyBoy 20151108 - Xchecked via VT: c5b5f01ba24d6c02636388809f44472e",
"pattern": "[file:hashes.SHA256 = 'e6fdcf64d7e7d59366ba23c68332167dfc569b6acc71a03498d4a925ce9c1e0a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd52-2228-4453-b38e-41b102de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:34.000Z",
"modified": "2016-11-21T09:24:34.000Z",
"description": "Payload KeyBoy 20151108 - Xchecked via VT: c5b5f01ba24d6c02636388809f44472e",
"pattern": "[file:hashes.SHA1 = 'bbeacc746b6ddb61a3be7613bb155aa2b1ac422a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd53-a558-4ea4-957d-4e7202de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:35.000Z",
"modified": "2016-11-21T09:24:35.000Z",
"first_observed": "2016-11-21T09:24:35Z",
"last_observed": "2016-11-21T09:24:35Z",
"number_observed": 1,
"object_refs": [
"url--5832bd53-a558-4ea4-957d-4e7202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd53-a558-4ea4-957d-4e7202de0b81",
"value": "https://www.virustotal.com/file/e6fdcf64d7e7d59366ba23c68332167dfc569b6acc71a03498d4a925ce9c1e0a/analysis/1479481835/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd53-d3f0-4c64-80cf-469402de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:35.000Z",
"modified": "2016-11-21T09:24:35.000Z",
"description": "Payload KeyBoy 20151108 - Xchecked via VT: 98977426d544bd145979f65f0322ae30",
"pattern": "[file:hashes.SHA256 = '082da7874d6c0bfbe8f2d954c8a47f25a90ef83bda89c8495101dc95986d7977']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd54-87e0-49a7-8971-480e02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:36.000Z",
"modified": "2016-11-21T09:24:36.000Z",
"description": "Payload KeyBoy 20151108 - Xchecked via VT: 98977426d544bd145979f65f0322ae30",
"pattern": "[file:hashes.SHA1 = 'edad39839bd60bcc1426df9c68df7de169cd062f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd54-0efc-4f4a-b342-4a8e02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:36.000Z",
"modified": "2016-11-21T09:24:36.000Z",
"first_observed": "2016-11-21T09:24:36Z",
"last_observed": "2016-11-21T09:24:36Z",
"number_observed": 1,
"object_refs": [
"url--5832bd54-0efc-4f4a-b342-4a8e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd54-0efc-4f4a-b342-4a8e02de0b81",
"value": "https://www.virustotal.com/file/082da7874d6c0bfbe8f2d954c8a47f25a90ef83bda89c8495101dc95986d7977/analysis/1479643737/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd55-6890-47d5-b97c-4a6402de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:37.000Z",
"modified": "2016-11-21T09:24:37.000Z",
"description": "Payload KeyBoy P_20150313 - Xchecked via VT: 0c7e55509e0b6d4277b3facf864af018",
"pattern": "[file:hashes.SHA256 = '5395f709ef1ca64c57be367f9795b66b5775b6e73f57089386a85925cc0ec596']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5832bd55-f334-44ed-81f9-401602de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:37.000Z",
"modified": "2016-11-21T09:24:37.000Z",
"description": "Payload KeyBoy P_20150313 - Xchecked via VT: 0c7e55509e0b6d4277b3facf864af018",
"pattern": "[file:hashes.SHA1 = 'a3655df2811069ea7a818517c9e9f11561fce3e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-21T09:24:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5832bd55-7e88-4e84-98fa-44ea02de0b81",
"created_by_ref": "identity--56743359-c860-4361-b1dc-7b65d56c6cd2",
"created": "2016-11-21T09:24:37.000Z",
"modified": "2016-11-21T09:24:37.000Z",
"first_observed": "2016-11-21T09:24:37Z",
"last_observed": "2016-11-21T09:24:37Z",
"number_observed": 1,
"object_refs": [
"url--5832bd55-7e88-4e84-98fa-44ea02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5832bd55-7e88-4e84-98fa-44ea02de0b81",
"value": "https://www.virustotal.com/file/5395f709ef1ca64c57be367f9795b66b5775b6e73f57089386a85925cc0ec596/analysis/1431473021/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}