misp-circl-feed/feeds/circl/misp/58dbc5ad-10a4-4da9-9e7e-4b97950d210f.json

1119 lines
No EOL
49 KiB
JSON

{
"type": "bundle",
"id": "bundle--58dbc5ad-10a4-4da9-9e7e-4b97950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58dbc5ad-10a4-4da9-9e7e-4b97950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"name": "OSINT - Trojanized Adobe Installer used to Install DragonOK\u00e2\u20ac\u2122s New Custom Backdoor",
"published": "2017-03-29T20:20:18Z",
"object_refs": [
"observed-data--58dbc5d4-5f34-4f5e-b2e3-4664950d210f",
"url--58dbc5d4-5f34-4f5e-b2e3-4664950d210f",
"x-misp-attribute--58dbc5ef-6c24-4801-86c5-4944950d210f",
"indicator--58dc159d-b54c-4e52-9ee3-4b1d02de0b81",
"indicator--58dc159e-6a80-44ee-94fd-456702de0b81",
"indicator--58dc159f-5910-4d6d-b3c1-4e0602de0b81",
"indicator--58dc15a0-80f0-4d65-973b-40b302de0b81",
"indicator--58dc15c1-cf94-482f-9ee5-418802de0b81",
"indicator--58dc15c2-649c-473f-9045-4ee202de0b81",
"indicator--58dc15c3-bb6c-4d2e-a33c-428802de0b81",
"indicator--58dc15c4-cd04-4b0d-b884-473d02de0b81",
"indicator--58dc1635-62b4-4b6b-adc9-453f02de0b81",
"indicator--58dc1636-6c58-4d65-8fdd-402902de0b81",
"vulnerability--58dc1637-eaa4-46be-91b3-413702de0b81",
"indicator--58dc1637-6314-4a40-87bf-421502de0b81",
"indicator--58dc1638-d968-4a8c-bbc9-454802de0b81",
"indicator--58dc1639-f108-4f79-bbe8-420902de0b81",
"indicator--58dc16b0-ca90-4d27-baf8-485402de0b81",
"indicator--58dc16b1-e6b4-4ed3-ba45-421602de0b81",
"observed-data--58dc16b2-9a68-4d13-a606-4c7a02de0b81",
"url--58dc16b2-9a68-4d13-a606-4c7a02de0b81",
"indicator--58dc16b3-b000-483c-aa79-4a4702de0b81",
"indicator--58dc16b3-a060-437a-a68a-4dc102de0b81",
"observed-data--58dc16b4-5908-4e49-9f32-469e02de0b81",
"url--58dc16b4-5908-4e49-9f32-469e02de0b81",
"indicator--58dc16b5-e74c-4858-b681-41bc02de0b81",
"indicator--58dc16b6-1b2c-45a2-8f5b-4e4c02de0b81",
"observed-data--58dc16b7-4fd4-42d2-8141-45ab02de0b81",
"url--58dc16b7-4fd4-42d2-8141-45ab02de0b81",
"indicator--58dc16b8-2fe8-41a4-aba2-445c02de0b81",
"indicator--58dc16b9-d638-40f0-a691-420602de0b81",
"observed-data--58dc16ba-fae0-49ff-9c9a-4f3502de0b81",
"url--58dc16ba-fae0-49ff-9c9a-4f3502de0b81",
"indicator--58dc16bb-2338-471e-a37e-4c7002de0b81",
"indicator--58dc16bc-4508-47e8-82d3-4a7c02de0b81",
"observed-data--58dc16bd-4788-4ad3-b66b-430102de0b81",
"url--58dc16bd-4788-4ad3-b66b-430102de0b81",
"indicator--58dc16be-d024-4e8c-b92a-4fd002de0b81",
"indicator--58dc16bf-c7dc-4064-8375-4c3102de0b81",
"observed-data--58dc16c0-3678-4c8f-8f5d-44d902de0b81",
"url--58dc16c0-3678-4c8f-8f5d-44d902de0b81",
"indicator--58dc16c1-a448-4d35-b828-4f1102de0b81",
"indicator--58dc16c2-2a20-456e-972f-4bd602de0b81",
"observed-data--58dc16c3-3474-468a-8d3a-49c502de0b81",
"url--58dc16c3-3474-468a-8d3a-49c502de0b81",
"indicator--58dc16c4-b198-4843-8b67-427f02de0b81",
"indicator--58dc16c5-9344-4378-8cd6-49b302de0b81",
"observed-data--58dc16c6-3f00-45de-8e32-475902de0b81",
"url--58dc16c6-3f00-45de-8e32-475902de0b81",
"indicator--58dc16c7-de10-424e-87f1-48ad02de0b81",
"indicator--58dc16c7-fa90-4207-bc4e-452302de0b81",
"observed-data--58dc16c8-4a68-42c6-9f2f-438302de0b81",
"url--58dc16c8-4a68-42c6-9f2f-438302de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"KHRAT\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dbc5d4-5f34-4f5e-b2e3-4664950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"first_observed": "2017-03-29T20:18:41Z",
"last_observed": "2017-03-29T20:18:41Z",
"number_observed": 1,
"object_refs": [
"url--58dbc5d4-5f34-4f5e-b2e3-4664950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dbc5d4-5f34-4f5e-b2e3-4664950d210f",
"value": "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58dbc5ef-6c24-4801-86c5-4944950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Since January of this year, Forcepoint Security Labs\u00e2\u201e\u00a2 have observed that the DragonOK campaign have started to target political parties in Cambodia. DragonOK is an active targeted attack that was first discovered in 2014. It is known to target organizations from Taiwan, Japan, Tibet and Russia with spear-phishing emails containing malicious attachments. \r\n\r\nThe latest dropper they used is disguised as an Adobe Reader installer and installs yet another new custom remote access tool (RAT). We have named this RAT \u00e2\u20ac\u0153KHRAT\u00e2\u20ac\u009d based on one of the command and control servers used, kh[.]inter-ctrip[.]com, which pertained to Cambodia\u00e2\u20ac\u2122s country code."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc159d-b54c-4e52-9ee3-4b1d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "Compilation 05/01/2017 05:37",
"pattern": "[file:hashes.SHA256 = '17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc159e-6a80-44ee-94fd-456702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "Compilation 05/01/2017 05:37",
"pattern": "[file:hashes.SHA256 = 'a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc159f-5910-4d6d-b3c1-4e0602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "Compilation 16/02/2017 03:53",
"pattern": "[file:hashes.SHA256 = '540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc15a0-80f0-4d65-973b-40b302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "Compilation 08/03/2017 01:43",
"pattern": "[file:hashes.SHA256 = 'ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc15c1-cf94-482f-9ee5-418802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "KHRAT C2s",
"pattern": "[domain-name:value = 'cookie.inter-ctrip.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc15c2-649c-473f-9045-4ee202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "KHRAT C2s",
"pattern": "[domain-name:value = 'help.inter-ctrip.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc15c3-bb6c-4d2e-a33c-428802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "KHRAT C2s",
"pattern": "[domain-name:value = 'bit.inter-ctrip.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc15c4-cd04-4b0d-b884-473d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "KHRAT C2s",
"pattern": "[domain-name:value = 'kh.inter-ctrip.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc1635-62b4-4b6b-adc9-453f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "(\"reader112_en_ha_install.exe\", dropper)",
"pattern": "[file:hashes.SHA256 = 'bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc1636-6c58-4d65-8fdd-402902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "(RTF dropper with CVE-2015-1641 exploit, unknown filename)",
"pattern": "[file:hashes.SHA256 = '9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--58dc1637-eaa4-46be-91b3-413702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"name": "CVE-2015-1641",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2015-1641"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc1637-6314-4a40-87bf-421502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "(\u00e2\u20ac\u0153KFC.exe\u00e2\u20ac\u009d, KHRAT loader)",
"pattern": "[file:hashes.SHA256 = 'd9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc1638-d968-4a8c-bbc9-454802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "(\u00e2\u20ac\u0153The plan CPP split CNRP!.doc.exe\u00e2\u20ac\u009d, dropper)",
"pattern": "[file:hashes.SHA256 = 'a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc1639-f108-4f79-bbe8-420902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:41.000Z",
"modified": "2017-03-29T20:18:41.000Z",
"description": "(\u00e2\u20ac\u0153KFC.com\u00e2\u20ac\u009d, KHRAT loader)",
"pattern": "[file:hashes.SHA256 = '77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16b0-ca90-4d27-baf8-485402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:56.000Z",
"modified": "2017-03-29T20:18:56.000Z",
"description": "(\u00e2\u20ac\u0153KFC.com\u00e2\u20ac\u009d, KHRAT loader) - Xchecked via VT: 77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7",
"pattern": "[file:hashes.SHA1 = '02c7e31f90ec4bb77dc68c32e626f7ed9a22c1e9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16b1-e6b4-4ed3-ba45-421602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:57.000Z",
"modified": "2017-03-29T20:18:57.000Z",
"description": "(\u00e2\u20ac\u0153KFC.com\u00e2\u20ac\u009d, KHRAT loader) - Xchecked via VT: 77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7",
"pattern": "[file:hashes.MD5 = 'aea2d5b5e72c0432904039316efa1bd2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16b2-9a68-4d13-a606-4c7a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:58.000Z",
"modified": "2017-03-29T20:18:58.000Z",
"first_observed": "2017-03-29T20:18:58Z",
"last_observed": "2017-03-29T20:18:58Z",
"number_observed": 1,
"object_refs": [
"url--58dc16b2-9a68-4d13-a606-4c7a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16b2-9a68-4d13-a606-4c7a02de0b81",
"value": "https://www.virustotal.com/file/77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7/analysis/1490651490/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16b3-b000-483c-aa79-4a4702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:59.000Z",
"modified": "2017-03-29T20:18:59.000Z",
"description": "(\u00e2\u20ac\u0153The plan CPP split CNRP!.doc.exe\u00e2\u20ac\u009d, dropper) - Xchecked via VT: a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b",
"pattern": "[file:hashes.SHA1 = '8a3a1f879dc0d6ad274223d0cecc471164f67dfe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16b3-a060-437a-a68a-4dc102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:18:59.000Z",
"modified": "2017-03-29T20:18:59.000Z",
"description": "(\u00e2\u20ac\u0153The plan CPP split CNRP!.doc.exe\u00e2\u20ac\u009d, dropper) - Xchecked via VT: a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b",
"pattern": "[file:hashes.MD5 = '4772aaf68a7a408fa2a344fdef1bd167']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:18:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16b4-5908-4e49-9f32-469e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:00.000Z",
"modified": "2017-03-29T20:19:00.000Z",
"first_observed": "2017-03-29T20:19:00Z",
"last_observed": "2017-03-29T20:19:00Z",
"number_observed": 1,
"object_refs": [
"url--58dc16b4-5908-4e49-9f32-469e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16b4-5908-4e49-9f32-469e02de0b81",
"value": "https://www.virustotal.com/file/a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b/analysis/1490681567/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16b5-e74c-4858-b681-41bc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:01.000Z",
"modified": "2017-03-29T20:19:01.000Z",
"description": "(\u00e2\u20ac\u0153KFC.exe\u00e2\u20ac\u009d, KHRAT loader) - Xchecked via VT: d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5",
"pattern": "[file:hashes.SHA1 = 'bffefb8f7d0ec8048e5180e5fb68b327c44dfd25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16b6-1b2c-45a2-8f5b-4e4c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:02.000Z",
"modified": "2017-03-29T20:19:02.000Z",
"description": "(\u00e2\u20ac\u0153KFC.exe\u00e2\u20ac\u009d, KHRAT loader) - Xchecked via VT: d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5",
"pattern": "[file:hashes.MD5 = 'e9e5af639641b50d5d1747d43a5fd648']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16b7-4fd4-42d2-8141-45ab02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:03.000Z",
"modified": "2017-03-29T20:19:03.000Z",
"first_observed": "2017-03-29T20:19:03Z",
"last_observed": "2017-03-29T20:19:03Z",
"number_observed": 1,
"object_refs": [
"url--58dc16b7-4fd4-42d2-8141-45ab02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16b7-4fd4-42d2-8141-45ab02de0b81",
"value": "https://www.virustotal.com/file/d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5/analysis/1490681777/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16b8-2fe8-41a4-aba2-445c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:04.000Z",
"modified": "2017-03-29T20:19:04.000Z",
"description": "(RTF dropper with CVE-2015-1641 exploit, unknown filename) - Xchecked via VT: 9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0",
"pattern": "[file:hashes.SHA1 = 'e73047c30c30152b0b52bc82a0f109154c9d444a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16b9-d638-40f0-a691-420602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:05.000Z",
"modified": "2017-03-29T20:19:05.000Z",
"description": "(RTF dropper with CVE-2015-1641 exploit, unknown filename) - Xchecked via VT: 9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0",
"pattern": "[file:hashes.MD5 = 'bb70e1711b7474944b8487b5849dc8de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16ba-fae0-49ff-9c9a-4f3502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:06.000Z",
"modified": "2017-03-29T20:19:06.000Z",
"first_observed": "2017-03-29T20:19:06Z",
"last_observed": "2017-03-29T20:19:06Z",
"number_observed": 1,
"object_refs": [
"url--58dc16ba-fae0-49ff-9c9a-4f3502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16ba-fae0-49ff-9c9a-4f3502de0b81",
"value": "https://www.virustotal.com/file/9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0/analysis/1490622667/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16bb-2338-471e-a37e-4c7002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:07.000Z",
"modified": "2017-03-29T20:19:07.000Z",
"description": "(\"reader112_en_ha_install.exe\", dropper) - Xchecked via VT: bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2",
"pattern": "[file:hashes.SHA1 = '760c1e68f7fdc633bdd0cf4a14f0f8f2a1048fa7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16bc-4508-47e8-82d3-4a7c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:08.000Z",
"modified": "2017-03-29T20:19:08.000Z",
"description": "(\"reader112_en_ha_install.exe\", dropper) - Xchecked via VT: bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2",
"pattern": "[file:hashes.MD5 = 'e8a702d15148d8dbe9b0d87c71b6c93e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16bd-4788-4ad3-b66b-430102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:09.000Z",
"modified": "2017-03-29T20:19:09.000Z",
"first_observed": "2017-03-29T20:19:09Z",
"last_observed": "2017-03-29T20:19:09Z",
"number_observed": 1,
"object_refs": [
"url--58dc16bd-4788-4ad3-b66b-430102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16bd-4788-4ad3-b66b-430102de0b81",
"value": "https://www.virustotal.com/file/bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2/analysis/1490617814/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16be-d024-4e8c-b92a-4fd002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:10.000Z",
"modified": "2017-03-29T20:19:10.000Z",
"description": "Compilation 08/03/2017 01:43 - Xchecked via VT: ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e",
"pattern": "[file:hashes.SHA1 = 'bf0522bd5ff0b4583bb23c6c5f88a7c69196b025']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16bf-c7dc-4064-8375-4c3102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:11.000Z",
"modified": "2017-03-29T20:19:11.000Z",
"description": "Compilation 08/03/2017 01:43 - Xchecked via VT: ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e",
"pattern": "[file:hashes.MD5 = 'dabbdb8ca7bc3454bc0c682e18569062']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16c0-3678-4c8f-8f5d-44d902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:12.000Z",
"modified": "2017-03-29T20:19:12.000Z",
"first_observed": "2017-03-29T20:19:12Z",
"last_observed": "2017-03-29T20:19:12Z",
"number_observed": 1,
"object_refs": [
"url--58dc16c0-3678-4c8f-8f5d-44d902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16c0-3678-4c8f-8f5d-44d902de0b81",
"value": "https://www.virustotal.com/file/ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e/analysis/1490617887/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16c1-a448-4d35-b828-4f1102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:13.000Z",
"modified": "2017-03-29T20:19:13.000Z",
"description": "Compilation 16/02/2017 03:53 - Xchecked via VT: 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b",
"pattern": "[file:hashes.SHA1 = '7b2faee6e1c2b9d81775aab0d41c89e8ff36d5cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16c2-2a20-456e-972f-4bd602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:14.000Z",
"modified": "2017-03-29T20:19:14.000Z",
"description": "Compilation 16/02/2017 03:53 - Xchecked via VT: 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b",
"pattern": "[file:hashes.MD5 = 'cd6f95f767b26b1fcac8ad33d25131c7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16c3-3474-468a-8d3a-49c502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:15.000Z",
"modified": "2017-03-29T20:19:15.000Z",
"first_observed": "2017-03-29T20:19:15Z",
"last_observed": "2017-03-29T20:19:15Z",
"number_observed": 1,
"object_refs": [
"url--58dc16c3-3474-468a-8d3a-49c502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16c3-3474-468a-8d3a-49c502de0b81",
"value": "https://www.virustotal.com/file/540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b/analysis/1490778691/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16c4-b198-4843-8b67-427f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:16.000Z",
"modified": "2017-03-29T20:19:16.000Z",
"description": "Compilation 05/01/2017 05:37 - Xchecked via VT: a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f",
"pattern": "[file:hashes.SHA1 = 'ba4f2368178b6a12b05c6373fbbe8506e4cfe935']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16c5-9344-4378-8cd6-49b302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:17.000Z",
"modified": "2017-03-29T20:19:17.000Z",
"description": "Compilation 05/01/2017 05:37 - Xchecked via VT: a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f",
"pattern": "[file:hashes.MD5 = '156da506f2a89c6cc2c418ffcbbc7ae7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16c6-3f00-45de-8e32-475902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:18.000Z",
"modified": "2017-03-29T20:19:18.000Z",
"first_observed": "2017-03-29T20:19:18Z",
"last_observed": "2017-03-29T20:19:18Z",
"number_observed": 1,
"object_refs": [
"url--58dc16c6-3f00-45de-8e32-475902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16c6-3f00-45de-8e32-475902de0b81",
"value": "https://www.virustotal.com/file/a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f/analysis/1490778652/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16c7-de10-424e-87f1-48ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:19.000Z",
"modified": "2017-03-29T20:19:19.000Z",
"description": "Compilation 05/01/2017 05:37 - Xchecked via VT: 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0",
"pattern": "[file:hashes.SHA1 = 'c1e2032469155b2299782fb94004379718c2fd8e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dc16c7-fa90-4207-bc4e-452302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:19.000Z",
"modified": "2017-03-29T20:19:19.000Z",
"description": "Compilation 05/01/2017 05:37 - Xchecked via VT: 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0",
"pattern": "[file:hashes.MD5 = '18fc1ed27e04309fe7f62e4221c5a459']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-29T20:19:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dc16c8-4a68-42c6-9f2f-438302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-29T20:19:20.000Z",
"modified": "2017-03-29T20:19:20.000Z",
"first_observed": "2017-03-29T20:19:20Z",
"last_observed": "2017-03-29T20:19:20Z",
"number_observed": 1,
"object_refs": [
"url--58dc16c8-4a68-42c6-9f2f-438302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dc16c8-4a68-42c6-9f2f-438302de0b81",
"value": "https://www.virustotal.com/file/17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0/analysis/1490681838/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}