{
"type": "bundle",
"id": "bundle--59934c13-6410-44a8-9ebe-47fe02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:39:56.000Z",
"modified": "2017-08-15T19:39:56.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59934c13-6410-44a8-9ebe-47fe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:39:56.000Z",
"modified": "2017-08-15T19:39:56.000Z",
"name": "OSINT - ShadowPad in corporate networks",
"published": "2017-08-15T19:42:15Z",
"object_refs": [
"x-misp-attribute--59934c36-41d8-4d52-aa5d-43b502de0b81",
"observed-data--59934c51-9914-4a59-b2ca-4dd202de0b81",
"url--59934c51-9914-4a59-b2ca-4dd202de0b81",
"indicator--59934ccf-6608-4565-a513-4f4b02de0b81",
"indicator--59934cd1-0600-4800-af98-440202de0b81",
"indicator--59934cd1-b9dc-4c8c-b11c-4ea502de0b81",
"indicator--59934cd1-aba4-4af5-8d8d-474202de0b81",
"indicator--59934cd1-fab0-4d52-a3b8-4c1102de0b81",
"indicator--59934cd1-3418-4574-bc50-4e5502de0b81",
"indicator--59934cd1-5f94-4101-a615-42ef02de0b81",
"indicator--59934cd1-f618-4dd6-aa48-41bf02de0b81",
"indicator--59934cd1-32e0-4bca-b864-432c02de0b81",
"indicator--59934cd1-22b4-49a0-9af1-42b102de0b81",
"indicator--59934cd1-a5f0-4a0d-9ac1-448a02de0b81",
"indicator--59934d66-6380-4d47-9753-501002de0b81",
"indicator--59934d66-001c-4fac-97dd-501002de0b81",
"indicator--59934d66-5734-4d95-a1d4-501002de0b81",
"indicator--59934d66-905c-4a7e-a42e-501002de0b81",
"indicator--59934d66-8de4-4c4a-a0b4-501002de0b81",
"indicator--59934d66-9788-4334-bde5-501002de0b81",
"indicator--59934d66-7760-4e8a-91a0-501002de0b81",
"indicator--59934d66-6b88-49d1-bcc5-501002de0b81",
"indicator--59934d66-93a4-4adb-a334-501002de0b81",
"indicator--59934d66-0e90-417f-8f4e-501002de0b81",
"indicator--59934d73-9500-4b35-acd5-464902de0b81",
"observed-data--59934d73-32f8-4316-8850-422202de0b81",
"url--59934d73-32f8-4316-8850-422202de0b81",
"indicator--59934d73-62a4-44ac-9b4f-476302de0b81",
"observed-data--59934d73-be10-498b-95f7-4b9502de0b81",
"url--59934d73-be10-498b-95f7-4b9502de0b81",
"indicator--59934d73-3960-4f48-905b-409902de0b81",
"observed-data--59934d73-04a8-427a-b49a-41a402de0b81",
"url--59934d73-04a8-427a-b49a-41a402de0b81",
"indicator--59934d73-383c-4d55-a4b7-488f02de0b81",
"observed-data--59934d73-d378-4f01-af77-4a0502de0b81",
"url--59934d73-d378-4f01-af77-4a0502de0b81",
"indicator--59934d74-c52c-4683-b648-421d02de0b81",
"observed-data--59934d74-9970-4994-a9fd-4ac402de0b81",
"url--59934d74-9970-4994-a9fd-4ac402de0b81",
"indicator--59934de3-97c8-4fb9-916e-542c02de0b81",
"observed-data--59934e0c-5e2c-4020-a4ee-507102de0b81",
"url--59934e0c-5e2c-4020-a4ee-507102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59934c36-41d8-4d52-aa5d-43b502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:38:02.000Z",
"modified": "2017-08-15T19:38:02.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In July 2017, during an investigation, suspicious DNS requests were identified in a partner\u2019s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.\r\n\r\nFurther investigation showed that the source of the suspicious DNS queries was a software package produced by NetSarang. Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks. The company maintains headquarters in the United States and South Korea."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59934c51-9914-4a59-b2ca-4dd202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:38:02.000Z",
"modified": "2017-08-15T19:38:02.000Z",
"first_observed": "2017-08-15T19:38:02Z",
"last_observed": "2017-08-15T19:38:02Z",
"number_observed": 1,
"object_refs": [
"url--59934c51-9914-4a59-b2ca-4dd202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59934c51-9914-4a59-b2ca-4dd202de0b81",
"value": "https://securelist.com/shadowpad-in-corporate-networks/81432/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934ccf-6608-4565-a513-4f4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'ribotqtonut.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-0600-4800-af98-440202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'nylalobghyhirgh.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-b9dc-4c8c-b11c-4ea502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'jkvmdmjyfcvkf.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-aba4-4af5-8d8d-474202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'bafyvoruzgjitwr.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-fab0-4d52-a3b8-4c1102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'xmponmzmxkxkh.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-3418-4574-bc50-4e5502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'tczafklirkl.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-5f94-4101-a615-42ef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'notped.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-f618-4dd6-aa48-41bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'dnsgogle.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-32e0-4bca-b864-432c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'operatingbox.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-22b4-49a0-9af1-42b102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'paniesx.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934cd1-a5f0-4a0d-9ac1-448a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"pattern": "[domain-name:value = 'techniciantext.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-6380-4d47-9753-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xmanager Enterprise 5 Build 1232\t Xme5.exe, Jul 17 2017, 55.08 MB",
"pattern": "[file:hashes.MD5 = '0009f4b9972660eeb23ff3a9dccd8d86']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-001c-4fac-97dd-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xmanager Enterprise 5 Build 1232\t Xme5.exe, Jul 17 2017, 55.08 MB",
"pattern": "[file:hashes.SHA1 = '12180ff028c1c38d99e8375dd6d01f47f6711b97']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-5734-4d95-a1d4-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xmanager 5 Build 1045\t Xmgr5.exe, Jul 17 2017, 46.2 MB",
"pattern": "[file:hashes.MD5 = 'b69ab19614ef15aa75baf26c869c9cdd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-905c-4a7e-a42e-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xmanager 5 Build 1045\t Xmgr5.exe, Jul 17 2017, 46.2 MB",
"pattern": "[file:hashes.SHA1 = '35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-8de4-4c4a-a0b4-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xshell 5 Build 1322\t Xshell5.exe, Jul 17 2017, 31.58 MB",
"pattern": "[file:hashes.MD5 = 'b2c302537ce8fbbcff0d45968cc0a826']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-9788-4334-bde5-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xshell 5 Build 1322\t Xshell5.exe, Jul 17 2017, 31.58 MB",
"pattern": "[file:hashes.SHA1 = '7cf07efe04fe0012ed8beaa2dec5420a9b5561d6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-7760-4e8a-91a0-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xftp 5 Build 1218\t Xftp5.exe, Jul 17 2017, 30.7 MB",
"pattern": "[file:hashes.MD5 = '78321ad1deefce193c8172ec982ddad1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-6b88-49d1-bcc5-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xftp 5 Build 1218\t Xftp5.exe, Jul 17 2017, 30.7 MB",
"pattern": "[file:hashes.SHA1 = '08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-93a4-4adb-a334-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xlpd 5 Build 1220\t Xlpd5.exe, Jul 17 2017, 30.22 MB",
"pattern": "[file:hashes.MD5 = '28228f337fdbe3ab34316a7132123c49']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d66-0e90-417f-8f4e-501002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xlpd 5 Build 1220\t Xlpd5.exe, Jul 17 2017, 30.22 MB",
"pattern": "[file:hashes.SHA1 = '3d69fdd4e29ad65799be33ae812fe278b2b2dabe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d73-9500-4b35-acd5-464902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xlpd 5 Build 1220\t Xlpd5.exe, Jul 17 2017, 30.22 MB - Xchecked via VT: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe",
"pattern": "[file:hashes.SHA256 = '7049bad2755ae8b8a6945a1f323b1bc14551c9ee664b8573910ffbbe6bba97c8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59934d73-32f8-4316-8850-422202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"first_observed": "2017-08-15T19:37:23Z",
"last_observed": "2017-08-15T19:37:23Z",
"number_observed": 1,
"object_refs": [
"url--59934d73-32f8-4316-8850-422202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59934d73-32f8-4316-8850-422202de0b81",
"value": "https://www.virustotal.com/file/7049bad2755ae8b8a6945a1f323b1bc14551c9ee664b8573910ffbbe6bba97c8/analysis/1502291882/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d73-62a4-44ac-9b4f-476302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xftp 5 Build 1218\t Xftp5.exe, Jul 17 2017, 30.7 MB - Xchecked via VT: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b",
"pattern": "[file:hashes.SHA256 = 'ee41a4a58114ccdcbef0c424176ed267b10fc137136185b07d7710770d4dea27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59934d73-be10-498b-95f7-4b9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"first_observed": "2017-08-15T19:37:23Z",
"last_observed": "2017-08-15T19:37:23Z",
"number_observed": 1,
"object_refs": [
"url--59934d73-be10-498b-95f7-4b9502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59934d73-be10-498b-95f7-4b9502de0b81",
"value": "https://www.virustotal.com/file/ee41a4a58114ccdcbef0c424176ed267b10fc137136185b07d7710770d4dea27/analysis/1502398416/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d73-3960-4f48-905b-409902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xshell 5 Build 1322\t Xshell5.exe, Jul 17 2017, 31.58 MB - Xchecked via VT: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6",
"pattern": "[file:hashes.SHA256 = 'f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59934d73-04a8-427a-b49a-41a402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"first_observed": "2017-08-15T19:37:23Z",
"last_observed": "2017-08-15T19:37:23Z",
"number_observed": 1,
"object_refs": [
"url--59934d73-04a8-427a-b49a-41a402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59934d73-04a8-427a-b49a-41a402de0b81",
"value": "https://www.virustotal.com/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/1502688340/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d73-383c-4d55-a4b7-488f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"description": "Xmanager 5 Build 1045\t Xmgr5.exe, Jul 17 2017, 46.2 MB - Xchecked via VT: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d",
"pattern": "[file:hashes.SHA256 = 'b4a07a3218fe80b8da2f0f470ab327cc3622155adeef8a3d1fd0c43dff4aa130']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59934d73-d378-4f01-af77-4a0502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:23.000Z",
"modified": "2017-08-15T19:37:23.000Z",
"first_observed": "2017-08-15T19:37:23Z",
"last_observed": "2017-08-15T19:37:23Z",
"number_observed": 1,
"object_refs": [
"url--59934d73-d378-4f01-af77-4a0502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59934d73-d378-4f01-af77-4a0502de0b81",
"value": "https://www.virustotal.com/file/b4a07a3218fe80b8da2f0f470ab327cc3622155adeef8a3d1fd0c43dff4aa130/analysis/1502291895/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934d74-c52c-4683-b648-421d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:24.000Z",
"modified": "2017-08-15T19:37:24.000Z",
"description": "Xmanager Enterprise 5 Build 1232\t Xme5.exe, Jul 17 2017, 55.08 MB - Xchecked via VT: 12180ff028c1c38d99e8375dd6d01f47f6711b97",
"pattern": "[file:hashes.SHA256 = 'd484b9b8c44558c18ef6147c6ca8276a462fccf2acb2863be4ee9bf37942f11e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:37:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59934d74-9970-4994-a9fd-4ac402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:37:24.000Z",
"modified": "2017-08-15T19:37:24.000Z",
"first_observed": "2017-08-15T19:37:24Z",
"last_observed": "2017-08-15T19:37:24Z",
"number_observed": 1,
"object_refs": [
"url--59934d74-9970-4994-a9fd-4ac402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59934d74-9970-4994-a9fd-4ac402de0b81",
"value": "https://www.virustotal.com/file/d484b9b8c44558c18ef6147c6ca8276a462fccf2acb2863be4ee9bf37942f11e/analysis/1502481033/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59934de3-97c8-4fb9-916e-542c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:39:15.000Z",
"modified": "2017-08-15T19:39:15.000Z",
"description": "DLL with the encrypted payload:",
"pattern": "[file:hashes.MD5 = '97363d50a279492fda14cbab53429e75']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-15T19:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59934e0c-5e2c-4020-a4ee-507102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-15T19:39:56.000Z",
"modified": "2017-08-15T19:39:56.000Z",
"first_observed": "2017-08-15T19:39:56Z",
"last_observed": "2017-08-15T19:39:56Z",
"number_observed": 1,
"object_refs": [
"url--59934e0c-5e2c-4020-a4ee-507102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59934e0c-5e2c-4020-a4ee-507102de0b81",
"value": "https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}