misp-circl-feed/feeds/circl/misp/59a1a900-0714-4bcc-be9f-447c02de0b81.json

1475 lines
No EOL
63 KiB
JSON

{
"type": "bundle",
"id": "bundle--59a1a900-0714-4bcc-be9f-447c02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59a1a900-0714-4bcc-be9f-447c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"name": "OSINT - Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures",
"published": "2017-08-26T19:39:55Z",
"object_refs": [
"observed-data--59a1a90c-8e04-4fc8-bf0e-447d02de0b81",
"url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81",
"x-misp-attribute--59a1a91a-f438-4135-a500-ae1a02de0b81",
"indicator--59a1ce0d-af54-429a-9a56-408d02de0b81",
"indicator--59a1ce0d-c274-4745-8395-46ca02de0b81",
"indicator--59a1ce0d-f620-4573-be85-427202de0b81",
"indicator--59a1ce0d-c218-45cc-b7fe-415f02de0b81",
"indicator--59a1ce0d-d6b8-43fd-affa-428b02de0b81",
"indicator--59a1ce0d-0560-46d0-9d6a-4eb102de0b81",
"indicator--59a1ce0d-2dac-490c-a7d4-459102de0b81",
"indicator--59a1ce0d-30b8-4c6d-9066-4ae002de0b81",
"indicator--59a1ce0d-4ca8-4322-ad44-4f1a02de0b81",
"indicator--59a1ce0d-eef8-48eb-b77a-495702de0b81",
"indicator--59a1ce0d-f94c-4cb2-92b6-47c602de0b81",
"indicator--59a1ce0d-2624-4905-896e-43a702de0b81",
"indicator--59a1ce0d-7d98-42d8-b7bc-488f02de0b81",
"indicator--59a1ce0d-df10-451e-94bb-40d602de0b81",
"indicator--59a1ce0d-9e24-4465-939f-462f02de0b81",
"indicator--59a1ce0d-b9b0-4eb2-a26a-4b9102de0b81",
"indicator--59a1ce0d-c1d0-48d8-a50b-487b02de0b81",
"indicator--59a1ce0d-c3d4-44ca-9a77-4b1602de0b81",
"observed-data--59a1ce3e-2f44-4cd3-8e28-add202de0b81",
"url--59a1ce3e-2f44-4cd3-8e28-add202de0b81",
"observed-data--59a1ce3e-d3f0-4f4f-aa69-add202de0b81",
"url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81",
"observed-data--59a1ce3e-8710-4479-8ad0-add202de0b81",
"url--59a1ce3e-8710-4479-8ad0-add202de0b81",
"observed-data--59a1ce3f-7ddc-43eb-aae7-add202de0b81",
"url--59a1ce3f-7ddc-43eb-aae7-add202de0b81",
"observed-data--59a1ce3f-e8d8-4ba8-82e2-add202de0b81",
"url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81",
"observed-data--59a1ce3f-f950-4a5c-a1c6-add202de0b81",
"url--59a1ce3f-f950-4a5c-a1c6-add202de0b81",
"observed-data--59a1ce3f-8bb8-46d8-9e93-add202de0b81",
"url--59a1ce3f-8bb8-46d8-9e93-add202de0b81",
"indicator--59a1ce7c-bbdc-4f01-ad34-4af202de0b81",
"indicator--59a1ce7c-3e08-4941-8a7c-4fe102de0b81",
"observed-data--59a1ce7c-71fc-46a8-8deb-414302de0b81",
"url--59a1ce7c-71fc-46a8-8deb-414302de0b81",
"indicator--59a1ce7c-5b34-423e-98a4-48af02de0b81",
"indicator--59a1ce7c-2fb8-4784-9876-490002de0b81",
"observed-data--59a1ce7c-c558-42cf-989b-4b9f02de0b81",
"url--59a1ce7c-c558-42cf-989b-4b9f02de0b81",
"indicator--59a1ce7c-16f0-4356-a71d-477302de0b81",
"indicator--59a1ce7c-b4ac-4c0e-ab92-4bf302de0b81",
"observed-data--59a1ce7c-c8a8-4982-be1c-489702de0b81",
"url--59a1ce7c-c8a8-4982-be1c-489702de0b81",
"indicator--59a1ce7c-3518-4970-b6c7-4bc002de0b81",
"indicator--59a1ce7c-3570-4889-a5ba-427702de0b81",
"observed-data--59a1ce7c-1ed8-47df-a9b9-425402de0b81",
"url--59a1ce7c-1ed8-47df-a9b9-425402de0b81",
"indicator--59a1ce7c-f688-48e0-9763-4b1e02de0b81",
"indicator--59a1ce7c-68f8-44db-9bb5-409e02de0b81",
"observed-data--59a1ce7c-8e60-4246-a504-443802de0b81",
"url--59a1ce7c-8e60-4246-a504-443802de0b81",
"indicator--59a1ce7c-6334-4439-bc93-44f502de0b81",
"indicator--59a1ce7c-96b8-475f-be09-48c102de0b81",
"observed-data--59a1ce7c-d6fc-416b-9324-43f502de0b81",
"url--59a1ce7c-d6fc-416b-9324-43f502de0b81",
"indicator--59a1ce7c-1950-43f5-893e-4f6402de0b81",
"indicator--59a1ce7c-2eb8-4bc7-aeb6-455d02de0b81",
"observed-data--59a1ce7c-8008-4639-bce8-4b7a02de0b81",
"url--59a1ce7c-8008-4639-bce8-4b7a02de0b81",
"indicator--59a1ce7c-cbbc-4984-8e85-419b02de0b81",
"indicator--59a1ce7c-ade4-4b9c-b213-46a002de0b81",
"observed-data--59a1ce7c-d288-48a4-a173-4f6002de0b81",
"url--59a1ce7c-d288-48a4-a173-4f6002de0b81",
"indicator--59a1ce7c-b694-4d38-8305-4e0d02de0b81",
"indicator--59a1ce7c-48bc-4081-9523-41a602de0b81",
"observed-data--59a1ce7c-624c-408b-8fb8-42e902de0b81",
"url--59a1ce7c-624c-408b-8fb8-42e902de0b81",
"indicator--59a1ce7c-cc38-4ce4-a3c9-471702de0b81",
"indicator--59a1ce7c-d0b0-4f83-8433-4dfe02de0b81",
"observed-data--59a1ce7c-b7b8-474b-bd23-455c02de0b81",
"url--59a1ce7c-b7b8-474b-bd23-455c02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1a90c-8e04-4fc8-bf0e-447d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"first_observed": "2017-08-26T19:39:39Z",
"last_observed": "2017-08-26T19:39:39Z",
"number_observed": 1,
"object_refs": [
"url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1a90c-8e04-4fc8-bf0e-447d02de0b81",
"value": "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59a1a91a-f438-4135-a500-ae1a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Proofpoint recently observed a targeted email campaign attempting a spearphishing attack using a Game of Thrones lure. The malicious attachment, which offered salacious spoilers and video clips, attempted to install a \u00e2\u20ac\u01539002\u00e2\u20ac\u009d remote access Trojan (RAT) historically used by state-sponsored actors. Previous attacks involving the 9002 RAT include:\r\n\r\nOperation Aurora, an attack on companies such as Google, widely attributed to the Chinese government [1,2]\r\nOperation Ephemeral Hydra, a strategic website compromise utilizing an Internet Explorer zero-day [3], which FireEye attributed to an APT actor without a country attribution\r\nAttacks on Asian countries described by Palo Alto [4]\r\nOnce installed, the 9002 RAT provides attackers with extensive data exfiltration capabilities."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-af54-429a-9a56-408d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"pattern": "[url:value = 'http://27.255.83.3/x/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-c274-4745-8395-46ca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"pattern": "[url:value = 'http://27.255.83.3/y/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-f620-4573-be85-427202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.255.83.3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-c218-45cc-b7fe-415f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"pattern": "[file:hashes.SHA256 = '9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-d6b8-43fd-affa-428b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "%APPDATA%\\y.jpg",
"pattern": "[file:hashes.SHA256 = '5a678529aea9195b787be8c788ef4bb03e38e425ad6d0c9fafd44ed03aa46b65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-0560-46d0-9d6a-4eb102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"pattern": "[file:hashes.SHA256 = 'efdb6351ac3902b18535fcd30432e98ffa2d8bc4224bdb3aba7f8ca0f44cec79']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-2dac-490c-a7d4-459102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "Party_photos_201612.zip",
"pattern": "[file:hashes.SHA256 = 'bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-30b8-4c6d-9066-4ae002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "need help.docx",
"pattern": "[file:hashes.SHA256 = '192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-4ca8-4322-ad44-4f1a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "Party-001.jpg.lnk",
"pattern": "[file:hashes.SHA256 = '774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-eef8-48eb-b77a-495702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "Photos20140214.zip",
"pattern": "[file:hashes.SHA256 = '56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-f94c-4cb2-92b6-47c602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "Party-pics-201304.zip",
"pattern": "[file:hashes.SHA256 = '83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-2624-4905-896e-43a702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "Party_Photos_Packed.zip",
"pattern": "[file:hashes.SHA256 = 'b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-7d98-42d8-b7bc-488f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "Photos20140215.zip",
"pattern": "[file:hashes.SHA256 = 'db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-df10-451e-94bb-40d602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "PartyPics.7z",
"pattern": "[file:hashes.SHA256 = 'fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-9e24-4465-939f-462f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "PhotoShow.jar",
"pattern": "[file:hashes.SHA256 = '559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-b9b0-4eb2-a26a-4b9102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"description": "Upins_tmp.exe (dropped by PhotoShow.jar)",
"pattern": "[file:hashes.SHA256 = '0b7613e0f739eb63fd5ed9e99934d54a38e56c558ab8d1a4f586a7c88d37a428']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-c1d0-48d8-a50b-487b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"pattern": "[domain-name:value = 'mn1.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce0d-c3d4-44ca-9a77-4b1602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"pattern": "[domain-name:value = 'mx.i26.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce3e-2f44-4cd3-8e28-add202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"first_observed": "2017-08-26T19:39:39Z",
"last_observed": "2017-08-26T19:39:39Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce3e-2f44-4cd3-8e28-add202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce3e-2f44-4cd3-8e28-add202de0b81",
"value": "https://community.saas.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WaBdzB9ifW8"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce3e-d3f0-4f4f-aa69-add202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"first_observed": "2017-08-26T19:39:39Z",
"last_observed": "2017-08-26T19:39:39Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce3e-d3f0-4f4f-aa69-add202de0b81",
"value": "http://www.washingtontimes.com/news/2010/mar/24/cyber-attack-on-us-firms-google-traced-to-chinese/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce3e-8710-4479-8ad0-add202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"first_observed": "2017-08-26T19:39:39Z",
"last_observed": "2017-08-26T19:39:39Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce3e-8710-4479-8ad0-add202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce3e-8710-4479-8ad0-add202de0b81",
"value": "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce3f-7ddc-43eb-aae7-add202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"first_observed": "2017-08-26T19:39:39Z",
"last_observed": "2017-08-26T19:39:39Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce3f-7ddc-43eb-aae7-add202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce3f-7ddc-43eb-aae7-add202de0b81",
"value": "https://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce3f-e8d8-4ba8-82e2-add202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"first_observed": "2017-08-26T19:39:39Z",
"last_observed": "2017-08-26T19:39:39Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce3f-e8d8-4ba8-82e2-add202de0b81",
"value": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-Shellcode.ps1"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce3f-f950-4a5c-a1c6-add202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"first_observed": "2017-08-26T19:39:39Z",
"last_observed": "2017-08-26T19:39:39Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce3f-f950-4a5c-a1c6-add202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce3f-f950-4a5c-a1c6-add202de0b81",
"value": "http://security-is-just-an-illusion.blogspot.nl/2013/02/45-x-antivirus-software-fail-again-java.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce3f-8bb8-46d8-9e93-add202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:39.000Z",
"modified": "2017-08-26T19:39:39.000Z",
"first_observed": "2017-08-26T19:39:39Z",
"last_observed": "2017-08-26T19:39:39Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce3f-8bb8-46d8-9e93-add202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce3f-8bb8-46d8-9e93-add202de0b81",
"value": "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-bbdc-4f01-ad34-4af202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "PhotoShow.jar - Xchecked via VT: 559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308",
"pattern": "[file:hashes.SHA1 = 'fb262cae70ea79b831b6b4e049d03fb27ba93b10']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-3e08-4941-8a7c-4fe102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "PhotoShow.jar - Xchecked via VT: 559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308",
"pattern": "[file:hashes.MD5 = '300eb3eb70e30332cc339487f19c1123']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-71fc-46a8-8deb-414302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-71fc-46a8-8deb-414302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-71fc-46a8-8deb-414302de0b81",
"value": "https://www.virustotal.com/file/559c0f2948d1d3179420eecd78b1e7c36c4960ec5d110c63bf6c853d30f1b308/analysis/1399034900/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-5b34-423e-98a4-48af02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "PartyPics.7z - Xchecked via VT: fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7",
"pattern": "[file:hashes.SHA1 = '6b323d58163f0feb4b3c351f00fac34df048f618']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-2fb8-4784-9876-490002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "PartyPics.7z - Xchecked via VT: fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7",
"pattern": "[file:hashes.MD5 = '4fa9e1ee1943edbfc1f47abec1e166a6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-c558-42cf-989b-4b9f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-c558-42cf-989b-4b9f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-c558-42cf-989b-4b9f02de0b81",
"value": "https://www.virustotal.com/file/fb8eff8dcf41a4cfd0b5775327a607b76269b725f1b46dc5dd04b1f5e2433ee7/analysis/1397745647/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-16f0-4356-a71d-477302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Photos20140215.zip - Xchecked via VT: db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6",
"pattern": "[file:hashes.SHA1 = 'f6fdfc3bd51b6ddb317e6920d8bf43bb06b84e7d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-b4ac-4c0e-ab92-4bf302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Photos20140215.zip - Xchecked via VT: db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6",
"pattern": "[file:hashes.MD5 = 'be0324f6b62794a0cc2d836ae3d3ca4d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-c8a8-4982-be1c-489702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-c8a8-4982-be1c-489702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-c8a8-4982-be1c-489702de0b81",
"value": "https://www.virustotal.com/file/db6b67704b77d271e40e0259a68ce2224504081545619d33b4909e6e6a385ec6/analysis/1397835917/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-3518-4970-b6c7-4bc002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Party_Photos_Packed.zip - Xchecked via VT: b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43",
"pattern": "[file:hashes.SHA1 = '0e532e856e5d8e9ed7497a04709a69375bce52c5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-3570-4889-a5ba-427702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Party_Photos_Packed.zip - Xchecked via VT: b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43",
"pattern": "[file:hashes.MD5 = 'ae61b4f25bd0101d39eb925e36082802']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-1ed8-47df-a9b9-425402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-1ed8-47df-a9b9-425402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-1ed8-47df-a9b9-425402de0b81",
"value": "https://www.virustotal.com/file/b54d547e33b0ea6ba161ac4ce06a50076f1e55a3bc592a0fb56bbc34dc96fd43/analysis/1421863355/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-f688-48e0-9763-4b1e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Party-pics-201304.zip - Xchecked via VT: 83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70",
"pattern": "[file:hashes.SHA1 = '4d5c9a03af619caae4dbeb7dca0a739c2e4babb2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-68f8-44db-9bb5-409e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Party-pics-201304.zip - Xchecked via VT: 83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70",
"pattern": "[file:hashes.MD5 = 'cbbadbb5eab890d10ee48853fe9e7781']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-8e60-4246-a504-443802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-8e60-4246-a504-443802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-8e60-4246-a504-443802de0b81",
"value": "https://www.virustotal.com/file/83151fe6980a39eeda961c6a8f0baba13b6da853661ccbf5c7d9a97ec73d1b70/analysis/1400689562/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-6334-4439-bc93-44f502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Photos20140214.zip - Xchecked via VT: 56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852",
"pattern": "[file:hashes.SHA1 = '8c1e699ef25443cf8857b6eb4c8eb5618186377a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-96b8-475f-be09-48c102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Photos20140214.zip - Xchecked via VT: 56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852",
"pattern": "[file:hashes.MD5 = '2c77abcc72475c7e0f446f807e14b22a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-d6fc-416b-9324-43f502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-d6fc-416b-9324-43f502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-d6fc-416b-9324-43f502de0b81",
"value": "https://www.virustotal.com/file/56dda2ed3cd67cadc53f4b9e493c4601e45c5112772ade5b0c36b61858ab7852/analysis/1397837529/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-1950-43f5-893e-4f6402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Party-001.jpg.lnk - Xchecked via VT: 774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0",
"pattern": "[file:hashes.SHA1 = 'c7becef454d23d2e6b77add4925fed36d38f24c8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-2eb8-4bc7-aeb6-455d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Party-001.jpg.lnk - Xchecked via VT: 774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0",
"pattern": "[file:hashes.MD5 = '1ec3ec4af040b71eda4eb1c30116b1a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-8008-4639-bce8-4b7a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-8008-4639-bce8-4b7a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-8008-4639-bce8-4b7a02de0b81",
"value": "https://www.virustotal.com/file/774acdc37157e7560eca4a167558780e1cc2f5dfd203cbcb795ec05373d46fe0/analysis/1426834440/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-cbbc-4984-8e85-419b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "need help.docx - Xchecked via VT: 192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a",
"pattern": "[file:hashes.SHA1 = '34e2667c67c9ff2ca30c35b03c6acc7a6ad84471']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-ade4-4b9c-b213-46a002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "need help.docx - Xchecked via VT: 192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a",
"pattern": "[file:hashes.MD5 = '325be1a107e0e20748c19bb243a26b13']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-d288-48a4-a173-4f6002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-d288-48a4-a173-4f6002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-d288-48a4-a173-4f6002de0b81",
"value": "https://www.virustotal.com/file/192e8925589fa9a7f64cba04817c180e6f26ad080bf0f966a63a3280766b066a/analysis/1503662047/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-b694-4d38-8305-4e0d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Party_photos_201612.zip - Xchecked via VT: bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100",
"pattern": "[file:hashes.SHA1 = 'cfef71b39afb7b73f33f514a20b5c5b32b5f1012']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-48bc-4081-9523-41a602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "Party_photos_201612.zip - Xchecked via VT: bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100",
"pattern": "[file:hashes.MD5 = '5b3733bfa52e6af1520ad53f93789737']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-624c-408b-8fb8-42e902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-624c-408b-8fb8-42e902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-624c-408b-8fb8-42e902de0b81",
"value": "https://www.virustotal.com/file/bdd695363117ba9fb23a7cbcd484d79e7a469c11ab9a6e2ad9a50c678097f100/analysis/1499332325/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-cc38-4ce4-a3c9-471702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "- Xchecked via VT: 9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd",
"pattern": "[file:hashes.SHA1 = '644a3b395f8d7baaa4aae65e80363bf955698a79']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a1ce7c-d0b0-4f83-8433-4dfe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"description": "- Xchecked via VT: 9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd",
"pattern": "[file:hashes.MD5 = '7e8bc04a964d33a375c2c970f0697908']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-26T19:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a1ce7c-b7b8-474b-bd23-455c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-26T19:39:40.000Z",
"modified": "2017-08-26T19:39:40.000Z",
"first_observed": "2017-08-26T19:39:40Z",
"last_observed": "2017-08-26T19:39:40Z",
"number_observed": 1,
"object_refs": [
"url--59a1ce7c-b7b8-474b-bd23-455c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a1ce7c-b7b8-474b-bd23-455c02de0b81",
"value": "https://www.virustotal.com/file/9e49d214e2325597b6d648780cf8980f4cc16811b21f586308e3e9866f40d1cd/analysis/1499333974/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}