adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/59bf8143-8b5c-4146-b820-91d9950d210f.json

729 lines
No EOL
31 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--59bf8143-8b5c-4146-b820-91d9950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-21T02:54:33.000Z",
"modified": "2017-09-21T02:54:33.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--59bf8143-8b5c-4146-b820-91d9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-21T02:54:33.000Z",
"modified": "2017-09-21T02:54:33.000Z",
"name": "OSINT - CCleanup: A Vast Number of Machines at Risk",
"context": "suspicious-activity",
"object_refs": [
"x-misp-attribute--59bf81ab-1a68-4034-b35b-b063950d210f",
"observed-data--59bf81de-a514-4989-8f8b-ade3950d210f",
"url--59bf81de-a514-4989-8f8b-ade3950d210f",
"indicator--59bf830e-cec0-41ad-9c89-ade8950d210f",
"indicator--59bf830e-2ab0-4d84-896f-ade8950d210f",
"indicator--59bf830e-c370-4a85-ac14-ade8950d210f",
"indicator--59bf830e-842c-46ac-8d67-ade8950d210f",
"indicator--59bf830e-a268-44fa-9f3e-ade8950d210f",
"indicator--59bf830e-c93c-4bb2-acb8-ade8950d210f",
"indicator--59bf830e-2594-4ffc-a14c-ade8950d210f",
"indicator--59bf830e-6c70-405f-84bd-ade8950d210f",
"indicator--59bf830e-a8c0-4da4-a47e-ade8950d210f",
"indicator--59bf830e-795c-4960-b8e6-ade8950d210f",
"indicator--59bf830e-5a3c-4520-90b5-ade8950d210f",
"indicator--59bf8363-93b8-4e18-99c4-91da950d210f",
"indicator--59bf8363-5410-4f41-8314-91da950d210f",
"indicator--59bf8363-3ab4-4a1d-8a29-91da950d210f",
"indicator--59bf8370-9638-404c-a472-91d1950d210f",
"x-misp-attribute--59bf83c5-7b64-4222-a750-9958950d210f",
"indicator--59bf83e1-bca0-4960-95c0-aa4b02de0b81",
"indicator--59bf83e1-e588-4e74-bbb8-aa4b02de0b81",
"observed-data--59bf83e1-fbdc-4959-bb43-aa4b02de0b81",
"url--59bf83e1-fbdc-4959-bb43-aa4b02de0b81",
"indicator--59bf83e1-02ac-466e-b8b5-aa4b02de0b81",
"indicator--59bf83e1-8704-45b8-b901-aa4b02de0b81",
"observed-data--59bf83e1-1814-4c13-9596-aa4b02de0b81",
"url--59bf83e1-1814-4c13-9596-aa4b02de0b81",
"indicator--59bf83e1-f5b4-41d8-a784-aa4b02de0b81",
"indicator--59bf83e1-0e98-412b-9ecc-aa4b02de0b81",
"observed-data--59bf83e1-68f0-4473-8a28-aa4b02de0b81",
"url--59bf83e1-68f0-4473-8a28-aa4b02de0b81",
"indicator--59bf846d-9af0-4582-ab2c-aa4b950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59bf81ab-1a68-4034-b35b-b063950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons. The Nyetya worm that was released into the wild earlier in 2017 showed just how potent these types of attacks can be. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time. Luckily with tools like AMP the additional visibility can usually help direct attention to the initial vector. \r\n\r\nTalos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59bf81de-a514-4989-8f8b-ade3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"first_observed": "2017-09-18T08:29:20Z",
"last_observed": "2017-09-18T08:29:20Z",
"number_observed": 1,
"object_refs": [
"url--59bf81de-a514-4989-8f8b-ade3950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59bf81de-a514-4989-8f8b-ade3950d210f",
"value": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-cec0-41ad-9c89-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab6d54340c1a.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-2ab0-4d84-896f-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'aba9a949bc1d.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-c370-4a85-ac14-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab2da3d400c20.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-842c-46ac-8d67-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab3520430c23.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-a268-44fa-9f3e-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab1c403220c27.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-c93c-4bb2-acb8-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab1abad1d0c2a.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-2594-4ffc-a14c-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab8cee60c2d.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-6c70-405f-84bd-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab1145b758c30.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-a8c0-4da4-a47e-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab890e964c34.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-795c-4960-b8e6-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab3d685a0c37.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf830e-5a3c-4520-90b5-ade8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"description": "DGA Domain",
"pattern": "[domain-name:value = 'ab70a139cc3a.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf8363-93b8-4e18-99c4-91da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"pattern": "[file:hashes.SHA256 = '6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf8363-5410-4f41-8314-91da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"pattern": "[file:hashes.SHA256 = '1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf8363-3ab4-4a1d-8a29-91da950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"pattern": "[file:hashes.SHA256 = '36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf8370-9638-404c-a472-91d1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.126.225.148']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59bf83c5-7b64-4222-a750-9958950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:20.000Z",
"modified": "2017-09-18T08:29:20.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "S:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\Release\\CCleaner.pdb"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf83e1-bca0-4960-95c0-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"description": "- Xchecked via VT: 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9",
"pattern": "[file:hashes.SHA1 = '7e9cfa3cca5000fe56e4cf5c660f7939487e531a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf83e1-e588-4e74-bbb8-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"description": "- Xchecked via VT: 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9",
"pattern": "[file:hashes.MD5 = 'd488e4b61c233293bec2ee09553d3a2f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59bf83e1-fbdc-4959-bb43-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"first_observed": "2017-09-18T08:29:21Z",
"last_observed": "2017-09-18T08:29:21Z",
"number_observed": 1,
"object_refs": [
"url--59bf83e1-fbdc-4959-bb43-aa4b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59bf83e1-fbdc-4959-bb43-aa4b02de0b81",
"value": "https://www.virustotal.com/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/1505722714/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf83e1-02ac-466e-b8b5-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"description": "- Xchecked via VT: 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff",
"pattern": "[file:hashes.SHA1 = 'c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf83e1-8704-45b8-b901-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"description": "- Xchecked via VT: 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff",
"pattern": "[file:hashes.MD5 = '75735db7291a19329190757437bdb847']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59bf83e1-1814-4c13-9596-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"first_observed": "2017-09-18T08:29:21Z",
"last_observed": "2017-09-18T08:29:21Z",
"number_observed": 1,
"object_refs": [
"url--59bf83e1-1814-4c13-9596-aa4b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59bf83e1-1814-4c13-9596-aa4b02de0b81",
"value": "https://www.virustotal.com/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/1505723218/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf83e1-f5b4-41d8-a784-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"description": "- Xchecked via VT: 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9",
"pattern": "[file:hashes.SHA1 = '8983a49172af96178458266f93d65fa193eaaef2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf83e1-0e98-412b-9ecc-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"description": "- Xchecked via VT: 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9",
"pattern": "[file:hashes.MD5 = 'ef694b89ad7addb9a16bb6f26f1efaf7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:29:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59bf83e1-68f0-4473-8a28-aa4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:29:21.000Z",
"modified": "2017-09-18T08:29:21.000Z",
"first_observed": "2017-09-18T08:29:21Z",
"last_observed": "2017-09-18T08:29:21Z",
"number_observed": 1,
"object_refs": [
"url--59bf83e1-68f0-4473-8a28-aa4b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59bf83e1-68f0-4473-8a28-aa4b02de0b81",
"value": "https://www.virustotal.com/file/6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9/analysis/1505722818/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59bf846d-9af0-4582-ab2c-aa4b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-18T08:31:41.000Z",
"modified": "2017-09-18T08:31:41.000Z",
"pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Piriform\\\\Agomo']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-18T08:31:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink