misp-circl-feed/feeds/circl/misp/5a37c286-b27c-49e7-8c79-ed2e950d210f.json


{
"type": "bundle",
"id": "bundle--5a37c286-b27c-49e7-8c79-ed2e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:57:37.000Z",
"modified": "2017-12-18T13:57:37.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5a37c286-b27c-49e7-8c79-ed2e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:57:37.000Z",
"modified": "2017-12-18T13:57:37.000Z",
"name": "OSINT - Rehashed RAT Used in APT Campaign Against Vietnamese Organizations",
"context": "suspicious-activity",
"object_refs": [
"x-misp-attribute--5a37c310-fe98-4e0c-8a85-ed7e950d210f",
"observed-data--5a37c320-10e0-40fe-b101-41be950d210f",
"url--5a37c320-10e0-40fe-b101-41be950d210f",
"indicator--5a37c39a-e51c-4e94-aa70-4624950d210f",
"indicator--5a37c39a-94b4-4e3c-9920-487e950d210f",
"indicator--5a37c39a-0990-4dee-807d-412e950d210f",
"indicator--5a37c39a-11b0-4a56-ad0d-4a9b950d210f",
"indicator--5a37c39a-2b88-49d7-9d70-4995950d210f",
"indicator--5a37c39a-2b98-44e8-b2a8-40de950d210f",
"indicator--5a37c39a-e7a4-4601-8090-44dd950d210f",
"indicator--5a37c39a-a58c-4d47-a1c7-4ab0950d210f",
"indicator--5a37c39a-4848-4c04-bedb-42e4950d210f",
"indicator--5a37c39a-b858-4a24-b196-4ec8950d210f",
"indicator--5a37c3ae-68e8-4c93-8990-ed2e950d210f",
"indicator--5a37c3ae-8fd8-4d9e-b951-ed2e950d210f",
"indicator--5a37c3c2-1348-469b-9f4c-4697950d210f",
"indicator--5a37c3c2-e3dc-46a1-869d-4bf5950d210f",
"indicator--5a37c3c2-9f14-4ffd-8bcc-4955950d210f",
"indicator--5a37c3d8-006c-4fd8-b4f9-4ce0950d210f",
"indicator--5a37c3ed-1a24-4906-89b8-48eb950d210f",
"indicator--5a37c3ed-05a0-407e-9c80-4ed0950d210f",
"indicator--5a37c3ed-eedc-4f84-8374-4da3950d210f",
"indicator--5a37c838-6cf4-4379-ab05-46c3950d210f",
"indicator--5a37c838-7e94-443d-ac6c-442c950d210f",
"indicator--5a37c838-2f18-4d4c-bb82-447a950d210f",
"indicator--5a37c838-99e0-407b-b49f-45b6950d210f",
"indicator--5a37c838-b1a0-4941-a998-44b7950d210f",
"indicator--5a37c838-ac4c-48db-8a98-49d8950d210f",
"indicator--5a37c838-0394-4a48-878b-4a60950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:rat=\"NewCore\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"workflow:todo=\"expansion\"",
"enisa:nefarious-activity-abuse=\"remote-access-tool\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a37c310-fe98-4e0c-8a85-ed7e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:31:26.000Z",
"modified": "2017-12-18T13:31:26.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Recently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158. To evade suspicion from the victim, these RTF files drop decoy documents containing politically themed texts about a variety of Vietnamese government-related information. It was believed in a recent report that the hacking campaign where these documents were used was led by the Chinese hacking group 1937CN. The link to the group was found through malicious domains used as command and control servers by the attacker. In this blog, we will delve into the malware used in this campaign and will try to provide more clues as to the instigator of this campaign."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a37c320-10e0-40fe-b101-41be950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:31:19.000Z",
"modified": "2017-12-18T13:31:19.000Z",
"first_observed": "2017-12-18T13:31:19Z",
"last_observed": "2017-12-18T13:31:19Z",
"number_observed": 1,
"object_refs": [
"url--5a37c320-10e0-40fe-b101-41be950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a37c320-10e0-40fe-b101-41be950d210f",
"value": "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-e51c-4e94-aa70-4624950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '2a4e8ae006be3a5ed2327b6422c4c6f8f274cfa9385c4a540bc617bff6a0f060']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-94b4-4e3c-9920-487e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '3faacef20002f9deb1305c43ea75b8422fd29a1559c0cf01cf1cee6a1b94fc0e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-0990-4dee-807d-412e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '5bdbf536e12c9150d15ae4af2d825ff2ec432d5147b0c3404c5d24655d9ebe52']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-11b0-4a56-ad0d-4a9b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '14b4d8f787d11c7d72f66231e80997ef6ffa1d868d9d8f964bea36871e1c2ff2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-2b88-49d7-9d70-4995950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '637c156508949c881763c019d2dca7c912da9ec63f01e3d3ba604f31b36e52ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-2b98-44e8-b2a8-40de950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '5573f6ec22026b0c00945eec177f04212492bb05c33b4b80f73c65ce7fe5119a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-e7a4-4601-8090-44dd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = '00466938836129a634b573d2b57311200ab04aba7252cfbf6b77f435612ca6c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-a58c-4d47-a1c7-4ab0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = 'c375946ba8abee48948f79a89ea5b4f823d8287c2feb3515755b22ba5bd8849d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-4848-4c04-bedb-42e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = 'f6a4bab7d5664d7802f1007daa04ae71e0e2b829cd06faa9b93a465546837eb4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c39a-b858-4a24-b196-4ec8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:14.000Z",
"modified": "2017-12-18T13:33:14.000Z",
"description": "Lure",
"pattern": "[file:hashes.SHA256 = 'fabf4debacb7950d403a84f4af25c084d0b576783006d334052ebf7ea432196e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ae-68e8-4c93-8990-ed2e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:34.000Z",
"modified": "2017-12-18T13:33:34.000Z",
"description": "Loader",
"pattern": "[file:hashes.SHA256 = '9cebae97a067cd7c2be50d7fd8afe5e9cf935c11914a1ab5ff59e91c1e7e5fc4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ae-8fd8-4d9e-b951-ed2e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:34.000Z",
"modified": "2017-12-18T13:33:34.000Z",
"description": "Loader",
"pattern": "[file:hashes.SHA256 = 'ea5b3320c5bbe2331fa3c0bd0adb3ec91f0aed97709e1b869b79f6a604ba002f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3c2-1348-469b-9f4c-4697950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:54.000Z",
"modified": "2017-12-18T13:33:54.000Z",
"description": "Trojan Downloader",
"pattern": "[file:hashes.SHA256 = 'edbcc384b8ae0a2f52f239e2e599c3d2053f98cc1f4bc91548ec420bec063be6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3c2-e3dc-46a1-869d-4bf5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:54.000Z",
"modified": "2017-12-18T13:33:54.000Z",
"description": "Trojan Downloader",
"pattern": "[file:hashes.SHA256 = '49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3c2-9f14-4ffd-8bcc-4955950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:33:54.000Z",
"modified": "2017-12-18T13:33:54.000Z",
"description": "Trojan Downloader",
"pattern": "[file:hashes.SHA256 = 'df8475669a14a335c46c802f642dd5569c52f915093a680175c30cc9f28aacdb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3d8-006c-4fd8-b4f9-4ce0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:34:16.000Z",
"modified": "2017-12-18T13:34:16.000Z",
"description": "NewCore RAT",
"pattern": "[file:hashes.SHA256 = '37bd97779e854ea2fc43486ddb831a5acfd19cf89f06823c9fd3b20134cb1c35']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:34:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ed-1a24-4906-89b8-48eb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:34:37.000Z",
"modified": "2017-12-18T13:34:37.000Z",
"description": "Command and Control Servers",
"pattern": "[domain-name:value = 'web.thoitietvietnam.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:34:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ed-05a0-407e-9c80-4ed0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:34:37.000Z",
"modified": "2017-12-18T13:34:37.000Z",
"description": "Command and Control Servers",
"pattern": "[domain-name:value = 'dalat.dulichovietnam.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:34:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c3ed-eedc-4f84-8374-4da3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:34:37.000Z",
"modified": "2017-12-18T13:34:37.000Z",
"description": "Command and Control Servers",
"pattern": "[domain-name:value = 'halong.dulichculao.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:34:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-6cf4-4379-ab05-46c3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "signed legitimate GoogleUpdate.exe version 1.3.33.5",
"pattern": "[file:name = 'Taskeng.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-7e94-443d-ac6c-442c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "encrypted blob containing malware file",
"pattern": "[file:name = 'Psisrndrx.ebd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-2f18-4d4c-bb82-447a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "decrypter and loader of malware file",
"pattern": "[file:name = 'Goopdate.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-99e0-407b-b49f-45b6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "signed legitimate McAfee AV application",
"pattern": "[file:name = 'SC&Cfg.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-b1a0-4941-a998-44b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "contains the malware file",
"pattern": "[file:name = 'Vsodscpl.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-ac4c-48db-8a98-49d8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "signed legitimate GoogleUpdate.exe version 1.3.30.3",
"pattern": "[file:name = 'Systemm.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37c838-0394-4a48-878b-4a60950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T13:52:56.000Z",
"modified": "2017-12-18T13:52:56.000Z",
"description": "encrypted blob containing malware file",
"pattern": "[file:name = 'Systemsfb.ebd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T13:52:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}