misp-circl-feed/feeds/circl/misp/5a3c2fcd-8328-42bb-a95e-4f4402de0b81.json


{
"type": "bundle",
"id": "bundle--5a3c2fcd-8328-42bb-a95e-4f4402de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:17:25.000Z",
"modified": "2017-12-22T13:17:25.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5a3c2fcd-8328-42bb-a95e-4f4402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:17:25.000Z",
"modified": "2017-12-22T13:17:25.000Z",
"name": "OSINT - Sednit update: How Fancy Bear Spent the Year",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5a3c2fda-78f4-44b7-8366-46da02de0b81",
"url--5a3c2fda-78f4-44b7-8366-46da02de0b81",
"x-misp-attribute--5a3c2fee-7c8c-438a-8f7f-465402de0b81",
"indicator--5a3c3045-ab0c-4d38-8efe-459002de0b81",
"indicator--5a3c3045-61dc-495c-ae8a-471e02de0b81",
"indicator--5a3c3045-e354-4978-a6b4-49ad02de0b81",
"indicator--5a3c3045-968c-4572-9f64-491502de0b81",
"indicator--5a3c3045-eb44-433f-a13a-44b902de0b81",
"indicator--5a3c3045-6a88-479d-b799-4d3d02de0b81",
"indicator--5a3c3045-7480-4831-a5c4-48c802de0b81",
"indicator--5a3cd5b6-9568-4342-b2ab-4c62950d210f",
"indicator--5a3cd604-e11c-4de5-bbbf-c170950d210f",
"indicator--5a3cd693-fd9c-4fcf-b69a-439c950d210f",
"indicator--5a3cd6c2-d290-4787-910f-4e6d950d210f",
"indicator--5a3cd74e-1504-40ff-9a28-4501950d210f",
"indicator--5a3cd775-e4cc-44bb-89b6-4c5a950d210f",
"indicator--5a3cd82f-2788-4561-bbeb-5165950d210f",
"indicator--5a3cd847-b5a0-42f7-ac4b-5165950d210f",
"indicator--5a3cd861-65c0-4b69-9429-4f37950d210f",
"indicator--5a3cd87d-f514-4071-a5f7-4ec2950d210f",
"indicator--5a3cd896-f6cc-4e52-bcb2-442c950d210f",
"indicator--5a3cd8ae-54d0-46bb-adbb-4c5a950d210f",
"indicator--5a3cd8bb-a704-4f1d-a235-444e950d210f",
"indicator--5a3cd8c9-6568-406a-853c-4862950d210f",
"indicator--5a3cd8db-2838-4466-a986-4afb950d210f",
"indicator--5a3cd8fb-cd14-4b00-9710-430c950d210f",
"indicator--5a3cd90e-538c-4b7e-95dc-5276950d210f",
"indicator--5a3cd927-e410-489c-abfc-4b63950d210f",
"indicator--5a3cd93c-716c-4918-a00f-4671950d210f",
"indicator--5a3cda96-85c4-45a1-82ea-c5ed950d210f",
"indicator--5a3cdbc7-dbec-4b8c-8ba3-4c5a950d210f",
"indicator--5a3cdbf6-f814-491f-9f93-4c59950d210f",
"indicator--5a3cdc09-6fbc-4ca1-bfaa-c5ed950d210f",
"indicator--5a3cdc21-856c-48bd-a757-4f4b950d210f",
"indicator--5a3cdc37-89e8-4a2d-823a-4af8950d210f",
"indicator--5a3cdc48-b9a0-4775-a03f-5156950d210f",
"indicator--5a3cdc5a-8760-4efa-949a-4c5a950d210f",
"indicator--5a3cdc72-1538-4c66-af46-427b950d210f",
"indicator--5a3ce3a9-f070-4403-a1f6-4b8c950d210f",
"indicator--5a3ce3c3-34b4-4e1f-b238-4399950d210f",
"indicator--5a3ce3d4-07bc-4af3-90fc-4798950d210f",
"indicator--5a3ce3ea-580c-477c-9b73-4e57950d210f",
"indicator--5a3ce404-efc0-4f15-864e-55ea950d210f",
"indicator--5a3ce417-7cd4-4c36-8a73-55ea950d210f",
"indicator--5a3ce42b-2e0c-4a26-b6c8-47a3950d210f",
"indicator--5a3ce43a-5478-4f65-95b2-4e1e950d210f",
"indicator--5a3ce44a-ce70-42b7-80b8-c328950d210f",
"indicator--5a3ce58a-3198-4cb8-9d51-44e5950d210f",
"indicator--5a3ce5f8-3418-4f7b-ae41-4bca950d210f",
"indicator--5a3ce60a-6db8-4212-b194-4339950d210f",
"indicator--5a3ce61a-c1f0-4c7c-b815-4fa9950d210f",
"indicator--5a3ce63e-0240-46f5-b9ed-4759950d210f",
"indicator--5a3ce64e-8bf8-4dc6-be49-437f950d210f",
"indicator--5a3ce65c-fc40-4585-817e-4ca3950d210f",
"indicator--5a3ce66e-70b4-47e7-b965-46f6950d210f",
"indicator--5a3ce680-90d4-478d-95db-48a6950d210f",
"indicator--5a3ce68d-1940-4ea6-becd-44fe950d210f",
"indicator--5a3ce6a1-3f1c-4d5d-bac7-406d950d210f",
"indicator--5a3ce6ae-98d8-4270-b88f-47f2950d210f",
"relationship--8bbe006d-57cf-40fe-845d-fa6330a07dd4",
"relationship--d34ef0ac-f579-4028-b079-6134c3ba9609",
"relationship--c31cd3b2-3b2b-403a-ace6-294d07474b98",
"relationship--112c8c22-3623-4e1d-9864-e990eb1964af",
"relationship--6ebde123-e714-4076-bddd-463d27bcbb48",
"relationship--9136d15f-db48-49a3-8ac0-f611558d0a15",
"relationship--0349b68f-4bc2-46a2-af6e-d36fd83042a5",
"relationship--12289648-d342-46bb-ab67-e67e22292e6b",
"relationship--fd8d907f-f705-443c-ac13-7059c40a8963",
"relationship--c20b12ee-2e2d-4a6c-b651-c30f80c57ac4",
"relationship--056502e1-7ae7-4a88-a801-947f6c020230",
"relationship--21954809-85a5-4958-b8db-ddc1b5603014",
"relationship--8b6bd872-0695-4f02-a580-5024f4aede8c",
"relationship--da7770c3-3a14-4d56-826e-396797850e4b",
"relationship--9a8fb7c8-e1c6-448d-85e8-fdc378ff8530",
"relationship--7f1eddde-f9ae-4bb3-ab94-0eb54c2b94f7",
"relationship--247e9e63-7e96-4ea0-8254-d89aa0925d94",
"relationship--bba0da91-0ded-4e20-ad99-9fc3bcac3d49",
"relationship--2a42c10f-2d53-4165-883f-9e25a55e6dc5",
"relationship--131bea11-05b9-4f82-a54a-39096838d5e6"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"workflow:state=\"incomplete\"",
"workflow:todo=\"create-missing-misp-galaxy-cluster-values\"",
"workflow:todo=\"create-missing-misp-galaxy-cluster\"",
"misp-galaxy:threat-actor=\"Sofacy\"",
"misp-galaxy:exploit-kit=\"Sednit EK\"",
"misp-galaxy:tool=\"GAMEFISH\"",
"misp-galaxy:mitre-malware=\"JHUHUGIT\"",
"misp-galaxy:tool=\"X-Tunnel\"",
"misp-galaxy:mitre-malware=\"XTunnel\"",
"misp-galaxy:mitre-malware=\"ADVSTORESHELL\"",
"misp-galaxy:tool=\"EVILTOSS\"",
"misp-galaxy:mitre-malware=\"USBStealer\"",
"misp-galaxy:tool=\"X-Agent\"",
"misp-galaxy:mitre-malware=\"XAgentOSX\"",
"misp-galaxy:mitre-malware=\"CHOPSTICK\"",
"misp-galaxy:exploit-kit=\"DealersChoice\"",
"misp-galaxy:mitre-malware=\"Downdelph\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a3c2fda-78f4-44b7-8366-46da02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:21.000Z",
"modified": "2017-12-21T22:05:21.000Z",
"first_observed": "2017-12-21T22:05:21Z",
"last_observed": "2017-12-21T22:05:21Z",
"number_observed": 1,
"object_refs": [
"url--5a3c2fda-78f4-44b7-8366-46da02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"osint:certainty=\"93\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a3c2fda-78f4-44b7-8366-46da02de0b81",
"value": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a3c2fee-7c8c-438a-8f7f-465402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:21.000Z",
"modified": "2017-12-21T22:05:21.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"osint:certainty=\"93\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The Sednit group \u2014 also known as Strontium, APT28, Fancy Bear or Sofacy\u2009\u2014\u2009is a group of attackers operating since 2004, if not earlier, and whose main objective is to steal confidential information from specific targets.\r\n\r\nThis article is a follow-up to ESET\u2019s presentation at BlueHat in November 2017. Late in 2016 we published a white paper covering Sednit activity between 2014 and 2016. Since then, we have continued to actively track Sednit\u2019s operations, and today we are publishing a brief overview of what our tracking uncovered in terms of the group\u2019s activities and updates to their toolset. The first section covers the update of their attack methodology: namely, the ways in which this group tries to compromise their targets systems. The second section covers the evolution of their tools, with a particular emphasis on a detailed analysis of a new version of their flagship malware: Xagent."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3c3045-ab0c-4d38-8efe-459002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:57.000Z",
"modified": "2017-12-21T22:05:57.000Z",
"description": "Xagent Samples",
"pattern": "[domain-name:value = 'movieultimate.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-21T22:05:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3c3045-61dc-495c-ae8a-471e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:57.000Z",
"modified": "2017-12-21T22:05:57.000Z",
"description": "Xagent Samples",
"pattern": "[domain-name:value = 'meteost.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-21T22:05:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3c3045-e354-4978-a6b4-49ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:57.000Z",
"modified": "2017-12-21T22:05:57.000Z",
"description": "Xagent Samples",
"pattern": "[domain-name:value = 'faststoragefiles.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-21T22:05:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3c3045-968c-4572-9f64-491502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:57.000Z",
"modified": "2017-12-21T22:05:57.000Z",
"description": "Xagent Samples",
"pattern": "[domain-name:value = 'nethostnet.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-21T22:05:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3c3045-eb44-433f-a13a-44b902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:57.000Z",
"modified": "2017-12-21T22:05:57.000Z",
"description": "Xagent Samples",
"pattern": "[domain-name:value = 'fsportal.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-21T22:05:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3c3045-6a88-479d-b799-4d3d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:57.000Z",
"modified": "2017-12-21T22:05:57.000Z",
"description": "Xagent Samples",
"pattern": "[domain-name:value = 'fastdataexchange.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-21T22:05:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3c3045-7480-4831-a5c4-48c802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-21T22:05:57.000Z",
"modified": "2017-12-21T22:05:57.000Z",
"description": "Xagent Samples",
"pattern": "[domain-name:value = 'newfilmts.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-21T22:05:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd5b6-9568-4342-b2ab-4c62950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T09:51:50.000Z",
"modified": "2017-12-22T09:51:50.000Z",
"description": "Win32/Sednit.AX",
"pattern": "[file:hashes.SHA1 = '68064fc152e23d56e541714af52651cb4ba81aaf' AND file:name = 'Bulletin.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T09:51:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd604-e11c-4de5-bbbf-c170950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T09:53:08.000Z",
"modified": "2017-12-22T09:53:08.000Z",
"description": "Win32/Exploit.CVE-2016-4117.A",
"pattern": "[file:hashes.SHA1 = 'f3805382ae2e23ff1147301d131a06e00e4ff75f' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T09:53:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd693-fd9c-4fcf-b69a-439c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T09:55:31.000Z",
"modified": "2017-12-22T09:55:31.000Z",
"description": "Win32/Exploit.Agent.NUB",
"pattern": "[file:hashes.SHA1 = '512bdfe937314ac3f195c462c395feeb36932971' AND file:name = 'OC_PSO_2017.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T09:55:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd6c2-d290-4787-910f-4e6d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T09:56:18.000Z",
"modified": "2017-12-22T09:56:18.000Z",
"description": "Win32/Exploit.Agent.NTR",
"pattern": "[file:hashes.SHA1 = '30b3e8c0f3f3cf200daa21c267ffab3cad64e68b' AND file:name = 'NASAMS.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T09:56:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd74e-1504-40ff-9a28-4501950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T09:58:38.000Z",
"modified": "2017-12-22T09:58:38.000Z",
"description": "Win32/Exploit.Agent.NTO",
"pattern": "[file:hashes.SHA1 = '4173b29a251cd9c1cab135f67cb60acab4ace0c5' AND file:name = 'Programm_Details.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T09:58:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd775-e4cc-44bb-89b6-4c5a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T09:59:17.000Z",
"modified": "2017-12-22T09:59:17.000Z",
"description": "Win32/Exploit.Agent.NTR",
"pattern": "[file:hashes.SHA1 = '12a37cfdd3f3671074dd5b0f354269cec028fb52' AND file:name = 'Operation_in_Mosul.rtf' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T09:59:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd82f-2788-4561-bbeb-5165950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:02:23.000Z",
"modified": "2017-12-22T10:02:23.000Z",
"description": "SWF/Agent.L",
"pattern": "[file:hashes.SHA1 = '15201766bd964b7c405aeb11db81457220c31e46' AND file:name = 'ARM-NATO_ENGLISH_30_NOV_2016.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:02:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd847-b5a0-42f7-ac4b-5165950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:02:47.000Z",
"modified": "2017-12-22T10:02:47.000Z",
"description": "Win32/Exploit.Agent.BL",
"pattern": "[file:hashes.SHA1 = '8078e411fbe33864dfd8f87ad5105cc1fd26d62e' AND file:name = 'Olympic-Agenda-2020-20-20-Recommendations.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:02:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd861-65c0-4b69-9429-4f37950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:03:13.000Z",
"modified": "2017-12-22T10:03:13.000Z",
"description": "Win32/Exploit.Agent.NUG",
"pattern": "[file:hashes.SHA1 = '33447383379ca99083442b852589111296f0c603' AND file:name = 'Merry_Christmas!.docx' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:03:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd87d-f514-4071-a5f7-4ec2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:03:41.000Z",
"modified": "2017-12-22T10:03:41.000Z",
"description": "Win32/Exploit.Agent.NWZ",
"pattern": "[file:hashes.SHA1 = 'd5235d136cfcadbef431eea7253d80bde414db9d' AND file:name = 'Trump\u2019s_Attack_on_Syria_English.docx' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:03:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd896-f6cc-4e52-bcb2-442c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:04:06.000Z",
"modified": "2017-12-22T10:04:06.000Z",
"description": "Win32/Sednit.BN",
"pattern": "[file:hashes.SHA1 = 'f293a2bfb728060c54efeeb03c5323893b5c80df' AND file:name = 'Hotel_Reservation_Form.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:04:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd8ae-54d0-46bb-adbb-4c5a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:04:30.000Z",
"modified": "2017-12-22T10:04:30.000Z",
"description": "Win32/Sednit.BN",
"pattern": "[file:hashes.SHA1 = 'bb10ed5d59672fbc6178e35d0feac0562513e9f0' AND file:name = 'SB_Doc_2017-3_Implementation_of_Key_Taskings_and_Next_Steps.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:04:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd8bb-a704-4f1d-a235-444e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:04:43.000Z",
"modified": "2017-12-22T10:04:43.000Z",
"pattern": "[file:hashes.SHA1 = '4873bafe44cff06845faa0ce7c270c4ce3c9f7b9' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:04:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd8c9-6568-406a-853c-4862950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:04:57.000Z",
"modified": "2017-12-22T10:04:57.000Z",
"pattern": "[file:hashes.SHA1 = '169c8f3e3d22e192c108bc95164d362ce5437465' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:04:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd8db-2838-4466-a986-4afb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:05:15.000Z",
"modified": "2017-12-22T10:05:15.000Z",
"description": "Win32/Sednit.BN",
"pattern": "[file:hashes.SHA1 = 'cc7607015cd7a1a4452acd3d87adabdd7e005bd7' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:05:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd8fb-cd14-4b00-9710-430c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:05:47.000Z",
"modified": "2017-12-22T10:05:47.000Z",
"description": "Win32/Exploit.Agent.NTM",
"pattern": "[file:hashes.SHA1 = '5d2c7d87995cc5b8184baba2c7a1900a48b2f42d' AND file:name = 'Caucasian_Eagle_ENG.docx' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:05:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd90e-538c-4b7e-95dc-5276950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:06:06.000Z",
"modified": "2017-12-22T10:06:06.000Z",
"description": "SWF/Exploit.CVE-2017-11292.A",
"pattern": "[file:hashes.SHA1 = '7aada8bcc0d1ab8ffb1f0fae4757789c6f5546a3' AND file:name = 'World War3.docx' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:06:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd927-e410-489c-abfc-4b63950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:06:31.000Z",
"modified": "2017-12-22T10:06:31.000Z",
"description": "VBA/DDE.E",
"pattern": "[file:hashes.SHA1 = '68c2809560c7623d2307d8797691abf3eafe319a' AND file:name = 'SaberGuardian2017.docx' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:06:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cd93c-716c-4918-a00f-4671950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:06:52.000Z",
"modified": "2017-12-22T10:06:52.000Z",
"description": "VBA/DDE.L",
"pattern": "[file:hashes.SHA1 = '1c6c700ceebfbe799e115582665105caa03c5c9e' AND file:name = 'IsisAttackInNewYork.docx' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:06:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cda96-85c4-45a1-82ea-c5ed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:17:09.000Z",
"modified": "2017-12-22T10:17:09.000Z",
"description": "Win64/Sednit.Z",
"pattern": "[file:hashes.SHA1 = '6f0fc0ebba3e4c8b26a69cdf519edf8d1aa2f4bb' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:17:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cdbc7-dbec-4b8c-8ba3-4c5a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:21:34.000Z",
"modified": "2017-12-22T10:21:34.000Z",
"description": "Win64/Sednit.Z",
"pattern": "[file:hashes.SHA1 = 'e19f753e514f6adec8f81bcdefb9117979e69627' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:21:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cdbf6-f814-491f-9f93-4c59950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:23:33.000Z",
"modified": "2017-12-22T10:23:33.000Z",
"description": "Win32/Sednit.BO",
"pattern": "[file:hashes.SHA1 = '961468ddd3d0fa25beb8210c81ba620f9170ed30' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:23:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cdc09-6fbc-4ca1-bfaa-c5ed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:22:52.000Z",
"modified": "2017-12-22T10:22:52.000Z",
"description": "Win32/Sednit.BO",
"pattern": "[file:hashes.SHA1 = 'a0719b50265505c8432616c0a4e14ed206981e95' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:22:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cdc21-856c-48bd-a757-4f4b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:23:49.000Z",
"modified": "2017-12-22T10:23:49.000Z",
"description": "Win64/Sednit.Y",
"pattern": "[file:hashes.SHA1 = '2cf6436b99d11d9d1e0c488af518e35162ecbc9c' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:23:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cdc37-89e8-4a2d-823a-4af8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:23:13.000Z",
"modified": "2017-12-22T10:23:13.000Z",
"description": "Win64/Sednit.Y",
"pattern": "[file:hashes.SHA1 = 'fec29b4f4dccc59770c65c128dfe4564d7c13d33' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:23:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cdc48-b9a0-4775-a03f-5156950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:22:12.000Z",
"modified": "2017-12-22T10:22:12.000Z",
"description": "Win64/Sednit.Z",
"pattern": "[file:hashes.SHA1 = '57d7f3d31c491f8aef4665ca4dd905c3c8a98795' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:22:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cdc5a-8760-4efa-949a-4c5a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:24:43.000Z",
"modified": "2017-12-22T10:24:43.000Z",
"description": "Win32/Sednit.BO",
"pattern": "[file:hashes.SHA1 = 'a3bf5b5cf5a5ef438a198a6f61f7225c0a4a7138' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:24:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3cdc72-1538-4c66-af46-427b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:24:27.000Z",
"modified": "2017-12-22T10:24:27.000Z",
"description": "Win32/Sednit.BO",
"pattern": "[file:hashes.SHA1 = '1958e722afd0dba266576922abc98aa505cf5f9a' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:24:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce3a9-f070-4403-a1f6-4b8c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:17:25.000Z",
"modified": "2017-12-22T13:17:25.000Z",
"description": "Win32/Sednit.AX\t",
"pattern": "[file:hashes.SHA1 = '9f6bed7d7f4728490117cbc85819c2e6c494251b' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T13:17:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce3c3-34b4-4e1f-b238-4399950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:15:38.000Z",
"modified": "2017-12-22T13:15:38.000Z",
"description": "Win32/Sednit.BS",
"pattern": "[file:hashes.SHA1 = '4bc722a9b0492a50bd86a1341f02c74c0d773db7' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T13:15:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce3d4-07bc-4af3-90fc-4798950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:16:40.000Z",
"modified": "2017-12-22T13:16:40.000Z",
"description": "Win32/Sednit.BS",
"pattern": "[file:hashes.SHA1 = 'ab354807e687993fbeb1b325eb6e4ab38d428a1e' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T13:16:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce3ea-580c-477c-9b73-4e57950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:17:09.000Z",
"modified": "2017-12-22T13:17:09.000Z",
"description": "Win32/Sednit.BR",
"pattern": "[file:hashes.SHA1 = '9c47ca3883196b3a84d67676a804ff50e22b0a9f' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T13:17:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce404-efc0-4f15-864e-55ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:07:56.000Z",
"modified": "2017-12-22T13:07:56.000Z",
"description": "Win32/Sednit.BN",
"pattern": "[file:hashes.SHA1 = '8a68f26d01372114f660e32ac4c9117e5d0577f1' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T13:07:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce417-7cd4-4c36-8a73-55ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:15:01.000Z",
"modified": "2017-12-22T13:15:01.000Z",
"description": "Win32/Sednit.BN",
"pattern": "[file:hashes.SHA1 = '476fc1d31722ac26b46154cbf0c631d60268b28a' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T13:15:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce42b-2e0c-4a26-b6c8-47a3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:08:51.000Z",
"modified": "2017-12-22T13:08:51.000Z",
"description": "Win32/Sednit.BN",
"pattern": "[file:hashes.SHA1 = 'f9fd3f1d8da4ffd6a494228b934549d09e3c59d1' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T13:08:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce43a-5478-4f65-95b2-4e1e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T13:12:22.000Z",
"modified": "2017-12-22T13:12:22.000Z",
"description": "Win32/Sednit.BG",
"pattern": "[file:hashes.SHA1 = 'e338d49c270baf64363879e5eecb8fa6bdde8ad9' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T13:12:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce44a-ce70-42b7-80b8-c328950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:05:56.000Z",
"modified": "2017-12-22T11:05:56.000Z",
"description": "Win32/Sednit.BG",
"pattern": "[file:hashes.SHA1 = '6e167da3c5d887fa2e58da848a2245d11b6c5ad6' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:05:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce58a-3198-4cb8-9d51-44e5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T10:59:22.000Z",
"modified": "2017-12-22T10:59:22.000Z",
"pattern": "[domain-name:value = 'servicecdp.com' AND domain-name:resolves_to_refs[*].value = '87.236.211.182']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T10:59:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce5f8-3418-4f7b-ae41-4bca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:01:12.000Z",
"modified": "2017-12-22T11:01:12.000Z",
"pattern": "[domain-name:value = 'wmdmediacodecs.com' AND domain-name:resolves_to_refs[*].value = '95.215.45.43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:01:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce60a-6db8-4212-b194-4339950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:01:30.000Z",
"modified": "2017-12-22T11:01:30.000Z",
"pattern": "[domain-name:value = 'mvband.net' AND domain-name:resolves_to_refs[*].value = '89.45.67.144']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:01:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce61a-c1f0-4c7c-b815-4fa9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:01:46.000Z",
"modified": "2017-12-22T11:01:46.000Z",
"pattern": "[domain-name:value = 'mvtband.net' AND domain-name:resolves_to_refs[*].value = '89.33.246.117']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:01:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce63e-0240-46f5-b9ed-4759950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:02:22.000Z",
"modified": "2017-12-22T11:02:22.000Z",
"pattern": "[domain-name:value = 'servicecdp.com' AND domain-name:resolves_to_refs[*].value = '87.236.211.182']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:02:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce64e-8bf8-4dc6-be49-437f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:02:38.000Z",
"modified": "2017-12-22T11:02:38.000Z",
"pattern": "[domain-name:value = 'runvercheck.com' AND domain-name:resolves_to_refs[*].value = '185.156.173.70']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:02:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce65c-fc40-4585-817e-4ca3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:02:52.000Z",
"modified": "2017-12-22T11:02:52.000Z",
"pattern": "[domain-name:value = 'remsupport.org' AND domain-name:resolves_to_refs[*].value = '191.101.31.96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:02:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce66e-70b4-47e7-b965-46f6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:03:10.000Z",
"modified": "2017-12-22T11:03:10.000Z",
"pattern": "[domain-name:value = 'viters.org' AND domain-name:resolves_to_refs[*].value = '89.187.150.44']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:03:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce680-90d4-478d-95db-48a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:03:28.000Z",
"modified": "2017-12-22T11:03:28.000Z",
"pattern": "[domain-name:value = 'myinvestgroup.com' AND domain-name:resolves_to_refs[*].value = '146.185.253.132']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:03:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce68d-1940-4ea6-becd-44fe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:03:41.000Z",
"modified": "2017-12-22T11:03:41.000Z",
"pattern": "[domain-name:value = 'space-delivery.com' AND domain-name:resolves_to_refs[*].value = '86.106.131.141']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:03:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce6a1-3f1c-4d5d-bac7-406d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:04:01.000Z",
"modified": "2017-12-22T11:04:01.000Z",
"pattern": "[domain-name:value = 'satellitedeluxpanorama.com' AND domain-name:resolves_to_refs[*].value = '89.34.111.160']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:04:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3ce6ae-98d8-4270-b88f-47f2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-22T11:04:14.000Z",
"modified": "2017-12-22T11:04:14.000Z",
"pattern": "[domain-name:value = 'webviewres.net' AND domain-name:resolves_to_refs[*].value = '185.216.35.26']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-22T11:04:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8bbe006d-57cf-40fe-845d-fa6330a07dd4",
"created": "2017-12-22T10:17:06.000Z",
"modified": "2017-12-22T10:17:06.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cda96-85c4-45a1-82ea-c5ed950d210f",
"target_ref": "indicator--5a3c3045-ab0c-4d38-8efe-459002de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d34ef0ac-f579-4028-b079-6134c3ba9609",
"created": "2017-12-22T10:21:31.000Z",
"modified": "2017-12-22T10:21:31.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cdbc7-dbec-4b8c-8ba3-4c5a950d210f",
"target_ref": "indicator--5a3c3045-61dc-495c-ae8a-471e02de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c31cd3b2-3b2b-403a-ace6-294d07474b98",
"created": "2017-12-22T10:23:30.000Z",
"modified": "2017-12-22T10:23:30.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cdbf6-f814-491f-9f93-4c59950d210f",
"target_ref": "indicator--5a3c3045-e354-4978-a6b4-49ad02de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--112c8c22-3623-4e1d-9864-e990eb1964af",
"created": "2017-12-22T10:22:49.000Z",
"modified": "2017-12-22T10:22:49.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cdc09-6fbc-4ca1-bfaa-c5ed950d210f",
"target_ref": "indicator--5a3c3045-968c-4572-9f64-491502de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6ebde123-e714-4076-bddd-463d27bcbb48",
"created": "2017-12-22T10:23:46.000Z",
"modified": "2017-12-22T10:23:46.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cdc21-856c-48bd-a757-4f4b950d210f",
"target_ref": "indicator--5a3c3045-e354-4978-a6b4-49ad02de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9136d15f-db48-49a3-8ac0-f611558d0a15",
"created": "2017-12-22T10:23:09.000Z",
"modified": "2017-12-22T10:23:09.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cdc37-89e8-4a2d-823a-4af8950d210f",
"target_ref": "indicator--5a3c3045-eb44-433f-a13a-44b902de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0349b68f-4bc2-46a2-af6e-d36fd83042a5",
"created": "2017-12-22T10:22:09.000Z",
"modified": "2017-12-22T10:22:09.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cdc48-b9a0-4775-a03f-5156950d210f",
"target_ref": "indicator--5a3c3045-6a88-479d-b799-4d3d02de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--12289648-d342-46bb-ab67-e67e22292e6b",
"created": "2017-12-22T10:24:40.000Z",
"modified": "2017-12-22T10:24:40.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cdc5a-8760-4efa-949a-4c5a950d210f",
"target_ref": "indicator--5a3c3045-7480-4831-a5c4-48c802de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fd8d907f-f705-443c-ac13-7059c40a8963",
"created": "2017-12-22T10:24:24.000Z",
"modified": "2017-12-22T10:24:24.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3cdc72-1538-4c66-af46-427b950d210f",
"target_ref": "indicator--5a3c3045-7480-4831-a5c4-48c802de0b81"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c20b12ee-2e2d-4a6c-b651-c30f80c57ac4",
"created": "2017-12-22T12:57:39.000Z",
"modified": "2017-12-22T12:57:39.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce3a9-f070-4403-a1f6-4b8c950d210f",
"target_ref": "indicator--5a3ce58a-3198-4cb8-9d51-44e5950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--056502e1-7ae7-4a88-a801-947f6c020230",
"created": "2017-12-22T13:15:18.000Z",
"modified": "2017-12-22T13:15:18.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce3c3-34b4-4e1f-b238-4399950d210f",
"target_ref": "indicator--5a3ce6ae-98d8-4270-b88f-47f2950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--21954809-85a5-4958-b8db-ddc1b5603014",
"created": "2017-12-22T13:15:28.000Z",
"modified": "2017-12-22T13:15:28.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce3d4-07bc-4af3-90fc-4798950d210f",
"target_ref": "indicator--5a3ce6a1-3f1c-4d5d-bac7-406d950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8b6bd872-0695-4f02-a580-5024f4aede8c",
"created": "2017-12-22T13:16:54.000Z",
"modified": "2017-12-22T13:16:54.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce3ea-580c-477c-9b73-4e57950d210f",
"target_ref": "indicator--5a3ce68d-1940-4ea6-becd-44fe950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--da7770c3-3a14-4d56-826e-396797850e4b",
"created": "2017-12-22T13:07:24.000Z",
"modified": "2017-12-22T13:07:24.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce404-efc0-4f15-864e-55ea950d210f",
"target_ref": "indicator--5a3ce680-90d4-478d-95db-48a6950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9a8fb7c8-e1c6-448d-85e8-fdc378ff8530",
"created": "2017-12-22T13:14:43.000Z",
"modified": "2017-12-22T13:14:43.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce417-7cd4-4c36-8a73-55ea950d210f",
"target_ref": "indicator--5a3ce66e-70b4-47e7-b965-46f6950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7f1eddde-f9ae-4bb3-ab94-0eb54c2b94f7",
"created": "2017-12-22T13:08:26.000Z",
"modified": "2017-12-22T13:08:26.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce42b-2e0c-4a26-b6c8-47a3950d210f",
"target_ref": "indicator--5a3ce60a-6db8-4212-b194-4339950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--247e9e63-7e96-4ea0-8254-d89aa0925d94",
"created": "2017-12-22T13:08:37.000Z",
"modified": "2017-12-22T13:08:37.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce42b-2e0c-4a26-b6c8-47a3950d210f",
"target_ref": "indicator--5a3ce61a-c1f0-4c7c-b815-4fa9950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bba0da91-0ded-4e20-ad99-9fc3bcac3d49",
"created": "2017-12-22T13:12:00.000Z",
"modified": "2017-12-22T13:12:00.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce43a-5478-4f65-95b2-4e1e950d210f",
"target_ref": "indicator--5a3ce5f8-3418-4f7b-ae41-4bca950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2a42c10f-2d53-4165-883f-9e25a55e6dc5",
"created": "2017-12-22T11:05:34.000Z",
"modified": "2017-12-22T11:05:34.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce44a-ce70-42b7-80b8-c328950d210f",
"target_ref": "indicator--5a3ce64e-8bf8-4dc6-be49-437f950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--131bea11-05b9-4f82-a54a-39096838d5e6",
"created": "2017-12-22T11:05:53.000Z",
"modified": "2017-12-22T11:05:53.000Z",
"relationship_type": "communicates-with",
"source_ref": "indicator--5a3ce44a-ce70-42b7-80b8-c328950d210f",
"target_ref": "indicator--5a3ce65c-fc40-4585-817e-4ca3950d210f"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}