
{
"type": "bundle",
"id": "bundle--5894f679-33c8-4642-8e51-8cd902de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:42:04.000Z",
"modified": "2017-02-03T21:42:04.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5894f679-33c8-4642-8e51-8cd902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:42:04.000Z",
"modified": "2017-02-03T21:42:04.000Z",
"name": "OSINT - Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX",
"published": "2017-02-03T21:42:45Z",
"object_refs": [
"observed-data--5894f698-4df4-47de-b058-46c802de0b81",
"url--5894f698-4df4-47de-b058-46c802de0b81",
"x-misp-attribute--5894f6c6-9b98-41eb-b759-8c2302de0b81",
"indicator--5894f6e9-7698-4db5-a2eb-0e7202de0b81",
"indicator--5894f6ea-77c0-486b-8d81-0e7202de0b81",
"indicator--5894f6eb-9078-49f1-b87a-0e7202de0b81",
"indicator--5894f6ec-097c-4ee6-8414-0e7202de0b81",
"indicator--5894f6f9-2cdc-41c8-ab62-0e7202de0b81",
"indicator--5894f6f9-a598-441c-a2aa-0e7202de0b81",
"indicator--5894f6fa-0710-41ae-9c18-0e7202de0b81",
"indicator--5894f706-d434-43d7-9e92-7dba02de0b81",
"indicator--5894f723-62b8-46b9-afb1-46f902de0b81",
"indicator--5894f724-9ac4-45a9-a528-49d502de0b81",
"indicator--5894f725-8180-42cc-984f-4bf402de0b81",
"indicator--5894f725-24a0-42bc-8861-4c4e02de0b81",
"indicator--5894f726-3c9c-4193-97b1-4aeb02de0b81",
"indicator--5894f727-1fc0-4264-89e3-486002de0b81",
"indicator--5894f727-35dc-4fd4-af4e-480702de0b81",
"indicator--5894f728-2060-4201-bb24-445802de0b81",
"indicator--5894f729-c338-490f-87b2-4c6f02de0b81",
"indicator--5894f72a-8a18-4468-b070-45d802de0b81",
"indicator--5894f72a-e3e4-4456-99ee-4c0b02de0b81",
"indicator--5894f72b-b238-4c1f-bc46-493402de0b81",
"indicator--5894f72c-24ec-4712-88ac-4db202de0b81",
"indicator--5894f72d-7a14-48bb-b228-477a02de0b81",
"indicator--5894f72d-e640-46be-87db-49f402de0b81",
"indicator--5894f72e-a43c-407a-90dc-4c1002de0b81",
"indicator--5894f73c-e224-4212-8b2a-451802de0b81",
"indicator--5894f73d-5e10-469f-96a3-469e02de0b81",
"indicator--5894f73d-256c-4459-9e24-474e02de0b81",
"indicator--5894f74a-0890-451d-b6bc-4bfb02de0b81",
"indicator--5894f74b-66dc-4ac3-90d3-40ed02de0b81",
"indicator--5894f74c-b294-41b6-932a-4c8c02de0b81",
"indicator--5894f75d-0acc-47e4-95c8-8cd702de0b81",
"indicator--5894f75e-13d0-4093-8d7b-8cd702de0b81",
"indicator--5894f76e-ebe4-4ea0-aea4-4fe002de0b81",
"indicator--5894f76e-29f0-4a49-bdf5-44dd02de0b81",
"x-misp-attribute--5894f78e-8c64-40bf-8132-8cd902de0b81",
"indicator--5894f7a4-f394-4ffe-9c10-874d02de0b81",
"indicator--5894f7a4-201c-49b5-b4f9-874d02de0b81",
"observed-data--5894f7a5-f100-47d2-84f6-874d02de0b81",
"url--5894f7a5-f100-47d2-84f6-874d02de0b81",
"indicator--5894f7a6-0548-474e-9571-874d02de0b81",
"indicator--5894f7a7-22f4-4785-87ce-874d02de0b81",
"observed-data--5894f7a7-1b30-4134-a970-874d02de0b81",
"url--5894f7a7-1b30-4134-a970-874d02de0b81",
"indicator--5894f7a8-a7b8-4ba8-974b-874d02de0b81",
"indicator--5894f7a9-6a58-4577-8ed7-874d02de0b81",
"observed-data--5894f7aa-8818-40c8-816c-874d02de0b81",
"url--5894f7aa-8818-40c8-816c-874d02de0b81",
"indicator--5894f7ab-3024-4e0e-be6b-874d02de0b81",
"indicator--5894f7ac-b12c-461e-9e7d-874d02de0b81",
"observed-data--5894f7ac-767c-4d03-8433-874d02de0b81",
"url--5894f7ac-767c-4d03-8433-874d02de0b81",
"indicator--5894f7ad-b52c-4b44-b537-874d02de0b81",
"indicator--5894f7ae-4d58-447b-8832-874d02de0b81",
"observed-data--5894f7af-f3d0-48fd-b5da-874d02de0b81",
"url--5894f7af-f3d0-48fd-b5da-874d02de0b81",
"indicator--5894f7af-5cd4-48a3-aa87-874d02de0b81",
"indicator--5894f7b0-cf18-49f4-bf02-874d02de0b81",
"observed-data--5894f7b1-f3b4-46dc-bc97-874d02de0b81",
"url--5894f7b1-f3b4-46dc-bc97-874d02de0b81",
"indicator--5894f7b2-495c-4bb6-ae90-874d02de0b81",
"indicator--5894f7b3-42e4-482d-bbdc-874d02de0b81",
"observed-data--5894f7b3-5d58-4632-a725-874d02de0b81",
"url--5894f7b3-5d58-4632-a725-874d02de0b81",
"indicator--5894f7b4-399c-4bb3-9bc3-874d02de0b81",
"indicator--5894f7b5-f100-42f2-8f76-874d02de0b81",
"observed-data--5894f7b6-9ba4-4b30-9289-874d02de0b81",
"url--5894f7b6-9ba4-4b30-9289-874d02de0b81",
"indicator--5894f7b7-45e4-4820-95f9-874d02de0b81",
"indicator--5894f7b7-4fec-43df-946b-874d02de0b81",
"observed-data--5894f7b8-b570-45da-849c-874d02de0b81",
"url--5894f7b8-b570-45da-849c-874d02de0b81",
"indicator--5894f7b9-2e88-4ddc-80cc-874d02de0b81",
"indicator--5894f7ba-6218-4476-8b6a-874d02de0b81",
"observed-data--5894f7bb-4cc4-4cdb-af81-874d02de0b81",
"url--5894f7bb-4cc4-4cdb-af81-874d02de0b81",
"indicator--5894f7bb-8cd4-4351-87ea-874d02de0b81",
"indicator--5894f7bc-f890-45eb-97c1-874d02de0b81",
"observed-data--5894f7bd-267c-49fa-9bc8-874d02de0b81",
"url--5894f7bd-267c-49fa-9bc8-874d02de0b81",
"indicator--5894f7be-9a98-410c-89b1-874d02de0b81",
"indicator--5894f7be-f7c8-49e9-b21b-874d02de0b81",
"observed-data--5894f7bf-05a0-4442-a42c-874d02de0b81",
"url--5894f7bf-05a0-4442-a42c-874d02de0b81",
"indicator--5894f7c0-8550-4723-97db-874d02de0b81",
"indicator--5894f7c1-0ac8-487d-8ce2-874d02de0b81",
"observed-data--5894f7c1-3fd0-45f4-9dd3-874d02de0b81",
"url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81",
"indicator--5894f7c2-966c-4b2f-8bd8-874d02de0b81",
"indicator--5894f7c3-0314-4673-86b4-874d02de0b81",
"observed-data--5894f7c4-1b28-4ff0-98ea-874d02de0b81",
"url--5894f7c4-1b28-4ff0-98ea-874d02de0b81",
"indicator--5894f7c4-8ce0-4857-810d-874d02de0b81",
"indicator--5894f7c5-95c8-4da7-8c5d-874d02de0b81",
"observed-data--5894f7c6-d09c-4b4c-ad3b-874d02de0b81",
"url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81",
"indicator--5894f7c6-6274-4788-ab7c-874d02de0b81",
"indicator--5894f7c7-073c-4308-a20e-874d02de0b81",
"observed-data--5894f7c8-f694-487b-8647-874d02de0b81",
"url--5894f7c8-f694-487b-8647-874d02de0b81",
"indicator--5894f7c9-35bc-46bd-8b25-874d02de0b81",
"indicator--5894f7ca-5fa4-4da5-a064-874d02de0b81",
"observed-data--5894f7cb-6d18-4303-ac70-874d02de0b81",
"url--5894f7cb-6d18-4303-ac70-874d02de0b81",
"indicator--5894f7cc-0218-4f9d-bf11-874d02de0b81",
"indicator--5894f7cd-6124-481c-a7a6-874d02de0b81",
"observed-data--5894f7cd-b09c-43b5-976f-874d02de0b81",
"url--5894f7cd-b09c-43b5-976f-874d02de0b81",
"indicator--5894f7ce-f1fc-46b6-8ead-874d02de0b81",
"indicator--5894f7cf-43bc-4b5f-a376-874d02de0b81",
"observed-data--5894f7cf-fe64-4c55-a629-874d02de0b81",
"url--5894f7cf-fe64-4c55-a629-874d02de0b81",
"indicator--5894f7d0-7268-45dd-99ea-874d02de0b81",
"indicator--5894f7d1-b6c4-46c5-b719-874d02de0b81",
"observed-data--5894f7d2-da64-4b71-9c5f-874d02de0b81",
"url--5894f7d2-da64-4b71-9c5f-874d02de0b81",
"indicator--5894f7d3-69c0-40e2-985d-874d02de0b81",
"indicator--5894f7d3-bd40-4342-a53f-874d02de0b81",
"observed-data--5894f7d4-856c-4159-9e00-874d02de0b81",
"url--5894f7d4-856c-4159-9e00-874d02de0b81",
"indicator--5894f7d5-3984-430e-9e61-874d02de0b81",
"indicator--5894f7d6-9608-4941-85f5-874d02de0b81",
"observed-data--5894f7d6-8534-4c0f-b126-874d02de0b81",
"url--5894f7d6-8534-4c0f-b126-874d02de0b81",
"indicator--5894f7d7-e764-48d6-898c-874d02de0b81",
"indicator--5894f7d8-7d10-403d-b3fa-874d02de0b81",
"observed-data--5894f7d9-afd0-47c3-bfdf-874d02de0b81",
"url--5894f7d9-afd0-47c3-bfdf-874d02de0b81",
"observed-data--5894f8d2-d7e0-4225-834c-874d02de0b81",
"url--5894f8d2-d7e0-4225-834c-874d02de0b81",
"observed-data--5894f8d2-f494-476c-a034-874d02de0b81",
"url--5894f8d2-f494-476c-a034-874d02de0b81",
"observed-data--5894f8d3-6008-437d-bec0-874d02de0b81",
"url--5894f8d3-6008-437d-bec0-874d02de0b81",
"observed-data--5894f8d4-7700-4a87-8aa3-874d02de0b81",
"url--5894f8d4-7700-4a87-8aa3-874d02de0b81",
"observed-data--5894f8d5-a2c4-41d4-b4b7-874d02de0b81",
"url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"PlugX\"",
"misp-galaxy:tool=\"ZeroT\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f698-4df4-47de-b058-46c802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:31:25.000Z",
"modified": "2017-02-03T21:31:25.000Z",
"first_observed": "2017-02-03T21:31:25Z",
"last_observed": "2017-02-03T21:31:25Z",
"number_observed": 1,
"object_refs": [
"url--5894f698-4df4-47de-b058-46c802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f698-4df4-47de-b058-46c802de0b81",
"value": "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5894f6c6-9b98-41eb-b759-8c2302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:31:50.000Z",
"modified": "2017-02-03T21:31:50.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Although state-sponsored attacks against the United States by Chinese threat actors have decreased dramatically since the signing of the US-China Cyber Agreement in 2016, Proofpoint researchers have continued to observe advanced persistent threat (APT) activity associated with Chinese actors targeting other regions. We have previously written about related activity [2][3] in which a particular China-based attack group used PlugX and NetTraveler Trojans for espionage in Europe, Russia, Mongolia, Belarus, and other neighboring countries. Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.\r\n\r\nThis blog details the function of the new malware, provides delivery details for elements of the APT activity, and describes additional changes in tactics, techniques, and procedures (TTPs) associated with this group."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f6e9-7698-4db5-a2eb-0e7202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:32:25.000Z",
"modified": "2017-02-03T21:32:25.000Z",
"description": "RAR / 7-Zip archives",
"pattern": "[file:hashes.SHA256 = '38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:32:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f6ea-77c0-486b-8d81-0e7202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:32:26.000Z",
"modified": "2017-02-03T21:32:26.000Z",
"description": "RAR / 7-Zip archives",
"pattern": "[file:hashes.SHA256 = 'ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:32:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f6eb-9078-49f1-b87a-0e7202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:32:27.000Z",
"modified": "2017-02-03T21:32:27.000Z",
"description": "RAR / 7-Zip archives",
"pattern": "[file:hashes.SHA256 = 'ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:32:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f6ec-097c-4ee6-8414-0e7202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:32:28.000Z",
"modified": "2017-02-03T21:32:28.000Z",
"description": "RAR / 7-Zip archives",
"pattern": "[file:hashes.SHA256 = 'f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:32:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f6f9-2cdc-41c8-ab62-0e7202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:32:41.000Z",
"modified": "2017-02-03T21:32:41.000Z",
"description": "CHM droppers",
"pattern": "[file:hashes.SHA256 = '4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:32:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f6f9-a598-441c-a2aa-0e7202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:32:41.000Z",
"modified": "2017-02-03T21:32:41.000Z",
"description": "CHM droppers",
"pattern": "[file:hashes.SHA256 = 'ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:32:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f6fa-0710-41ae-9c18-0e7202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:32:42.000Z",
"modified": "2017-02-03T21:32:42.000Z",
"description": "CHM droppers",
"pattern": "[file:hashes.SHA256 = '74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:32:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f706-d434-43d7-9e92-7dba02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:32:54.000Z",
"modified": "2017-02-03T21:32:54.000Z",
"description": "Word Exploit documents",
"pattern": "[file:hashes.SHA256 = '9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:32:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f723-62b8-46b9-afb1-46f902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:23.000Z",
"modified": "2017-02-03T21:33:23.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = '09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f724-9ac4-45a9-a528-49d502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:24.000Z",
"modified": "2017-02-03T21:33:24.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = '1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f725-8180-42cc-984f-4bf402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:25.000Z",
"modified": "2017-02-03T21:33:25.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = '399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f725-24a0-42bc-8861-4c4e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:25.000Z",
"modified": "2017-02-03T21:33:25.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = '3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f726-3c9c-4193-97b1-4aeb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:26.000Z",
"modified": "2017-02-03T21:33:26.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = '67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f727-1fc0-4264-89e3-486002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:27.000Z",
"modified": "2017-02-03T21:33:27.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = '74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f727-35dc-4fd4-af4e-480702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:27.000Z",
"modified": "2017-02-03T21:33:27.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f728-2060-4201-bb24-445802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:28.000Z",
"modified": "2017-02-03T21:33:28.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f729-c338-490f-87b2-4c6f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:29.000Z",
"modified": "2017-02-03T21:33:29.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f72a-8a18-4468-b070-45d802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:30.000Z",
"modified": "2017-02-03T21:33:30.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f72a-e3e4-4456-99ee-4c0b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:30.000Z",
"modified": "2017-02-03T21:33:30.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f72b-b238-4c1f-bc46-493402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:31.000Z",
"modified": "2017-02-03T21:33:31.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f72c-24ec-4712-88ac-4db202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:32.000Z",
"modified": "2017-02-03T21:33:32.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'c5d022f0815aeaa27afb8f1efbce2771d95914be881d288b0841713dbbbeda1a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f72d-7a14-48bb-b228-477a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:33.000Z",
"modified": "2017-02-03T21:33:33.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'd1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f72d-e640-46be-87db-49f402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:33.000Z",
"modified": "2017-02-03T21:33:33.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = 'fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f72e-a43c-407a-90dc-4c1002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:34.000Z",
"modified": "2017-02-03T21:33:34.000Z",
"description": "ZeroT",
"pattern": "[file:hashes.SHA256 = '97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f73c-e224-4212-8b2a-451802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:48.000Z",
"modified": "2017-02-03T21:33:48.000Z",
"description": "PlugX",
"pattern": "[file:hashes.SHA256 = 'b185401a8562614ef42a84bc29f6c21aca31b7811c2c0e680f455b061229a77f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f73d-5e10-469f-96a3-469e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:49.000Z",
"modified": "2017-02-03T21:33:49.000Z",
"description": "PlugX",
"pattern": "[file:hashes.SHA256 = '3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f73d-256c-4459-9e24-474e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:33:49.000Z",
"modified": "2017-02-03T21:33:49.000Z",
"description": "PlugX",
"pattern": "[file:hashes.SHA256 = '07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:33:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f74a-0890-451d-b6bc-4bfb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:34:02.000Z",
"modified": "2017-02-03T21:34:02.000Z",
"description": "ZeroT C&C",
"pattern": "[domain-name:value = 'www.tassnews.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:34:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f74b-66dc-4ac3-90d3-40ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:34:03.000Z",
"modified": "2017-02-03T21:34:03.000Z",
"description": "ZeroT C&C",
"pattern": "[domain-name:value = 'www.versig.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:34:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f74c-b294-41b6-932a-4c8c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:34:04.000Z",
"modified": "2017-02-03T21:34:04.000Z",
"description": "ZeroT C&C",
"pattern": "[domain-name:value = 'www.riaru.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:34:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f75d-0acc-47e4-95c8-8cd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:34:21.000Z",
"modified": "2017-02-03T21:34:21.000Z",
"description": "PlugX C&C",
"pattern": "[domain-name:value = 'www.micrnet.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:34:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f75e-13d0-4093-8d7b-8cd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:34:22.000Z",
"modified": "2017-02-03T21:34:22.000Z",
"description": "PlugX C&C",
"pattern": "[domain-name:value = 'www.dicemention.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:34:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f76e-ebe4-4ea0-aea4-4fe002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:34:38.000Z",
"modified": "2017-02-03T21:34:38.000Z",
"description": "Likely Related C&C",
"pattern": "[domain-name:value = 'www.rumiany.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:34:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f76e-29f0-4a49-bdf5-44dd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:34:38.000Z",
"modified": "2017-02-03T21:34:38.000Z",
"description": "Likely related C&C - lower-confidence attribution than the ZeroT and PlugX C&C domains in this event; it is still flagged to_ids, so treat a match as a triage lead rather than a confirmed compromise",
"pattern": "[domain-name:value = 'www.yandcx.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:34:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5894f78e-8c64-40bf-8132-8cd902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:10.000Z",
"modified": "2017-02-03T21:35:10.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Appendix A: Example PlugX Configuration\r\n\r\nSample hash: 07343a069dd2340a63bc04ba2e5c6fad4f9e3cf8a6226eb2a82eb4edc4926f67\r\n\r\nPlugX Config (0x36a4 bytes):\r\n\r\n Hide Dll: 0\r\n\r\n Keylogger: -1\r\n\r\n Sleep1: 167772160\r\n\r\n Sleep2: 0\r\n\r\n Cnc: www.micrnet[.]net:80 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:80 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:80 (UDP)\r\n\r\n Cnc: www.micrnet[.]net:443 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:443 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:443 (UDP)\r\n\r\n Cnc: www.micrnet[.]net:53 (HTTP / UDP)\r\n\r\n Cnc: www.micrnet[.]net:53 (TCP / HTTP)\r\n\r\n Cnc: www.micrnet[.]net:53 (UDP)\r\n\r\n Persistence: Run key\r\n\r\n Install Folder: %AUTO%\\TCMyXfeFAd\r\n\r\n Service Name: pQwEPnz\r\n\r\n Service Display Name: pQwEPnz\r\n\r\n Service Des%WINDIR%\\pQwEPnz Service\r\n\r\n Reg Hive: HKCU\r\n\r\n Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n Reg Value: mJqyCsNGBsge\r\n\r\n Injection: 1\r\n\r\n Inject Process: %windir%\\explorer.exe\r\n\r\n Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n\r\n Inject Process: %windir%\\system32\\svchost.exe\r\n\r\n Uac Bypass Injection: 1\r\n\r\n Uac Bypass Inject: %windir%\\explorer.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n\r\n Plugx Auth Str: TEST\r\n\r\n Cnc Auth Str: DuICS\r\n\r\n Mutex: Global\\WtMKAPYYxoWMoWW\r\n\r\n Screenshots: 0\r\n\r\n Screenshots Sec: 10\r\n\r\n Screenshots Zoom: 50\r\n\r\n Screenshots Bits: 16\r\n\r\n Screenshots Qual: 50\r\n\r\n Screenshots Keep: 3\r\n\r\n Screenshot Folder: %AUTO%\\FS\\screen\r\n\r\n Enable Tcp P2P: 1\r\n\r\n Tcp P2P Port: 1357\r\n\r\n Enable Udp P2P: 1\r\n\r\n Udp P2P Port: 1357\r\n\r\n Enable Icmp P2P: 1\r\n\r\n Icmp P2P Port: 1357\r\n\r\n Enable Ipproto P2P: 1\r\n\r\n Ipproto P2P Port: 1357\r\n\r\n Enable P2P Scan: 
1\r\n\r\n P2P Start Scan1: 0.0.0.0\r\n\r\n P2P Start Scan2: 0.0.0.0\r\n\r\n P2P Start Scan3: 0.0.0.0\r\n\r\n P2P Start Scan4: 0.0.0.0\r\n\r\n P2P End Scan1: 0.0.0.0\r\n\r\n P2P End Scan2: 0.0.0.0\r\n\r\n P2P End Scan3: 0.0.0.0\r\n\r\n P2P End Scan4: 0.0.0.0\r\n\r\n Mac Disable: 00:00:00:00:00:00\r\n\r\nAppendix B: Example PlugX Configuration\r\n\r\nSample hash: 3149fb0ddd89b77ecfb797c4ab4676c63d157a6b22ba4c8f98e8478c24104dfa\r\n\r\nProcess: fsguidll.exe (3980)\r\n\r\nPlugX Config (0x36a4 bytes):\r\n\r\n Hide Dll: 0\r\n\r\n Keylogger: -1\r\n\r\n Sleep1: 167772160\r\n\r\n Sleep2: 0\r\n\r\n Cnc: www.dicemention[.]com:80 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:443 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:25 (HTTP / UDP)\r\n\r\n Cnc: www.dicemention[.]com:80 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:443 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:25 (TCP / HTTP)\r\n\r\n Cnc: www.dicemention[.]com:80 (UDP)\r\n\r\n Cnc: www.dicemention[.]com:443 (UDP)\r\n\r\n Cnc: www.dicemention[.]com:25 (UDP)\r\n\r\n Persistence: Service + Run Key\r\n\r\n Install Folder: %AUTO%\\IZBpIciif\r\n\r\n Service Name: yAjUgUdMGHuvGaZ\r\n\r\n Service Display Name: yAjUgUdMGHuvGaZ\r\n\r\n Service Des%WINDIR%\\yAjUgUdMGHuvGaZ Service\r\n\r\n Reg Hive: HKCU\r\n\r\n Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\n Reg Value: RqdFqFSYaBx\r\n\r\n Injection: 1\r\n\r\n Inject Process: %windir%\\system32\\svchost.exe\r\n\r\n Inject Process: %windir%\\explorer.exe\r\n\r\n Inject Process: %ProgramFiles%\\Internet Explorer\\iexplore.exe\r\n\r\n Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n\r\n Uac Bypass Injection: 1\r\n\r\n Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n\r\n Uac Bypass Inject: %windir%\\explorer.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n\r\n Uac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n\r\n Plugx Auth Str: TEST\r\n\r\n Cnc Auth Str: NBz\r\n\r\n Mutex: 
Global\\ksMoQGOTIBJXumYclXtcsAnx\r\n\r\n Screenshots: 0\r\n\r\n Screenshots Sec: 10\r\n\r\n Screenshots Zoom: 50\r\n\r\n Screenshots Bits: 16\r\n\r\n Screenshots Qual: 50\r\n\r\n Screenshots Keep: 3\r\n\r\n Screenshot Folder: %AUTO%\\FS\\screen\r\n\r\n Enable Tcp P2P: 1\r\n\r\n Tcp P2P Port: 1357\r\n\r\n Enable Udp P2P: 1\r\n\r\n Udp P2P Port: 1357\r\n\r\n Enable Icmp P2P: 1\r\n\r\n Icmp P2P Port: 1357\r\n\r\n Enable Ipproto P2P: 1\r\n\r\n Ipproto P2P Port: 1357\r\n\r\n Enable P2P Scan: 1\r\n\r\n P2P Start Scan1: 0.0.0.0\r\n\r\n P2P Start Scan2: 0.0.0.0\r\n\r\n P2P Start Scan3: 0.0.0.0\r\n\r\n P2P Start Scan4: 0.0.0.0\r\n\r\n P2P End Scan1: 0.0.0.0\r\n\r\n P2P End Scan2: 0.0.0.0\r\n\r\n P2P End Scan3: 0.0.0.0\r\n\r\n P2P End Scan4: 0.0.0.0\r\n\r\n Mac Disable: 00:00:00:00:00:00"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7a4-f394-4ffe-9c10-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:31.000Z",
"modified": "2017-02-03T21:35:31.000Z",
"description": "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4",
"pattern": "[file:hashes.SHA1 = 'ddd643d447e6ff3af7298c2a1858b52f86fcd0ef']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7a4-201c-49b5-b4f9-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:32.000Z",
"modified": "2017-02-03T21:35:32.000Z",
"description": "ZeroT - Xchecked via VT: 97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4",
"pattern": "[file:hashes.MD5 = 'c7a4292834dd2f75577af3a1fcaaf7b4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7a5-f100-47d2-84f6-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:33.000Z",
"modified": "2017-02-03T21:35:33.000Z",
"first_observed": "2017-02-03T21:35:33Z",
"last_observed": "2017-02-03T21:35:33Z",
"number_observed": 1,
"object_refs": [
"url--5894f7a5-f100-47d2-84f6-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7a5-f100-47d2-84f6-874d02de0b81",
"value": "https://www.virustotal.com/file/97016593c53c7eeecd9d3a2788199f6473899ca8f07fafcd4173464f38ee0ab4/analysis/1481642491/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7a6-0548-474e-9571-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:34.000Z",
"modified": "2017-02-03T21:35:34.000Z",
"description": "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478",
"pattern": "[file:hashes.SHA1 = '4b7088444def62d77c00efd11c3a16e0f26c54c9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7a7-22f4-4785-87ce-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:35.000Z",
"modified": "2017-02-03T21:35:35.000Z",
"description": "ZeroT - Xchecked via VT: fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478",
"pattern": "[file:hashes.MD5 = '0892d0e0cf63d50a8ea8d55baea4ea33']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7a7-1b30-4134-a970-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:35.000Z",
"modified": "2017-02-03T21:35:35.000Z",
"first_observed": "2017-02-03T21:35:35Z",
"last_observed": "2017-02-03T21:35:35Z",
"number_observed": 1,
"object_refs": [
"url--5894f7a7-1b30-4134-a970-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7a7-1b30-4134-a970-874d02de0b81",
"value": "https://www.virustotal.com/file/fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478/analysis/1469547952/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7a8-a7b8-4ba8-974b-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:36.000Z",
"modified": "2017-02-03T21:35:36.000Z",
"description": "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375",
"pattern": "[file:hashes.SHA1 = 'fd33857fdc9f88c258920a1d53bfcd5f79ecabb7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7a9-6a58-4577-8ed7-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:37.000Z",
"modified": "2017-02-03T21:35:37.000Z",
"description": "ZeroT - Xchecked via VT: d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375",
"pattern": "[file:hashes.MD5 = '0b227712315620cd737809f288a32f2b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7aa-8818-40c8-816c-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:38.000Z",
"modified": "2017-02-03T21:35:38.000Z",
"first_observed": "2017-02-03T21:35:38Z",
"last_observed": "2017-02-03T21:35:38Z",
"number_observed": 1,
"object_refs": [
"url--5894f7aa-8818-40c8-816c-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7aa-8818-40c8-816c-874d02de0b81",
"value": "https://www.virustotal.com/file/d1c4a51064aeec4c11a8f90f80a3b60a36c07cce2dde0756c114e477d63ce375/analysis/1479838803/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7ab-3024-4e0e-be6b-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:39.000Z",
"modified": "2017-02-03T21:35:39.000Z",
"description": "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d",
"pattern": "[file:hashes.SHA1 = 'f4425e0a543e3efda38378c0884d8e2200d2821a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7ac-b12c-461e-9e7d-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:40.000Z",
"modified": "2017-02-03T21:35:40.000Z",
"description": "ZeroT - Xchecked via VT: c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d",
"pattern": "[file:hashes.MD5 = '0530c718660fa2d1b4679570c7d0ae97']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7ac-767c-4d03-8433-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:40.000Z",
"modified": "2017-02-03T21:35:40.000Z",
"first_observed": "2017-02-03T21:35:40Z",
"last_observed": "2017-02-03T21:35:40Z",
"number_observed": 1,
"object_refs": [
"url--5894f7ac-767c-4d03-8433-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7ac-767c-4d03-8433-874d02de0b81",
"value": "https://www.virustotal.com/file/c15255b9a55e7a025cf36aca85eb6cc48571d0b997a93d4dfa4eacb49001cc8d/analysis/1477322459/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7ad-b52c-4b44-b537-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:41.000Z",
"modified": "2017-02-03T21:35:41.000Z",
"description": "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8",
"pattern": "[file:hashes.SHA1 = '935d02e4e5077c14df649b9887722b9cddcca4b7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7ae-4d58-447b-8832-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:42.000Z",
"modified": "2017-02-03T21:35:42.000Z",
"description": "ZeroT - Xchecked via VT: b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8",
"pattern": "[file:hashes.MD5 = 'b1b4b54dfa4b57885a74ef1c4a7cb6d6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7af-f3d0-48fd-b5da-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:43.000Z",
"modified": "2017-02-03T21:35:43.000Z",
"first_observed": "2017-02-03T21:35:43Z",
"last_observed": "2017-02-03T21:35:43Z",
"number_observed": 1,
"object_refs": [
"url--5894f7af-f3d0-48fd-b5da-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7af-f3d0-48fd-b5da-874d02de0b81",
"value": "https://www.virustotal.com/file/b7ee556d1d1b83c5ce6b0c903244c1d3b79654cb950105b2c03996cdd4a70be8/analysis/1486130149/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7af-5cd4-48a3-aa87-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:43.000Z",
"modified": "2017-02-03T21:35:43.000Z",
"description": "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267",
"pattern": "[file:hashes.SHA1 = '16ca9dc8a8d35f4e7cbbeda2bf337e8e1c9b7a1f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7b0-cf18-49f4-bf02-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:44.000Z",
"modified": "2017-02-03T21:35:44.000Z",
"description": "ZeroT - Xchecked via VT: aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267",
"pattern": "[file:hashes.MD5 = 'df2a485a3eb76b3243ce7d25b5893b40']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7b1-f3b4-46dc-bc97-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:45.000Z",
"modified": "2017-02-03T21:35:45.000Z",
"first_observed": "2017-02-03T21:35:45Z",
"last_observed": "2017-02-03T21:35:45Z",
"number_observed": 1,
"object_refs": [
"url--5894f7b1-f3b4-46dc-bc97-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7b1-f3b4-46dc-bc97-874d02de0b81",
"value": "https://www.virustotal.com/file/aa7810862ef43d4ef6bec463266b7eb169dbf3f7f953ef955e380e4269137267/analysis/1476267631/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7b2-495c-4bb6-ae90-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:46.000Z",
"modified": "2017-02-03T21:35:46.000Z",
"description": "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8",
"pattern": "[file:hashes.SHA1 = 'e06fce249eefd4c65b57e2dd1300b0e40d417563']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7b3-42e4-482d-bbdc-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:47.000Z",
"modified": "2017-02-03T21:35:47.000Z",
"description": "ZeroT - Xchecked via VT: a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8",
"pattern": "[file:hashes.MD5 = 'aea45c19234d85f31881eddd24dfe88f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7b3-5d58-4632-a725-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:47.000Z",
"modified": "2017-02-03T21:35:47.000Z",
"first_observed": "2017-02-03T21:35:47Z",
"last_observed": "2017-02-03T21:35:47Z",
"number_observed": 1,
"object_refs": [
"url--5894f7b3-5d58-4632-a725-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7b3-5d58-4632-a725-874d02de0b81",
"value": "https://www.virustotal.com/file/a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8/analysis/1486145225/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7b4-399c-4bb3-9bc3-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:48.000Z",
"modified": "2017-02-03T21:35:48.000Z",
"description": "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0",
"pattern": "[file:hashes.SHA1 = 'ae4cf0457505fb774df04d7ba2f8fc1c891328a9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7b5-f100-42f2-8f76-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:49.000Z",
"modified": "2017-02-03T21:35:49.000Z",
"description": "ZeroT - Xchecked via VT: a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0",
"pattern": "[file:hashes.MD5 = 'a3c41c9cace716707c629dc8087af371']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7b6-9ba4-4b30-9289-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:50.000Z",
"modified": "2017-02-03T21:35:50.000Z",
"first_observed": "2017-02-03T21:35:50Z",
"last_observed": "2017-02-03T21:35:50Z",
"number_observed": 1,
"object_refs": [
"url--5894f7b6-9ba4-4b30-9289-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7b6-9ba4-4b30-9289-874d02de0b81",
"value": "https://www.virustotal.com/file/a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0/analysis/1486130149/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7b7-45e4-4820-95f9-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:51.000Z",
"modified": "2017-02-03T21:35:51.000Z",
"description": "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3",
"pattern": "[file:hashes.SHA1 = 'b6718ed9a64857e13b2894f5c50669a4306195ba']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7b7-4fec-43df-946b-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:51.000Z",
"modified": "2017-02-03T21:35:51.000Z",
"description": "ZeroT - Xchecked via VT: a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3",
"pattern": "[file:hashes.MD5 = '4a49a5358e6841ba625956fac62483ca']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7b8-b570-45da-849c-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:52.000Z",
"modified": "2017-02-03T21:35:52.000Z",
"first_observed": "2017-02-03T21:35:52Z",
"last_observed": "2017-02-03T21:35:52Z",
"number_observed": 1,
"object_refs": [
"url--5894f7b8-b570-45da-849c-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7b8-b570-45da-849c-874d02de0b81",
"value": "https://www.virustotal.com/file/a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3/analysis/1486130148/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7b9-2e88-4ddc-80cc-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:53.000Z",
"modified": "2017-02-03T21:35:53.000Z",
"description": "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df",
"pattern": "[file:hashes.SHA1 = 'b66c11c8ecd3d5c064f7ada4e84e50ef0f4f6b4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7ba-6218-4476-8b6a-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:54.000Z",
"modified": "2017-02-03T21:35:54.000Z",
"description": "ZeroT - Xchecked via VT: 74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df",
"pattern": "[file:hashes.MD5 = '3cff0e45be3bc3d8904151499da5a354']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7bb-4cc4-4cdb-af81-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:55.000Z",
"modified": "2017-02-03T21:35:55.000Z",
"first_observed": "2017-02-03T21:35:55Z",
"last_observed": "2017-02-03T21:35:55Z",
"number_observed": 1,
"object_refs": [
"url--5894f7bb-4cc4-4cdb-af81-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7bb-4cc4-4cdb-af81-874d02de0b81",
"value": "https://www.virustotal.com/file/74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df/analysis/1486130147/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7bb-8cd4-4351-87ea-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:55.000Z",
"modified": "2017-02-03T21:35:55.000Z",
"description": "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b",
"pattern": "[file:hashes.SHA1 = '39094640c5d3eb6d2b43282d724d792c81706a20']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7bc-f890-45eb-97c1-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:56.000Z",
"modified": "2017-02-03T21:35:56.000Z",
"description": "ZeroT - Xchecked via VT: 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b",
"pattern": "[file:hashes.MD5 = 'b0b7e48f76bf7cabd46bd23be6a044c3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7bd-267c-49fa-9bc8-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:57.000Z",
"modified": "2017-02-03T21:35:57.000Z",
"first_observed": "2017-02-03T21:35:57Z",
"last_observed": "2017-02-03T21:35:57Z",
"number_observed": 1,
"object_refs": [
"url--5894f7bd-267c-49fa-9bc8-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7bd-267c-49fa-9bc8-874d02de0b81",
"value": "https://www.virustotal.com/file/67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b/analysis/1486130147/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7be-9a98-410c-89b1-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:58.000Z",
"modified": "2017-02-03T21:35:58.000Z",
"description": "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425",
"pattern": "[file:hashes.SHA1 = '462e09c090d48fe4c7d9c5bab37666cb25a787f4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7be-f7c8-49e9-b21b-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:58.000Z",
"modified": "2017-02-03T21:35:58.000Z",
"description": "ZeroT - Xchecked via VT: 3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425",
"pattern": "[file:hashes.MD5 = 'f973c23d96ff11b593068b06c727a94c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:35:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7bf-05a0-4442-a42c-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:35:59.000Z",
"modified": "2017-02-03T21:35:59.000Z",
"first_observed": "2017-02-03T21:35:59Z",
"last_observed": "2017-02-03T21:35:59Z",
"number_observed": 1,
"object_refs": [
"url--5894f7bf-05a0-4442-a42c-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7bf-05a0-4442-a42c-874d02de0b81",
"value": "https://www.virustotal.com/file/3be2e226cd477138d03428f6046a216103ba9fa5597ec407e542ab2f86c37425/analysis/1486130147/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c0-8550-4723-97db-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:00.000Z",
"modified": "2017-02-03T21:36:00.000Z",
"description": "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343",
"pattern": "[file:hashes.SHA1 = '15f5f735dd60d295b826c0bebfca9625ffce725d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c1-0ac8-487d-8ce2-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:01.000Z",
"modified": "2017-02-03T21:36:01.000Z",
"description": "ZeroT - Xchecked via VT: 399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343",
"pattern": "[file:hashes.MD5 = '4abb9a2b65ecd19b952e7b5ea0c2a854']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7c1-3fd0-45f4-9dd3-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:01.000Z",
"modified": "2017-02-03T21:36:01.000Z",
"first_observed": "2017-02-03T21:36:01Z",
"last_observed": "2017-02-03T21:36:01Z",
"number_observed": 1,
"object_refs": [
"url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7c1-3fd0-45f4-9dd3-874d02de0b81",
"value": "https://www.virustotal.com/file/399693f48a457d77530ab88d4763cbd9d3f73606bd860adc0638f36b811bf343/analysis/1486130147/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c2-966c-4b2f-8bd8-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:02.000Z",
"modified": "2017-02-03T21:36:02.000Z",
"description": "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4",
"pattern": "[file:hashes.SHA1 = 'c15b209a8fcdc8a6c2b8fbc9eadc7a641cc771c5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c3-0314-4673-86b4-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:03.000Z",
"modified": "2017-02-03T21:36:03.000Z",
"description": "ZeroT - Xchecked via VT: 1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4",
"pattern": "[file:hashes.MD5 = '25b30aa5ab498408d46c1042f121df3f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7c4-1b28-4ff0-98ea-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:04.000Z",
"modified": "2017-02-03T21:36:04.000Z",
"first_observed": "2017-02-03T21:36:04Z",
"last_observed": "2017-02-03T21:36:04Z",
"number_observed": 1,
"object_refs": [
"url--5894f7c4-1b28-4ff0-98ea-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7c4-1b28-4ff0-98ea-874d02de0b81",
"value": "https://www.virustotal.com/file/1e25a8bd1ac2df82d4f6d280af0ecd57d5e4aef88298a2f14414df76db54bcc4/analysis/1486130146/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c4-8ce0-4857-810d-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:04.000Z",
"modified": "2017-02-03T21:36:04.000Z",
"description": "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0",
"pattern": "[file:hashes.SHA1 = '1b86e4ead3ac8421ac83d9a39412f07706b6dd2e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c5-95c8-4da7-8c5d-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:05.000Z",
"modified": "2017-02-03T21:36:05.000Z",
"description": "ZeroT - Xchecked via VT: 09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0",
"pattern": "[file:hashes.MD5 = '47ff1d275bd63bb2e0b4820b121485c3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7c6-d09c-4b4c-ad3b-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:06.000Z",
"modified": "2017-02-03T21:36:06.000Z",
"first_observed": "2017-02-03T21:36:06Z",
"last_observed": "2017-02-03T21:36:06Z",
"number_observed": 1,
"object_refs": [
"url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7c6-d09c-4b4c-ad3b-874d02de0b81",
"value": "https://www.virustotal.com/file/09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0/analysis/1486130146/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c6-6274-4788-ab7c-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:06.000Z",
"modified": "2017-02-03T21:36:06.000Z",
"description": "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58",
"pattern": "[file:hashes.SHA1 = '74f4086f2d93b8f40b8a011c10b8c26da7f35eb2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c7-073c-4308-a20e-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:07.000Z",
"modified": "2017-02-03T21:36:07.000Z",
"description": "Word Exploit documents - Xchecked via VT: 9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58",
"pattern": "[file:hashes.MD5 = '970369ddf7ffff8806aea81b1093a06a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7c8-f694-487b-8647-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:08.000Z",
"modified": "2017-02-03T21:36:08.000Z",
"first_observed": "2017-02-03T21:36:08Z",
"last_observed": "2017-02-03T21:36:08Z",
"number_observed": 1,
"object_refs": [
"url--5894f7c8-f694-487b-8647-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7c8-f694-487b-8647-874d02de0b81",
"value": "https://www.virustotal.com/file/9dd730f615824a7992a67400fce754df6eaa770f643ad7e425ff252324671b58/analysis/1482473568/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7c9-35bc-46bd-8b25-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:09.000Z",
"modified": "2017-02-03T21:36:09.000Z",
"description": "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d",
"pattern": "[file:hashes.SHA1 = 'd6ab70f6a889077a28c5f4a7dae096e223759ebf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7ca-5fa4-4da5-a064-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:10.000Z",
"modified": "2017-02-03T21:36:10.000Z",
"description": "CHM droppers - Xchecked via VT: 74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d",
"pattern": "[file:hashes.MD5 = 'da00090169a373606ef0707ea45cefa9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7cb-6d18-4303-ac70-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:11.000Z",
"modified": "2017-02-03T21:36:11.000Z",
"first_observed": "2017-02-03T21:36:11Z",
"last_observed": "2017-02-03T21:36:11Z",
"number_observed": 1,
"object_refs": [
"url--5894f7cb-6d18-4303-ac70-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7cb-6d18-4303-ac70-874d02de0b81",
"value": "https://www.virustotal.com/file/74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d/analysis/1481628229/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7cc-0218-4f9d-bf11-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:12.000Z",
"modified": "2017-02-03T21:36:12.000Z",
"description": "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2",
"pattern": "[file:hashes.SHA1 = '65913c8ea66b1c7a516e52f3ce5d33e1fc36ae66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7cd-6124-481c-a7a6-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:13.000Z",
"modified": "2017-02-03T21:36:13.000Z",
"description": "CHM droppers - Xchecked via VT: ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2",
"pattern": "[file:hashes.MD5 = 'e899619a5b12b9d90d07b87128a1430c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7cd-b09c-43b5-976f-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:13.000Z",
"modified": "2017-02-03T21:36:13.000Z",
"first_observed": "2017-02-03T21:36:13Z",
"last_observed": "2017-02-03T21:36:13Z",
"number_observed": 1,
"object_refs": [
"url--5894f7cd-b09c-43b5-976f-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7cd-b09c-43b5-976f-874d02de0b81",
"value": "https://www.virustotal.com/file/ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2/analysis/1477566896/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7ce-f1fc-46b6-8ead-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:14.000Z",
"modified": "2017-02-03T21:36:14.000Z",
"description": "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff",
"pattern": "[file:hashes.SHA1 = '0a48de42d2ba2f3c9536c7646eeeb8e279e25cfd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7cf-43bc-4b5f-a376-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:15.000Z",
"modified": "2017-02-03T21:36:15.000Z",
"description": "CHM droppers - Xchecked via VT: 4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff",
"pattern": "[file:hashes.MD5 = '2d9a3057512a6bca6aeecd124068471f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7cf-fe64-4c55-a629-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:15.000Z",
"modified": "2017-02-03T21:36:15.000Z",
"first_observed": "2017-02-03T21:36:15Z",
"last_observed": "2017-02-03T21:36:15Z",
"number_observed": 1,
"object_refs": [
"url--5894f7cf-fe64-4c55-a629-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7cf-fe64-4c55-a629-874d02de0b81",
"value": "https://www.virustotal.com/file/4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff/analysis/1486130147/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7d0-7268-45dd-99ea-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:16.000Z",
"modified": "2017-02-03T21:36:16.000Z",
"description": "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168",
"pattern": "[file:hashes.SHA1 = 'b005a426a17d32694c9cf224350e72a777d7d62c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7d1-b6c4-46c5-b719-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:17.000Z",
"modified": "2017-02-03T21:36:17.000Z",
"description": "RAR / 7-Zip archives - Xchecked via VT: f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168",
"pattern": "[file:hashes.MD5 = 'bc96303c24aaa86c8acfbf2162b43e90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7d2-da64-4b71-9c5f-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:18.000Z",
"modified": "2017-02-03T21:36:18.000Z",
"first_observed": "2017-02-03T21:36:18Z",
"last_observed": "2017-02-03T21:36:18Z",
"number_observed": 1,
"object_refs": [
"url--5894f7d2-da64-4b71-9c5f-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7d2-da64-4b71-9c5f-874d02de0b81",
"value": "https://www.virustotal.com/file/f2b6f7e0fcf4611cb25f9a24f002ba104ee5cf84528769b2ab82c63ba4476168/analysis/1486130146/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7d3-69c0-40e2-985d-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:19.000Z",
"modified": "2017-02-03T21:36:19.000Z",
"description": "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462",
"pattern": "[file:hashes.SHA1 = '83f57b2910627cba851b01be3b4c316873252e73']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7d3-bd40-4342-a53f-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:19.000Z",
"modified": "2017-02-03T21:36:19.000Z",
"description": "RAR / 7-Zip archives - Xchecked via VT: ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462",
"pattern": "[file:hashes.MD5 = '55fd25ef423da52ba60b76a27650f485']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7d4-856c-4159-9e00-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:20.000Z",
"modified": "2017-02-03T21:36:20.000Z",
"first_observed": "2017-02-03T21:36:20Z",
"last_observed": "2017-02-03T21:36:20Z",
"number_observed": 1,
"object_refs": [
"url--5894f7d4-856c-4159-9e00-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7d4-856c-4159-9e00-874d02de0b81",
"value": "https://www.virustotal.com/file/ec3405e058b3be958a1d3db410dd438fba7b8a8c28355939c2319e2e2a338462/analysis/1486130151/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7d5-3984-430e-9e61-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:21.000Z",
"modified": "2017-02-03T21:36:21.000Z",
"description": "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097",
"pattern": "[file:hashes.SHA1 = 'cdc08d31a935e66e5ae6a3ba2b39cd2f506cc8fb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7d6-9608-4941-85f5-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:22.000Z",
"modified": "2017-02-03T21:36:22.000Z",
"description": "RAR / 7-Zip archives - Xchecked via VT: ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097",
"pattern": "[file:hashes.MD5 = '2be3003e464b3e56bc678cd182aac73d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7d6-8534-4c0f-b126-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:22.000Z",
"modified": "2017-02-03T21:36:22.000Z",
"first_observed": "2017-02-03T21:36:22Z",
"last_observed": "2017-02-03T21:36:22Z",
"number_observed": 1,
"object_refs": [
"url--5894f7d6-8534-4c0f-b126-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7d6-8534-4c0f-b126-874d02de0b81",
"value": "https://www.virustotal.com/file/ee81c939eec30bf9351c9246ecfdc39a2fed78be08cc9923d48781f6c9bd7097/analysis/1486130150/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7d7-e764-48d6-898c-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:23.000Z",
"modified": "2017-02-03T21:36:23.000Z",
"description": "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf",
"pattern": "[file:hashes.SHA1 = 'b35fc02b19f331f78e83d44b40116a2bf6f1252e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5894f7d8-7d10-403d-b3fa-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:24.000Z",
"modified": "2017-02-03T21:36:24.000Z",
"description": "RAR / 7-Zip archives - Xchecked via VT: 38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf",
"pattern": "[file:hashes.MD5 = '4fa0bff0626ebe8253c04fd33462b5fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-03T21:36:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f7d9-afd0-47c3-bfdf-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:36:25.000Z",
"modified": "2017-02-03T21:36:25.000Z",
"first_observed": "2017-02-03T21:36:25Z",
"last_observed": "2017-02-03T21:36:25Z",
"number_observed": 1,
"object_refs": [
"url--5894f7d9-afd0-47c3-bfdf-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f7d9-afd0-47c3-bfdf-874d02de0b81",
"value": "https://www.virustotal.com/file/38566230e5f19d2fd151eaf1744ef2aef946e17873924b91bbeaede0fbfb38cf/analysis/1486130150/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f8d2-d7e0-4225-834c-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:40:34.000Z",
"modified": "2017-02-03T21:40:34.000Z",
"first_observed": "2017-02-03T21:40:34Z",
"last_observed": "2017-02-03T21:40:34Z",
"number_observed": 1,
"object_refs": [
"url--5894f8d2-d7e0-4225-834c-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f8d2-d7e0-4225-834c-874d02de0b81",
"value": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f8d2-f494-476c-a034-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:41:23.000Z",
"modified": "2017-02-03T21:41:23.000Z",
"first_observed": "2017-02-03T21:41:23Z",
"last_observed": "2017-02-03T21:41:23Z",
"number_observed": 1,
"object_refs": [
"url--5894f8d2-f494-476c-a034-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f8d2-f494-476c-a034-874d02de0b81",
"value": "https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f8d3-6008-437d-bec0-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:41:16.000Z",
"modified": "2017-02-03T21:41:16.000Z",
"first_observed": "2017-02-03T21:41:16Z",
"last_observed": "2017-02-03T21:41:16Z",
"number_observed": 1,
"object_refs": [
"url--5894f8d3-6008-437d-bec0-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f8d3-6008-437d-bec0-874d02de0b81",
"value": "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f8d4-7700-4a87-8aa3-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:41:45.000Z",
"modified": "2017-02-03T21:41:45.000Z",
"first_observed": "2017-02-03T21:41:45Z",
"last_observed": "2017-02-03T21:41:45Z",
"number_observed": 1,
"object_refs": [
"url--5894f8d4-7700-4a87-8aa3-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f8d4-7700-4a87-8aa3-874d02de0b81",
"value": "http://researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5894f8d5-a2c4-41d4-b4b7-874d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-03T21:41:53.000Z",
"modified": "2017-02-03T21:41:53.000Z",
"first_observed": "2017-02-03T21:41:53Z",
"last_observed": "2017-02-03T21:41:53Z",
"number_observed": 1,
"object_refs": [
"url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"technical-report\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5894f8d5-a2c4-41d4-b4b7-874d02de0b81",
"value": "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-office-exploit-generators-szappanos.pdf"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}