misp-circl-feed/feeds/circl/misp/5aa670db-6ef0-4d81-8e90-9476950d210f.json

825 lines
No EOL
35 KiB
JSON

{
"type": "bundle",
"id": "bundle--5aa670db-6ef0-4d81-8e90-9476950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:45.000Z",
"modified": "2018-03-12T12:28:45.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5aa670db-6ef0-4d81-8e90-9476950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:45.000Z",
"modified": "2018-03-12T12:28:45.000Z",
"name": "OSINT - APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS",
"published": "2018-03-12T12:28:53Z",
"object_refs": [
"indicator--5aa670f5-39b4-4382-9f91-0fa3950d210f",
"indicator--5aa670f6-d5ac-4682-9a04-0fa3950d210f",
"indicator--5aa670f6-d5d4-4202-9a37-0fa3950d210f",
"indicator--5aa670f7-0014-4df2-a56f-0fa3950d210f",
"indicator--5aa670f7-6a48-4bdf-8746-0fa3950d210f",
"indicator--5aa67102-ced4-4a30-b0d7-0fa3950d210f",
"indicator--5aa6710e-52b4-40af-ac3b-0fa3950d210f",
"indicator--5aa6710f-fe88-4d3d-96a7-0fa3950d210f",
"indicator--5aa6710f-50d0-4454-860d-0fa3950d210f",
"indicator--5aa6711b-a1c4-40d1-92b7-0fa3950d210f",
"indicator--5aa6711b-f3b8-4787-b246-0fa3950d210f",
"indicator--5aa67145-28d0-47cb-927a-d9cd950d210f",
"indicator--5aa67145-68d0-4b05-a406-d9cd950d210f",
"indicator--5aa67146-a2d0-4ed0-968e-d9cd950d210f",
"indicator--5aa67146-e6a4-40d8-a37c-d9cd950d210f",
"indicator--5aa67146-1288-4aa0-9671-d9cd950d210f",
"x-misp-attribute--5aa67163-e99c-4bf6-9649-d928950d210f",
"x-misp-attribute--5aa67177-ac60-43db-9bd5-4053950d210f",
"x-misp-attribute--5aa671e4-c8f4-4d39-ad4b-9394950d210f",
"observed-data--5aa67218-06ac-49e7-baa9-d9cd950d210f",
"url--5aa67218-06ac-49e7-baa9-d9cd950d210f",
"indicator--0e812898-7fc4-40f8-ac95-7a23e22438de",
"x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3",
"indicator--06f1e0a0-004c-4356-9f89-380b53274f42",
"x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa",
"indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f",
"x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295",
"indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f",
"x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436",
"relationship--b5fafc21-a214-4f68-8bc9-865ef1f52067",
"relationship--1dc4dd03-ba72-49f1-814e-730ddcf57005",
"relationship--cffdafa5-6b5b-4003-a057-e7472e03dec5",
"relationship--514b783e-6113-4c69-985c-61e2c3dee17f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Mirage\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa670f5-39b4-4382-9f91-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:51.000Z",
"modified": "2018-03-12T12:27:51.000Z",
"description": "Possible linked APT15 domains include:",
"pattern": "[domain-name:value = 'micakiz.wikaba.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa670f6-d5ac-4682-9a04-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:51.000Z",
"modified": "2018-03-12T12:27:51.000Z",
"description": "Possible linked APT15 domains include:",
"pattern": "[domain-name:value = 'cavanic9.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa670f6-d5d4-4202-9a37-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:52.000Z",
"modified": "2018-03-12T12:27:52.000Z",
"description": "Possible linked APT15 domains include:",
"pattern": "[domain-name:value = 'ridingduck.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa670f7-0014-4df2-a56f-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:52.000Z",
"modified": "2018-03-12T12:27:52.000Z",
"description": "Possible linked APT15 domains include:",
"pattern": "[domain-name:value = 'zipcodeterm.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa670f7-6a48-4bdf-8746-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:52.000Z",
"modified": "2018-03-12T12:27:52.000Z",
"description": "Possible linked APT15 domains include:",
"pattern": "[domain-name:value = 'dnsapp.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa67102-ced4-4a30-b0d7-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:53.000Z",
"modified": "2018-03-12T12:27:53.000Z",
"description": "RoyalDNS backdoor was seen communicating to the domain:",
"pattern": "[domain-name:value = 'andspurs.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa6710e-52b4-40af-ac3b-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:53.000Z",
"modified": "2018-03-12T12:27:53.000Z",
"description": "The BS2005 backdoor utilised the following domains for C2:",
"pattern": "[domain-name:value = 'run.linodepower.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa6710f-fe88-4d3d-96a7-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:53.000Z",
"modified": "2018-03-12T12:27:53.000Z",
"description": "The BS2005 backdoor utilised the following domains for C2:",
"pattern": "[domain-name:value = 'singa.linodepower.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa6710f-50d0-4454-860d-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:54.000Z",
"modified": "2018-03-12T12:27:54.000Z",
"description": "The BS2005 backdoor utilised the following domains for C2:",
"pattern": "[domain-name:value = 'log.autocount.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa6711b-a1c4-40d1-92b7-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:54.000Z",
"modified": "2018-03-12T12:27:54.000Z",
"description": "The RoyalCli backdoor was attempting to communicate to the following domains:",
"pattern": "[domain-name:value = 'news.memozilla.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa6711b-f3b8-4787-b246-0fa3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:55.000Z",
"modified": "2018-03-12T12:27:55.000Z",
"description": "The RoyalCli backdoor was attempting to communicate to the following domains:",
"pattern": "[domain-name:value = 'video.memozilla.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:27:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa67145-28d0-47cb-927a-d9cd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:23:33.000Z",
"modified": "2018-03-12T12:23:33.000Z",
"description": "Royal DNS",
"pattern": "[file:hashes.SHA256 = 'bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:23:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa67145-68d0-4b05-a406-d9cd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:23:33.000Z",
"modified": "2018-03-12T12:23:33.000Z",
"description": "BS2005",
"pattern": "[file:hashes.SHA256 = '750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:23:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa67146-a2d0-4ed0-968e-d9cd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:23:34.000Z",
"modified": "2018-03-12T12:23:34.000Z",
"description": "BS2005",
"pattern": "[file:hashes.SHA256 = '6ea9cc475d41ca07fa206eb84b10cf2bbd2392366890de5ae67241afa2f4269f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:23:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa67146-e6a4-40d8-a37c-d9cd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:23:34.000Z",
"modified": "2018-03-12T12:23:34.000Z",
"description": "RoyalCli",
"pattern": "[file:hashes.SHA256 = '6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:23:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5aa67146-1288-4aa0-9671-d9cd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:23:34.000Z",
"modified": "2018-03-12T12:23:34.000Z",
"description": "MS Exchange Tool",
"pattern": "[file:hashes.SHA256 = '16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:23:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5aa67163-e99c-4bf6-9649-d928950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:55.000Z",
"modified": "2018-03-12T12:27:55.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "%USERPROFILE%\\documents\\visual studio 2010\\Projects\\RoyalCli\\Release\\RoyalCli.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5aa67177-ac60-43db-9bd5-4053950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:56.000Z",
"modified": "2018-03-12T12:27:56.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS\r\nIn May 2017, NCC Group's Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15.\r\n\r\nAPT15 is also known as, Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon.\r\nA number of sensitive documents were stolen by the attackers during the incident and we believe APT15 was targeting information related to UK government departments and military technology."
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5aa671e4-c8f4-4d39-ad4b-9394950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:56.000Z",
"modified": "2018-03-12T12:27:56.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_type": "text",
"x_misp_value": "5aa64b62-8f2c-4081-a6f9-4480950d210f"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5aa67218-06ac-49e7-baa9-d9cd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:56.000Z",
"modified": "2018-03-12T12:27:56.000Z",
"first_observed": "2018-03-12T12:27:56Z",
"last_observed": "2018-03-12T12:27:56Z",
"number_observed": 1,
"object_refs": [
"url--5aa67218-06ac-49e7-baa9-d9cd950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5aa67218-06ac-49e7-baa9-d9cd950d210f",
"value": "https://github.com/nccgroup/Royal_APT"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0e812898-7fc4-40f8-ac95-7a23e22438de",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:00.000Z",
"modified": "2018-03-12T12:28:00.000Z",
"pattern": "[file:hashes.MD5 = 'ed21ce2beee56f0a0b1c5a62a80c128b' AND file:hashes.SHA1 = '201e74fd33724a872ab89f8a002a560d1ce73e54' AND file:hashes.SHA256 = '750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:28:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:27:58.000Z",
"modified": "2018-03-12T12:27:58.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b/analysis/1520793006/",
"category": "External analysis",
"comment": "BS2005",
"uuid": "5aa6724e-e14c-4ad9-ad8e-947502de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/67",
"category": "Other",
"comment": "BS2005",
"uuid": "5aa6724f-fd84-4c88-9a54-947502de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-03-11T18:30:06",
"category": "Other",
"comment": "BS2005",
"uuid": "5aa6724f-d5a8-4efc-b433-947502de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--06f1e0a0-004c-4356-9f89-380b53274f42",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:02.000Z",
"modified": "2018-03-12T12:28:02.000Z",
"pattern": "[file:hashes.MD5 = '941a4fc3d2a3289017cf9c56584d1168' AND file:hashes.SHA1 = '3d4ee6cbfaeb7890bb0b2d41547849f8e2d9243f' AND file:hashes.SHA256 = 'bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:28:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:00.000Z",
"modified": "2018-03-12T12:28:00.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d/analysis/1520841997/",
"category": "External analysis",
"comment": "Royal DNS",
"uuid": "5aa67250-7bc8-45a9-b533-947502de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "7/65",
"category": "Other",
"comment": "Royal DNS",
"uuid": "5aa67251-59a4-4b15-9b43-947502de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-03-12T08:06:37",
"category": "Other",
"comment": "Royal DNS",
"uuid": "5aa67251-5338-45f7-a3c9-947502de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:04.000Z",
"modified": "2018-03-12T12:28:04.000Z",
"pattern": "[file:hashes.MD5 = '5e5c9e6e710f67f4886e4f4169d02b1d' AND file:hashes.SHA1 = 'a35297163ed0efcb71e63069a3115737d2fe2d1d' AND file:hashes.SHA256 = '6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:28:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:03.000Z",
"modified": "2018-03-12T12:28:03.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785/analysis/1520793104/",
"category": "External analysis",
"comment": "RoyalCli",
"uuid": "5aa67253-ffe8-4691-9928-947502de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/67",
"category": "Other",
"comment": "RoyalCli",
"uuid": "5aa67253-2ca8-410a-914b-947502de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-03-11T18:31:44",
"category": "Other",
"comment": "RoyalCli",
"uuid": "5aa67253-568c-41df-8205-947502de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:07.000Z",
"modified": "2018-03-12T12:28:07.000Z",
"pattern": "[file:hashes.MD5 = 'd21a7e349e796064ce10f2f6ede31c71' AND file:hashes.SHA1 = '63fbd3feb41c0b6de892b4a70a6241d123ec1e5a' AND file:hashes.SHA256 = '16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-03-12T12:28:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-03-12T12:28:05.000Z",
"modified": "2018-03-12T12:28:05.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce/analysis/1520844201/",
"category": "External analysis",
"comment": "MS Exchange Tool",
"uuid": "5aa67255-56f0-4687-875c-947502de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "2/67",
"category": "Other",
"comment": "MS Exchange Tool",
"uuid": "5aa67255-5500-48d8-9364-947502de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-03-12T08:43:21",
"category": "Other",
"comment": "MS Exchange Tool",
"uuid": "5aa67255-bb78-4fff-b7bf-947502de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b5fafc21-a214-4f68-8bc9-865ef1f52067",
"created": "2018-03-12T12:28:06.000Z",
"modified": "2018-03-12T12:28:06.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--0e812898-7fc4-40f8-ac95-7a23e22438de",
"target_ref": "x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1dc4dd03-ba72-49f1-814e-730ddcf57005",
"created": "2018-03-12T12:28:06.000Z",
"modified": "2018-03-12T12:28:06.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--06f1e0a0-004c-4356-9f89-380b53274f42",
"target_ref": "x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--cffdafa5-6b5b-4003-a057-e7472e03dec5",
"created": "2018-03-12T12:28:06.000Z",
"modified": "2018-03-12T12:28:06.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f",
"target_ref": "x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--514b783e-6113-4c69-985c-61e2c3dee17f",
"created": "2018-03-12T12:28:07.000Z",
"modified": "2018-03-12T12:28:07.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f",
"target_ref": "x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}