misp-circl-feed/feeds/circl/misp/5b43ce0c-47e8-476c-97d6-f56402de0b81.json

774 lines
No EOL
34 KiB
JSON

{
"type": "bundle",
"id": "bundle--5b43ce0c-47e8-476c-97d6-f56402de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:08.000Z",
"modified": "2018-07-10T06:56:08.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b43ce0c-47e8-476c-97d6-f56402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:08.000Z",
"modified": "2018-07-10T06:56:08.000Z",
"name": "OSINT - APT Attack In the Middle East: The Big Bang",
"published": "2018-07-10T07:10:59Z",
"object_refs": [
"observed-data--5b43ce1c-edb4-491d-95c5-43fd02de0b81",
"url--5b43ce1c-edb4-491d-95c5-43fd02de0b81",
"indicator--5b43ce38-f8ec-46cf-a6e1-4c6502de0b81",
"indicator--5b43ce39-f540-4bca-96c8-472d02de0b81",
"indicator--5b43ce39-cb38-4f9d-85b0-420802de0b81",
"indicator--5b43ce3a-9dbc-485b-9b5b-483902de0b81",
"indicator--5b43ce3a-4c8c-4399-b52e-429e02de0b81",
"indicator--5b43ce3b-e330-4f8c-9fcd-4d4e02de0b81",
"indicator--5b43ce3b-b098-4156-9bb1-489002de0b81",
"indicator--5b43ce3b-a5bc-4932-9030-43d902de0b81",
"indicator--5b43ce3c-3a70-4e79-a245-404402de0b81",
"indicator--5b43ce3c-447c-4bcc-a5d7-452402de0b81",
"indicator--5b43ce3d-bcb0-4078-9fb7-486c02de0b81",
"indicator--5b43ce3d-8b4c-4b04-b52f-485602de0b81",
"indicator--5b43ce3e-5608-466a-962a-408902de0b81",
"x-misp-attribute--5b4454b3-ec70-438e-b9e3-4d7d950d210f",
"indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2",
"x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2",
"indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8",
"x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea",
"indicator--e84f13a0-0878-494a-b532-2946d911523e",
"x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8",
"indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76",
"x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3",
"indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4",
"x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a",
"relationship--87fbb91a-c445-43bd-81be-bebe12213c83",
"relationship--5db9d08a-7072-4ef2-85a3-b8bb9081218b",
"relationship--940e909c-a2dc-4267-a737-5b27169af361",
"relationship--63b01727-7f2f-4b0d-ab37-95332078b419",
"relationship--72eec492-60ec-4877-8f60-d9e7a1441cf3"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Screen Capture - T1113\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Information Repositories - T1213\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Commonly Used Port - T1043\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:threat-actor=\"The Big Bang\"",
"osint:lifetime=\"perpetual\"",
"estimative-language:confidence-in-analytic-judgment=\"moderate\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b43ce1c-edb4-491d-95c5-43fd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"first_observed": "2018-07-10T06:56:05Z",
"last_observed": "2018-07-10T06:56:05Z",
"number_observed": 1,
"object_refs": [
"url--5b43ce1c-edb4-491d-95c5-43fd02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b43ce1c-edb4-491d-95c5-43fd02de0b81",
"value": "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce38-f8ec-46cf-a6e1-4c6502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[file:hashes.SHA1 = 'a210ac6ea0406d81fa5682e86997be25c73e9d1b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce39-f540-4bca-96c8-472d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[file:hashes.SHA1 = '994ebbe444183e0d67b13f91d75b0f9bcfb011db']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce39-cb38-4f9d-85b0-420802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[file:hashes.SHA1 = '74ea60b4e269817168e107bdccc42b3a1193c1e6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3a-9dbc-485b-9b5b-483902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[file:hashes.SHA1 = '511bec782be41e85a013cbea95725d5807e3c2f2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3a-4c8c-4399-b52e-429e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[file:hashes.SHA1 = '9e093a5b34c4e5dea59e374b409173565dc3b05b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3b-e330-4f8c-9fcd-4d4e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[domain-name:value = 'lindamullins.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3b-b098-4156-9bb1-489002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[domain-name:value = 'spgbotup.club']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3b-a5bc-4932-9030-43d902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[domain-name:value = 'namyyeatop.club']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3c-3a70-4e79-a245-404402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[domain-name:value = 'namybotter.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3c-447c-4bcc-a5d7-452402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[domain-name:value = 'sanjynono.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3d-bcb0-4078-9fb7-486c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[domain-name:value = 'exvsnomy.club']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3d-8b4c-4b04-b52f-485602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[domain-name:value = 'ezofiezo.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b43ce3e-5608-466a-962a-408902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"pattern": "[domain-name:value = 'hitmesanjjoy.pro']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-10T06:56:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b4454b3-ec70-438e-b9e3-4d7d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-10T06:56:05.000Z",
"modified": "2018-07-10T06:56:05.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Over the last few weeks, the Check Point Threat Intelligence Team discovered the comeback of an APT surveillance attack against institutions across the Middle East, specifically the Palestinian Authority.\r\n\r\nThe attack begins with a phishing email sent to targets that includes an attachment of a self-extracting archive containing two files: a Word document and a malicious executable. Posing to be from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy, distracting victims while the malware is installed in the background.\r\n\r\nThe malware has several modules, some of which are:\r\n\r\n Taking a screenshot of the infected machine and sending it to the C&C server.\r\n Sending a list of documents with file extensions including .doc, .odt, .xls, .ppt, .pdf and more.\r\n Logging details about the system.\r\n Rebooting the system.\r\n Self-destructing the executable.\r\n\r\nWhile it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed \u00e2\u20ac\u02dcBig Bang\u00e2\u20ac\u2122 due to the attacker\u00e2\u20ac\u2122s fondness for the \u00e2\u20ac\u02dcBig Bang Theory\u00e2\u20ac\u2122 TV show, after which some of the malware\u00e2\u20ac\u2122s modules are named.\r\n\r\nA previous campaign of this APT group was uncovered by Talos in June 2017, and since then very little of this operation was seen in the wild. The Big Bang campaign described below incorporates improved capabilities and offensive infrastructure, and seems to be even more targeted."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:10:57.000Z",
"modified": "2018-07-09T21:10:57.000Z",
"pattern": "[file:hashes.MD5 = 'a3dc31c456508df7dfac8349eb0d2b65' AND file:hashes.SHA1 = '74ea60b4e269817168e107bdccc42b3a1193c1e6' AND file:hashes.SHA256 = '63a73cf005eb328f3c7e99f0d28da65980d9620b66d8c41939f6db023418c864']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-09T21:10:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:10:55.000Z",
"modified": "2018-07-09T21:10:55.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-09T20:54:06",
"category": "Other",
"uuid": "d8dba617-c8c4-466d-99b9-0bc760fc64f6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/63a73cf005eb328f3c7e99f0d28da65980d9620b66d8c41939f6db023418c864/analysis/1531169646/",
"category": "External analysis",
"uuid": "32da8334-bef5-4dd2-9c11-4bde99a3e834"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "0/58",
"category": "Other",
"uuid": "f06cc6f8-9d16-4237-9edf-f22bffa514f1"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:10:59.000Z",
"modified": "2018-07-09T21:10:59.000Z",
"pattern": "[file:hashes.MD5 = 'fd8c8ae6a261b0e88df06236c5b70be6' AND file:hashes.SHA1 = '511bec782be41e85a013cbea95725d5807e3c2f2' AND file:hashes.SHA256 = 'ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-09T21:10:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:10:58.000Z",
"modified": "2018-07-09T21:10:58.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-09T10:06:12",
"category": "Other",
"uuid": "f6c73d92-dd22-4ecd-b81d-82dce73c212d"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224/analysis/1531130772/",
"category": "External analysis",
"uuid": "8f99dadd-67ca-4199-97e6-19277a85fcfb"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "41/67",
"category": "Other",
"uuid": "db260972-06f4-4105-8732-a2a5e05b2b36"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e84f13a0-0878-494a-b532-2946d911523e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:11:02.000Z",
"modified": "2018-07-09T21:11:02.000Z",
"pattern": "[file:hashes.MD5 = '18864d22331fc6503641f128226aaea8' AND file:hashes.SHA1 = '994ebbe444183e0d67b13f91d75b0f9bcfb011db' AND file:hashes.SHA256 = 'e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-09T21:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:11:00.000Z",
"modified": "2018-07-09T21:11:00.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-09T10:06:11",
"category": "Other",
"uuid": "30bf9981-32fa-4aeb-b1a4-0f98d2e5f0c3"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc/analysis/1531130771/",
"category": "External analysis",
"uuid": "7130664a-5360-49d3-b551-c9dddafd4c17"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "47/68",
"category": "Other",
"uuid": "a2025a9a-ca8a-48a6-a3a4-a3118ec625f3"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:11:04.000Z",
"modified": "2018-07-09T21:11:04.000Z",
"pattern": "[file:hashes.MD5 = '81881a0841deaa0ef1ea92c51d8c8845' AND file:hashes.SHA1 = '9e093a5b34c4e5dea59e374b409173565dc3b05b' AND file:hashes.SHA256 = '4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-09T21:11:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:11:03.000Z",
"modified": "2018-07-09T21:11:03.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-09T20:34:31",
"category": "Other",
"uuid": "cd137230-b3bb-4d53-b429-a0ccd6981c67"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b/analysis/1531168471/",
"category": "External analysis",
"uuid": "b23e43db-c16a-4207-962e-3c2d632da209"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "42/67",
"category": "Other",
"uuid": "89eed594-20f3-4eff-a527-7b02e13a4eae"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:11:06.000Z",
"modified": "2018-07-09T21:11:06.000Z",
"pattern": "[file:hashes.MD5 = '2f8face85084bea8adacac36ee2f641f' AND file:hashes.SHA1 = 'a210ac6ea0406d81fa5682e86997be25c73e9d1b' AND file:hashes.SHA256 = '0ed777075d67d00720021e4703bde809900f4715ccf0a2d4383e285801dca5ba']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-09T21:11:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-09T21:11:05.000Z",
"modified": "2018-07-09T21:11:05.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-09T10:08:43",
"category": "Other",
"uuid": "d0f2ac63-e02e-4edb-beb2-73acd376f9ae"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/0ed777075d67d00720021e4703bde809900f4715ccf0a2d4383e285801dca5ba/analysis/1531130923/",
"category": "External analysis",
"uuid": "ea7e49cd-c2d2-4b91-bcb8-e57fd9782019"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "47/67",
"category": "Other",
"uuid": "2ce142ab-e375-46a2-bd2d-8118b5ce9054"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--87fbb91a-c445-43bd-81be-bebe12213c83",
"created": "2018-07-09T21:11:06.000Z",
"modified": "2018-07-09T21:11:06.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2",
"target_ref": "x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5db9d08a-7072-4ef2-85a3-b8bb9081218b",
"created": "2018-07-09T21:11:06.000Z",
"modified": "2018-07-09T21:11:06.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8",
"target_ref": "x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--940e909c-a2dc-4267-a737-5b27169af361",
"created": "2018-07-09T21:11:07.000Z",
"modified": "2018-07-09T21:11:07.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--e84f13a0-0878-494a-b532-2946d911523e",
"target_ref": "x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--63b01727-7f2f-4b0d-ab37-95332078b419",
"created": "2018-07-09T21:11:07.000Z",
"modified": "2018-07-09T21:11:07.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76",
"target_ref": "x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--72eec492-60ec-4877-8f60-d9e7a1441cf3",
"created": "2018-07-09T21:11:07.000Z",
"modified": "2018-07-09T21:11:07.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4",
"target_ref": "x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}