{
|
|
"type": "bundle",
|
|
"id": "bundle--5b597959-6310-43e8-80b2-4d30950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:44.000Z",
|
|
"modified": "2018-07-26T13:13:44.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5b597959-6310-43e8-80b2-4d30950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:44.000Z",
|
|
"modified": "2018-07-26T13:13:44.000Z",
|
|
"name": "OSINT - Kronos Reborn",
|
|
"published": "2018-07-26T13:14:29Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--5b597e9e-b88c-4bc1-8f11-af6a950d210f",
|
|
"observed-data--5b597ee4-7370-4258-88b5-b098950d210f",
|
|
"url--5b597ee4-7370-4258-88b5-b098950d210f",
|
|
"indicator--5b59c078-03e4-4a71-a48f-4503950d210f",
|
|
"indicator--5b59c078-3b9c-4f25-9aeb-4691950d210f",
|
|
"indicator--5b59c079-0180-477e-b041-457e950d210f",
|
|
"indicator--5b59c079-cd18-4e05-a267-451f950d210f",
|
|
"indicator--5b59c07a-1d28-454c-94ba-4f0f950d210f",
|
|
"indicator--5b59c07a-8cd8-4b86-ad8e-4635950d210f",
|
|
"indicator--5b59c07b-bb84-4c15-baa0-4135950d210f",
|
|
"indicator--5b59c07b-09f8-4fdd-b9f2-41f3950d210f",
|
|
"indicator--5b59c07c-c7fc-4ea5-9afe-4bd6950d210f",
|
|
"indicator--5b59c07c-1cc4-453a-8c26-495a950d210f",
|
|
"indicator--5b59c07d-f114-401d-af89-4f4e950d210f",
|
|
"indicator--5b59c07d-22e0-48c4-8b04-4ec0950d210f",
|
|
"indicator--5b59c07e-f9f4-4770-b1cc-428e950d210f",
|
|
"indicator--5b59c07e-d050-4843-9c9a-4cba950d210f",
|
|
"indicator--5b59c07f-d42c-469e-846a-4fa3950d210f",
|
|
"indicator--5b59c07f-732c-4cb6-adb4-4d48950d210f",
|
|
"indicator--5b59bea3-9a30-4e9f-b748-4239950d210f",
|
|
"indicator--5b59beb5-0e9c-4f68-85f4-4a77950d210f",
|
|
"indicator--5b59bef2-cdf8-40b2-8000-4298950d210f",
|
|
"indicator--5b59bf0c-5950-4f90-9596-43da950d210f",
|
|
"indicator--5b59bf19-3770-40b1-aa0e-4824950d210f",
|
|
"indicator--5b59bf31-2514-482c-9f84-4a20950d210f",
|
|
"indicator--5b59bf47-4fc4-44cc-b7bc-4967950d210f",
|
|
"indicator--5b59c3d7-c760-41e4-9afd-40b7950d210f",
|
|
"indicator--5b59c3e9-d500-4e86-9f7f-45f3950d210f",
|
|
"indicator--716245aa-e298-4be6-a638-f2073e0af588",
|
|
"x-misp-object--e3d7369a-27c2-41f0-96fc-d35aaa499890",
|
|
"indicator--a2a94c03-111d-4ec9-a615-dfff35bc1a0d",
|
|
"x-misp-object--823ec556-3163-4a3f-b1c2-a15ba60baee8",
|
|
"indicator--fb02d0e7-a2f6-4398-8968-619c6a329054",
|
|
"x-misp-object--5b3ad0ca-d0ae-4326-9bc1-889ddbafc549",
|
|
"indicator--e935fea1-ffe1-40eb-ba18-16cc432874f8",
|
|
"x-misp-object--df90c284-e467-445b-a51e-7837ec98db7a",
|
|
"indicator--2238785f-23bd-467b-b588-484fba9e78f9",
|
|
"x-misp-object--812d0386-43e0-4813-ac94-b8248cb565d5",
|
|
"indicator--dccb7ee7-e104-44bf-8971-0e90e34d244d",
|
|
"x-misp-object--8b19e923-dfa2-4dab-80ee-5a291ebe7b30",
|
|
"indicator--02c92c9e-6ed0-4a26-8913-4cb0b61c6eb1",
|
|
"x-misp-object--8c660602-2e65-4d92-82c1-9a70525e6c19",
|
|
"relationship--0f70a360-5625-486e-b614-40bf22b379d7",
|
|
"relationship--2649cac6-5fbf-48c6-bc67-31adf3c3c920",
|
|
"relationship--bb27dcbb-f3d4-4927-b0ca-011bd47262d4",
|
|
"relationship--00b7a473-d823-492d-a00d-bb69e1be276b",
|
|
"relationship--47a73a04-6303-4bad-90df-4b4b4fe46e9f",
|
|
"relationship--de160268-6c8a-4f6b-9523-fffaa4c6e595",
|
|
"relationship--03218fe6-500b-4dd1-bfb5-8fc9e1cacbbc"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"misp-galaxy:tool=\"Smoke Loader\"",
|
|
"misp-galaxy:mitre-enterprise-attack-malware=\"Smoke Loader - S0226\"",
|
|
"misp-galaxy:banker=\"Kronos\"",
|
|
"ms-caro-malware-full:malware-family=\"Banker\"",
|
|
"malware_classification:malware-category=\"Trojan\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5b597e9e-b88c-4bc1-8f11-af6a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:20:53.000Z",
|
|
"modified": "2018-07-26T12:20:53.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "The Kronos banking Trojan was first discovered in 2014 and was a steady fixture in the threat landscape for a few years before largely disappearing. Now a new variant has appeared, with at least three distinct campaigns targeting Germany, Japan, and Poland respectively, to date.\r\n\r\nIn April 2018, the first samples of a new variant of the banking Trojan appeared in the wild. The most notable new feature is that the command and control (C&C) mechanism has been refactored to use the Tor anonymizing network. There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded \u201cOsiris\u201d and is being sold on underground markets. In this blog, we present information on the German, Japanese, and Polish campaigns as well as a fourth campaign that looks to be a work in progress and still being tested."
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5b597ee4-7370-4258-88b5-b098950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:20:46.000Z",
|
|
"modified": "2018-07-26T12:20:46.000Z",
|
|
"first_observed": "2018-07-26T12:20:46Z",
|
|
"last_observed": "2018-07-26T12:20:46Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5b597ee4-7370-4258-88b5-b098950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5b597ee4-7370-4258-88b5-b098950d210f",
|
|
"value": "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c078-03e4-4a71-a48f-4503950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:12.000Z",
|
|
"modified": "2018-07-26T12:37:12.000Z",
|
|
"description": "Mahnung_9415171.doc payload used in German campaign",
|
|
"pattern": "[url:value = 'https://dkb-agbs.com/25062018.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c078-3b9c-4f25-9aeb-4691950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:12.000Z",
|
|
"modified": "2018-07-26T12:37:12.000Z",
|
|
"pattern": "[file:name = 'Mahnung_9415171.doc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c079-0180-477e-b041-457e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:13.000Z",
|
|
"modified": "2018-07-26T12:37:13.000Z",
|
|
"description": "Kronos C&C used in German campaign",
|
|
"pattern": "[url:value = 'http://jhrppbnh4d674kzh.onion/kpanel/connect.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c079-cd18-4e05-a267-451f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:13.000Z",
|
|
"modified": "2018-07-26T12:37:13.000Z",
|
|
"description": "Webinject C&C used in the German campaign",
|
|
"pattern": "[url:value = 'https://startupbulawayo.website/d03ohi2e3232/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07a-1d28-454c-94ba-4f0f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:14.000Z",
|
|
"modified": "2018-07-26T12:37:14.000Z",
|
|
"description": "Contains malicious redirect to RIG EK used in the Japan campaign",
|
|
"pattern": "[url:value = 'http://envirodry.ca']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07a-8cd8-4b86-ad8e-4635950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:14.000Z",
|
|
"modified": "2018-07-26T12:37:14.000Z",
|
|
"description": "RIG EK used in the Japan campaign",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.23.54.158']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07b-bb84-4c15-baa0-4135950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:15.000Z",
|
|
"modified": "2018-07-26T12:37:15.000Z",
|
|
"description": "SmokeLoader C&C used in the Japan campaign",
|
|
"pattern": "[url:value = 'http://lionoi.adygeya.su']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07b-09f8-4fdd-b9f2-41f3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:15.000Z",
|
|
"modified": "2018-07-26T12:37:15.000Z",
|
|
"description": "SmokeLoader C&C used in the Japan campaign",
|
|
"pattern": "[url:value = 'http://milliaoin.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07c-c7fc-4ea5-9afe-4bd6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:16.000Z",
|
|
"modified": "2018-07-26T12:37:16.000Z",
|
|
"description": "New version of Kronos download link used in the Japan campaign",
|
|
"pattern": "[url:value = 'http://fritsy83.website/Osiris.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07c-1cc4-453a-8c26-495a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:16.000Z",
|
|
"modified": "2018-07-26T12:37:16.000Z",
|
|
"description": "New version of Kronos download link used in the Japan campaign",
|
|
"pattern": "[url:value = 'http://oo00mika84.website/Osiris_jmjp_auto2_noinj.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07d-f114-401d-af89-4f4e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:17.000Z",
|
|
"modified": "2018-07-26T12:37:17.000Z",
|
|
"description": "Kronos C&C used in the Japan campaign",
|
|
"pattern": "[url:value = 'http://jmjp2l7yqgaj5xvv.onion/kpanel/connect.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07d-22e0-48c4-8b04-4ec0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:17.000Z",
|
|
"modified": "2018-07-26T12:37:17.000Z",
|
|
"description": "Webinject C&C used in the Japan campaign",
|
|
"pattern": "[url:value = 'https://kioxixu.abkhazia.su/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07e-f9f4-4770-b1cc-428e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:18.000Z",
|
|
"modified": "2018-07-26T12:37:18.000Z",
|
|
"description": "New version of Kronos download link used in the Poland campaign",
|
|
"pattern": "[url:value = 'http://mysit.space/123//v/0jLHzUW']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07e-d050-4843-9c9a-4cba950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:18.000Z",
|
|
"modified": "2018-07-26T12:37:18.000Z",
|
|
"description": "Kronos C&C used in the Poland campaign",
|
|
"pattern": "[url:value = 'http://suzfjfguuis326qw.onion/kpanel/connect.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07f-d42c-469e-846a-4fa3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:19.000Z",
|
|
"modified": "2018-07-26T12:37:19.000Z",
|
|
"description": "New version of Kronos download link used in \u201cWork in progress\u201d campaign",
|
|
"pattern": "[url:value = 'http://gameboosts.net/app/Player_v1.02.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c07f-732c-4cb6-adb4-4d48950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:37:19.000Z",
|
|
"modified": "2018-07-26T12:37:19.000Z",
|
|
"description": "Kronos C&C used in \u201cWork in progress\u201d campaign",
|
|
"pattern": "[url:value = 'http://mysmo35wlwhrkeez.onion/kpanel/connect.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:37:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59bea3-9a30-4e9f-b748-4239950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:29:23.000Z",
|
|
"modified": "2018-07-26T12:29:23.000Z",
|
|
"description": "used in German campaign",
|
|
"pattern": "[file:hashes.SHA256 = 'bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d' AND file:name = 'Mahnung_9415171.doc' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:29:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59beb5-0e9c-4f68-85f4-4a77950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:29:41.000Z",
|
|
"modified": "2018-07-26T12:29:41.000Z",
|
|
"description": "New version of Kronos used in German campaign",
|
|
"pattern": "[file:hashes.SHA256 = '4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:29:41Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59bef2-cdf8-40b2-8000-4298950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:30:42.000Z",
|
|
"modified": "2018-07-26T12:30:42.000Z",
|
|
"description": "SmokeLoader used in the Japan campaign",
|
|
"pattern": "[file:hashes.SHA256 = '3cc154a1ea3070d008c9210d31364246889a61b77ed92b733c5bf7f81e774c40' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:30:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59bf0c-5950-4f90-9596-43da950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:31:08.000Z",
|
|
"modified": "2018-07-26T12:31:08.000Z",
|
|
"description": "\u201cFaktura 2018.07.16.doc\u201d used in the Poland campaign",
|
|
"pattern": "[file:hashes.SHA256 = '045acd6de0321223ff1f1c579c03ea47a6abd32b11d01874d1723b48525c9108' AND file:name = 'Faktura 2018.07.16.doc' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:31:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59bf19-3770-40b1-aa0e-4824950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:31:21.000Z",
|
|
"modified": "2018-07-26T12:31:21.000Z",
|
|
"description": "New version of Kronos used in the Japan campaign",
|
|
"pattern": "[file:hashes.SHA256 = '3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:31:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59bf31-2514-482c-9f84-4a20950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:31:45.000Z",
|
|
"modified": "2018-07-26T12:31:45.000Z",
|
|
"description": "New version of Kronos used in the Poland campaign",
|
|
"pattern": "[file:hashes.SHA256 = 'e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:31:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59bf47-4fc4-44cc-b7bc-4967950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:32:07.000Z",
|
|
"modified": "2018-07-26T12:32:07.000Z",
|
|
"description": "New version of Kronos used in \u201cWork in progress\u201d campaign",
|
|
"pattern": "[file:hashes.SHA256 = '93590cb4e88a5f779c5b062c9ade75f9a5239cd11b3deafb749346620c5e1218' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:32:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c3d7-c760-41e4-9afd-40b7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:51:35.000Z",
|
|
"modified": "2018-07-26T12:51:35.000Z",
|
|
"pattern": "[file:name = 'agb_9415166.doc' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:51:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b59c3e9-d500-4e86-9f7f-45f3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T12:51:53.000Z",
|
|
"modified": "2018-07-26T12:51:53.000Z",
|
|
"pattern": "[file:name = 'Mahnung_9415167.doc' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T12:51:53Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--716245aa-e298-4be6-a638-f2073e0af588",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:19.000Z",
|
|
"modified": "2018-07-26T13:13:19.000Z",
|
|
"pattern": "[file:hashes.MD5 = '0248465d9edd866d7d8929af1f9685b4' AND file:hashes.SHA1 = '00135cbca3057dced3f9b6305a5645b92ba4cc0f' AND file:hashes.SHA256 = '3cc154a1ea3070d008c9210d31364246889a61b77ed92b733c5bf7f81e774c40']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T13:13:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--e3d7369a-27c2-41f0-96fc-d35aaa499890",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:18.000Z",
|
|
"modified": "2018-07-26T13:13:18.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-26T00:33:17",
|
|
"category": "Other",
|
|
"uuid": "51255631-b21f-4261-ada2-7ca685b3ed85"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/3cc154a1ea3070d008c9210d31364246889a61b77ed92b733c5bf7f81e774c40/analysis/1532565197/",
|
|
"category": "External analysis",
|
|
"uuid": "680b979e-19fc-4a05-b706-c9031fc50a65"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "51/67",
|
|
"category": "Other",
|
|
"uuid": "ade9ad59-02f1-438b-87c2-7d19be304bb6"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a2a94c03-111d-4ec9-a615-dfff35bc1a0d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:22.000Z",
|
|
"modified": "2018-07-26T13:13:22.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'a301ee7f1cdb9b1f71deda6c29bb0a32' AND file:hashes.SHA1 = '8d6bc587e3abfcfd6b4a771c85a8af90f528d2c7' AND file:hashes.SHA256 = '3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T13:13:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--823ec556-3163-4a3f-b1c2-a15ba60baee8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:20.000Z",
|
|
"modified": "2018-07-26T13:13:20.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-26T00:37:33",
|
|
"category": "Other",
|
|
"uuid": "f224913c-b4e7-49e3-9834-f4faac6a3c75"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741/analysis/1532565453/",
|
|
"category": "External analysis",
|
|
"uuid": "4fa5dab3-b72e-4426-bea1-fb759d9aa71f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "48/67",
|
|
"category": "Other",
|
|
"uuid": "b5e75892-ebc1-4a65-aa68-601fc9df3dcc"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--fb02d0e7-a2f6-4398-8968-619c6a329054",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:24.000Z",
|
|
"modified": "2018-07-26T13:13:24.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b2ddd1a228db47234dad1fb164573d82' AND file:hashes.SHA1 = '7fd8631ab719eca44457630014674a95bc431b91' AND file:hashes.SHA256 = 'bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-26T13:13:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5b3ad0ca-d0ae-4326-9bc1-889ddbafc549",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:22.000Z",
|
|
"modified": "2018-07-26T13:13:22.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-26T01:29:15",
|
|
"category": "Other",
|
|
"uuid": "dff34f97-1b1d-491b-865e-64884359e723"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d/analysis/1532568555/",
|
|
"category": "External analysis",
|
|
"uuid": "3d44fe98-1dac-4ea3-b4d9-cd70307f0786"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "35/60",
|
|
"category": "Other",
|
|
"uuid": "202c5da7-96a7-42b0-a002-f403095b9dcb"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e935fea1-ffe1-40eb-ba18-16cc432874f8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-26T13:13:26.000Z",
"modified": "2018-07-26T13:13:26.000Z",
"pattern": "[file:hashes.MD5 = 'd475c84d99c2bf461c294d75769b7707' AND file:hashes.SHA1 = 'aecaf84953641d835e7c754f559fc555169d8aec' AND file:hashes.SHA256 = '045acd6de0321223ff1f1c579c03ea47a6abd32b11d01874d1723b48525c9108']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-26T13:13:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--df90c284-e467-445b-a51e-7837ec98db7a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T13:13:25.000Z",
"modified": "2018-07-26T13:13:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-26T00:38:31",
"category": "Other",
"uuid": "5678e189-dcf2-4434-8f88-9313120fd768"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/045acd6de0321223ff1f1c579c03ea47a6abd32b11d01874d1723b48525c9108/analysis/1532565511/",
"category": "External analysis",
"uuid": "b3f70f28-c3cd-41ef-88f6-36ce3cebe80c"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "35/60",
"category": "Other",
"uuid": "77caf24b-6b28-4ed6-8d35-e773b7793f1d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2238785f-23bd-467b-b588-484fba9e78f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T13:13:29.000Z",
"modified": "2018-07-26T13:13:29.000Z",
"pattern": "[file:hashes.MD5 = '5e6764534b3a1e4d3abacc4810b6985d' AND file:hashes.SHA1 = 'f10ad287f126f577f197070453812a7e88c2cc52' AND file:hashes.SHA256 = 'e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-26T13:13:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--812d0386-43e0-4813-ac94-b8248cb565d5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T13:13:27.000Z",
"modified": "2018-07-26T13:13:27.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-26T09:13:49",
"category": "Other",
"uuid": "b1d7c0e1-f10b-43cb-ace4-1ce0276e6da5"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0/analysis/1532596429/",
"category": "External analysis",
"uuid": "63646768-523d-40d4-8ce0-4c25dd4bd7b6"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "46/66",
"category": "Other",
"uuid": "69d98df9-22d5-4184-bec4-65ab26cb4def"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dccb7ee7-e104-44bf-8971-0e90e34d244d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T13:13:31.000Z",
"modified": "2018-07-26T13:13:31.000Z",
"pattern": "[file:hashes.MD5 = '820d3fb49af10fa714c4bdd5745d865b' AND file:hashes.SHA1 = '49b42b7ed9c3db0b1a4d45e37e4a6bc2b8079ff6' AND file:hashes.SHA256 = '93590cb4e88a5f779c5b062c9ade75f9a5239cd11b3deafb749346620c5e1218']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-26T13:13:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--8b19e923-dfa2-4dab-80ee-5a291ebe7b30",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T13:13:30.000Z",
"modified": "2018-07-26T13:13:30.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-26T10:11:06",
"category": "Other",
"uuid": "5fa195bf-7dd4-44d9-afe7-37503dd49378"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/93590cb4e88a5f779c5b062c9ade75f9a5239cd11b3deafb749346620c5e1218/analysis/1532599866/",
"category": "External analysis",
"uuid": "2f69c414-6dbe-4eed-90b1-2737b06676eb"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "29/67",
"category": "Other",
"uuid": "702d3ac7-5146-4cc5-a11a-a4341696d973"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--02c92c9e-6ed0-4a26-8913-4cb0b61c6eb1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T13:13:34.000Z",
"modified": "2018-07-26T13:13:34.000Z",
"pattern": "[file:hashes.MD5 = '17903c3d83125a5fc3e3f77d8a775bfe' AND file:hashes.SHA1 = '91da487143d931e00e935245e698ea2a582871e4' AND file:hashes.SHA256 = '4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-26T13:13:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--8c660602-2e65-4d92-82c1-9a70525e6c19",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T13:13:32.000Z",
"modified": "2018-07-26T13:13:32.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-26T07:37:11",
"category": "Other",
"uuid": "34bd7968-4830-4d15-8875-ddd51c4c740f"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177/analysis/1532590631/",
"category": "External analysis",
"uuid": "fcaa4c90-8b64-40b0-89ec-57b498f2aa8b"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "41/66",
"category": "Other",
"uuid": "f3ebb8a4-7d00-49ad-ae82-0d93cb2fd3e9"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0f70a360-5625-486e-b614-40bf22b379d7",
"created": "2018-07-26T13:13:33.000Z",
"modified": "2018-07-26T13:13:33.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--716245aa-e298-4be6-a638-f2073e0af588",
"target_ref": "x-misp-object--e3d7369a-27c2-41f0-96fc-d35aaa499890"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2649cac6-5fbf-48c6-bc67-31adf3c3c920",
"created": "2018-07-26T13:13:33.000Z",
"modified": "2018-07-26T13:13:33.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--a2a94c03-111d-4ec9-a615-dfff35bc1a0d",
"target_ref": "x-misp-object--823ec556-3163-4a3f-b1c2-a15ba60baee8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bb27dcbb-f3d4-4927-b0ca-011bd47262d4",
"created": "2018-07-26T13:13:33.000Z",
"modified": "2018-07-26T13:13:33.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--fb02d0e7-a2f6-4398-8968-619c6a329054",
"target_ref": "x-misp-object--5b3ad0ca-d0ae-4326-9bc1-889ddbafc549"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--00b7a473-d823-492d-a00d-bb69e1be276b",
"created": "2018-07-26T13:13:33.000Z",
"modified": "2018-07-26T13:13:33.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--e935fea1-ffe1-40eb-ba18-16cc432874f8",
"target_ref": "x-misp-object--df90c284-e467-445b-a51e-7837ec98db7a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--47a73a04-6303-4bad-90df-4b4b4fe46e9f",
"created": "2018-07-26T13:13:33.000Z",
"modified": "2018-07-26T13:13:33.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--2238785f-23bd-467b-b588-484fba9e78f9",
"target_ref": "x-misp-object--812d0386-43e0-4813-ac94-b8248cb565d5"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--de160268-6c8a-4f6b-9523-fffaa4c6e595",
"created": "2018-07-26T13:13:33.000Z",
"modified": "2018-07-26T13:13:33.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--dccb7ee7-e104-44bf-8971-0e90e34d244d",
"target_ref": "x-misp-object--8b19e923-dfa2-4dab-80ee-5a291ebe7b30"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--03218fe6-500b-4dd1-bfb5-8fc9e1cacbbc",
"created": "2018-07-26T13:13:33.000Z",
"modified": "2018-07-26T13:13:33.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--02c92c9e-6ed0-4a26-8913-4cb0b61c6eb1",
"target_ref": "x-misp-object--8c660602-2e65-4d92-82c1-9a70525e6c19"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
} |