1294 lines
No EOL
57 KiB
JSON
1294 lines
No EOL
57 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5c38eb9d-a470-4466-8aa5-461802de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:34:14.000Z",
|
|
"modified": "2019-01-11T19:34:14.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5c38eb9d-a470-4466-8aa5-461802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:34:14.000Z",
|
|
"modified": "2019-01-11T19:34:14.000Z",
|
|
"name": "ServHelper and FlawedGrace - New malware introduced by TA505",
|
|
"published": "2019-01-11T19:35:09Z",
|
|
"object_refs": [
|
|
"observed-data--5c38ebb5-2b1c-43f9-b582-4ce402de0b81",
|
|
"url--5c38ebb5-2b1c-43f9-b582-4ce402de0b81",
|
|
"x-misp-attribute--5c38ebd9-1e0c-47f9-b3de-4e5f02de0b81",
|
|
"indicator--5c38ec28-4288-404a-8d79-409502de0b81",
|
|
"indicator--5c38ec29-ca90-4d61-b587-483402de0b81",
|
|
"indicator--5c38ec29-cbcc-426b-a112-479a02de0b81",
|
|
"indicator--5c38ec81-8114-453f-a76f-462c02de0b81",
|
|
"indicator--5c38ec82-7328-43ae-a83c-4e0d02de0b81",
|
|
"indicator--5c38ec84-6238-4587-a4c2-47e802de0b81",
|
|
"indicator--5c38ecc6-ad9c-4c16-8b57-406702de0b81",
|
|
"indicator--5c38ecc7-3d94-48ef-86dd-4af602de0b81",
|
|
"indicator--5c38ecc8-9afc-4b51-a387-462b02de0b81",
|
|
"indicator--5c38ed48-9170-4e7a-9c80-457902de0b81",
|
|
"indicator--5c38ed49-f930-49d8-a74d-479002de0b81",
|
|
"indicator--5c38ed4b-94a4-4a0a-99ed-493702de0b81",
|
|
"indicator--5c38ed4c-1850-4b83-acff-41a902de0b81",
|
|
"indicator--5c38ed4d-4cfc-4dcb-9589-426502de0b81",
|
|
"indicator--5c38ed4e-a218-45c1-8b89-417302de0b81",
|
|
"indicator--5c38ed7b-e224-4af8-9dc7-42ee02de0b81",
|
|
"indicator--5c38ed7c-9934-48fb-bd11-468502de0b81",
|
|
"indicator--5c38ed7c-c294-4a13-8ca0-4a6c02de0b81",
|
|
"indicator--5c38ed7d-78a4-4209-9d86-487802de0b81",
|
|
"indicator--5c38ed7d-5044-42a1-ad79-448802de0b81",
|
|
"indicator--5c38eda9-e79c-4d21-81f8-f12202de0b81",
|
|
"indicator--5c38edaa-4f38-4119-9419-f12202de0b81",
|
|
"indicator--93f50fcd-264a-4734-b4c0-bfec7f37860f",
|
|
"x-misp-object--42ba88bf-bca8-4ff2-b33d-d23ce9877340",
|
|
"indicator--c14e45cb-8dfc-4140-b541-135402f6af96",
|
|
"x-misp-object--7d6c516a-90e2-4597-9b08-c10fa4cd2a81",
|
|
"indicator--35fdb030-5cd9-4621-b76c-2dfab467bc3b",
|
|
"x-misp-object--c8cbc23d-0f33-4643-977f-fe2fd3da8a19",
|
|
"indicator--0d6c7429-1495-4d3f-bfe1-d3834a273606",
|
|
"x-misp-object--9dd16ec7-f062-459f-968c-c5bb43d3a327",
|
|
"indicator--dc0e2eae-79dc-496c-8e6f-51c6a3f7b419",
|
|
"x-misp-object--8d3be9f6-584f-4b1d-bfbf-c9dff2c08ad7",
|
|
"indicator--9e493185-b642-4a33-9cc1-0b141391605d",
|
|
"x-misp-object--6624c405-ed32-4075-9501-29967d631716",
|
|
"indicator--40d64a11-4524-4a53-b736-9326233a65d9",
|
|
"x-misp-object--6a7c6829-6213-4f4a-9141-eb2394cd32a7",
|
|
"indicator--4170ad0b-e0f8-4246-8505-63d85a0e84bd",
|
|
"x-misp-object--8d4ff865-dbce-44b3-86ac-0e461519ea20",
|
|
"indicator--6ef8a2ea-6ae3-4fa0-afe7-bdb2e9607a56",
|
|
"x-misp-object--027e06a2-ba9d-4604-9a8d-5230c140eae8",
|
|
"relationship--89e136dd-db4a-4c06-bdaa-ce70d4d39715",
|
|
"relationship--677e52c4-b381-404b-b887-87b0cca37c4f",
|
|
"relationship--da6ab043-6b3b-4739-97f1-44aa21dfe915",
|
|
"relationship--074ff62d-3d98-4e51-ad77-c0b566c23fca",
|
|
"relationship--0c822c3a-9a81-4f83-af41-cfed6bbc4556",
|
|
"relationship--5de76799-ac18-4aad-bb24-182a88b8f460",
|
|
"relationship--a47d3d34-0167-4848-9cec-875067bdf9d4",
|
|
"relationship--bf2596c2-7147-4750-8458-7c78a16a2e9e",
|
|
"relationship--598354a1-fe07-4ce9-9705-eb1867cc047f"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c38ebb5-2b1c-43f9-b582-4ce402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:17:09.000Z",
|
|
"modified": "2019-01-11T19:17:09.000Z",
|
|
"first_observed": "2019-01-11T19:17:09Z",
|
|
"last_observed": "2019-01-11T19:17:09Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5c38ebb5-2b1c-43f9-b582-4ce402de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5c38ebb5-2b1c-43f9-b582-4ce402de0b81",
|
|
"value": "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5c38ebd9-1e0c-47f9-b3de-4e5f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:17:45.000Z",
|
|
"modified": "2019-01-11T19:17:45.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "For much of 2018, we observed threat actors increasingly distributing downloaders, backdoors, information stealers, remote access Trojans (RATs), and more as they abandoned ransomware as their primary payload. In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing a new backdoor we named \u00e2\u20ac\u0153ServHelper\u00e2\u20ac\u009d. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader. Additionally we have observed the downloader variant download a malware we call \u00e2\u20ac\u0153FlawedGrace.\u00e2\u20ac\u009d FlawedGrace is a full-featured RAT that we first observed in November 2017. TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families. This targeting falls in line with other activity we reported earlier in 2018.[1] [2]"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ec28-4288-404a-8d79-409502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:19:04.000Z",
|
|
"modified": "2019-01-11T19:19:04.000Z",
|
|
"description": "November 9 \u00e2\u20ac\u0153Tunnel\u00e2\u20ac\u009d campaign attachment",
|
|
"pattern": "[file:hashes.SHA256 = '52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:19:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ec29-ca90-4d61-b587-483402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:19:05.000Z",
|
|
"modified": "2019-01-11T19:19:05.000Z",
|
|
"description": "November 9 \u00e2\u20ac\u0153Tunnel\u00e2\u20ac\u009d campaign payload",
|
|
"pattern": "[url:value = 'http://officemysuppbox.com/staterepository']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:19:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ec29-cbcc-426b-a112-479a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:19:05.000Z",
|
|
"modified": "2019-01-11T19:19:05.000Z",
|
|
"description": "November 9 \u00e2\u20ac\u0153Tunnel\u00e2\u20ac\u009d campaign ServHelper",
|
|
"pattern": "[file:hashes.SHA256 = '1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:19:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ec81-8114-453f-a76f-462c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:20:33.000Z",
|
|
"modified": "2019-01-11T19:20:33.000Z",
|
|
"description": "November 9 \u00e2\u20ac\u0153Tunnel\u00e2\u20ac\u009d campaign ServHelper C&C",
|
|
"pattern": "[url:value = 'https://checksolutions.pw/ghuae/huadh.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:20:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ec82-7328-43ae-a83c-4e0d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:20:34.000Z",
|
|
"modified": "2019-01-11T19:20:34.000Z",
|
|
"description": "November 9 \u00e2\u20ac\u0153Tunnel\u00e2\u20ac\u009d campaign ServHelper C&C",
|
|
"pattern": "[url:value = 'https://rgoianrdfa.pw/ghuae/huadh.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:20:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ec84-6238-4587-a4c2-47e802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:20:36.000Z",
|
|
"modified": "2019-01-11T19:20:36.000Z",
|
|
"description": "November 9 \u00e2\u20ac\u0153Tunnel\u00e2\u20ac\u009d campaign ServHelper C&C",
|
|
"pattern": "[url:value = 'https://arhidsfderm.pw/ghuae/huadh.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:20:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ecc6-ad9c-4c16-8b57-406702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:21:42.000Z",
|
|
"modified": "2019-01-11T19:21:42.000Z",
|
|
"description": "November 15 \u00e2\u20ac\u0153Downloader\u00e2\u20ac\u009d campaign attachment",
|
|
"pattern": "[file:hashes.SHA256 = 'eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:21:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ecc7-3d94-48ef-86dd-4af602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:21:43.000Z",
|
|
"modified": "2019-01-11T19:21:43.000Z",
|
|
"description": "November 15 \u00e2\u20ac\u0153Downloader\u00e2\u20ac\u009d campaign payload",
|
|
"pattern": "[url:value = 'http://offficebox.com/host32']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:21:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ecc8-9afc-4b51-a387-462b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:21:44.000Z",
|
|
"modified": "2019-01-11T19:21:44.000Z",
|
|
"description": "November 15 \u00e2\u20ac\u0153Downloader\u00e2\u20ac\u009d campaign ServHelper",
|
|
"pattern": "[file:hashes.SHA256 = '3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:21:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed48-9170-4e7a-9c80-457902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:23:52.000Z",
|
|
"modified": "2019-01-11T19:23:52.000Z",
|
|
"description": "December 13 \u00e2\u20ac\u0153FlawedGrace\u00e2\u20ac\u009d campaign attachment",
|
|
"pattern": "[file:hashes.SHA256 = 'f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:23:52Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed49-f930-49d8-a74d-479002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:23:53.000Z",
|
|
"modified": "2019-01-11T19:23:53.000Z",
|
|
"description": "December 13 \u00e2\u20ac\u0153FlawedGrace\u00e2\u20ac\u009d campaign payload",
|
|
"pattern": "[url:value = 'http://office365onlinehome.com/host32']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:23:53Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed4b-94a4-4a0a-99ed-493702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:23:55.000Z",
|
|
"modified": "2019-01-11T19:23:55.000Z",
|
|
"description": "December 13 \u00e2\u20ac\u0153FlawedGrace\u00e2\u20ac\u009d campaign ServHelper",
|
|
"pattern": "[file:hashes.SHA256 = 'd56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:23:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed4c-1850-4b83-acff-41a902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:23:56.000Z",
|
|
"modified": "2019-01-11T19:23:56.000Z",
|
|
"description": "December 13 \u00e2\u20ac\u0153FlawedGrace\u00e2\u20ac\u009d campaign ServHelper C&C",
|
|
"pattern": "[url:value = 'https://afgdhjkrm.pw/aggdst/Hasrt.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:23:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed4d-4cfc-4dcb-9589-426502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:23:57.000Z",
|
|
"modified": "2019-01-11T19:23:57.000Z",
|
|
"description": "December 13 \u00e2\u20ac\u0153FlawedGrace\u00e2\u20ac\u009d campaign FlawedGrace",
|
|
"pattern": "[file:hashes.SHA256 = 'efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:23:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed4e-a218-45c1-8b89-417302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:23:58.000Z",
|
|
"modified": "2019-01-11T19:23:58.000Z",
|
|
"description": "On port 443 - December 13 \u00e2\u20ac\u0153FlawedGrace\u00e2\u20ac\u009d campaign FlawedGrace C&C",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.161.27.241' AND network-traffic:dst_port = '443']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:23:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed7b-e224-4af8-9dc7-42ee02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:24:43.000Z",
|
|
"modified": "2019-01-11T19:24:43.000Z",
|
|
"description": "\u00e2\u20ac\u0153sethijack\u00e2\u20ac\u009d command ServHelper",
|
|
"pattern": "[file:hashes.SHA256 = '9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:24:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed7c-9934-48fb-bd11-468502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:24:44.000Z",
|
|
"modified": "2019-01-11T19:24:44.000Z",
|
|
"description": "\u00e2\u20ac\u0153sethijack\u00e2\u20ac\u009d command ServHelper",
|
|
"pattern": "[url:value = 'http://dedsolutions.bit/sav/s.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:24:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed7c-c294-4a13-8ca0-4a6c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:24:44.000Z",
|
|
"modified": "2019-01-11T19:24:44.000Z",
|
|
"description": "\u00e2\u20ac\u0153sethijack\u00e2\u20ac\u009d command ServHelper",
|
|
"pattern": "[url:value = 'http://dedoshop.pw/sav/s.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:24:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed7d-78a4-4209-9d86-487802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:24:45.000Z",
|
|
"modified": "2019-01-11T19:24:45.000Z",
|
|
"description": "\u00e2\u20ac\u0153sethijack\u00e2\u20ac\u009d command ServHelper",
|
|
"pattern": "[url:value = 'http://asgaage.pw/sav/s.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:24:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38ed7d-5044-42a1-ad79-448802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:24:45.000Z",
|
|
"modified": "2019-01-11T19:24:45.000Z",
|
|
"description": "\u00e2\u20ac\u0153sethijack\u00e2\u20ac\u009d command ServHelper",
|
|
"pattern": "[url:value = 'http://sghee.pw/sav/s.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:24:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38eda9-e79c-4d21-81f8-f12202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:25:29.000Z",
|
|
"modified": "2019-01-11T19:25:29.000Z",
|
|
"description": "\u00e2\u20ac\u0153loaddll\u00e2\u20ac\u009d command ServHelper",
|
|
"pattern": "[file:hashes.SHA256 = 'a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:25:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c38edaa-4f38-4119-9419-f12202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:25:30.000Z",
|
|
"modified": "2019-01-11T19:25:30.000Z",
|
|
"description": "\u00e2\u20ac\u0153loaddll\u00e2\u20ac\u009d command ServHelper",
|
|
"pattern": "[url:value = 'https://vesecase.com/support/form.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:25:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--93f50fcd-264a-4734-b4c0-bfec7f37860f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:43.000Z",
|
|
"modified": "2019-01-11T19:33:43.000Z",
|
|
"pattern": "[file:hashes.MD5 = '4b9054475ff9aa15be35b42264715354' AND file:hashes.SHA1 = 'a088dfaee1779878353a1dc347a91a892e5dfd74' AND file:hashes.SHA256 = 'efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:33:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--42ba88bf-bca8-4ff2-b33d-d23ce9877340",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:44.000Z",
|
|
"modified": "2019-01-11T19:33:44.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T18:46:42",
|
|
"category": "Other",
|
|
"uuid": "8a72aaeb-4f03-47e2-a3e4-adb505a7051b"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74/analysis/1547232402/",
|
|
"category": "External analysis",
|
|
"uuid": "7156ecf8-44d3-4ea7-b9ea-f06a090614d6"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "27/63",
|
|
"category": "Other",
|
|
"uuid": "08a7810c-0763-4997-b152-80ddfc699815"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c14e45cb-8dfc-4140-b541-135402f6af96",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:45.000Z",
|
|
"modified": "2019-01-11T19:33:45.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'daf7d35eeed3058c821bde464913f9ca' AND file:hashes.SHA1 = 'e2c8cb0d6a89b995a9ec77b2838863c08e33d6a5' AND file:hashes.SHA256 = '9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:33:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--7d6c516a-90e2-4597-9b08-c10fa4cd2a81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:47.000Z",
|
|
"modified": "2019-01-11T19:33:47.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T09:15:15",
|
|
"category": "Other",
|
|
"uuid": "589de291-5218-445f-8af9-6b3e8e0d4cf1"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579/analysis/1547198115/",
|
|
"category": "External analysis",
|
|
"uuid": "e9665877-4b83-4dcb-b524-c1ec6348aaa3"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "43/68",
|
|
"category": "Other",
|
|
"uuid": "0a6d3f73-b8f8-4f65-90ca-e98976f2b898"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--35fdb030-5cd9-4621-b76c-2dfab467bc3b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:48.000Z",
|
|
"modified": "2019-01-11T19:33:48.000Z",
|
|
"pattern": "[file:hashes.MD5 = '5cd4aecb962528166ad1a0b72f675c44' AND file:hashes.SHA1 = '1242dc4d1ece26ef15dc3bdb8ed13e8b04d6a178' AND file:hashes.SHA256 = '1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:33:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--c8cbc23d-0f33-4643-977f-fe2fd3da8a19",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:50.000Z",
|
|
"modified": "2019-01-11T19:33:50.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T09:32:27",
|
|
"category": "Other",
|
|
"uuid": "c41b5480-eac8-4ba5-b286-a39a2b93b45a"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8/analysis/1547199147/",
|
|
"category": "External analysis",
|
|
"uuid": "5e9a3b2e-2b50-4563-9093-17602afa0130"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "43/69",
|
|
"category": "Other",
|
|
"uuid": "69071e5c-1be3-4edf-b07b-f87e150428b7"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0d6c7429-1495-4d3f-bfe1-d3834a273606",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:51.000Z",
|
|
"modified": "2019-01-11T19:33:51.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'db0b9554ef0c4b3004c2cdb43a9fb020' AND file:hashes.SHA1 = '2f760f967f042827cda567fa07713371d746aa11' AND file:hashes.SHA256 = '52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:33:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--9dd16ec7-f062-459f-968c-c5bb43d3a327",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:52.000Z",
|
|
"modified": "2019-01-11T19:33:52.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T09:02:13",
|
|
"category": "Other",
|
|
"uuid": "d4da3848-cf16-4df4-9301-83f9b703e5a0"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c/analysis/1547197333/",
|
|
"category": "External analysis",
|
|
"uuid": "75d2b444-f984-4e6b-b32b-5f6588f4eb5c"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "37/58",
|
|
"category": "Other",
|
|
"uuid": "1d1f3b46-6c15-4450-9871-039ddc29078f"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--dc0e2eae-79dc-496c-8e6f-51c6a3f7b419",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:53.000Z",
|
|
"modified": "2019-01-11T19:33:53.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'a6563a927d925b1231deaa090403bc9a' AND file:hashes.SHA1 = 'e501be071953aa308faad656cfa2d73a3902d8a4' AND file:hashes.SHA256 = 'a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:33:53Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--8d3be9f6-584f-4b1d-bfbf-c9dff2c08ad7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:55.000Z",
|
|
"modified": "2019-01-11T19:33:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T09:12:29",
|
|
"category": "Other",
|
|
"uuid": "d0f5ecbe-6c20-4b4d-8170-ba4e93d94ebb"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549/analysis/1547197949/",
|
|
"category": "External analysis",
|
|
"uuid": "cb9a7cb0-5e67-4e8d-a706-4ea332ac156e"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "30/70",
|
|
"category": "Other",
|
|
"uuid": "8c082351-3562-4c7e-b5bf-057e81fad3da"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9e493185-b642-4a33-9cc1-0b141391605d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:56.000Z",
|
|
"modified": "2019-01-11T19:33:56.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'bf4ea62bb7117b1d5f31873c84a95f5a' AND file:hashes.SHA1 = '3fc7d7f1d47b2ac971d778f580cf64a112127aa9' AND file:hashes.SHA256 = 'f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:33:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--6624c405-ed32-4075-9501-29967d631716",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:57.000Z",
|
|
"modified": "2019-01-11T19:33:57.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T10:52:12",
|
|
"category": "Other",
|
|
"uuid": "f70d9f53-8238-4721-9518-5eddacb58d1b"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac/analysis/1547203932/",
|
|
"category": "External analysis",
|
|
"uuid": "d34102bb-440b-4393-b738-9ae187d0fefe"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "9/58",
|
|
"category": "Other",
|
|
"uuid": "b35598ba-ea92-4b89-97ae-fe5379e4a3f7"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--40d64a11-4524-4a53-b736-9326233a65d9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:33:58.000Z",
|
|
"modified": "2019-01-11T19:33:58.000Z",
|
|
"pattern": "[file:hashes.MD5 = '0f459932b21d0c6dfcc199951058c0a5' AND file:hashes.SHA1 = '9ff00fe5f0921a6a591b7db3a1838834348e123d' AND file:hashes.SHA256 = '3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:33:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--6a7c6829-6213-4f4a-9141-eb2394cd32a7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:34:01.000Z",
|
|
"modified": "2019-01-11T19:34:01.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T09:13:28",
|
|
"category": "Other",
|
|
"uuid": "a508cd3f-eb30-450e-82ea-6eac3d988f84"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a/analysis/1547198008/",
|
|
"category": "External analysis",
|
|
"uuid": "7138648d-6ba2-4f2d-aeca-1fe74de7801e"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "40/70",
|
|
"category": "Other",
|
|
"uuid": "5466e6ec-78e0-4762-bb46-3112333840a2"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--4170ad0b-e0f8-4246-8505-63d85a0e84bd",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:34:03.000Z",
|
|
"modified": "2019-01-11T19:34:03.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b811a63eaa3f6a76d4176a64655c086f' AND file:hashes.SHA1 = '45f3b9f49d4c680de6fdede99427289a11317aa0' AND file:hashes.SHA256 = 'eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:34:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--8d4ff865-dbce-44b3-86ac-0e461519ea20",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:34:07.000Z",
|
|
"modified": "2019-01-11T19:34:07.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T09:09:08",
|
|
"category": "Other",
|
|
"uuid": "c6f3b4ea-17b4-4132-99eb-5bcbd85146db"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4/analysis/1547197748/",
|
|
"category": "External analysis",
|
|
"uuid": "5c4776a4-dbe9-4950-8a7e-81a4f9519100"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "35/58",
|
|
"category": "Other",
|
|
"uuid": "832ae984-cfdb-4ba3-a7d7-ce24471b9b48"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--6ef8a2ea-6ae3-4fa0-afe7-bdb2e9607a56",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:34:10.000Z",
|
|
"modified": "2019-01-11T19:34:10.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'c4a201a6f5e07136923f824bda4cd54f' AND file:hashes.SHA1 = 'a0bcdb0ce8999bfb75723236e15e4f557a784743' AND file:hashes.SHA256 = 'd56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-11T19:34:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--027e06a2-ba9d-4604-9a8d-5230c140eae8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-11T19:34:14.000Z",
|
|
"modified": "2019-01-11T19:34:14.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-11T10:52:31",
|
|
"category": "Other",
|
|
"uuid": "73a12bc5-bfd2-4c6d-b138-4b6258f0dd17"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58/analysis/1547203951/",
|
|
"category": "External analysis",
|
|
"uuid": "c043dc85-8fc5-4e39-abd0-c8237f97d111"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "33/69",
|
|
"category": "Other",
|
|
"uuid": "9213d232-6ae9-4629-8593-4d493d7007ac"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--89e136dd-db4a-4c06-bdaa-ce70d4d39715",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--93f50fcd-264a-4734-b4c0-bfec7f37860f",
|
|
"target_ref": "x-misp-object--42ba88bf-bca8-4ff2-b33d-d23ce9877340"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--677e52c4-b381-404b-b887-87b0cca37c4f",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--c14e45cb-8dfc-4140-b541-135402f6af96",
|
|
"target_ref": "x-misp-object--7d6c516a-90e2-4597-9b08-c10fa4cd2a81"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--da6ab043-6b3b-4739-97f1-44aa21dfe915",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--35fdb030-5cd9-4621-b76c-2dfab467bc3b",
|
|
"target_ref": "x-misp-object--c8cbc23d-0f33-4643-977f-fe2fd3da8a19"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--074ff62d-3d98-4e51-ad77-c0b566c23fca",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--0d6c7429-1495-4d3f-bfe1-d3834a273606",
|
|
"target_ref": "x-misp-object--9dd16ec7-f062-459f-968c-c5bb43d3a327"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--0c822c3a-9a81-4f83-af41-cfed6bbc4556",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--dc0e2eae-79dc-496c-8e6f-51c6a3f7b419",
|
|
"target_ref": "x-misp-object--8d3be9f6-584f-4b1d-bfbf-c9dff2c08ad7"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--5de76799-ac18-4aad-bb24-182a88b8f460",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--9e493185-b642-4a33-9cc1-0b141391605d",
|
|
"target_ref": "x-misp-object--6624c405-ed32-4075-9501-29967d631716"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--a47d3d34-0167-4848-9cec-875067bdf9d4",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--40d64a11-4524-4a53-b736-9326233a65d9",
|
|
"target_ref": "x-misp-object--6a7c6829-6213-4f4a-9141-eb2394cd32a7"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--bf2596c2-7147-4750-8458-7c78a16a2e9e",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--4170ad0b-e0f8-4246-8505-63d85a0e84bd",
|
|
"target_ref": "x-misp-object--8d4ff865-dbce-44b3-86ac-0e461519ea20"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--598354a1-fe07-4ce9-9705-eb1867cc047f",
|
|
"created": "2019-01-11T19:34:17.000Z",
|
|
"modified": "2019-01-11T19:34:17.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--6ef8a2ea-6ae3-4fa0-afe7-bdb2e9607a56",
|
|
"target_ref": "x-misp-object--027e06a2-ba9d-4604-9a8d-5230c140eae8"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |