4197 lines
No EOL
181 KiB
JSON
4197 lines
No EOL
181 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--57fddaac-da34-43f7-8844-4430950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T08:17:28.000Z",
|
|
"modified": "2016-10-12T08:17:28.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--57fddaac-da34-43f7-8844-4430950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T08:17:28.000Z",
|
|
"modified": "2016-10-12T08:17:28.000Z",
|
|
"name": "OSINT - Odinaff: New Trojan used in high level financial attacks",
|
|
"published": "2016-10-12T08:17:36Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--57fdde4c-94e0-4df7-9483-4fdd950d210f",
|
|
"indicator--57fddf71-e4ec-4761-8086-400b950d210f",
|
|
"indicator--57fddf71-2ce0-462d-852c-4e0d950d210f",
|
|
"indicator--57fddf72-00e8-4312-ad2c-4bfc950d210f",
|
|
"indicator--57fddf72-bd10-4bb0-be12-4adc950d210f",
|
|
"indicator--57fddf72-8ed0-4368-9e0d-4786950d210f",
|
|
"indicator--57fddf73-9810-4caf-bab9-46cb950d210f",
|
|
"indicator--57fddf73-b1e8-4def-a8d0-4c34950d210f",
|
|
"indicator--57fddf73-97d8-4718-8a0c-47cc950d210f",
|
|
"indicator--57fddf73-0274-4cf4-b03c-4d63950d210f",
|
|
"indicator--57fddf73-7e40-48f5-bd90-4c79950d210f",
|
|
"indicator--57fddf74-ee28-401a-907f-4315950d210f",
|
|
"indicator--57fddf74-fed0-4b1d-8c2b-4f80950d210f",
|
|
"indicator--57fddf74-3950-4cc8-bc10-4885950d210f",
|
|
"indicator--57fddf74-7e44-4216-b895-4fad950d210f",
|
|
"indicator--57fddf74-fa54-4bf6-8241-4e2b950d210f",
|
|
"indicator--57fddf75-8ed8-476b-a1ba-4efa950d210f",
|
|
"indicator--57fddf75-7f04-48c7-9149-4cf9950d210f",
|
|
"indicator--57fddf75-1558-4803-a029-4df3950d210f",
|
|
"indicator--57fddf75-851c-445b-a531-46e5950d210f",
|
|
"indicator--57fddf75-3320-44fd-b747-4602950d210f",
|
|
"indicator--57fddf76-472c-4d24-a2f2-48ce950d210f",
|
|
"indicator--57fddf76-62b4-4241-88d4-468d950d210f",
|
|
"indicator--57fddf76-e494-4a66-a49b-499d950d210f",
|
|
"indicator--57fddf76-32bc-41f0-95d7-4d41950d210f",
|
|
"indicator--57fddf76-2254-458f-8a93-4dd3950d210f",
|
|
"indicator--57fddf77-e278-4d41-acd7-4438950d210f",
|
|
"indicator--57fddf77-b6a4-4dfc-b0d2-4a3b950d210f",
|
|
"indicator--57fddf77-07d0-47b7-b171-4889950d210f",
|
|
"indicator--57fddf77-ea98-44df-aeba-4e5b950d210f",
|
|
"indicator--57fddf78-3230-485d-b5be-49e3950d210f",
|
|
"indicator--57fddf78-53cc-4c39-ac80-44ee950d210f",
|
|
"indicator--57fddf78-4154-4ea6-8878-4590950d210f",
|
|
"indicator--57fddf78-7570-4b7a-8b6a-47dc950d210f",
|
|
"indicator--57fddf78-0db0-476d-845b-4fc5950d210f",
|
|
"indicator--57fddf79-a820-43b1-b9a4-4105950d210f",
|
|
"indicator--57fddf79-1288-4be7-b3c2-482d950d210f",
|
|
"indicator--57fddf79-6e6c-420b-bc38-4557950d210f",
|
|
"indicator--57fddf79-601c-414f-93e6-4700950d210f",
|
|
"indicator--57fddf79-2608-4a83-ba00-4392950d210f",
|
|
"indicator--57fddf7a-5db0-4d77-af58-4c17950d210f",
|
|
"indicator--57fddf7a-e494-44b1-9a11-4027950d210f",
|
|
"indicator--57fddf7a-ac7c-4bae-ba07-4ffd950d210f",
|
|
"x-misp-attribute--57fddfe1-51bc-4ff5-95e2-4932950d210f",
|
|
"indicator--57fde03d-56a4-47cc-84e9-441402de0b81",
|
|
"indicator--57fde03d-41a4-43cf-846d-42c802de0b81",
|
|
"observed-data--57fde03d-11bc-4656-a0c7-40da02de0b81",
|
|
"url--57fde03d-11bc-4656-a0c7-40da02de0b81",
|
|
"indicator--57fde03d-dc60-4ac4-86d6-453902de0b81",
|
|
"indicator--57fde03d-c4e4-496c-b206-4fd702de0b81",
|
|
"observed-data--57fde03e-68ec-408d-9fa0-47e302de0b81",
|
|
"url--57fde03e-68ec-408d-9fa0-47e302de0b81",
|
|
"indicator--57fde03e-f658-4a2f-b63a-44dd02de0b81",
|
|
"indicator--57fde03e-c798-42c0-b509-471a02de0b81",
|
|
"observed-data--57fde03e-7dac-497a-8d15-47c502de0b81",
|
|
"url--57fde03e-7dac-497a-8d15-47c502de0b81",
|
|
"indicator--57fde03e-9fd4-4395-a7d0-462202de0b81",
|
|
"indicator--57fde03f-d4c0-4eb4-b5ef-4e1702de0b81",
|
|
"observed-data--57fde03f-bc70-4d3b-b7b2-4a0702de0b81",
|
|
"url--57fde03f-bc70-4d3b-b7b2-4a0702de0b81",
|
|
"indicator--57fde03f-faa0-40ef-95ed-478602de0b81",
|
|
"indicator--57fde03f-7d30-43df-b4f5-441d02de0b81",
|
|
"observed-data--57fde03f-0794-4278-b254-45a302de0b81",
|
|
"url--57fde03f-0794-4278-b254-45a302de0b81",
|
|
"indicator--57fde040-c7e0-42cc-94ce-4df602de0b81",
|
|
"indicator--57fde040-e520-47ba-88f8-457e02de0b81",
|
|
"observed-data--57fde040-d378-4048-8ab0-447302de0b81",
|
|
"url--57fde040-d378-4048-8ab0-447302de0b81",
|
|
"indicator--57fde040-6648-439f-a4f6-4c7c02de0b81",
|
|
"indicator--57fde040-9ab0-4352-a9ee-456e02de0b81",
|
|
"observed-data--57fde041-004c-456d-ad30-4c1e02de0b81",
|
|
"url--57fde041-004c-456d-ad30-4c1e02de0b81",
|
|
"indicator--57fde041-0b0c-45d0-a8f0-441e02de0b81",
|
|
"indicator--57fde041-91c8-4069-9478-4e6902de0b81",
|
|
"observed-data--57fde041-4d38-4251-b2a1-48da02de0b81",
|
|
"url--57fde041-4d38-4251-b2a1-48da02de0b81",
|
|
"indicator--57fde042-da1c-4301-9d13-4bd002de0b81",
|
|
"indicator--57fde042-4bb0-4bd0-8f3c-406e02de0b81",
|
|
"observed-data--57fde042-8a74-4daf-88b4-4a9302de0b81",
|
|
"url--57fde042-8a74-4daf-88b4-4a9302de0b81",
|
|
"indicator--57fde042-de18-4a5f-a7cd-4aa202de0b81",
|
|
"indicator--57fde042-7dbc-4fa3-b2fb-49ed02de0b81",
|
|
"observed-data--57fde043-9b48-46e6-8323-486e02de0b81",
|
|
"url--57fde043-9b48-46e6-8323-486e02de0b81",
|
|
"indicator--57fde043-32ec-4f9f-b57c-440f02de0b81",
|
|
"indicator--57fde043-bea4-42bf-a355-4d5b02de0b81",
|
|
"observed-data--57fde043-0c68-49a0-a4c1-490702de0b81",
|
|
"url--57fde043-0c68-49a0-a4c1-490702de0b81",
|
|
"indicator--57fde043-eec0-4763-b546-45cb02de0b81",
|
|
"indicator--57fde044-c49c-4684-bc39-4e6002de0b81",
|
|
"observed-data--57fde044-6f74-4d4d-b8d4-465502de0b81",
|
|
"url--57fde044-6f74-4d4d-b8d4-465502de0b81",
|
|
"indicator--57fde044-d460-4adc-87fc-45bd02de0b81",
|
|
"indicator--57fde044-f26c-45eb-b08d-421a02de0b81",
|
|
"observed-data--57fde044-1498-4ac3-892c-487202de0b81",
|
|
"url--57fde044-1498-4ac3-892c-487202de0b81",
|
|
"indicator--57fde045-4624-4119-93fc-4b1e02de0b81",
|
|
"indicator--57fde045-5bc4-417e-bf93-4b5102de0b81",
|
|
"observed-data--57fde045-1870-433d-b771-496002de0b81",
|
|
"url--57fde045-1870-433d-b771-496002de0b81",
|
|
"indicator--57fde045-7b84-43b7-9cdb-4d4d02de0b81",
|
|
"indicator--57fde046-dd9c-4d99-bb17-45c302de0b81",
|
|
"observed-data--57fde046-5dac-4442-bc23-465902de0b81",
|
|
"url--57fde046-5dac-4442-bc23-465902de0b81",
|
|
"indicator--57fde046-245c-44eb-a7c2-495302de0b81",
|
|
"indicator--57fde046-dbb4-4fbf-ac48-425502de0b81",
|
|
"observed-data--57fde046-0f18-4adc-9b70-497e02de0b81",
|
|
"url--57fde046-0f18-4adc-9b70-497e02de0b81",
|
|
"indicator--57fde047-2214-4122-a2d7-421502de0b81",
|
|
"indicator--57fde047-298c-4606-9bd9-49f602de0b81",
|
|
"observed-data--57fde047-eca0-4e14-ab3c-40d502de0b81",
|
|
"url--57fde047-eca0-4e14-ab3c-40d502de0b81",
|
|
"indicator--57fde047-f254-4d6d-9372-4e1402de0b81",
|
|
"indicator--57fde047-e070-44de-8bf2-4bd302de0b81",
|
|
"observed-data--57fde048-0e48-4f1d-96a8-4f4502de0b81",
|
|
"url--57fde048-0e48-4f1d-96a8-4f4502de0b81",
|
|
"indicator--57fde048-ddb8-4cbf-ba19-495c02de0b81",
|
|
"indicator--57fde048-617c-4542-a355-4fae02de0b81",
|
|
"observed-data--57fde048-bb20-4954-b4a7-44ed02de0b81",
|
|
"url--57fde048-bb20-4954-b4a7-44ed02de0b81",
|
|
"indicator--57fde048-1490-42b6-842b-4bc702de0b81",
|
|
"indicator--57fde049-51f4-4881-b4a8-4ef202de0b81",
|
|
"observed-data--57fde049-8418-4226-8a72-414002de0b81",
|
|
"url--57fde049-8418-4226-8a72-414002de0b81",
|
|
"indicator--57fde049-7ef4-4fff-bc00-465502de0b81",
|
|
"indicator--57fde049-8b1c-4430-9e25-4ab002de0b81",
|
|
"observed-data--57fde04a-b590-4ec7-8adf-48a702de0b81",
|
|
"url--57fde04a-b590-4ec7-8adf-48a702de0b81",
|
|
"indicator--57fde04a-ec90-4ccf-87cc-473202de0b81",
|
|
"indicator--57fde04a-44b8-44ac-ac79-483102de0b81",
|
|
"observed-data--57fde04a-dac8-4b85-94e4-4fe702de0b81",
|
|
"url--57fde04a-dac8-4b85-94e4-4fe702de0b81",
|
|
"indicator--57fde04a-fcb0-4068-9015-451c02de0b81",
|
|
"indicator--57fde04b-f598-4f22-841d-448702de0b81",
|
|
"observed-data--57fde04b-73c4-4483-aef6-4f8f02de0b81",
|
|
"url--57fde04b-73c4-4483-aef6-4f8f02de0b81",
|
|
"indicator--57fde04b-4044-4d59-af0a-4bb302de0b81",
|
|
"indicator--57fde04b-1ea0-4353-89b5-4b2a02de0b81",
|
|
"observed-data--57fde04b-b4bc-4471-bfbc-4ee602de0b81",
|
|
"url--57fde04b-b4bc-4471-bfbc-4ee602de0b81",
|
|
"indicator--57fde04c-4188-4ef7-9927-488b02de0b81",
|
|
"indicator--57fde04c-bad0-4e18-90b3-427a02de0b81",
|
|
"observed-data--57fde04c-6ab8-4daf-9e46-4dc402de0b81",
|
|
"url--57fde04c-6ab8-4daf-9e46-4dc402de0b81",
|
|
"indicator--57fde04c-a668-442d-aa27-48a202de0b81",
|
|
"indicator--57fde04c-35ec-4314-8b01-409702de0b81",
|
|
"observed-data--57fde04d-7008-4a76-a1e5-461102de0b81",
|
|
"url--57fde04d-7008-4a76-a1e5-461102de0b81",
|
|
"indicator--57fde04d-8208-42b6-bdf1-4cc402de0b81",
|
|
"indicator--57fde04d-a474-4fcf-9c39-448002de0b81",
|
|
"observed-data--57fde04d-62d0-421c-a93a-48ab02de0b81",
|
|
"url--57fde04d-62d0-421c-a93a-48ab02de0b81",
|
|
"indicator--57fde04e-2250-4e88-afa0-41fd02de0b81",
|
|
"indicator--57fde04e-76b8-4e3a-8fde-4f5e02de0b81",
|
|
"observed-data--57fde04e-e7a4-4a18-b158-423b02de0b81",
|
|
"url--57fde04e-e7a4-4a18-b158-423b02de0b81",
|
|
"indicator--57fde04e-7aa8-4151-9d3b-4aa002de0b81",
|
|
"indicator--57fde04e-e334-4850-af7f-471802de0b81",
|
|
"observed-data--57fde04f-5340-42e2-a6d0-472e02de0b81",
|
|
"url--57fde04f-5340-42e2-a6d0-472e02de0b81",
|
|
"indicator--57fde04f-aab8-4d00-9c1d-41ef02de0b81",
|
|
"indicator--57fde04f-ee58-4ee9-96ac-4fef02de0b81",
|
|
"observed-data--57fde04f-9110-431a-bac5-469f02de0b81",
|
|
"url--57fde04f-9110-431a-bac5-469f02de0b81",
|
|
"indicator--57fde04f-74c4-4860-8436-4f2702de0b81",
|
|
"indicator--57fde050-7ff4-450e-95c6-4b0702de0b81",
|
|
"observed-data--57fde050-ba58-41e9-9dcf-404202de0b81",
|
|
"url--57fde050-ba58-41e9-9dcf-404202de0b81",
|
|
"indicator--57fde050-56e8-4208-b04a-4ff902de0b81",
|
|
"indicator--57fde050-c154-4baf-be74-42b902de0b81",
|
|
"observed-data--57fde050-1704-4d6b-9546-4c0c02de0b81",
|
|
"url--57fde050-1704-4d6b-9546-4c0c02de0b81",
|
|
"indicator--57fde051-1e78-4685-80e6-4cbe02de0b81",
|
|
"indicator--57fde051-6e4c-4510-b5ca-481202de0b81",
|
|
"observed-data--57fde051-5ac4-4296-ba39-44ed02de0b81",
|
|
"url--57fde051-5ac4-4296-ba39-44ed02de0b81",
|
|
"indicator--57fde051-0c38-4419-bdc2-4fb602de0b81",
|
|
"indicator--57fde051-7fec-485a-bf27-43ed02de0b81",
|
|
"observed-data--57fde052-079c-4c27-af94-45ca02de0b81",
|
|
"url--57fde052-079c-4c27-af94-45ca02de0b81",
|
|
"indicator--57fde052-d714-4fcf-9e34-4b3202de0b81",
|
|
"indicator--57fde052-634c-4ce1-8a44-450602de0b81",
|
|
"observed-data--57fde052-fcb0-462e-9d5d-46cc02de0b81",
|
|
"url--57fde052-fcb0-462e-9d5d-46cc02de0b81",
|
|
"indicator--57fde052-31ec-4597-b3d9-476f02de0b81",
|
|
"indicator--57fde053-d670-45e0-ad52-489402de0b81",
|
|
"observed-data--57fde053-227c-4b6a-a763-41fe02de0b81",
|
|
"url--57fde053-227c-4b6a-a763-41fe02de0b81",
|
|
"indicator--57fde053-8eec-40d3-91c6-4d0802de0b81",
|
|
"indicator--57fde053-1ac0-4357-92c8-443c02de0b81",
|
|
"observed-data--57fde054-38a4-464a-99a0-402a02de0b81",
|
|
"url--57fde054-38a4-464a-99a0-402a02de0b81",
|
|
"indicator--57fde054-5d58-4d93-8f12-49da02de0b81",
|
|
"indicator--57fde054-157c-4f68-9ecb-4bd702de0b81",
|
|
"observed-data--57fde054-a1f4-4f89-9d69-479502de0b81",
|
|
"url--57fde054-a1f4-4f89-9d69-479502de0b81",
|
|
"indicator--57fde055-cdb4-404d-80bd-4cc302de0b81",
|
|
"indicator--57fde055-2a2c-470d-9093-4d8b02de0b81",
|
|
"observed-data--57fde055-6d90-475b-837e-4e3002de0b81",
|
|
"url--57fde055-6d90-475b-837e-4e3002de0b81",
|
|
"indicator--57fde055-39b8-4c3b-a15c-4f9902de0b81",
|
|
"indicator--57fde055-4aac-4898-ab81-4f7502de0b81",
|
|
"observed-data--57fde056-b2d0-4e81-a161-454502de0b81",
|
|
"url--57fde056-b2d0-4e81-a161-454502de0b81",
|
|
"observed-data--57fdf198-5894-4cdf-9b84-4487950d210f",
|
|
"url--57fdf198-5894-4cdf-9b84-4487950d210f"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"circl:topic=\"finance\"",
|
|
"circl:incident-classification=\"malware\"",
|
|
"type:OSINT",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--57fdde4c-94e0-4df7-9483-4fdd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T06:55:08.000Z",
|
|
"modified": "2016-10-12T06:55:08.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organizations worldwide. These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors. Organizations who provide support services to these industries are also of interest.\r\n\r\nOdinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013\u00e2\u20ac\u201cCarbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.\r\n\r\nThese attacks require a large amount of hands on involvement, with methodical deployment of a range of lightweight back doors and purpose built tools onto computers of specific interest. There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks. Custom malware tools, purpose built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity are deployed.\r\n\r\nAlthough difficult to perform, these kinds of attacks on banks can be highly lucrative. Estimates of total losses to Carbanak-linked attacks range from tens of millions to hundreds of millions of dollars."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf71-e4ec-4761-8086-400b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:01.000Z",
|
|
"modified": "2016-10-12T07:00:01.000Z",
|
|
"description": "Odinaff droppers",
|
|
"pattern": "[file:hashes.SHA256 = 'f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf71-2ce0-462d-852c-4e0d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:01.000Z",
|
|
"modified": "2016-10-12T07:00:01.000Z",
|
|
"description": "Odinaff droppers",
|
|
"pattern": "[file:hashes.SHA256 = 'c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf72-00e8-4312-ad2c-4bfc950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:02.000Z",
|
|
"modified": "2016-10-12T07:00:02.000Z",
|
|
"description": "Odinaff document droppers",
|
|
"pattern": "[file:hashes.SHA256 = '102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf72-bd10-4bb0-be12-4adc950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:02.000Z",
|
|
"modified": "2016-10-12T07:00:02.000Z",
|
|
"description": "Odinaff document droppers",
|
|
"pattern": "[file:hashes.SHA256 = '60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf72-8ed0-4368-9e0d-4786950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:02.000Z",
|
|
"modified": "2016-10-12T07:00:02.000Z",
|
|
"description": "Odinaff samples",
|
|
"pattern": "[file:hashes.SHA256 = '22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf73-9810-4caf-bab9-46cb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:03.000Z",
|
|
"modified": "2016-10-12T07:00:03.000Z",
|
|
"description": "Odinaff samples",
|
|
"pattern": "[file:hashes.SHA256 = '2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf73-b1e8-4def-a8d0-4c34950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:03.000Z",
|
|
"modified": "2016-10-12T07:00:03.000Z",
|
|
"description": "SWIFT log suppressors",
|
|
"pattern": "[file:hashes.SHA256 = '84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf73-97d8-4718-8a0c-47cc950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:03.000Z",
|
|
"modified": "2016-10-12T07:00:03.000Z",
|
|
"description": "Backdoor.Batel RTF document dropper",
|
|
"pattern": "[file:hashes.SHA256 = '21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf73-0274-4cf4-b03c-4d63950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:03.000Z",
|
|
"modified": "2016-10-12T07:00:03.000Z",
|
|
"description": "Backdoor.Batel stagers",
|
|
"pattern": "[file:hashes.SHA256 = '001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf73-7e40-48f5-bd90-4c79950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:03.000Z",
|
|
"modified": "2016-10-12T07:00:03.000Z",
|
|
"description": "Backdoor.Batel stagers",
|
|
"pattern": "[file:hashes.SHA256 = '1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf74-ee28-401a-907f-4315950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:04.000Z",
|
|
"modified": "2016-10-12T07:00:04.000Z",
|
|
"description": "Older Batel *.CPL droppers",
|
|
"pattern": "[file:hashes.SHA256 = '1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf74-fed0-4b1d-8c2b-4f80950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:04.000Z",
|
|
"modified": "2016-10-12T07:00:04.000Z",
|
|
"description": "Older Batel *.CPL droppers",
|
|
"pattern": "[file:hashes.SHA256 = '298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf74-3950-4cc8-bc10-4885950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:04.000Z",
|
|
"modified": "2016-10-12T07:00:04.000Z",
|
|
"description": "Cobalt Strike, possible ATM implants",
|
|
"pattern": "[file:hashes.SHA256 = '429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf74-7e44-4216-b895-4fad950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:04.000Z",
|
|
"modified": "2016-10-12T07:00:04.000Z",
|
|
"description": "Cobalt Strike, possible ATM implants",
|
|
"pattern": "[file:hashes.SHA256 = '44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf74-fa54-4bf6-8241-4e2b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:04.000Z",
|
|
"modified": "2016-10-12T07:00:04.000Z",
|
|
"description": "Cobalt Strike implants",
|
|
"pattern": "[file:hashes.SHA256 = '1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf75-8ed8-476b-a1ba-4efa950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:05.000Z",
|
|
"modified": "2016-10-12T07:00:05.000Z",
|
|
"description": "Cobalt Strike implants",
|
|
"pattern": "[file:hashes.SHA256 = '48fb5e3c3dc17f549a76e1b1ce74c9fef5c94bfc29119a248ce1647644b125c7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf75-7f04-48c7-9149-4cf9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:05.000Z",
|
|
"modified": "2016-10-12T07:00:05.000Z",
|
|
"description": "Backdoor.Batel loaders",
|
|
"pattern": "[file:hashes.SHA256 = '0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf75-1558-4803-a029-4df3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:05.000Z",
|
|
"modified": "2016-10-12T07:00:05.000Z",
|
|
"description": "Backdoor.Batel loaders",
|
|
"pattern": "[file:hashes.SHA256 = '174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf75-851c-445b-a531-46e5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:05.000Z",
|
|
"modified": "2016-10-12T07:00:05.000Z",
|
|
"description": "Stagers (MINGW)",
|
|
"pattern": "[file:hashes.SHA256 = 'd94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf75-3320-44fd-b747-4602950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:05.000Z",
|
|
"modified": "2016-10-12T07:00:05.000Z",
|
|
"description": "Stagers (MINGW)",
|
|
"pattern": "[file:hashes.SHA256 = '3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf76-472c-4d24-a2f2-48ce950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:06.000Z",
|
|
"modified": "2016-10-12T07:00:06.000Z",
|
|
"description": "Disk wipers",
|
|
"pattern": "[file:hashes.SHA256 = '72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf76-62b4-4241-88d4-468d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:06.000Z",
|
|
"modified": "2016-10-12T07:00:06.000Z",
|
|
"description": "Disk wipers",
|
|
"pattern": "[file:hashes.SHA256 = 'c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf76-e494-4a66-a49b-499d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:06.000Z",
|
|
"modified": "2016-10-12T07:00:06.000Z",
|
|
"description": "Keylogger",
|
|
"pattern": "[file:hashes.SHA256 = 'e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf76-32bc-41f0-95d7-4d41950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:06.000Z",
|
|
"modified": "2016-10-12T07:00:06.000Z",
|
|
"description": "Screengrabbers",
|
|
"pattern": "[file:hashes.SHA256 = 'a7c3f125c8b9ca732832d64db2334f07240294d74ba76bdc47ea9d4009381fdc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf76-2254-458f-8a93-4dd3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:06.000Z",
|
|
"modified": "2016-10-12T07:00:06.000Z",
|
|
"description": "Screengrabbers",
|
|
"pattern": "[file:hashes.SHA256 = 'ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf77-e278-4d41-acd7-4438950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:07.000Z",
|
|
"modified": "2016-10-12T07:00:07.000Z",
|
|
"description": "Command shells",
|
|
"pattern": "[file:hashes.SHA256 = '9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf77-b6a4-4dfc-b0d2-4a3b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:07.000Z",
|
|
"modified": "2016-10-12T07:00:07.000Z",
|
|
"description": "Command shells",
|
|
"pattern": "[file:hashes.SHA256 = 'e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf77-07d0-47b7-b171-4889950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:07.000Z",
|
|
"modified": "2016-10-12T07:00:07.000Z",
|
|
"description": "HTTP Backconnect",
|
|
"pattern": "[file:hashes.SHA256 = 'b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf77-ea98-44df-aeba-4e5b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:07.000Z",
|
|
"modified": "2016-10-12T07:00:07.000Z",
|
|
"description": "Connection checkers",
|
|
"pattern": "[file:hashes.SHA256 = '28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf78-3230-485d-b5be-49e3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:08.000Z",
|
|
"modified": "2016-10-12T07:00:08.000Z",
|
|
"description": "Connection checkers",
|
|
"pattern": "[file:hashes.SHA256 = 'd9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf78-53cc-4c39-ac80-44ee950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:08.000Z",
|
|
"modified": "2016-10-12T07:00:08.000Z",
|
|
"description": "PoisonIvy loaders",
|
|
"pattern": "[file:hashes.SHA256 = '25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf78-4154-4ea6-8878-4590950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:08.000Z",
|
|
"modified": "2016-10-12T07:00:08.000Z",
|
|
"description": "PoisonIvy loaders",
|
|
"pattern": "[file:hashes.SHA256 = '91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf78-7570-4b7a-8b6a-47dc950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:08.000Z",
|
|
"modified": "2016-10-12T07:00:08.000Z",
|
|
"description": "Ammyy Admin remote administration tools",
|
|
"pattern": "[file:hashes.SHA256 = '0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf78-0db0-476d-845b-4fc5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:08.000Z",
|
|
"modified": "2016-10-12T07:00:08.000Z",
|
|
"description": "Ammyy Admin remote administration tools",
|
|
"pattern": "[file:hashes.SHA256 = '295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf79-a820-43b1-b9a4-4105950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:09.000Z",
|
|
"modified": "2016-10-12T07:00:09.000Z",
|
|
"description": "Ammyy Admin, Trojanized",
|
|
"pattern": "[file:hashes.SHA256 = 'cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf79-1288-4be7-b3c2-482d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:09.000Z",
|
|
"modified": "2016-10-12T07:00:09.000Z",
|
|
"description": "RemoteUtilities remote administration toolsRemoteUtilities remote administration tools",
|
|
"pattern": "[file:hashes.SHA256 = '2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf79-6e6c-420b-bc38-4557950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:09.000Z",
|
|
"modified": "2016-10-12T07:00:09.000Z",
|
|
"description": "RemoteUtilities remote administration tools",
|
|
"pattern": "[file:hashes.SHA256 = '3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf79-601c-414f-93e6-4700950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:09.000Z",
|
|
"modified": "2016-10-12T07:00:09.000Z",
|
|
"description": "Runas",
|
|
"pattern": "[file:hashes.SHA256 = '170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf79-2608-4a83-ba00-4392950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:09.000Z",
|
|
"modified": "2016-10-12T07:00:09.000Z",
|
|
"description": "Mimikatz",
|
|
"pattern": "[file:hashes.SHA256 = '7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf7a-5db0-4d77-af58-4c17950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:10.000Z",
|
|
"modified": "2016-10-12T07:00:10.000Z",
|
|
"description": "Mimikatz",
|
|
"pattern": "[file:hashes.SHA256 = 'e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf7a-e494-44b1-9a11-4027950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:10.000Z",
|
|
"modified": "2016-10-12T07:00:10.000Z",
|
|
"description": "Kasidet",
|
|
"pattern": "[file:hashes.SHA256 = 'c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fddf7a-ac7c-4bae-ba07-4ffd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:00:10.000Z",
|
|
"modified": "2016-10-12T07:00:10.000Z",
|
|
"description": "Kasidet",
|
|
"pattern": "[file:hashes.SHA256 = 'cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:00:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--57fddfe1-51bc-4ff5-95e2-4932950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:01:53.000Z",
|
|
"modified": "2016-10-12T07:01:53.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"Antivirus detection\""
|
|
],
|
|
"x_misp_category": "Antivirus detection",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Trojan.Odinaff"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03d-56a4-47cc-84e9-441402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:25.000Z",
|
|
"modified": "2016-10-12T07:03:25.000Z",
|
|
"description": "Kasidet - Xchecked via VT: cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba",
|
|
"pattern": "[file:hashes.SHA1 = 'ce46b856e77ed458db1846fa6f9e8df422d582b3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03d-41a4-43cf-846d-42c802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:25.000Z",
|
|
"modified": "2016-10-12T07:03:25.000Z",
|
|
"description": "Kasidet - Xchecked via VT: cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba",
|
|
"pattern": "[file:hashes.MD5 = '074db802aa499ac108216e2c031657d0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde03d-11bc-4656-a0c7-40da02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:25.000Z",
|
|
"modified": "2016-10-12T07:03:25.000Z",
|
|
"first_observed": "2016-10-12T07:03:25Z",
|
|
"last_observed": "2016-10-12T07:03:25Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde03d-11bc-4656-a0c7-40da02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde03d-11bc-4656-a0c7-40da02de0b81",
|
|
"value": "https://www.virustotal.com/file/cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba/analysis/1464288443/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03d-dc60-4ac4-86d6-453902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:25.000Z",
|
|
"modified": "2016-10-12T07:03:25.000Z",
|
|
"description": "Kasidet - Xchecked via VT: c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2",
|
|
"pattern": "[file:hashes.SHA1 = 'f7f5434539290ba88781237da086331030a4f051']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03d-c4e4-496c-b206-4fd702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:25.000Z",
|
|
"modified": "2016-10-12T07:03:25.000Z",
|
|
"description": "Kasidet - Xchecked via VT: c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2",
|
|
"pattern": "[file:hashes.MD5 = 'ec84d9d8ce82455214d36f7ab6e3dc56']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde03e-68ec-408d-9fa0-47e302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:26.000Z",
|
|
"modified": "2016-10-12T07:03:26.000Z",
|
|
"first_observed": "2016-10-12T07:03:26Z",
|
|
"last_observed": "2016-10-12T07:03:26Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde03e-68ec-408d-9fa0-47e302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde03e-68ec-408d-9fa0-47e302de0b81",
|
|
"value": "https://www.virustotal.com/file/c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2/analysis/1476234896/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03e-f658-4a2f-b63a-44dd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:26.000Z",
|
|
"modified": "2016-10-12T07:03:26.000Z",
|
|
"description": "Mimikatz - Xchecked via VT: e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6",
|
|
"pattern": "[file:hashes.SHA1 = 'fac724a7b6d1bdd6e2ca697c239d39dd4aa8a52b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03e-c798-42c0-b509-471a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:26.000Z",
|
|
"modified": "2016-10-12T07:03:26.000Z",
|
|
"description": "Mimikatz - Xchecked via VT: e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6",
|
|
"pattern": "[file:hashes.MD5 = '12613ac87e6e550057ab5eb770f98f35']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde03e-7dac-497a-8d15-47c502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:26.000Z",
|
|
"modified": "2016-10-12T07:03:26.000Z",
|
|
"first_observed": "2016-10-12T07:03:26Z",
|
|
"last_observed": "2016-10-12T07:03:26Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde03e-7dac-497a-8d15-47c502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde03e-7dac-497a-8d15-47c502de0b81",
|
|
"value": "https://www.virustotal.com/file/e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6/analysis/1469035595/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03e-9fd4-4395-a7d0-462202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:26.000Z",
|
|
"modified": "2016-10-12T07:03:26.000Z",
|
|
"description": "Mimikatz - Xchecked via VT: 7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4",
|
|
"pattern": "[file:hashes.SHA1 = '052c8587aed8dbd775f179f670e822da4d2a1eb6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03f-d4c0-4eb4-b5ef-4e1702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:27.000Z",
|
|
"modified": "2016-10-12T07:03:27.000Z",
|
|
"description": "Mimikatz - Xchecked via VT: 7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4",
|
|
"pattern": "[file:hashes.MD5 = 'db34ce686d2b911589667cbcae3a920c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde03f-bc70-4d3b-b7b2-4a0702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:27.000Z",
|
|
"modified": "2016-10-12T07:03:27.000Z",
|
|
"first_observed": "2016-10-12T07:03:27Z",
|
|
"last_observed": "2016-10-12T07:03:27Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde03f-bc70-4d3b-b7b2-4a0702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde03f-bc70-4d3b-b7b2-4a0702de0b81",
|
|
"value": "https://www.virustotal.com/file/7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4/analysis/1476213199/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03f-faa0-40ef-95ed-478602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:27.000Z",
|
|
"modified": "2016-10-12T07:03:27.000Z",
|
|
"description": "Runas - Xchecked via VT: 170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20",
|
|
"pattern": "[file:hashes.SHA1 = 'bd1d24f63f2f25a6eb4a7f6f3bc97a443e728b17']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde03f-7d30-43df-b4f5-441d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:27.000Z",
|
|
"modified": "2016-10-12T07:03:27.000Z",
|
|
"description": "Runas - Xchecked via VT: 170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20",
|
|
"pattern": "[file:hashes.MD5 = '424872148d3e84ed99cedd5bfbb8740c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde03f-0794-4278-b254-45a302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:27.000Z",
|
|
"modified": "2016-10-12T07:03:27.000Z",
|
|
"first_observed": "2016-10-12T07:03:27Z",
|
|
"last_observed": "2016-10-12T07:03:27Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde03f-0794-4278-b254-45a302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde03f-0794-4278-b254-45a302de0b81",
|
|
"value": "https://www.virustotal.com/file/170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20/analysis/1476195264/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde040-c7e0-42cc-94ce-4df602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:28.000Z",
|
|
"modified": "2016-10-12T07:03:28.000Z",
|
|
"description": "RemoteUtilities remote administration tools - Xchecked via VT: 3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51",
|
|
"pattern": "[file:hashes.SHA1 = '88de72284fb04b40efda6b7edd8793a4a79f2f11']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde040-e520-47ba-88f8-457e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:28.000Z",
|
|
"modified": "2016-10-12T07:03:28.000Z",
|
|
"description": "RemoteUtilities remote administration tools - Xchecked via VT: 3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51",
|
|
"pattern": "[file:hashes.MD5 = '5615449487df19589bd69207d7f2c6cd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde040-d378-4048-8ab0-447302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:28.000Z",
|
|
"modified": "2016-10-12T07:03:28.000Z",
|
|
"first_observed": "2016-10-12T07:03:28Z",
|
|
"last_observed": "2016-10-12T07:03:28Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde040-d378-4048-8ab0-447302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde040-d378-4048-8ab0-447302de0b81",
|
|
"value": "https://www.virustotal.com/file/3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51/analysis/1476195266/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde040-6648-439f-a4f6-4c7c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:28.000Z",
|
|
"modified": "2016-10-12T07:03:28.000Z",
|
|
"description": "RemoteUtilities remote administration toolsRemoteUtilities remote administration tools - Xchecked via VT: 2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1",
|
|
"pattern": "[file:hashes.SHA1 = 'b500c2f9310b28719383a8b5fdd78d0ff7fd5b80']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde040-9ab0-4352-a9ee-456e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:28.000Z",
|
|
"modified": "2016-10-12T07:03:28.000Z",
|
|
"description": "RemoteUtilities remote administration toolsRemoteUtilities remote administration tools - Xchecked via VT: 2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1",
|
|
"pattern": "[file:hashes.MD5 = '42552c5ac5fb48975115fe8b020073f3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde041-004c-456d-ad30-4c1e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:29.000Z",
|
|
"modified": "2016-10-12T07:03:29.000Z",
|
|
"first_observed": "2016-10-12T07:03:29Z",
|
|
"last_observed": "2016-10-12T07:03:29Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde041-004c-456d-ad30-4c1e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde041-004c-456d-ad30-4c1e02de0b81",
|
|
"value": "https://www.virustotal.com/file/2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1/analysis/1476195266/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde041-0b0c-45d0-a8f0-441e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:29.000Z",
|
|
"modified": "2016-10-12T07:03:29.000Z",
|
|
"description": "Ammyy Admin, Trojanized - Xchecked via VT: cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f",
|
|
"pattern": "[file:hashes.SHA1 = '01317404282c428b9d2a48ad5c542bd951b45268']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde041-91c8-4069-9478-4e6902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:29.000Z",
|
|
"modified": "2016-10-12T07:03:29.000Z",
|
|
"description": "Ammyy Admin, Trojanized - Xchecked via VT: cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f",
|
|
"pattern": "[file:hashes.MD5 = 'c7f1c6f20161ab9f703cc1c5d7498655']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde041-4d38-4251-b2a1-48da02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:29.000Z",
|
|
"modified": "2016-10-12T07:03:29.000Z",
|
|
"first_observed": "2016-10-12T07:03:29Z",
|
|
"last_observed": "2016-10-12T07:03:29Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde041-4d38-4251-b2a1-48da02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde041-4d38-4251-b2a1-48da02de0b81",
|
|
"value": "https://www.virustotal.com/file/cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f/analysis/1462449891/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde042-da1c-4301-9d13-4bd002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:30.000Z",
|
|
"modified": "2016-10-12T07:03:30.000Z",
|
|
"description": "Ammyy Admin remote administration tools - Xchecked via VT: 295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130",
|
|
"pattern": "[file:hashes.SHA1 = 'cf4a4ea4be619856bd19cb63cdd15efdc23dcec8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde042-4bb0-4bd0-8f3c-406e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:30.000Z",
|
|
"modified": "2016-10-12T07:03:30.000Z",
|
|
"description": "Ammyy Admin remote administration tools - Xchecked via VT: 295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130",
|
|
"pattern": "[file:hashes.MD5 = '084df0be594c98d868377de12d74703c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde042-8a74-4daf-88b4-4a9302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:30.000Z",
|
|
"modified": "2016-10-12T07:03:30.000Z",
|
|
"first_observed": "2016-10-12T07:03:30Z",
|
|
"last_observed": "2016-10-12T07:03:30Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde042-8a74-4daf-88b4-4a9302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde042-8a74-4daf-88b4-4a9302de0b81",
|
|
"value": "https://www.virustotal.com/file/295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130/analysis/1476213496/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde042-de18-4a5f-a7cd-4aa202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:30.000Z",
|
|
"modified": "2016-10-12T07:03:30.000Z",
|
|
"description": "Ammyy Admin remote administration tools - Xchecked via VT: 0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687",
|
|
"pattern": "[file:hashes.SHA1 = 'edcfcb4124dcc23bd75fcd69c2e7d8617a36554a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde042-7dbc-4fa3-b2fb-49ed02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:30.000Z",
|
|
"modified": "2016-10-12T07:03:30.000Z",
|
|
"description": "Ammyy Admin remote administration tools - Xchecked via VT: 0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687",
|
|
"pattern": "[file:hashes.MD5 = '070b6925b020c92e7f1cb0ad2c553a54']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde043-9b48-46e6-8323-486e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:31.000Z",
|
|
"modified": "2016-10-12T07:03:31.000Z",
|
|
"first_observed": "2016-10-12T07:03:31Z",
|
|
"last_observed": "2016-10-12T07:03:31Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde043-9b48-46e6-8323-486e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde043-9b48-46e6-8323-486e02de0b81",
|
|
"value": "https://www.virustotal.com/file/0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687/analysis/1476252610/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde043-32ec-4f9f-b57c-440f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:31.000Z",
|
|
"modified": "2016-10-12T07:03:31.000Z",
|
|
"description": "PoisonIvy loaders - Xchecked via VT: 91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c",
|
|
"pattern": "[file:hashes.SHA1 = '4ec0b0f33afc35a59eca1efc37a74ff87d760d8c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde043-bea4-42bf-a355-4d5b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:31.000Z",
|
|
"modified": "2016-10-12T07:03:31.000Z",
|
|
"description": "PoisonIvy loaders - Xchecked via VT: 91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c",
|
|
"pattern": "[file:hashes.MD5 = '5014f2c3850dedee06218e1585a7fc2d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde043-0c68-49a0-a4c1-490702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:31.000Z",
|
|
"modified": "2016-10-12T07:03:31.000Z",
|
|
"first_observed": "2016-10-12T07:03:31Z",
|
|
"last_observed": "2016-10-12T07:03:31Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde043-0c68-49a0-a4c1-490702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde043-0c68-49a0-a4c1-490702de0b81",
|
|
"value": "https://www.virustotal.com/file/91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c/analysis/1476213746/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde043-eec0-4763-b546-45cb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:31.000Z",
|
|
"modified": "2016-10-12T07:03:31.000Z",
|
|
"description": "PoisonIvy loaders - Xchecked via VT: 25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da",
|
|
"pattern": "[file:hashes.SHA1 = 'b853c10fe548e8136ded8301586bc3c01b724bb0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde044-c49c-4684-bc39-4e6002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:32.000Z",
|
|
"modified": "2016-10-12T07:03:32.000Z",
|
|
"description": "PoisonIvy loaders - Xchecked via VT: 25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da",
|
|
"pattern": "[file:hashes.MD5 = '5cbee6f706d9c6ee96ce159cdf2c2967']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde044-6f74-4d4d-b8d4-465502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:32.000Z",
|
|
"modified": "2016-10-12T07:03:32.000Z",
|
|
"first_observed": "2016-10-12T07:03:32Z",
|
|
"last_observed": "2016-10-12T07:03:32Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde044-6f74-4d4d-b8d4-465502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde044-6f74-4d4d-b8d4-465502de0b81",
|
|
"value": "https://www.virustotal.com/file/25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da/analysis/1476195267/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde044-d460-4adc-87fc-45bd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:32.000Z",
|
|
"modified": "2016-10-12T07:03:32.000Z",
|
|
"description": "Connection checkers - Xchecked via VT: d9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874",
|
|
"pattern": "[file:hashes.SHA1 = 'c01d318abcff123fd5561dbba1dfacc8aaa65ca8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde044-f26c-45eb-b08d-421a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:32.000Z",
|
|
"modified": "2016-10-12T07:03:32.000Z",
|
|
"description": "Connection checkers - Xchecked via VT: d9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874",
|
|
"pattern": "[file:hashes.MD5 = 'e1cd4de9afb99bee3568bb0bdc34e122']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde044-1498-4ac3-892c-487202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:32.000Z",
|
|
"modified": "2016-10-12T07:03:32.000Z",
|
|
"first_observed": "2016-10-12T07:03:32Z",
|
|
"last_observed": "2016-10-12T07:03:32Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde044-1498-4ac3-892c-487202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde044-1498-4ac3-892c-487202de0b81",
|
|
"value": "https://www.virustotal.com/file/d9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874/analysis/1476195269/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde045-4624-4119-93fc-4b1e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:33.000Z",
|
|
"modified": "2016-10-12T07:03:33.000Z",
|
|
"description": "Connection checkers - Xchecked via VT: 28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5",
|
|
"pattern": "[file:hashes.SHA1 = '163ef2b5b25270934c967627c49225aed747f3f0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde045-5bc4-417e-bf93-4b5102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:33.000Z",
|
|
"modified": "2016-10-12T07:03:33.000Z",
|
|
"description": "Connection checkers - Xchecked via VT: 28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5",
|
|
"pattern": "[file:hashes.MD5 = '2ff170c0da366c94351877e977546541']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde045-1870-433d-b771-496002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:33.000Z",
|
|
"modified": "2016-10-12T07:03:33.000Z",
|
|
"first_observed": "2016-10-12T07:03:33Z",
|
|
"last_observed": "2016-10-12T07:03:33Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde045-1870-433d-b771-496002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde045-1870-433d-b771-496002de0b81",
|
|
"value": "https://www.virustotal.com/file/28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5/analysis/1476195265/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde045-7b84-43b7-9cdb-4d4d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:33.000Z",
|
|
"modified": "2016-10-12T07:03:33.000Z",
|
|
"description": "HTTP Backconnect - Xchecked via VT: b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec",
|
|
"pattern": "[file:hashes.SHA1 = '9c5b16ad07e3e58de697dafc546f0af7b8fea08f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde046-dd9c-4d99-bb17-45c302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:34.000Z",
|
|
"modified": "2016-10-12T07:03:34.000Z",
|
|
"description": "HTTP Backconnect - Xchecked via VT: b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec",
|
|
"pattern": "[file:hashes.MD5 = '0aeabdd4e5fe8b181147f555bd02e5e9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde046-5dac-4442-bc23-465902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:34.000Z",
|
|
"modified": "2016-10-12T07:03:34.000Z",
|
|
"first_observed": "2016-10-12T07:03:34Z",
|
|
"last_observed": "2016-10-12T07:03:34Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde046-5dac-4442-bc23-465902de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde046-5dac-4442-bc23-465902de0b81",
|
|
"value": "https://www.virustotal.com/file/b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec/analysis/1476218183/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde046-245c-44eb-a7c2-495302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:34.000Z",
|
|
"modified": "2016-10-12T07:03:34.000Z",
|
|
"description": "Command shells - Xchecked via VT: e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a",
|
|
"pattern": "[file:hashes.SHA1 = '28a9c74d62d14909ab91ebbb8eef27776584cf27']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde046-dbb4-4fbf-ac48-425502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:34.000Z",
|
|
"modified": "2016-10-12T07:03:34.000Z",
|
|
"description": "Command shells - Xchecked via VT: e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a",
|
|
"pattern": "[file:hashes.MD5 = '3bbc51cfc5c1c1d51a26f61f3c0182bf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde046-0f18-4adc-9b70-497e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:34.000Z",
|
|
"modified": "2016-10-12T07:03:34.000Z",
|
|
"first_observed": "2016-10-12T07:03:34Z",
|
|
"last_observed": "2016-10-12T07:03:34Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde046-0f18-4adc-9b70-497e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde046-0f18-4adc-9b70-497e02de0b81",
|
|
"value": "https://www.virustotal.com/file/e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a/analysis/1476195269/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde047-2214-4122-a2d7-421502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:35.000Z",
|
|
"modified": "2016-10-12T07:03:35.000Z",
|
|
"description": "Command shells - Xchecked via VT: 9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a",
|
|
"pattern": "[file:hashes.SHA1 = '7b7a219c7539e173eb39acc6136a39359ad3db67']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde047-298c-4606-9bd9-49f602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:35.000Z",
|
|
"modified": "2016-10-12T07:03:35.000Z",
|
|
"description": "Command shells - Xchecked via VT: 9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a",
|
|
"pattern": "[file:hashes.MD5 = 'b77b8cde7ca6b6345caaf94bddbff9f1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde047-eca0-4e14-ab3c-40d502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:35.000Z",
|
|
"modified": "2016-10-12T07:03:35.000Z",
|
|
"first_observed": "2016-10-12T07:03:35Z",
|
|
"last_observed": "2016-10-12T07:03:35Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde047-eca0-4e14-ab3c-40d502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde047-eca0-4e14-ab3c-40d502de0b81",
|
|
"value": "https://www.virustotal.com/file/9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a/analysis/1472306542/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde047-f254-4d6d-9372-4e1402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:35.000Z",
|
|
"modified": "2016-10-12T07:03:35.000Z",
|
|
"description": "Screengrabbers - Xchecked via VT: ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c",
|
|
"pattern": "[file:hashes.SHA1 = 'abc6d05f9e4631deeaa06e4116f3907fc4135585']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde047-e070-44de-8bf2-4bd302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:35.000Z",
|
|
"modified": "2016-10-12T07:03:35.000Z",
|
|
"description": "Screengrabbers - Xchecked via VT: ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c",
|
|
"pattern": "[file:hashes.MD5 = '64b40780a94c4c4d1c1b4a0b12ce4b7d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde048-0e48-4f1d-96a8-4f4502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:36.000Z",
|
|
"modified": "2016-10-12T07:03:36.000Z",
|
|
"first_observed": "2016-10-12T07:03:36Z",
|
|
"last_observed": "2016-10-12T07:03:36Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde048-0e48-4f1d-96a8-4f4502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde048-0e48-4f1d-96a8-4f4502de0b81",
|
|
"value": "https://www.virustotal.com/file/ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c/analysis/1469035651/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde048-ddb8-4cbf-ba19-495c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:36.000Z",
|
|
"modified": "2016-10-12T07:03:36.000Z",
|
|
"description": "Keylogger - Xchecked via VT: e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90",
|
|
"pattern": "[file:hashes.SHA1 = '4a861db8310b2eb51818aea93238347f156fd4b6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde048-617c-4542-a355-4fae02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:36.000Z",
|
|
"modified": "2016-10-12T07:03:36.000Z",
|
|
"description": "Keylogger - Xchecked via VT: e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90",
|
|
"pattern": "[file:hashes.MD5 = 'e91fc5e15fa391d180779b47d511980b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde048-bb20-4954-b4a7-44ed02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:36.000Z",
|
|
"modified": "2016-10-12T07:03:36.000Z",
|
|
"first_observed": "2016-10-12T07:03:36Z",
|
|
"last_observed": "2016-10-12T07:03:36Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde048-bb20-4954-b4a7-44ed02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde048-bb20-4954-b4a7-44ed02de0b81",
|
|
"value": "https://www.virustotal.com/file/e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90/analysis/1476195269/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde048-1490-42b6-842b-4bc702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:36.000Z",
|
|
"modified": "2016-10-12T07:03:36.000Z",
|
|
"description": "Disk wipers - Xchecked via VT: c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da",
|
|
"pattern": "[file:hashes.SHA1 = 'ffb9cda0584eb2d0663bc8c98d8c0be889179855']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde049-51f4-4881-b4a8-4ef202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:37.000Z",
|
|
"modified": "2016-10-12T07:03:37.000Z",
|
|
"description": "Disk wipers - Xchecked via VT: c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da",
|
|
"pattern": "[file:hashes.MD5 = '80bee18fba8db4ae56120ef860cf82a2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde049-8418-4226-8a72-414002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:37.000Z",
|
|
"modified": "2016-10-12T07:03:37.000Z",
|
|
"first_observed": "2016-10-12T07:03:37Z",
|
|
"last_observed": "2016-10-12T07:03:37Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde049-8418-4226-8a72-414002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde049-8418-4226-8a72-414002de0b81",
|
|
"value": "https://www.virustotal.com/file/c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da/analysis/1467353193/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde049-7ef4-4fff-bc00-465502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:37.000Z",
|
|
"modified": "2016-10-12T07:03:37.000Z",
|
|
"description": "Disk wipers - Xchecked via VT: 72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17",
|
|
"pattern": "[file:hashes.SHA1 = '63534363ccb1b8495599fb3056e6610ece49ac11']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde049-8b1c-4430-9e25-4ab002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:37.000Z",
|
|
"modified": "2016-10-12T07:03:37.000Z",
|
|
"description": "Disk wipers - Xchecked via VT: 72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17",
|
|
"pattern": "[file:hashes.MD5 = '32eae3a8fd4a06819466dd07ca363c4f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04a-b590-4ec7-8adf-48a702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:38.000Z",
|
|
"modified": "2016-10-12T07:03:38.000Z",
|
|
"first_observed": "2016-10-12T07:03:38Z",
|
|
"last_observed": "2016-10-12T07:03:38Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04a-b590-4ec7-8adf-48a702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04a-b590-4ec7-8adf-48a702de0b81",
|
|
"value": "https://www.virustotal.com/file/72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17/analysis/1470794579/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04a-ec90-4ccf-87cc-473202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:38.000Z",
|
|
"modified": "2016-10-12T07:03:38.000Z",
|
|
"description": "Stagers (MINGW) - Xchecked via VT: 3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e",
|
|
"pattern": "[file:hashes.SHA1 = 'e8903fb954896cb9db4dd5c3bc79c5cd8e20910d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04a-44b8-44ac-ac79-483102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:38.000Z",
|
|
"modified": "2016-10-12T07:03:38.000Z",
|
|
"description": "Stagers (MINGW) - Xchecked via VT: 3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e",
|
|
"pattern": "[file:hashes.MD5 = 'c61dc9d26ac2b0bebca00c9c1b8bb9b3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04a-dac8-4b85-94e4-4fe702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:38.000Z",
|
|
"modified": "2016-10-12T07:03:38.000Z",
|
|
"first_observed": "2016-10-12T07:03:38Z",
|
|
"last_observed": "2016-10-12T07:03:38Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04a-dac8-4b85-94e4-4fe702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04a-dac8-4b85-94e4-4fe702de0b81",
|
|
"value": "https://www.virustotal.com/file/3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e/analysis/1476208783/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04a-fcb0-4068-9015-451c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:38.000Z",
|
|
"modified": "2016-10-12T07:03:38.000Z",
|
|
"description": "Stagers (MINGW) - Xchecked via VT: d94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455",
|
|
"pattern": "[file:hashes.SHA1 = 'ec13e1fcd1731dcaf008d6b0394f016c7c2afbaf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04b-f598-4f22-841d-448702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:39.000Z",
|
|
"modified": "2016-10-12T07:03:39.000Z",
|
|
"description": "Stagers (MINGW) - Xchecked via VT: d94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455",
|
|
"pattern": "[file:hashes.MD5 = '1c02c6b68025768d056805d26d33af4f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04b-73c4-4483-aef6-4f8f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:39.000Z",
|
|
"modified": "2016-10-12T07:03:39.000Z",
|
|
"first_observed": "2016-10-12T07:03:39Z",
|
|
"last_observed": "2016-10-12T07:03:39Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04b-73c4-4483-aef6-4f8f02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04b-73c4-4483-aef6-4f8f02de0b81",
|
|
"value": "https://www.virustotal.com/file/d94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455/analysis/1469556139/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04b-4044-4d59-af0a-4bb302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:39.000Z",
|
|
"modified": "2016-10-12T07:03:39.000Z",
|
|
"description": "Backdoor.Batel loaders - Xchecked via VT: 174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed",
|
|
"pattern": "[file:hashes.SHA1 = '384d80934a6efaba7c858891a2253b9dd1a1327b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04b-1ea0-4353-89b5-4b2a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:39.000Z",
|
|
"modified": "2016-10-12T07:03:39.000Z",
|
|
"description": "Backdoor.Batel loaders - Xchecked via VT: 174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed",
|
|
"pattern": "[file:hashes.MD5 = '2cd6451bf78b588bb253acaf899f74f5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04b-b4bc-4471-bfbc-4ee602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:39.000Z",
|
|
"modified": "2016-10-12T07:03:39.000Z",
|
|
"first_observed": "2016-10-12T07:03:39Z",
|
|
"last_observed": "2016-10-12T07:03:39Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04b-b4bc-4471-bfbc-4ee602de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04b-b4bc-4471-bfbc-4ee602de0b81",
|
|
"value": "https://www.virustotal.com/file/174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed/analysis/1475980072/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04c-4188-4ef7-9927-488b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:40.000Z",
|
|
"modified": "2016-10-12T07:03:40.000Z",
|
|
"description": "Backdoor.Batel loaders - Xchecked via VT: 0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24",
|
|
"pattern": "[file:hashes.SHA1 = '544cab0b08f4d3992bfd9fa69abf5633ed29d0b8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04c-bad0-4e18-90b3-427a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:40.000Z",
|
|
"modified": "2016-10-12T07:03:40.000Z",
|
|
"description": "Backdoor.Batel loaders - Xchecked via VT: 0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24",
|
|
"pattern": "[file:hashes.MD5 = '5f95d9936344c9f294d5471ffd53d8aa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04c-6ab8-4daf-9e46-4dc402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:40.000Z",
|
|
"modified": "2016-10-12T07:03:40.000Z",
|
|
"first_observed": "2016-10-12T07:03:40Z",
|
|
"last_observed": "2016-10-12T07:03:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04c-6ab8-4daf-9e46-4dc402de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04c-6ab8-4daf-9e46-4dc402de0b81",
|
|
"value": "https://www.virustotal.com/file/0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24/analysis/1476195269/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04c-a668-442d-aa27-48a202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:40.000Z",
|
|
"modified": "2016-10-12T07:03:40.000Z",
|
|
"description": "Cobalt Strike implants - Xchecked via VT: 1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486",
|
|
"pattern": "[file:hashes.SHA1 = 'a9c8a39e8000efa388d73c1d340e359738441170']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04c-35ec-4314-8b01-409702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:40.000Z",
|
|
"modified": "2016-10-12T07:03:40.000Z",
|
|
"description": "Cobalt Strike implants - Xchecked via VT: 1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486",
|
|
"pattern": "[file:hashes.MD5 = '03bead6a263c179e848f14bf81b6f038']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04d-7008-4a76-a1e5-461102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:41.000Z",
|
|
"modified": "2016-10-12T07:03:41.000Z",
|
|
"first_observed": "2016-10-12T07:03:41Z",
|
|
"last_observed": "2016-10-12T07:03:41Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04d-7008-4a76-a1e5-461102de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04d-7008-4a76-a1e5-461102de0b81",
|
|
"value": "https://www.virustotal.com/file/1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486/analysis/1469035649/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04d-8208-42b6-bdf1-4cc402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:41.000Z",
|
|
"modified": "2016-10-12T07:03:41.000Z",
|
|
"description": "Cobalt Strike, possible ATM implants - Xchecked via VT: 44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579",
|
|
"pattern": "[file:hashes.SHA1 = 'c9661008ffb49964e12ec6ed331098afdf2394a9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:41Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04d-a474-4fcf-9c39-448002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:41.000Z",
|
|
"modified": "2016-10-12T07:03:41.000Z",
|
|
"description": "Cobalt Strike, possible ATM implants - Xchecked via VT: 44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579",
|
|
"pattern": "[file:hashes.MD5 = '59453862a00339305eb848a95fba4782']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:41Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04d-62d0-421c-a93a-48ab02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:41.000Z",
|
|
"modified": "2016-10-12T07:03:41.000Z",
|
|
"first_observed": "2016-10-12T07:03:41Z",
|
|
"last_observed": "2016-10-12T07:03:41Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04d-62d0-421c-a93a-48ab02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04d-62d0-421c-a93a-48ab02de0b81",
|
|
"value": "https://www.virustotal.com/file/44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579/analysis/1476199268/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04e-2250-4e88-afa0-41fd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:42.000Z",
|
|
"modified": "2016-10-12T07:03:42.000Z",
|
|
"description": "Cobalt Strike, possible ATM implants - Xchecked via VT: 429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e",
|
|
"pattern": "[file:hashes.SHA1 = '835e8f56faa46cc31a9964c46604076111ba2537']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04e-76b8-4e3a-8fde-4f5e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:42.000Z",
|
|
"modified": "2016-10-12T07:03:42.000Z",
|
|
"description": "Cobalt Strike, possible ATM implants - Xchecked via VT: 429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e",
|
|
"pattern": "[file:hashes.MD5 = '7acb0eeca94a6eb902ba516f465bcfc6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04e-e7a4-4a18-b158-423b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:42.000Z",
|
|
"modified": "2016-10-12T07:03:42.000Z",
|
|
"first_observed": "2016-10-12T07:03:42Z",
|
|
"last_observed": "2016-10-12T07:03:42Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04e-e7a4-4a18-b158-423b02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04e-e7a4-4a18-b158-423b02de0b81",
|
|
"value": "https://www.virustotal.com/file/429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e/analysis/1476214207/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04e-7aa8-4151-9d3b-4aa002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:42.000Z",
|
|
"modified": "2016-10-12T07:03:42.000Z",
|
|
"description": "Older Batel *.CPL droppers - Xchecked via VT: 298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd",
|
|
"pattern": "[file:hashes.SHA1 = '55af5e3c1c5fcee9aeccd19eb19768f268efba5d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04e-e334-4850-af7f-471802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:42.000Z",
|
|
"modified": "2016-10-12T07:03:42.000Z",
|
|
"description": "Older Batel *.CPL droppers - Xchecked via VT: 298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd",
|
|
"pattern": "[file:hashes.MD5 = '966d9e07d1a75fa6867bbf02748c4212']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04f-5340-42e2-a6d0-472e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:43.000Z",
|
|
"modified": "2016-10-12T07:03:43.000Z",
|
|
"first_observed": "2016-10-12T07:03:43Z",
|
|
"last_observed": "2016-10-12T07:03:43Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04f-5340-42e2-a6d0-472e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04f-5340-42e2-a6d0-472e02de0b81",
|
|
"value": "https://www.virustotal.com/file/298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd/analysis/1476195265/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04f-aab8-4d00-9c1d-41ef02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:43.000Z",
|
|
"modified": "2016-10-12T07:03:43.000Z",
|
|
"description": "Older Batel *.CPL droppers - Xchecked via VT: 1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d",
|
|
"pattern": "[file:hashes.SHA1 = '2cfc22acaa3fc6660eb058a13cab81b9bd07536a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04f-ee58-4ee9-96ac-4fef02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:43.000Z",
|
|
"modified": "2016-10-12T07:03:43.000Z",
|
|
"description": "Older Batel *.CPL droppers - Xchecked via VT: 1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d",
|
|
"pattern": "[file:hashes.MD5 = '0cf14d472410589c920fb55a97adaab1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde04f-9110-431a-bac5-469f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:43.000Z",
|
|
"modified": "2016-10-12T07:03:43.000Z",
|
|
"first_observed": "2016-10-12T07:03:43Z",
|
|
"last_observed": "2016-10-12T07:03:43Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde04f-9110-431a-bac5-469f02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde04f-9110-431a-bac5-469f02de0b81",
|
|
"value": "https://www.virustotal.com/file/1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d/analysis/1476213381/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde04f-74c4-4860-8436-4f2702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:43.000Z",
|
|
"modified": "2016-10-12T07:03:43.000Z",
|
|
"description": "Backdoor.Batel stagers - Xchecked via VT: 1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a",
|
|
"pattern": "[file:hashes.SHA1 = 'af062457e4dfbc5256fee58db6eb4873a2c649c1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde050-7ff4-450e-95c6-4b0702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:44.000Z",
|
|
"modified": "2016-10-12T07:03:44.000Z",
|
|
"description": "Backdoor.Batel stagers - Xchecked via VT: 1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a",
|
|
"pattern": "[file:hashes.MD5 = '61054bdfd5220ecc37956c713f126d43']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde050-ba58-41e9-9dcf-404202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:44.000Z",
|
|
"modified": "2016-10-12T07:03:44.000Z",
|
|
"first_observed": "2016-10-12T07:03:44Z",
|
|
"last_observed": "2016-10-12T07:03:44Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde050-ba58-41e9-9dcf-404202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde050-ba58-41e9-9dcf-404202de0b81",
|
|
"value": "https://www.virustotal.com/file/1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a/analysis/1475469967/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde050-56e8-4208-b04a-4ff902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:44.000Z",
|
|
"modified": "2016-10-12T07:03:44.000Z",
|
|
"description": "Backdoor.Batel stagers - Xchecked via VT: 001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746",
|
|
"pattern": "[file:hashes.SHA1 = 'c510fc1e20bbf80390c7fce23863608fc2d843a2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde050-c154-4baf-be74-42b902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:44.000Z",
|
|
"modified": "2016-10-12T07:03:44.000Z",
|
|
"description": "Backdoor.Batel stagers - Xchecked via VT: 001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746",
|
|
"pattern": "[file:hashes.MD5 = 'd4c1af678b3afa099f21ab5c29065fca']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde050-1704-4d6b-9546-4c0c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:44.000Z",
|
|
"modified": "2016-10-12T07:03:44.000Z",
|
|
"first_observed": "2016-10-12T07:03:44Z",
|
|
"last_observed": "2016-10-12T07:03:44Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde050-1704-4d6b-9546-4c0c02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde050-1704-4d6b-9546-4c0c02de0b81",
|
|
"value": "https://www.virustotal.com/file/001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746/analysis/1475586974/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde051-1e78-4685-80e6-4cbe02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:45.000Z",
|
|
"modified": "2016-10-12T07:03:45.000Z",
|
|
"description": "Backdoor.Batel RTF document dropper - Xchecked via VT: 21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f",
|
|
"pattern": "[file:hashes.SHA1 = 'bb607fec8569a0ec4eec30e37c3e2eeafafb5fab']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde051-6e4c-4510-b5ca-481202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:45.000Z",
|
|
"modified": "2016-10-12T07:03:45.000Z",
|
|
"description": "Backdoor.Batel RTF document dropper - Xchecked via VT: 21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f",
|
|
"pattern": "[file:hashes.MD5 = '1fa19e329bd5f2eaf933c39eba13d869']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde051-5ac4-4296-ba39-44ed02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:45.000Z",
|
|
"modified": "2016-10-12T07:03:45.000Z",
|
|
"first_observed": "2016-10-12T07:03:45Z",
|
|
"last_observed": "2016-10-12T07:03:45Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde051-5ac4-4296-ba39-44ed02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde051-5ac4-4296-ba39-44ed02de0b81",
|
|
"value": "https://www.virustotal.com/file/21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f/analysis/1471377471/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde051-0c38-4419-bdc2-4fb602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:45.000Z",
|
|
"modified": "2016-10-12T07:03:45.000Z",
|
|
"description": "SWIFT log suppressors - Xchecked via VT: 84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8",
|
|
"pattern": "[file:hashes.SHA1 = 'c31d3002d9f1bebc85b41d4c55a87ea1b797d4d2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde051-7fec-485a-bf27-43ed02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:45.000Z",
|
|
"modified": "2016-10-12T07:03:45.000Z",
|
|
"description": "SWIFT log suppressors - Xchecked via VT: 84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8",
|
|
"pattern": "[file:hashes.MD5 = '6d355ffa06ae39fc8671cc8ac38f984e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde052-079c-4c27-af94-45ca02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:46.000Z",
|
|
"modified": "2016-10-12T07:03:46.000Z",
|
|
"first_observed": "2016-10-12T07:03:46Z",
|
|
"last_observed": "2016-10-12T07:03:46Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde052-079c-4c27-af94-45ca02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde052-079c-4c27-af94-45ca02de0b81",
|
|
"value": "https://www.virustotal.com/file/84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8/analysis/1476234908/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde052-d714-4fcf-9e34-4b3202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:46.000Z",
|
|
"modified": "2016-10-12T07:03:46.000Z",
|
|
"description": "Odinaff samples - Xchecked via VT: 2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098",
|
|
"pattern": "[file:hashes.SHA1 = 'dd913de9bf860b5f33d745413cc08f60d12d64b3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde052-634c-4ce1-8a44-450602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:46.000Z",
|
|
"modified": "2016-10-12T07:03:46.000Z",
|
|
"description": "Odinaff samples - Xchecked via VT: 2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098",
|
|
"pattern": "[file:hashes.MD5 = '5a45366da2a8023464d7ea09fd80ba9f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde052-fcb0-462e-9d5d-46cc02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:46.000Z",
|
|
"modified": "2016-10-12T07:03:46.000Z",
|
|
"first_observed": "2016-10-12T07:03:46Z",
|
|
"last_observed": "2016-10-12T07:03:46Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde052-fcb0-462e-9d5d-46cc02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde052-fcb0-462e-9d5d-46cc02de0b81",
|
|
"value": "https://www.virustotal.com/file/2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098/analysis/1476251166/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde052-31ec-4597-b3d9-476f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:46.000Z",
|
|
"modified": "2016-10-12T07:03:46.000Z",
|
|
"description": "Odinaff samples - Xchecked via VT: 22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96",
|
|
"pattern": "[file:hashes.SHA1 = 'd2951010b16e82c124ec8938f1968a4f3c141995']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde053-d670-45e0-ad52-489402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:47.000Z",
|
|
"modified": "2016-10-12T07:03:47.000Z",
|
|
"description": "Odinaff samples - Xchecked via VT: 22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96",
|
|
"pattern": "[file:hashes.MD5 = '342652dab8a5fb7073a99438abd5d28a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde053-227c-4b6a-a763-41fe02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:47.000Z",
|
|
"modified": "2016-10-12T07:03:47.000Z",
|
|
"first_observed": "2016-10-12T07:03:47Z",
|
|
"last_observed": "2016-10-12T07:03:47Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde053-227c-4b6a-a763-41fe02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde053-227c-4b6a-a763-41fe02de0b81",
|
|
"value": "https://www.virustotal.com/file/22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96/analysis/1476251715/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde053-8eec-40d3-91c6-4d0802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:47.000Z",
|
|
"modified": "2016-10-12T07:03:47.000Z",
|
|
"description": "Odinaff document droppers - Xchecked via VT: 60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa",
|
|
"pattern": "[file:hashes.SHA1 = '325cf43226632978166765737d8858170d0a56b7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde053-1ac0-4357-92c8-443c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:47.000Z",
|
|
"modified": "2016-10-12T07:03:47.000Z",
|
|
"description": "Odinaff document droppers - Xchecked via VT: 60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa",
|
|
"pattern": "[file:hashes.MD5 = 'a19f48cae862d4e550ca2b54b3395374']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde054-38a4-464a-99a0-402a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:48.000Z",
|
|
"modified": "2016-10-12T07:03:48.000Z",
|
|
"first_observed": "2016-10-12T07:03:48Z",
|
|
"last_observed": "2016-10-12T07:03:48Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde054-38a4-464a-99a0-402a02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde054-38a4-464a-99a0-402a02de0b81",
|
|
"value": "https://www.virustotal.com/file/60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa/analysis/1473849020/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde054-5d58-4d93-8f12-49da02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:48.000Z",
|
|
"modified": "2016-10-12T07:03:48.000Z",
|
|
"description": "Odinaff document droppers - Xchecked via VT: 102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990",
|
|
"pattern": "[file:hashes.SHA1 = 'f661d7d16b4b73f6dc8452b7b5a598b00a411037']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde054-157c-4f68-9ecb-4bd702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:48.000Z",
|
|
"modified": "2016-10-12T07:03:48.000Z",
|
|
"description": "Odinaff document droppers - Xchecked via VT: 102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990",
|
|
"pattern": "[file:hashes.MD5 = '62659e1c3ab3b1feb85614ec15e1d701']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde054-a1f4-4f89-9d69-479502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:48.000Z",
|
|
"modified": "2016-10-12T07:03:48.000Z",
|
|
"first_observed": "2016-10-12T07:03:48Z",
|
|
"last_observed": "2016-10-12T07:03:48Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde054-a1f4-4f89-9d69-479502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde054-a1f4-4f89-9d69-479502de0b81",
|
|
"value": "https://www.virustotal.com/file/102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990/analysis/1476196967/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde055-cdb4-404d-80bd-4cc302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:49.000Z",
|
|
"modified": "2016-10-12T07:03:49.000Z",
|
|
"description": "Odinaff droppers - Xchecked via VT: c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14",
|
|
"pattern": "[file:hashes.SHA1 = '025dd881f20381357f96f1a3e802214a1168a78f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde055-2a2c-470d-9093-4d8b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:49.000Z",
|
|
"modified": "2016-10-12T07:03:49.000Z",
|
|
"description": "Odinaff droppers - Xchecked via VT: c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14",
|
|
"pattern": "[file:hashes.MD5 = '88718cc6c00683af78a6f04e4d977bb9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde055-6d90-475b-837e-4e3002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:49.000Z",
|
|
"modified": "2016-10-12T07:03:49.000Z",
|
|
"first_observed": "2016-10-12T07:03:49Z",
|
|
"last_observed": "2016-10-12T07:03:49Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde055-6d90-475b-837e-4e3002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde055-6d90-475b-837e-4e3002de0b81",
|
|
"value": "https://www.virustotal.com/file/c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14/analysis/1466577613/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde055-39b8-4c3b-a15c-4f9902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:49.000Z",
|
|
"modified": "2016-10-12T07:03:49.000Z",
|
|
"description": "Odinaff droppers - Xchecked via VT: f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5",
|
|
"pattern": "[file:hashes.SHA1 = '3151247681a1f220aafe11b70580fad7c92ef065']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57fde055-4aac-4898-ab81-4f7502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:49.000Z",
|
|
"modified": "2016-10-12T07:03:49.000Z",
|
|
"description": "Odinaff droppers - Xchecked via VT: f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5",
|
|
"pattern": "[file:hashes.MD5 = 'f425e731d0cee5b49dc4d32b74156b80']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-10-12T07:03:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fde056-b2d0-4e81-a161-454502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T07:03:50.000Z",
|
|
"modified": "2016-10-12T07:03:50.000Z",
|
|
"first_observed": "2016-10-12T07:03:50Z",
|
|
"last_observed": "2016-10-12T07:03:50Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fde056-b2d0-4e81-a161-454502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fde056-b2d0-4e81-a161-454502de0b81",
|
|
"value": "https://www.virustotal.com/file/f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5/analysis/1476193606/"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57fdf198-5894-4cdf-9b84-4487950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-10-12T08:17:28.000Z",
|
|
"modified": "2016-10-12T08:17:28.000Z",
|
|
"first_observed": "2016-10-12T08:17:28Z",
|
|
"last_observed": "2016-10-12T08:17:28Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57fdf198-5894-4cdf-9b84-4487950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57fdf198-5894-4cdf-9b84-4487950d210f",
|
|
"value": "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |