{
|
|
"type": "bundle",
|
|
"id": "bundle--58dcfe62-ed84-4e5e-b293-4991950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-28T18:23:44.000Z",
|
|
"modified": "2017-04-28T18:23:44.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--58dcfe62-ed84-4e5e-b293-4991950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-28T18:23:44.000Z",
|
|
"modified": "2017-04-28T18:23:44.000Z",
|
|
"name": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor",
|
|
"published": "2017-04-28T20:02:31Z",
|
|
"object_refs": [
|
|
"observed-data--58dcfe9d-297c-4342-9155-42b6950d210f",
|
|
"url--58dcfe9d-297c-4342-9155-42b6950d210f",
|
|
"x-misp-attribute--58dcfed4-9290-4b22-a5c4-4530950d210f",
|
|
"indicator--58dcfef9-5b0c-4d85-b0d8-4490950d210f",
|
|
"indicator--58dcfefa-f510-40f2-89a7-4b17950d210f",
|
|
"indicator--58dcfefa-25e0-413a-9a20-45b9950d210f",
|
|
"indicator--58dcfefb-62cc-407b-8f80-469b950d210f",
|
|
"indicator--58dcfefc-c1e0-45bc-8145-4d80950d210f",
|
|
"indicator--58dcfefd-d154-4651-8701-43e1950d210f",
|
|
"indicator--58dcfefe-4d10-40ba-b545-486f950d210f",
|
|
"indicator--58dcfeff-92dc-4bf1-93d7-4fb7950d210f",
|
|
"indicator--58dcfeff-6fac-4823-aab5-42c6950d210f",
|
|
"indicator--58dcff00-b88c-4883-808c-409b950d210f",
|
|
"indicator--58dcff01-9700-41b4-9edd-4ef4950d210f",
|
|
"indicator--58dcff02-93c4-4d80-8cf6-43f9950d210f",
|
|
"indicator--58dcff03-df24-4707-97e5-4199950d210f",
|
|
"indicator--58dcff04-7f1c-4262-9be6-4692950d210f",
|
|
"indicator--58dcff04-eb80-4341-85fb-44a7950d210f",
|
|
"indicator--58dcff05-ae78-4cf2-9304-4cdd950d210f",
|
|
"indicator--58dcff06-9a44-4ae6-847b-45ae950d210f",
|
|
"indicator--58dcff07-2680-4a30-b9d7-4011950d210f",
|
|
"indicator--58dcff08-1a34-4739-8962-4427950d210f",
|
|
"indicator--58dcff09-929c-4759-9bb9-41ea950d210f",
|
|
"indicator--58dcff09-ca80-4976-8dcc-402b950d210f",
|
|
"indicator--58dcff0a-1624-4412-a929-4c3a950d210f",
|
|
"indicator--58dcff0b-ee34-4335-909c-4b7e950d210f",
|
|
"indicator--58dcff6e-1954-4818-a306-44d9950d210f",
|
|
"indicator--58dcff6f-9334-4ff6-974f-41de950d210f",
|
|
"indicator--58dcff70-0fb0-4437-9781-4b6e950d210f",
|
|
"indicator--58dcff71-7df8-45e7-8147-43a9950d210f",
|
|
"indicator--58dcff72-f5c0-4a48-905e-449a950d210f",
|
|
"indicator--58dcff73-fb90-4c4e-9f60-4227950d210f",
|
|
"indicator--58dcffa3-f8f4-4c59-bbe4-4dc1950d210f",
|
|
"indicator--58dcffbe-0f98-439c-a916-4524950d210f",
|
|
"indicator--58dcffdf-e07c-4be4-b0af-4180950d210f",
|
|
"indicator--58dd0020-5a10-4542-bdee-436202de0b81",
|
|
"indicator--58dd0021-383c-416f-9302-4ba602de0b81",
|
|
"observed-data--58dd0021-2968-4da8-bfcb-481702de0b81",
|
|
"url--58dd0021-2968-4da8-bfcb-481702de0b81",
|
|
"indicator--58dd0022-213c-42a4-9fac-460602de0b81",
|
|
"indicator--58dd0023-17f4-444c-89ca-428302de0b81",
|
|
"observed-data--58dd0024-6ac8-434b-877c-430c02de0b81",
|
|
"url--58dd0024-6ac8-434b-877c-430c02de0b81",
|
|
"indicator--58dd0025-cec4-42ff-a43d-48ef02de0b81",
|
|
"indicator--58dd0026-146c-465b-acd3-434502de0b81",
|
|
"observed-data--58dd0027-e934-4d33-a983-412202de0b81",
|
|
"url--58dd0027-e934-4d33-a983-412202de0b81",
|
|
"indicator--58dd0028-37f4-473e-9d2f-4caf02de0b81",
|
|
"indicator--58dd0029-2d4c-47cb-ac4c-4beb02de0b81",
|
|
"observed-data--58dd002a-5acc-4d51-b75b-468e02de0b81",
|
|
"url--58dd002a-5acc-4d51-b75b-468e02de0b81",
|
|
"indicator--58dd002a-f7b4-4527-853e-4fa002de0b81",
|
|
"indicator--58dd002b-43c4-483a-b84e-4f0202de0b81",
|
|
"observed-data--58dd002c-2a44-4162-8831-449d02de0b81",
|
|
"url--58dd002c-2a44-4162-8831-449d02de0b81",
|
|
"indicator--58dd002d-ee14-4e08-83e8-468b02de0b81",
|
|
"indicator--58dd002e-38d0-496d-b553-488302de0b81",
|
|
"observed-data--58dd002f-e984-4cc5-93e2-427202de0b81",
|
|
"url--58dd002f-e984-4cc5-93e2-427202de0b81",
|
|
"indicator--58dd0030-18bc-45aa-9365-4a3502de0b81",
|
|
"indicator--58dd0030-6898-4767-9ad6-4ea602de0b81",
|
|
"observed-data--58dd0031-cac4-4c84-9ebc-4c4a02de0b81",
|
|
"url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81",
|
|
"indicator--58dd0032-fa80-4125-adbb-4e6f02de0b81",
|
|
"indicator--58dd0033-60e0-4e52-b5ba-4e4902de0b81",
|
|
"observed-data--58dd0034-c460-4ba5-b29d-44c802de0b81",
|
|
"url--58dd0034-c460-4ba5-b29d-44c802de0b81",
|
|
"indicator--58dd0035-adb0-4116-8b7f-4a3d02de0b81",
|
|
"indicator--58dd0035-62f8-4558-9033-4e4302de0b81",
|
|
"observed-data--58dd0036-68cc-4f5f-a571-4a3802de0b81",
|
|
"url--58dd0036-68cc-4f5f-a571-4a3802de0b81",
|
|
"indicator--58dd0037-8088-49e9-944f-45ff02de0b81",
|
|
"indicator--58dd0038-5144-4ed3-adfe-4d3102de0b81",
|
|
"observed-data--58dd0039-0208-4066-bc11-4eb502de0b81",
|
|
"url--58dd0039-0208-4066-bc11-4eb502de0b81",
|
|
"indicator--58dd003a-b738-4acc-a32b-470c02de0b81",
|
|
"indicator--58dd003b-134c-47ef-9ec6-431402de0b81",
|
|
"observed-data--58dd003c-06e4-456b-b541-4a0302de0b81",
|
|
"url--58dd003c-06e4-456b-b541-4a0302de0b81",
|
|
"indicator--58dd003d-9d0c-4261-9263-492e02de0b81",
|
|
"indicator--58dd003d-866c-493e-ab08-42ad02de0b81",
|
|
"observed-data--58dd003e-eca8-4aaa-ae60-4cca02de0b81",
|
|
"url--58dd003e-eca8-4aaa-ae60-4cca02de0b81",
|
|
"indicator--58dd003f-e27c-4949-aab7-490c02de0b81",
|
|
"indicator--58dd0040-c27c-4ff6-bc0d-41d902de0b81",
|
|
"observed-data--58dd0041-f364-447a-82a3-423c02de0b81",
|
|
"url--58dd0041-f364-447a-82a3-423c02de0b81",
|
|
"indicator--58dd0042-ff94-4d44-8926-42b202de0b81",
|
|
"indicator--58dd0043-e258-4a82-b1cf-4f5b02de0b81",
|
|
"observed-data--58dd0044-5cfc-4f5d-bed1-42ec02de0b81",
|
|
"url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81",
|
|
"indicator--58dd0045-00c8-447f-b23a-4da402de0b81",
|
|
"indicator--58dd0045-20e4-4b68-8b47-44a502de0b81",
|
|
"observed-data--58dd0046-5560-49b6-8f5d-428102de0b81",
|
|
"url--58dd0046-5560-49b6-8f5d-428102de0b81",
|
|
"indicator--58dd0047-efc8-49f9-8a9d-4bc502de0b81",
|
|
"indicator--58dd0048-f4bc-4507-9132-475902de0b81",
|
|
"observed-data--58dd0049-3be8-4d8a-8293-4d8d02de0b81",
|
|
"url--58dd0049-3be8-4d8a-8293-4d8d02de0b81",
|
|
"indicator--58dd004a-9f74-4c4d-94da-4c6802de0b81",
|
|
"indicator--58dd004b-5b70-47be-a686-4e3002de0b81",
|
|
"observed-data--58dd004b-4d28-44d7-9414-425902de0b81",
|
|
"url--58dd004b-4d28-44d7-9414-425902de0b81",
|
|
"indicator--58dd004c-71f0-4e9c-85c4-4a4d02de0b81",
|
|
"indicator--58dd004d-5b4c-46b6-8974-40c602de0b81",
|
|
"observed-data--58dd004e-33e8-45a4-825d-491d02de0b81",
|
|
"url--58dd004e-33e8-45a4-825d-491d02de0b81",
|
|
"indicator--58dd004f-1e20-4e75-8e21-477f02de0b81",
|
|
"indicator--58dd0050-d094-4d4f-86a3-4f4502de0b81",
|
|
"observed-data--58dd0051-ce8c-4059-9ecb-476902de0b81",
|
|
"url--58dd0051-ce8c-4059-9ecb-476902de0b81",
|
|
"indicator--58dd0052-8e84-4b91-908a-40af02de0b81",
|
|
"indicator--58dd0052-8680-469f-8cbb-4f3802de0b81",
|
|
"observed-data--58dd0053-5978-4766-94a4-468f02de0b81",
|
|
"url--58dd0053-5978-4766-94a4-468f02de0b81",
|
|
"indicator--58dd0054-7e04-4ad1-b86f-47d002de0b81",
|
|
"indicator--58dd0055-b800-4361-9aa0-47be02de0b81",
|
|
"observed-data--58dd0056-6e74-43d5-b58b-494802de0b81",
|
|
"url--58dd0056-6e74-43d5-b58b-494802de0b81",
|
|
"indicator--58dd0057-5a14-4f5d-884b-490202de0b81",
|
|
"indicator--58dd0057-cde0-4faa-a196-4a6302de0b81",
|
|
"observed-data--58dd0058-dcd4-4271-8e57-432702de0b81",
|
|
"url--58dd0058-dcd4-4271-8e57-432702de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:tool=\"Turla\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dcfe9d-297c-4342-9155-42b6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"first_observed": "2017-03-30T12:54:26Z",
|
|
"last_observed": "2017-03-30T12:54:26Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dcfe9d-297c-4342-9155-42b6950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dcfe9d-297c-4342-9155-42b6950d210f",
|
|
"value": "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--58dcfed4-9290-4b22-a5c4-4530950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.\r\n\r\nThis blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.\r\n\r\nLooking at the different versions numbers of Carbon we have, it is clear that it is still under active development. Through the internal versions embedded in the code, we see the new versions are pushed out regularly. The group is also known to change its tools once they are exposed. As such, we have seen that between two major versions, mutexes and file names are being changed."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfef9-5b0c-4d85-b0d8-4490950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfefa-f510-40f2-89a7-4b17950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = 'a08b8371ead1919500a4759c2f46553620d5a9d9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfefa-25e0-413a-9a20-45b9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '4636dccac5acf1d95a474747bb7bcd9b1a506cc3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfefb-62cc-407b-8f80-469b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = 'cbde204e7641830017bb84b89223131b2126bc46']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfefc-c1e0-45bc-8145-4d80950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '1ad46547e3dc264f940bf62df455b26e65b0101f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfefd-d154-4651-8701-43e1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = 'a28164de29e51f154be12d163ce5818fceb69233']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfefe-4d10-40ba-b545-486f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '7c43f5df784bf50423620d8f1c96e43d8d9a9b28']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfeff-92dc-4bf1-93d7-4fb7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '7ce746bb988cb3b7e64f08174bdb02938555ea53']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcfeff-6fac-4823-aab5-42c6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '20393222d4eb1ba72a6536f7e67e139aadfa47fe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff00-b88c-4883-808c-409b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '1dbfcb9005abb2c83ffa6a3127257a009612798c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff01-9700-41b4-9edd-4ef4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '2f7e335e092e04f3f4734b60c5345003d10aa15d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff02-93c4-4d80-8cf6-43f9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '311f399c299741e80db8bec65bbf4b56109eedaf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff03-df24-4707-97e5-4199950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = 'fbc43636e3c9378162f3b9712cb6d87bd48ddbd3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff04-7f1c-4262-9be6-4692950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '554f59c1578f4ee77dbba6a23507401359a59f23']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff04-eb80-4341-85fb-44a7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '2227fd6fc9d669a9b66c59593533750477669557']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff05-ae78-4cf2-9304-4cdd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '87d718f2d6e46c53490c6a22de399c13f05336f0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff06-9a44-4ae6-847b-45ae950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '1b233af41106d7915f6fa6fd1448b7f070b47eb3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff07-2680-4a30-b9d7-4011950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '851e538357598ed96f0123b47694e25c2d52552b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff08-1a34-4739-8962-4427950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '744b43d8c0fe8b217acf0494ad992df6d5191ed9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff09-929c-4759-9bb9-41ea950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = 'bcf52240cc7940185ce424224d39564257610340']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff09-ca80-4976-8dcc-402b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '777e2695ae408e1578a16991373144333732c3f6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff0a-1624-4412-a929-4c3a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '56b5627debb93790fdbcc9ecbffc3260adeafbab']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff0b-ee34-4335-909c-4b7e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "Carbon sample",
|
|
"pattern": "[file:hashes.SHA1 = '678d486e21b001deb58353ca0255e3e5678f9614']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff6e-1954-4818-a306-44d9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "C&C server addresses (hacked websites used as 1st level of proxies)",
|
|
"pattern": "[url:value = 'http://soheylistore.ir:80:/modules/mod_feed/feed.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff6f-9334-4ff6-974f-41de950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "C&C server addresses (hacked websites used as 1st level of proxies)",
|
|
"pattern": "[url:value = 'http://tazohor.com:80:/wp-includes/feed-rss-comments.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff70-0fb0-4437-9781-4b6e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "C&C server addresses (hacked websites used as 1st level of proxies)",
|
|
"pattern": "[url:value = 'http://jucheafrica.com:80:/wp-includes/class-wp-edit.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff71-7df8-45e7-8147-43a9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "C&C server addresses (hacked websites used as 1st level of proxies)",
|
|
"pattern": "[url:value = 'http://61paris.fr:80:/wp-includes/ms-set.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff72-f5c0-4a48-905e-449a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "C&C server addresses (hacked websites used as 1st level of proxies)",
|
|
"pattern": "[url:value = 'http://doctorshand.org:80:/wp-content/about/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcff73-fb90-4c4e-9f60-4227950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"description": "C&C server addresses (hacked websites used as 1st level of proxies)",
|
|
"pattern": "[url:value = 'http://www.lasac.eu:80:/credit_payment/url/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcffa3-f8f4-4c59-bbe4-4dc1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"pattern": "[rule carbon_metadata\r\n{\r\ncondition:\r\n(pe.version_info[\"InternalName\"] contains \"SERVICE.EXE\" or\r\npe.version_info[\"InternalName\"] contains \"MSIMGHLP.DLL\" or\r\npe.version_info[\"InternalName\"] contains \"MSXIML.DLL\")\r\nand pe.version_info[\"CompanyName\"] contains \"Microsoft Corporation\"\r\n}]",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcffbe-0f98-439c-a916-4524950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:26.000Z",
|
|
"modified": "2017-03-30T12:54:26.000Z",
|
|
"pattern": "[rule generic_carbon\r\n{\r\nstrings:\r\n$s1 = \"ModStart\"\r\n$s2 = \"ModuleStart\"\r\n$t1 = \"STOP|OK\"\r\n$t2 = \"STOP|KILL\"\r\ncondition:\r\n(uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))\r\n}]",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dcffdf-e07c-4be4-b0af-4180950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-28T18:23:44.000Z",
|
|
"modified": "2017-04-28T18:23:44.000Z",
|
|
"pattern": "[import \"pe\"\r\nimport \"hash\"\r\n\r\nrule generic_carbon\r\n{\r\nstrings:\r\n$s1 = \"ModStart\"\r\n$s2 = \"STOP|OK\"\r\n$s3 = \"STOP|KILL\"\r\ncondition:\r\n(uint16(0) == 0x5a4d) and all of them\r\n}\r\n\r\nrule carbon_metadata\r\n{\r\ncondition:\r\n(pe.version_info[\"InternalName\"] contains \"SERVICE.EXE\" or\r\npe.version_info[\"InternalName\"] contains \"MSIMGHLP.DLL\" or\r\npe.version_info[\"InternalName\"] contains \"MSXIML.DLL\")\r\nand pe.version_info[\"CompanyName\"] contains \"Microsoft Corporation\"\r\nand not (tags contains \"signed\")\r\n}\r\n\r\nrule carbon_2016_filenames\r\n{\r\ncondition:\r\nfile_name contains \"wkstrend.xml\" or\r\nfile_name contains \"cifrado.xml\" or\r\nfile_name contains \"fsbootfail.dat\" or\r\nfile_name contains \"encodebase.inf\" or\r\nfile_name contains \"zcerterror.png\" or\r\nfile_name contains \"mkfieldsec.dll\"\r\n}]",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-28T18:23:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0020-5a10-4542-bdee-436202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:56.000Z",
|
|
"modified": "2017-03-30T12:54:56.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab",
|
|
"pattern": "[file:hashes.SHA256 = 'af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0021-383c-416f-9302-4ba602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:57.000Z",
|
|
"modified": "2017-03-30T12:54:57.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab",
|
|
"pattern": "[file:hashes.MD5 = '4085820a53a7f8dd58d4ba5ecf94e42b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd0021-2968-4da8-bfcb-481702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:57.000Z",
|
|
"modified": "2017-03-30T12:54:57.000Z",
|
|
"first_observed": "2017-03-30T12:54:57Z",
|
|
"last_observed": "2017-03-30T12:54:57Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd0021-2968-4da8-bfcb-481702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd0021-2968-4da8-bfcb-481702de0b81",
|
|
"value": "https://www.virustotal.com/file/af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4/analysis/1459899966/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0022-213c-42a4-9fac-460602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:58.000Z",
|
|
"modified": "2017-03-30T12:54:58.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6",
|
|
"pattern": "[file:hashes.SHA256 = '050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0023-17f4-444c-89ca-428302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:54:59.000Z",
|
|
"modified": "2017-03-30T12:54:59.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6",
|
|
"pattern": "[file:hashes.MD5 = '1fb407a20373f3970f08d3f3c086841d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:54:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd0024-6ac8-434b-877c-430c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:00.000Z",
|
|
"modified": "2017-03-30T12:55:00.000Z",
|
|
"first_observed": "2017-03-30T12:55:00Z",
|
|
"last_observed": "2017-03-30T12:55:00Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd0024-6ac8-434b-877c-430c02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd0024-6ac8-434b-877c-430c02de0b81",
|
|
"value": "https://www.virustotal.com/file/050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a/analysis/1487311234/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0025-cec4-42ff-a43d-48ef02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:01.000Z",
|
|
"modified": "2017-03-30T12:55:01.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340",
|
|
"pattern": "[file:hashes.SHA256 = '2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0026-146c-465b-acd3-434502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:02.000Z",
|
|
"modified": "2017-03-30T12:55:02.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340",
|
|
"pattern": "[file:hashes.MD5 = '13a81d857610d05f387c1aa86b4b49b9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd0027-e934-4d33-a983-412202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:03.000Z",
|
|
"modified": "2017-03-30T12:55:03.000Z",
|
|
"first_observed": "2017-03-30T12:55:03Z",
|
|
"last_observed": "2017-03-30T12:55:03Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd0027-e934-4d33-a983-412202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd0027-e934-4d33-a983-412202de0b81",
|
|
"value": "https://www.virustotal.com/file/2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47/analysis/1460698324/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0028-37f4-473e-9d2f-4caf02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:04.000Z",
|
|
"modified": "2017-03-30T12:55:04.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 744b43d8c0fe8b217acf0494ad992df6d5191ed9",
|
|
"pattern": "[file:hashes.SHA256 = '995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0029-2d4c-47cb-ac4c-4beb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:05.000Z",
|
|
"modified": "2017-03-30T12:55:05.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 744b43d8c0fe8b217acf0494ad992df6d5191ed9",
|
|
"pattern": "[file:hashes.MD5 = '278e56c4b171d4d8799b9a77c31e4484']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd002a-5acc-4d51-b75b-468e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:06.000Z",
|
|
"modified": "2017-03-30T12:55:06.000Z",
|
|
"first_observed": "2017-03-30T12:55:06Z",
|
|
"last_observed": "2017-03-30T12:55:06Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd002a-5acc-4d51-b75b-468e02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd002a-5acc-4d51-b75b-468e02de0b81",
|
|
"value": "https://www.virustotal.com/file/995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16/analysis/1460698430/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd002a-f7b4-4527-853e-4fa002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:06.000Z",
|
|
"modified": "2017-03-30T12:55:06.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b",
|
|
"pattern": "[file:hashes.SHA256 = 'c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd002b-43c4-483a-b84e-4f0202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:07.000Z",
|
|
"modified": "2017-03-30T12:55:07.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b",
|
|
"pattern": "[file:hashes.MD5 = '3b28045c0636f455a3fdf75bd44256ba']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd002c-2a44-4162-8831-449d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:08.000Z",
|
|
"modified": "2017-03-30T12:55:08.000Z",
|
|
"first_observed": "2017-03-30T12:55:08Z",
|
|
"last_observed": "2017-03-30T12:55:08Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd002c-2a44-4162-8831-449d02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd002c-2a44-4162-8831-449d02de0b81",
|
|
"value": "https://www.virustotal.com/file/c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47/analysis/1460104267/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd002d-ee14-4e08-83e8-468b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:09.000Z",
|
|
"modified": "2017-03-30T12:55:09.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3",
|
|
"pattern": "[file:hashes.SHA256 = 'd581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd002e-38d0-496d-b553-488302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:10.000Z",
|
|
"modified": "2017-03-30T12:55:10.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3",
|
|
"pattern": "[file:hashes.MD5 = '1c84038a7aac6342894d5896a390913d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd002f-e984-4cc5-93e2-427202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:11.000Z",
|
|
"modified": "2017-03-30T12:55:11.000Z",
|
|
"first_observed": "2017-03-30T12:55:11Z",
|
|
"last_observed": "2017-03-30T12:55:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd002f-e984-4cc5-93e2-427202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd002f-e984-4cc5-93e2-427202de0b81",
|
|
"value": "https://www.virustotal.com/file/d581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db/analysis/1463398122/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0030-18bc-45aa-9365-4a3502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:12.000Z",
|
|
"modified": "2017-03-30T12:55:12.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0",
|
|
"pattern": "[file:hashes.SHA256 = '7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0030-6898-4767-9ad6-4ea602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:12.000Z",
|
|
"modified": "2017-03-30T12:55:12.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0",
|
|
"pattern": "[file:hashes.MD5 = 'ea23d67e41d1f0a7f7e7a8b59e7cb60f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd0031-cac4-4c84-9ebc-4c4a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:13.000Z",
|
|
"modified": "2017-03-30T12:55:13.000Z",
|
|
"first_observed": "2017-03-30T12:55:13Z",
|
|
"last_observed": "2017-03-30T12:55:13Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81",
|
|
"value": "https://www.virustotal.com/file/7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121/analysis/1490735057/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0032-fa80-4125-adbb-4e6f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:14.000Z",
|
|
"modified": "2017-03-30T12:55:14.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 2227fd6fc9d669a9b66c59593533750477669557",
|
|
"pattern": "[file:hashes.SHA256 = '9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0033-60e0-4e52-b5ba-4e4902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:15.000Z",
|
|
"modified": "2017-03-30T12:55:15.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 2227fd6fc9d669a9b66c59593533750477669557",
|
|
"pattern": "[file:hashes.MD5 = 'd115532ed6189b3f74569f8012efe110']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd0034-c460-4ba5-b29d-44c802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:16.000Z",
|
|
"modified": "2017-03-30T12:55:16.000Z",
|
|
"first_observed": "2017-03-30T12:55:16Z",
|
|
"last_observed": "2017-03-30T12:55:16Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd0034-c460-4ba5-b29d-44c802de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd0034-c460-4ba5-b29d-44c802de0b81",
|
|
"value": "https://www.virustotal.com/file/9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839/analysis/1463724060/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0035-adb0-4116-8b7f-4a3d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:17.000Z",
|
|
"modified": "2017-03-30T12:55:17.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23",
|
|
"pattern": "[file:hashes.SHA256 = 'd1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0035-62f8-4558-9033-4e4302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:17.000Z",
|
|
"modified": "2017-03-30T12:55:17.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23",
|
|
"pattern": "[file:hashes.MD5 = '21802eb06e2b05b5db40381f296d67ad']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd0036-68cc-4f5f-a571-4a3802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:18.000Z",
|
|
"modified": "2017-03-30T12:55:18.000Z",
|
|
"first_observed": "2017-03-30T12:55:18Z",
|
|
"last_observed": "2017-03-30T12:55:18Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd0036-68cc-4f5f-a571-4a3802de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd0036-68cc-4f5f-a571-4a3802de0b81",
|
|
"value": "https://www.virustotal.com/file/d1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19/analysis/1487239958/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0037-8088-49e9-944f-45ff02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:19.000Z",
|
|
"modified": "2017-03-30T12:55:19.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3",
|
|
"pattern": "[file:hashes.SHA256 = 'e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd0038-5144-4ed3-adfe-4d3102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:20.000Z",
|
|
"modified": "2017-03-30T12:55:20.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3",
|
|
"pattern": "[file:hashes.MD5 = 'b4096859121998c065896d3d19e46e50']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd0039-0208-4066-bc11-4eb502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:21.000Z",
|
|
"modified": "2017-03-30T12:55:21.000Z",
|
|
"first_observed": "2017-03-30T12:55:21Z",
|
|
"last_observed": "2017-03-30T12:55:21Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd0039-0208-4066-bc11-4eb502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd0039-0208-4066-bc11-4eb502de0b81",
|
|
"value": "https://www.virustotal.com/file/e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed/analysis/1487240002/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd003a-b738-4acc-a32b-470c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:22.000Z",
|
|
"modified": "2017-03-30T12:55:22.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 311f399c299741e80db8bec65bbf4b56109eedaf",
|
|
"pattern": "[file:hashes.SHA256 = 'c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd003b-134c-47ef-9ec6-431402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:23.000Z",
|
|
"modified": "2017-03-30T12:55:23.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 311f399c299741e80db8bec65bbf4b56109eedaf",
|
|
"pattern": "[file:hashes.MD5 = '4ae7e6011b550372d2a73ab3b4d67096']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58dd003c-06e4-456b-b541-4a0302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:24.000Z",
|
|
"modified": "2017-03-30T12:55:24.000Z",
|
|
"first_observed": "2017-03-30T12:55:24Z",
|
|
"last_observed": "2017-03-30T12:55:24Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58dd003c-06e4-456b-b541-4a0302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58dd003c-06e4-456b-b541-4a0302de0b81",
|
|
"value": "https://www.virustotal.com/file/c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0/analysis/1472552183/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd003d-9d0c-4261-9263-492e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-30T12:55:25.000Z",
|
|
"modified": "2017-03-30T12:55:25.000Z",
|
|
"description": "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d",
|
|
"pattern": "[file:hashes.SHA256 = '1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-30T12:55:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58dd003d-866c-493e-ab08-42ad02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:25.000Z",
"modified": "2017-03-30T12:55:25.000Z",
"description": "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d",
"pattern": "[file:hashes.MD5 = '244505129d96be57134cb00f27d4359c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd003e-eca8-4aaa-ae60-4cca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:26.000Z",
"modified": "2017-03-30T12:55:26.000Z",
"first_observed": "2017-03-30T12:55:26Z",
"last_observed": "2017-03-30T12:55:26Z",
"number_observed": 1,
"object_refs": [
"url--58dd003e-eca8-4aaa-ae60-4cca02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd003e-eca8-4aaa-ae60-4cca02de0b81",
"value": "https://www.virustotal.com/file/1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72/analysis/1472508860/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd003f-e27c-4949-aab7-490c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:27.000Z",
"modified": "2017-03-30T12:55:27.000Z",
"description": "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c",
"pattern": "[file:hashes.SHA256 = '31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0040-c27c-4ff6-bc0d-41d902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:28.000Z",
"modified": "2017-03-30T12:55:28.000Z",
"description": "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c",
"pattern": "[file:hashes.MD5 = '91a5594343b47462ebd6266a9c40abbe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd0041-f364-447a-82a3-423c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:29.000Z",
"modified": "2017-03-30T12:55:29.000Z",
"first_observed": "2017-03-30T12:55:29Z",
"last_observed": "2017-03-30T12:55:29Z",
"number_observed": 1,
"object_refs": [
"url--58dd0041-f364-447a-82a3-423c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd0041-f364-447a-82a3-423c02de0b81",
"value": "https://www.virustotal.com/file/31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566/analysis/1487311644/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0042-ff94-4d44-8926-42b202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:30.000Z",
"modified": "2017-03-30T12:55:30.000Z",
"description": "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe",
"pattern": "[file:hashes.SHA256 = 'ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0043-e258-4a82-b1cf-4f5b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:31.000Z",
"modified": "2017-03-30T12:55:31.000Z",
"description": "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe",
"pattern": "[file:hashes.MD5 = 'df230db9bddf200b24d8744ad84d80e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd0044-5cfc-4f5d-bed1-42ec02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:32.000Z",
"modified": "2017-03-30T12:55:32.000Z",
"first_observed": "2017-03-30T12:55:32Z",
"last_observed": "2017-03-30T12:55:32Z",
"number_observed": 1,
"object_refs": [
"url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81",
"value": "https://www.virustotal.com/file/ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f/analysis/1482320204/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0045-00c8-447f-b23a-4da402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:33.000Z",
"modified": "2017-03-30T12:55:33.000Z",
"description": "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53",
"pattern": "[file:hashes.SHA256 = '8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0045-20e4-4b68-8b47-44a502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:33.000Z",
"modified": "2017-03-30T12:55:33.000Z",
"description": "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53",
"pattern": "[file:hashes.MD5 = '554450c1ecb925693fedbb9e56702646']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd0046-5560-49b6-8f5d-428102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:34.000Z",
"modified": "2017-03-30T12:55:34.000Z",
"first_observed": "2017-03-30T12:55:34Z",
"last_observed": "2017-03-30T12:55:34Z",
"number_observed": 1,
"object_refs": [
"url--58dd0046-5560-49b6-8f5d-428102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd0046-5560-49b6-8f5d-428102de0b81",
"value": "https://www.virustotal.com/file/8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb/analysis/1472540442/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0047-efc8-49f9-8a9d-4bc502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:35.000Z",
"modified": "2017-03-30T12:55:35.000Z",
"description": "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28",
"pattern": "[file:hashes.SHA256 = 'ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0048-f4bc-4507-9132-475902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:36.000Z",
"modified": "2017-03-30T12:55:36.000Z",
"description": "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28",
"pattern": "[file:hashes.MD5 = 'e6d1dcc6c2601e592f2b03f35b06fa8f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd0049-3be8-4d8a-8293-4d8d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:37.000Z",
"modified": "2017-03-30T12:55:37.000Z",
"first_observed": "2017-03-30T12:55:37Z",
"last_observed": "2017-03-30T12:55:37Z",
"number_observed": 1,
"object_refs": [
"url--58dd0049-3be8-4d8a-8293-4d8d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd0049-3be8-4d8a-8293-4d8d02de0b81",
"value": "https://www.virustotal.com/file/ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45/analysis/1472563917/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd004a-9f74-4c4d-94da-4c6802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:38.000Z",
"modified": "2017-03-30T12:55:38.000Z",
"description": "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233",
"pattern": "[file:hashes.SHA256 = '1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd004b-5b70-47be-a686-4e3002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:39.000Z",
"modified": "2017-03-30T12:55:39.000Z",
"description": "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233",
"pattern": "[file:hashes.MD5 = '43e896ede6fe025ee90f7f27c6d376a4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd004b-4d28-44d7-9414-425902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:39.000Z",
"modified": "2017-03-30T12:55:39.000Z",
"first_observed": "2017-03-30T12:55:39Z",
"last_observed": "2017-03-30T12:55:39Z",
"number_observed": 1,
"object_refs": [
"url--58dd004b-4d28-44d7-9414-425902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd004b-4d28-44d7-9414-425902de0b81",
"value": "https://www.virustotal.com/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/1484282511/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd004c-71f0-4e9c-85c4-4a4d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:40.000Z",
"modified": "2017-03-30T12:55:40.000Z",
"description": "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f",
"pattern": "[file:hashes.SHA256 = '02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd004d-5b4c-46b6-8974-40c602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:41.000Z",
"modified": "2017-03-30T12:55:41.000Z",
"description": "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f",
"pattern": "[file:hashes.MD5 = '4c1017de62ea4788c7c8058a8f825a2d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd004e-33e8-45a4-825d-491d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:42.000Z",
"modified": "2017-03-30T12:55:42.000Z",
"first_observed": "2017-03-30T12:55:42Z",
"last_observed": "2017-03-30T12:55:42Z",
"number_observed": 1,
"object_refs": [
"url--58dd004e-33e8-45a4-825d-491d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd004e-33e8-45a4-825d-491d02de0b81",
"value": "https://www.virustotal.com/file/02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198/analysis/1487306753/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd004f-1e20-4e75-8e21-477f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:43.000Z",
"modified": "2017-03-30T12:55:43.000Z",
"description": "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46",
"pattern": "[file:hashes.SHA256 = '3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0050-d094-4d4f-86a3-4f4502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:44.000Z",
"modified": "2017-03-30T12:55:44.000Z",
"description": "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46",
"pattern": "[file:hashes.MD5 = 'cb1b68d9971c2353c2d6a8119c49b51f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd0051-ce8c-4059-9ecb-476902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:45.000Z",
"modified": "2017-03-30T12:55:45.000Z",
"first_observed": "2017-03-30T12:55:45Z",
"last_observed": "2017-03-30T12:55:45Z",
"number_observed": 1,
"object_refs": [
"url--58dd0051-ce8c-4059-9ecb-476902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd0051-ce8c-4059-9ecb-476902de0b81",
"value": "https://www.virustotal.com/file/3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122/analysis/1490734934/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0052-8e84-4b91-908a-40af02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:46.000Z",
"modified": "2017-03-30T12:55:46.000Z",
"description": "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3",
"pattern": "[file:hashes.SHA256 = '0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0052-8680-469f-8cbb-4f3802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:46.000Z",
"modified": "2017-03-30T12:55:46.000Z",
"description": "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3",
"pattern": "[file:hashes.MD5 = '7ddee9311d7ab2d548e9b252383863ef']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd0053-5978-4766-94a4-468f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:47.000Z",
"modified": "2017-03-30T12:55:47.000Z",
"first_observed": "2017-03-30T12:55:47Z",
"last_observed": "2017-03-30T12:55:47Z",
"number_observed": 1,
"object_refs": [
"url--58dd0053-5978-4766-94a4-468f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd0053-5978-4766-94a4-468f02de0b81",
"value": "https://www.virustotal.com/file/0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65/analysis/1485875623/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0054-7e04-4ad1-b86f-47d002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:48.000Z",
"modified": "2017-03-30T12:55:48.000Z",
"description": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9",
"pattern": "[file:hashes.SHA256 = '7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0055-b800-4361-9aa0-47be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:49.000Z",
"modified": "2017-03-30T12:55:49.000Z",
"description": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9",
"pattern": "[file:hashes.MD5 = 'e664b6f5f50d1a7991e254e5e81a683f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd0056-6e74-43d5-b58b-494802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:50.000Z",
"modified": "2017-03-30T12:55:50.000Z",
"first_observed": "2017-03-30T12:55:50Z",
"last_observed": "2017-03-30T12:55:50Z",
"number_observed": 1,
"object_refs": [
"url--58dd0056-6e74-43d5-b58b-494802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd0056-6e74-43d5-b58b-494802de0b81",
"value": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0057-5a14-4f5d-884b-490202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:51.000Z",
"modified": "2017-03-30T12:55:51.000Z",
"description": "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b",
"pattern": "[file:hashes.SHA256 = 'aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58dd0057-cde0-4faa-a196-4a6302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:51.000Z",
"modified": "2017-03-30T12:55:51.000Z",
"description": "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b",
"pattern": "[file:hashes.MD5 = '213ca4db4c2abd3b631da00c299d75ef']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-30T12:55:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58dd0058-dcd4-4271-8e57-432702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-30T12:55:52.000Z",
"modified": "2017-03-30T12:55:52.000Z",
"first_observed": "2017-03-30T12:55:52Z",
"last_observed": "2017-03-30T12:55:52Z",
"number_observed": 1,
"object_refs": [
"url--58dd0058-dcd4-4271-8e57-432702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58dd0058-dcd4-4271-8e57-432702de0b81",
"value": "https://www.virustotal.com/file/aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c/analysis/1487398090/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
} |