{
|
|
"type": "bundle",
|
|
"id": "bundle--59186a46-6d0c-4359-a644-c061950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--59186a46-6d0c-4359-a644-c061950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"name": "OSINT - Alert (TA17-132A) Indicators Associated With WannaCry Ransomware",
|
|
"published": "2017-05-14T14:52:38Z",
|
|
"object_refs": [
|
|
"observed-data--59186cef-0c9c-4b29-8570-449b950d210f",
|
|
"url--59186cef-0c9c-4b29-8570-449b950d210f",
|
|
"x-misp-attribute--59186d01-aff4-49f2-827e-453e950d210f",
|
|
"indicator--59186d3c-63ec-4821-ae62-40a4950d210f",
|
|
"indicator--59186d5d-6790-457e-ab13-4f20950d210f",
|
|
"indicator--59186e63-87a0-4e5b-981e-b099950d210f",
|
|
"indicator--59186e63-ccb8-4857-8b0d-b099950d210f",
|
|
"indicator--59186e63-24e4-4437-b94a-b099950d210f",
|
|
"indicator--59186e64-1bc8-4c8e-b7e4-b099950d210f",
|
|
"indicator--59186e64-dd30-4087-a0ef-b099950d210f",
|
|
"indicator--59186e65-36bc-49d2-b313-b099950d210f",
|
|
"indicator--59186e65-2668-4823-bf8d-b099950d210f",
|
|
"indicator--59186e66-8f64-4fc3-b5dc-b099950d210f",
|
|
"indicator--59186e66-89e0-4aee-bd3d-b099950d210f",
|
|
"indicator--59186e66-bb9c-43d3-884e-b099950d210f",
|
|
"indicator--59186e67-4310-4e07-bd67-b099950d210f",
|
|
"indicator--59186e67-bdc0-4c44-a075-b099950d210f",
|
|
"indicator--59186e68-b7b8-4f4e-b355-b099950d210f",
|
|
"indicator--59186e68-cad0-4d08-a8a4-b099950d210f",
|
|
"indicator--59186e69-fc34-4bde-b3e7-b099950d210f",
|
|
"indicator--59186e69-c830-43d6-bdf2-b099950d210f",
|
|
"indicator--59186e69-e734-4325-a178-b099950d210f",
|
|
"indicator--59186e6a-ebf8-4186-b88c-b099950d210f",
|
|
"indicator--59186e6a-5b98-4d19-9149-b099950d210f",
|
|
"indicator--59186e6b-dab8-440f-8123-b099950d210f",
|
|
"indicator--59186e6b-d830-41e6-ab27-b099950d210f",
|
|
"indicator--59186e6c-9764-4c73-80ce-b099950d210f",
|
|
"indicator--59186e6c-115c-44aa-ad3b-b099950d210f",
|
|
"indicator--59186e6d-5530-412a-a504-b099950d210f",
|
|
"indicator--59186e6d-eb54-46f4-a695-b099950d210f",
|
|
"indicator--59186e6e-34c0-4625-a0cb-b099950d210f",
|
|
"indicator--59186e6e-5354-4011-81b5-b099950d210f",
|
|
"indicator--59186e6e-6fec-4fc8-95af-b099950d210f",
|
|
"indicator--59186e6f-b5fc-40ac-af86-b099950d210f",
|
|
"indicator--59186e6f-f734-46f1-8960-b099950d210f",
|
|
"indicator--59186e70-80e4-414c-8fe6-b099950d210f",
|
|
"indicator--59186e70-d414-4776-af7e-b099950d210f",
|
|
"indicator--59186e71-0594-4d79-933c-b099950d210f",
|
|
"indicator--59186e71-ac38-40e5-a3e9-b099950d210f",
|
|
"indicator--59186e72-6038-480b-b334-b099950d210f",
|
|
"indicator--59186ed4-1b18-4604-bb07-4d0002de0b81",
|
|
"observed-data--59186ed4-c454-4db4-8fe0-470902de0b81",
|
|
"url--59186ed4-c454-4db4-8fe0-470902de0b81",
|
|
"indicator--59186ed5-87ac-451a-a49a-4b6b02de0b81",
|
|
"indicator--59186ed5-bfcc-434c-8711-452b02de0b81",
|
|
"observed-data--59186ed6-00bc-4f55-8c8b-474a02de0b81",
|
|
"url--59186ed6-00bc-4f55-8c8b-474a02de0b81",
|
|
"indicator--59186ed6-5fcc-4dd2-b252-47e602de0b81",
|
|
"indicator--59186ed6-6b10-4080-9597-424002de0b81",
|
|
"observed-data--59186ed7-90e8-4552-af83-48b502de0b81",
|
|
"url--59186ed7-90e8-4552-af83-48b502de0b81",
|
|
"indicator--59186ed7-c4e0-4a28-ba4c-4ec802de0b81",
|
|
"indicator--59186ed8-153c-4f8e-81a0-441802de0b81",
|
|
"observed-data--59186ed8-5e78-4c77-ac91-416502de0b81",
|
|
"url--59186ed8-5e78-4c77-ac91-416502de0b81",
|
|
"indicator--59186ed9-c890-4cc2-8ed5-4aec02de0b81",
|
|
"indicator--59186ed9-4754-410e-8c84-437302de0b81",
|
|
"observed-data--59186ed9-4ea8-449a-8747-487402de0b81",
|
|
"url--59186ed9-4ea8-449a-8747-487402de0b81",
|
|
"indicator--59186eda-9aec-44a7-842f-400502de0b81",
|
|
"indicator--59186eda-e5c4-49aa-9b79-46a802de0b81",
|
|
"observed-data--59186edb-6524-4f95-9404-44b202de0b81",
|
|
"url--59186edb-6524-4f95-9404-44b202de0b81",
|
|
"indicator--59186edb-fbac-475d-b132-404302de0b81",
|
|
"indicator--59186edc-a134-401d-85c6-4b2902de0b81",
|
|
"observed-data--59186edc-9a80-43d3-8760-447c02de0b81",
|
|
"url--59186edc-9a80-43d3-8760-447c02de0b81",
|
|
"indicator--59186edd-aebc-47d2-809a-4e6f02de0b81",
|
|
"indicator--59186edd-421c-4098-b5b6-4dc602de0b81",
|
|
"observed-data--59186edd-3cdc-4e95-8296-4a5b02de0b81",
|
|
"url--59186edd-3cdc-4e95-8296-4a5b02de0b81",
|
|
"indicator--59186ede-c150-4aba-b1ff-47e302de0b81",
|
|
"indicator--59186ede-cb7c-4978-b81a-420e02de0b81",
|
|
"observed-data--59186edf-ba58-4660-8a00-4b5502de0b81",
|
|
"url--59186edf-ba58-4660-8a00-4b5502de0b81",
|
|
"indicator--59186edf-d044-4037-a06e-495c02de0b81",
|
|
"indicator--59186ee0-aeac-4810-81e7-423802de0b81",
|
|
"observed-data--59186ee0-84cc-441e-999e-44b502de0b81",
|
|
"url--59186ee0-84cc-441e-999e-44b502de0b81",
|
|
"indicator--59186ee1-e194-405e-8599-4e2202de0b81",
|
|
"indicator--59186ee1-9e80-4370-b26b-494502de0b81",
|
|
"observed-data--59186ee1-eff0-4319-8b45-4b6c02de0b81",
|
|
"url--59186ee1-eff0-4319-8b45-4b6c02de0b81",
|
|
"indicator--59186ee2-6158-4c8d-ac13-402602de0b81",
|
|
"indicator--59186ee2-592c-4eb3-b66f-455702de0b81",
|
|
"observed-data--59186ee3-eca8-4b41-8634-4bc502de0b81",
|
|
"url--59186ee3-eca8-4b41-8634-4bc502de0b81",
|
|
"indicator--59186ee3-37c0-4002-a3a9-43f802de0b81",
|
|
"indicator--59186ee4-3700-4b2a-80b5-470102de0b81",
|
|
"observed-data--59186ee4-d7b8-4329-8551-424a02de0b81",
|
|
"url--59186ee4-d7b8-4329-8551-424a02de0b81",
|
|
"indicator--59186ee5-5b74-425b-85b0-4c2102de0b81",
|
|
"indicator--59186ee5-25b0-46c3-bb44-4c6502de0b81",
|
|
"observed-data--59186ee5-431c-44dc-9dce-42cf02de0b81",
|
|
"url--59186ee5-431c-44dc-9dce-42cf02de0b81",
|
|
"indicator--59186ee6-e3a8-4279-ae1c-42bd02de0b81",
|
|
"indicator--59186ee6-1010-4fe9-afef-418802de0b81",
|
|
"observed-data--59186ee7-924c-4790-ae15-4f7502de0b81",
|
|
"url--59186ee7-924c-4790-ae15-4f7502de0b81",
|
|
"indicator--59186ee7-f31c-4a5c-8b0a-465e02de0b81",
|
|
"indicator--59186ee8-6dc4-40ee-bf4c-480e02de0b81",
|
|
"observed-data--59186ee8-86d0-4f44-8d58-403402de0b81",
|
|
"url--59186ee8-86d0-4f44-8d58-403402de0b81",
|
|
"indicator--59186ee9-c5bc-4acc-8799-493d02de0b81",
|
|
"indicator--59186ee9-bfe0-4a09-8002-499702de0b81",
|
|
"observed-data--59186eea-ed70-4404-8146-4f7202de0b81",
|
|
"url--59186eea-ed70-4404-8146-4f7202de0b81",
|
|
"indicator--59186eea-2358-4fa3-937f-442c02de0b81",
|
|
"indicator--59186eea-1c70-41c6-8ab7-483902de0b81",
|
|
"observed-data--59186eeb-30bc-4bb3-a469-44a802de0b81",
|
|
"url--59186eeb-30bc-4bb3-a469-44a802de0b81",
|
|
"indicator--59186eeb-0650-4542-9687-4c1702de0b81",
|
|
"indicator--59186eec-0ff0-42f6-bba9-440002de0b81",
|
|
"observed-data--59186eec-d110-445f-b5b6-4c3302de0b81",
|
|
"url--59186eec-d110-445f-b5b6-4c3302de0b81",
|
|
"indicator--59186eed-443c-4e5e-951b-489b02de0b81",
|
|
"indicator--59186eed-758c-4fc3-bb0b-491d02de0b81",
|
|
"observed-data--59186eee-ab80-4589-ae8e-484002de0b81",
|
|
"url--59186eee-ab80-4589-ae8e-484002de0b81",
|
|
"indicator--59186eee-4158-4161-ab1b-4b1902de0b81",
|
|
"indicator--59186eef-41b0-4bf8-9cc7-44e402de0b81",
|
|
"observed-data--59186eef-8cd0-456d-935d-46f802de0b81",
|
|
"url--59186eef-8cd0-456d-935d-46f802de0b81",
|
|
"indicator--59186ef0-a37c-4071-89ab-4a2602de0b81",
|
|
"indicator--59186ef0-57b0-4ce6-a4da-4bfe02de0b81",
|
|
"observed-data--59186ef0-6ef8-4912-98f7-498102de0b81",
|
|
"url--59186ef0-6ef8-4912-98f7-498102de0b81",
|
|
"indicator--59186ef1-3398-4c29-a43a-44e302de0b81",
|
|
"indicator--59186ef1-6b28-4ad2-83a4-417502de0b81",
|
|
"observed-data--59186ef2-c8dc-4927-9a76-43aa02de0b81",
|
|
"url--59186ef2-c8dc-4927-9a76-43aa02de0b81",
|
|
"indicator--59186ef2-b3cc-4c54-b55c-4eaa02de0b81",
|
|
"indicator--59186ef3-e590-4c42-9210-448002de0b81",
|
|
"observed-data--59186ef3-9e58-4099-ae06-432102de0b81",
|
|
"url--59186ef3-9e58-4099-ae06-432102de0b81",
|
|
"indicator--59186ef3-a424-4bd3-b26a-4b0202de0b81",
|
|
"indicator--59186ef4-d4e0-41c0-9f56-4a3902de0b81",
|
|
"observed-data--59186ef4-1510-4b14-9be3-4d4602de0b81",
|
|
"url--59186ef4-1510-4b14-9be3-4d4602de0b81",
|
|
"indicator--59186ef5-32b0-40c2-9f12-4b7502de0b81",
|
|
"indicator--59186ef5-f4b4-40d2-a29d-469602de0b81",
|
|
"observed-data--59186ef6-d52c-4860-a182-458202de0b81",
|
|
"url--59186ef6-d52c-4860-a182-458202de0b81",
|
|
"indicator--59186ef6-c6f0-441e-8972-480d02de0b81",
|
|
"indicator--59186ef7-e05c-4353-ad61-456d02de0b81",
|
|
"observed-data--59186ef7-62ec-4b78-a6af-497302de0b81",
|
|
"url--59186ef7-62ec-4b78-a6af-497302de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"admiralty-scale:source-reliability=\"b\"",
|
|
"misp-galaxy:ransomware=\"WannaCry\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186cef-0c9c-4b29-8570-449b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"first_observed": "2017-05-14T14:50:42Z",
|
|
"last_observed": "2017-05-14T14:50:42Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186cef-0c9c-4b29-8570-449b950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"technical-report\"",
|
|
"admiralty-scale:source-reliability=\"b\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186cef-0c9c-4b29-8570-449b950d210f",
|
|
"value": "https://www.us-cert.gov/ncas/alerts/TA17-132A"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59186d01-aff4-49f2-827e-453e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"technical-report\"",
|
|
"admiralty-scale:source-reliability=\"b\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.\r\nThe latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.\r\n\r\nThis Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.\r\nDescription\r\nInitial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 (link is external) vulnerability on March 14, 2017. According to open sources, one possible infection vector is via phishing emails."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186d3c-63ec-4821-ae62-40a4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[rule Wanna_Cry_Ransomware_Generic {\r\n meta:\r\n description = \"Detects WannaCry Ransomware on disk and in virtual page\"\r\n author = \"US-CERT Code Analysis Team\"\r\n reference = \"not set\" \r\n date = \"2017/05/12\"\r\n hash0 = \"4DA1F312A214C07143ABEEAFB695D904\"\r\n \r\n strings:\r\n $s0 = {410044004D0049004E0024}\r\n $s1 = \"WannaDecryptor\"\r\n $s2 = \"WANNACRY\"\r\n $s3 = \"Microsoft Enhanced RSA and AES Cryptographic\"\r\n $s4 = \"PKS\"\r\n $s5 = \"StartTask\"\r\n $s6 = \"wcry@123\"\r\n $s7 = {2F6600002F72}\r\n $s8 = \"unzip 0.15 Copyrigh\"\r\n condition:\r\n $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8\r\n}]",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186d5d-6790-457e-ab13-4f20950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.*/\r\n\r\nrule MS17_010_WanaCry_worm {\r\n meta:\r\n description = \"Worm exploiting MS17-010 and dropping WannaCry Ransomware\"\r\n author = \"Felipe Molina (@felmoltor)\"\r\n reference = \"https://www.exploit-db.com/exploits/41987/\"\r\n date = \"2017/05/12\"\r\n strings:\r\n $ms17010_str1=\"PC NETWORK PROGRAM 1.0\"\r\n $ms17010_str2=\"LANMAN1.0\"\r\n $ms17010_str3=\"Windows for Workgroups 3.1a\"\r\n $ms17010_str4=\"__TREEID__PLACEHOLDER__\"\r\n $ms17010_str5=\"__USERID__PLACEHOLDER__\"\r\n $wannacry_payload_substr1 = \"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j\"\r\n $wannacry_payload_substr2 = \"h54WfF9cGigWFEx92bzmOd0UOaZlM\"\r\n $wannacry_payload_substr3 = \"tpGFEoLOU6+5I78Toh/nHs/RAP\"\r\n condition:\r\n all of them\r\n}]",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"yara\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e63-87a0-4e5b-981e-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "qeriuwjhrf",
|
|
"pattern": "[file:hashes.MD5 = '3175e4ba26e1e75e52935009a526002c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e63-ccb8-4857-8b0d-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "mssecsvc.exe",
|
|
"pattern": "[file:hashes.MD5 = '31dab68b11824153b4c975399df0354f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e63-24e4-4437-b94a-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "cliconfg.exe",
|
|
"pattern": "[file:hashes.MD5 = '4fef5e34143e646dbf9907c4374276f5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e64-1bc8-4c8e-b7e4-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "diskpart.exe",
|
|
"pattern": "[file:hashes.MD5 = '509c41ec97bb81b0567b059aa2f50fe8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e64-dd30-4087-a0ef-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "lhdfrgui.exe",
|
|
"pattern": "[file:hashes.MD5 = '5bef35496fcbdbe841c82f4d1ab8b7c2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e65-36bc-49d2-b313-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = '638f9235d038a0a001d5ea7f5c5dc4ae']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e65-2668-4823-bf8d-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e66-8f64-4fc3-b5dc-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
|
|
"pattern": "[file:hashes.MD5 = '775a0631fb8229b2aa3d7621427085ad']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e66-89e0-4aee-bd3d-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:name = 'b9c5.bin']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e66-bb9c-43d3-884e-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = '7bf2b57f2a205768755c07f238fb32cc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e67-4310-4e07-bd67-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:name = '2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD.dat']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e67-bdc0-4c44-a075-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = '7f7ccaa16fb15eb1c7399d422f8363e8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e68-b7b8-4f4e-b355-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:name = 'waitfor.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e68-cad0-4d08-a8a4-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = '8495400f199ac77853c53b5a3f278f3e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e69-fc34-4bde-b3e7-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:name = 'tasksche.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e69-c830-43d6-bdf2-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = '84c82835a5d21bbcf75a61706d8ab549']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e69-e734-4325-a178-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = '86721e64ffbd69aa6944b9672bcabb6d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6a-ebf8-4186-b88c-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:name = '8dd63adb68ef053e044a5a2f46e0d2cd.virus']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6a-5b98-4d19-9149-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = '8dd63adb68ef053e044a5a2f46e0d2cd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6b-dab8-440f-8123-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b0ad5902366f860f85b892867e5b1e87']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6b-d830-41e6-ab27-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:name = '3.13']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6c-9764-4c73-80ce-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b675498639429b85af9d70be1e8a8782']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6c-115c-44aa-ad3b-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:name = 'ransomware07_no_detection.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6d-5530-412a-a504-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "ransomware07_no_detection.exe",
|
|
"pattern": "[file:hashes.MD5 = 'd6114ba5f10ad67a4131ab72531f02da']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6d-eb54-46f4-a695-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "mssecsvc.exe",
|
|
"pattern": "[file:hashes.MD5 = 'db349b97c37d22f5ea1d1841e3c89eb4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6e-34c0-4625-a0cb-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "Message",
|
|
"pattern": "[file:hashes.MD5 = 'e372d07207b4da75b3434584cd9f3450']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6e-5354-4011-81b5-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "mssecsvc.exe",
|
|
"pattern": "[file:hashes.MD5 = 'f107a717f76f4f910ae9cb4dc5290594']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6e-6fec-4fc8-95af-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "taskhcst.eee",
|
|
"pattern": "[file:hashes.MD5 = 'f529f4556a5126bba499c26d67892240']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6f-b5fc-40ac-af86-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "WCry_WannaCry_ransomware.exe",
|
|
"pattern": "[file:hashes.MD5 = '4da1f312a214c07143abeeafb695d904']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e6f-f734-46f1-8960-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "taskhcst.exe",
|
|
"pattern": "[file:hashes.MD5 = '3bc855bfadfea71a445080ba72b26c1c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e70-80e4-414c-8fe6-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "findstr",
|
|
"pattern": "[file:hashes.MD5 = 'b9b3965d1b218c63cd317ac33edcb942']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e70-d414-4776-af7e-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = '808182340fb1b0b0b301c998e855a7c8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e71-0594-4d79-933c-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "dvdplay",
|
|
"pattern": "[file:hashes.MD5 = '5c7fb0927db37372da25f270708103a2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e71-ac38-40e5-a3e9-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "Cmd.Exe",
|
|
"pattern": "[file:hashes.MD5 = '66ddbd108b0c347550f18bb953e1831d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186e72-6038-480b-b334-b099950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:50:42.000Z",
|
|
"modified": "2017-05-14T14:50:42.000Z",
|
|
"description": "taskhcst.exe1",
|
|
"pattern": "[file:hashes.MD5 = 'b6ded2b8fe83be35341936e34aa433e5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:50:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed4-1b18-4604-bb07-4d0002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:00.000Z",
|
|
"modified": "2017-05-14T14:51:00.000Z",
|
|
"description": "- Xchecked via VT: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
|
|
"pattern": "[file:hashes.SHA1 = '45356a9dd616ed7161a3b9192e2f318d0ab5ad10']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ed4-c454-4db4-8fe0-470902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:00.000Z",
|
|
"modified": "2017-05-14T14:51:00.000Z",
|
|
"first_observed": "2017-05-14T14:51:00Z",
|
|
"last_observed": "2017-05-14T14:51:00Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ed4-c454-4db4-8fe0-470902de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ed4-c454-4db4-8fe0-470902de0b81",
|
|
"value": "https://www.virustotal.com/file/b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25/analysis/1494773175/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed5-87ac-451a-a49a-4b6b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:01.000Z",
|
|
"modified": "2017-05-14T14:51:01.000Z",
|
|
"description": "taskhcst.exe1 - Xchecked via VT: b6ded2b8fe83be35341936e34aa433e5",
|
|
"pattern": "[file:hashes.SHA256 = 'fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed5-bfcc-434c-8711-452b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:01.000Z",
|
|
"modified": "2017-05-14T14:51:01.000Z",
|
|
"description": "taskhcst.exe1 - Xchecked via VT: b6ded2b8fe83be35341936e34aa433e5",
|
|
"pattern": "[file:hashes.SHA1 = '64b8e679727e99a369a2be3ed800f7b969d43aa8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ed6-00bc-4f55-8c8b-474a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:02.000Z",
|
|
"modified": "2017-05-14T14:51:02.000Z",
|
|
"first_observed": "2017-05-14T14:51:02Z",
|
|
"last_observed": "2017-05-14T14:51:02Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ed6-00bc-4f55-8c8b-474a02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ed6-00bc-4f55-8c8b-474a02de0b81",
|
|
"value": "https://www.virustotal.com/file/fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a/analysis/1494743524/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed6-5fcc-4dd2-b252-47e602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:02.000Z",
|
|
"modified": "2017-05-14T14:51:02.000Z",
|
|
"description": "Cmd.Exe - Xchecked via VT: 66ddbd108b0c347550f18bb953e1831d",
|
|
"pattern": "[file:hashes.SHA256 = 'f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed6-6b10-4080-9597-424002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:02.000Z",
|
|
"modified": "2017-05-14T14:51:02.000Z",
|
|
"description": "Cmd.Exe - Xchecked via VT: 66ddbd108b0c347550f18bb953e1831d",
|
|
"pattern": "[file:hashes.SHA1 = '432c1a5353bab4dba67ea620ea6c1a3095c5d4fa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ed7-90e8-4552-af83-48b502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:03.000Z",
|
|
"modified": "2017-05-14T14:51:03.000Z",
|
|
"first_observed": "2017-05-14T14:51:03Z",
|
|
"last_observed": "2017-05-14T14:51:03Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ed7-90e8-4552-af83-48b502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ed7-90e8-4552-af83-48b502de0b81",
|
|
"value": "https://www.virustotal.com/file/f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494/analysis/1494743664/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed7-c4e0-4a28-ba4c-4ec802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:03.000Z",
|
|
"modified": "2017-05-14T14:51:03.000Z",
|
|
"description": "dvdplay - Xchecked via VT: 5c7fb0927db37372da25f270708103a2",
|
|
"pattern": "[file:hashes.SHA256 = 'be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:03Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed8-153c-4f8e-81a0-441802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:04.000Z",
|
|
"modified": "2017-05-14T14:51:04.000Z",
|
|
"description": "dvdplay - Xchecked via VT: 5c7fb0927db37372da25f270708103a2",
|
|
"pattern": "[file:hashes.SHA1 = '120ed9279d85cbfa56e5b7779ffa7162074f7a29']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ed8-5e78-4c77-ac91-416502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:04.000Z",
|
|
"modified": "2017-05-14T14:51:04.000Z",
|
|
"first_observed": "2017-05-14T14:51:04Z",
|
|
"last_observed": "2017-05-14T14:51:04Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ed8-5e78-4c77-ac91-416502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ed8-5e78-4c77-ac91-416502de0b81",
|
|
"value": "https://www.virustotal.com/file/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844/analysis/1494702148/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed9-c890-4cc2-8ed5-4aec02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:05.000Z",
|
|
"modified": "2017-05-14T14:51:05.000Z",
|
|
"description": "- Xchecked via VT: 808182340fb1b0b0b301c998e855a7c8",
|
|
"pattern": "[file:hashes.SHA256 = '76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ed9-4754-410e-8c84-437302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:05.000Z",
|
|
"modified": "2017-05-14T14:51:05.000Z",
|
|
"description": "- Xchecked via VT: 808182340fb1b0b0b301c998e855a7c8",
|
|
"pattern": "[file:hashes.SHA1 = '4fdae49be25846ca53b5936a731ce79c673a8e1f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ed9-4ea8-449a-8747-487402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:05.000Z",
|
|
"modified": "2017-05-14T14:51:05.000Z",
|
|
"first_observed": "2017-05-14T14:51:05Z",
|
|
"last_observed": "2017-05-14T14:51:05Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ed9-4ea8-449a-8747-487402de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ed9-4ea8-449a-8747-487402de0b81",
|
|
"value": "https://www.virustotal.com/file/76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf/analysis/1494743657/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eda-9aec-44a7-842f-400502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:06.000Z",
|
|
"modified": "2017-05-14T14:51:06.000Z",
|
|
"description": "findstr - Xchecked via VT: b9b3965d1b218c63cd317ac33edcb942",
|
|
"pattern": "[file:hashes.SHA256 = '5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eda-e5c4-49aa-9b79-46a802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:06.000Z",
|
|
"modified": "2017-05-14T14:51:06.000Z",
|
|
"description": "findstr - Xchecked via VT: b9b3965d1b218c63cd317ac33edcb942",
|
|
"pattern": "[file:hashes.SHA1 = '02408bb6dc1f3605a7d3f9bad687a858ec147896']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186edb-6524-4f95-9404-44b202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:07.000Z",
|
|
"modified": "2017-05-14T14:51:07.000Z",
|
|
"first_observed": "2017-05-14T14:51:07Z",
|
|
"last_observed": "2017-05-14T14:51:07Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186edb-6524-4f95-9404-44b202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186edb-6524-4f95-9404-44b202de0b81",
|
|
"value": "https://www.virustotal.com/file/5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9/analysis/1494743649/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186edb-fbac-475d-b132-404302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:07.000Z",
|
|
"modified": "2017-05-14T14:51:07.000Z",
|
|
"description": "taskhcst.exe - Xchecked via VT: 3bc855bfadfea71a445080ba72b26c1c",
|
|
"pattern": "[file:hashes.SHA256 = '043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186edc-a134-401d-85c6-4b2902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:08.000Z",
|
|
"modified": "2017-05-14T14:51:08.000Z",
|
|
"description": "taskhcst.exe - Xchecked via VT: 3bc855bfadfea71a445080ba72b26c1c",
|
|
"pattern": "[file:hashes.SHA1 = 'bc978db3d2dc20b1a305d294a504bb0ceb83f95a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186edc-9a80-43d3-8760-447c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:08.000Z",
|
|
"modified": "2017-05-14T14:51:08.000Z",
|
|
"first_observed": "2017-05-14T14:51:08Z",
|
|
"last_observed": "2017-05-14T14:51:08Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186edc-9a80-43d3-8760-447c02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186edc-9a80-43d3-8760-447c02de0b81",
|
|
"value": "https://www.virustotal.com/file/043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2/analysis/1494713702/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186edd-aebc-47d2-809a-4e6f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:09.000Z",
|
|
"modified": "2017-05-14T14:51:09.000Z",
|
|
"description": "WCry_WannaCry_ransomware.exe - Xchecked via VT: 4da1f312a214c07143abeeafb695d904",
|
|
"pattern": "[file:hashes.SHA256 = 'aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186edd-421c-4098-b5b6-4dc602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:09.000Z",
|
|
"modified": "2017-05-14T14:51:09.000Z",
|
|
"description": "WCry_WannaCry_ransomware.exe - Xchecked via VT: 4da1f312a214c07143abeeafb695d904",
|
|
"pattern": "[file:hashes.SHA1 = 'b629f072c9241fd2451f1cbca2290197e72a8f5e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186edd-3cdc-4e95-8296-4a5b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:09.000Z",
|
|
"modified": "2017-05-14T14:51:09.000Z",
|
|
"first_observed": "2017-05-14T14:51:09Z",
|
|
"last_observed": "2017-05-14T14:51:09Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186edd-3cdc-4e95-8296-4a5b02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186edd-3cdc-4e95-8296-4a5b02de0b81",
|
|
"value": "https://www.virustotal.com/file/aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c/analysis/1494743633/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ede-c150-4aba-b1ff-47e302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:10.000Z",
|
|
"modified": "2017-05-14T14:51:10.000Z",
|
|
"description": "taskhcst.eee - Xchecked via VT: f529f4556a5126bba499c26d67892240",
|
|
"pattern": "[file:hashes.SHA256 = 'dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ede-cb7c-4978-b81a-420e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:10.000Z",
|
|
"modified": "2017-05-14T14:51:10.000Z",
|
|
"description": "taskhcst.eee - Xchecked via VT: f529f4556a5126bba499c26d67892240",
|
|
"pattern": "[file:hashes.SHA1 = 'fb18818fc383330b401fc5b332cc63a5bbd4cd30']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186edf-ba58-4660-8a00-4b5502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:11.000Z",
|
|
"modified": "2017-05-14T14:51:11.000Z",
|
|
"first_observed": "2017-05-14T14:51:11Z",
|
|
"last_observed": "2017-05-14T14:51:11Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186edf-ba58-4660-8a00-4b5502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186edf-ba58-4660-8a00-4b5502de0b81",
|
|
"value": "https://www.virustotal.com/file/dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696/analysis/1494720293/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186edf-d044-4037-a06e-495c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:11.000Z",
|
|
"modified": "2017-05-14T14:51:11.000Z",
|
|
"description": "mssecsvc.exe - Xchecked via VT: f107a717f76f4f910ae9cb4dc5290594",
|
|
"pattern": "[file:hashes.SHA256 = 'f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee0-aeac-4810-81e7-423802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:12.000Z",
|
|
"modified": "2017-05-14T14:51:12.000Z",
|
|
"description": "mssecsvc.exe - Xchecked via VT: f107a717f76f4f910ae9cb4dc5290594",
|
|
"pattern": "[file:hashes.SHA1 = '51e4307093f8ca8854359c0ac882ddca427a813c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ee0-84cc-441e-999e-44b502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:12.000Z",
|
|
"modified": "2017-05-14T14:51:12.000Z",
|
|
"first_observed": "2017-05-14T14:51:12Z",
|
|
"last_observed": "2017-05-14T14:51:12Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ee0-84cc-441e-999e-44b502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ee0-84cc-441e-999e-44b502de0b81",
|
|
"value": "https://www.virustotal.com/file/f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85/analysis/1494751064/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee1-e194-405e-8599-4e2202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:13.000Z",
|
|
"modified": "2017-05-14T14:51:13.000Z",
|
|
"description": "Message - Xchecked via VT: e372d07207b4da75b3434584cd9f3450",
|
|
"pattern": "[file:hashes.SHA256 = '4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee1-9e80-4370-b26b-494502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:13.000Z",
|
|
"modified": "2017-05-14T14:51:13.000Z",
|
|
"description": "Message - Xchecked via VT: e372d07207b4da75b3434584cd9f3450",
|
|
"pattern": "[file:hashes.SHA1 = 'f3839c1cde9ce18021194573fdf0cae09a62172f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ee1-eff0-4319-8b45-4b6c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:13.000Z",
|
|
"modified": "2017-05-14T14:51:13.000Z",
|
|
"first_observed": "2017-05-14T14:51:13Z",
|
|
"last_observed": "2017-05-14T14:51:13Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ee1-eff0-4319-8b45-4b6c02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ee1-eff0-4319-8b45-4b6c02de0b81",
|
|
"value": "https://www.virustotal.com/file/4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32/analysis/1494743443/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee2-6158-4c8d-ac13-402602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:14.000Z",
|
|
"modified": "2017-05-14T14:51:14.000Z",
|
|
"description": "mssecsvc.exe - Xchecked via VT: db349b97c37d22f5ea1d1841e3c89eb4",
|
|
"pattern": "[file:hashes.SHA256 = '24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee2-592c-4eb3-b66f-455702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:14.000Z",
|
|
"modified": "2017-05-14T14:51:14.000Z",
|
|
"description": "mssecsvc.exe - Xchecked via VT: db349b97c37d22f5ea1d1841e3c89eb4",
|
|
"pattern": "[file:hashes.SHA1 = 'e889544aff85ffaf8b0d0da705105dee7c97fe26']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ee3-eca8-4b41-8634-4bc502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:15.000Z",
|
|
"modified": "2017-05-14T14:51:15.000Z",
|
|
"first_observed": "2017-05-14T14:51:15Z",
|
|
"last_observed": "2017-05-14T14:51:15Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ee3-eca8-4b41-8634-4bc502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ee3-eca8-4b41-8634-4bc502de0b81",
|
|
"value": "https://www.virustotal.com/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/analysis/1494773179/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee3-37c0-4002-a3a9-43f802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:15.000Z",
|
|
"modified": "2017-05-14T14:51:15.000Z",
|
|
"description": "ransomware07_no_detection.exe - Xchecked via VT: d6114ba5f10ad67a4131ab72531f02da",
|
|
"pattern": "[file:hashes.SHA256 = '7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee4-3700-4b2a-80b5-470102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:16.000Z",
|
|
"modified": "2017-05-14T14:51:16.000Z",
|
|
"description": "ransomware07_no_detection.exe - Xchecked via VT: d6114ba5f10ad67a4131ab72531f02da",
|
|
"pattern": "[file:hashes.SHA1 = 'a1818054b40ec9e28bebe518ecc92f4eceaffef4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ee4-d7b8-4329-8551-424a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:16.000Z",
|
|
"modified": "2017-05-14T14:51:16.000Z",
|
|
"first_observed": "2017-05-14T14:51:16Z",
|
|
"last_observed": "2017-05-14T14:51:16Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ee4-d7b8-4329-8551-424a02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ee4-d7b8-4329-8551-424a02de0b81",
|
|
"value": "https://www.virustotal.com/file/7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff/analysis/1494751042/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee5-5b74-425b-85b0-4c2102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:17.000Z",
|
|
"modified": "2017-05-14T14:51:17.000Z",
|
|
"description": "- Xchecked via VT: b675498639429b85af9d70be1e8a8782",
|
|
"pattern": "[file:hashes.SHA256 = '7108d6793a003695ee8107401cfb17af305fa82ff6c16b7a5db45f15e5c9e12d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee5-25b0-46c3-bb44-4c6502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:17.000Z",
|
|
"modified": "2017-05-14T14:51:17.000Z",
|
|
"description": "- Xchecked via VT: b675498639429b85af9d70be1e8a8782",
|
|
"pattern": "[file:hashes.SHA1 = 'b8b49a36a52abcf537febcbf2d09497bee79987d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ee5-431c-44dc-9dce-42cf02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:17.000Z",
|
|
"modified": "2017-05-14T14:51:17.000Z",
|
|
"first_observed": "2017-05-14T14:51:17Z",
|
|
"last_observed": "2017-05-14T14:51:17Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ee5-431c-44dc-9dce-42cf02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ee5-431c-44dc-9dce-42cf02de0b81",
|
|
"value": "https://www.virustotal.com/file/7108d6793a003695ee8107401cfb17af305fa82ff6c16b7a5db45f15e5c9e12d/analysis/1494666506/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee6-e3a8-4279-ae1c-42bd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:18.000Z",
|
|
"modified": "2017-05-14T14:51:18.000Z",
|
|
"description": "- Xchecked via VT: b0ad5902366f860f85b892867e5b1e87",
|
|
"pattern": "[file:hashes.SHA256 = 'ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee6-1010-4fe9-afef-418802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:18.000Z",
|
|
"modified": "2017-05-14T14:51:18.000Z",
|
|
"description": "- Xchecked via VT: b0ad5902366f860f85b892867e5b1e87",
|
|
"pattern": "[file:hashes.SHA1 = 'a52e025d579bebae7c64cb40236b469b3c376024']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ee7-924c-4790-ae15-4f7502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:19.000Z",
|
|
"modified": "2017-05-14T14:51:19.000Z",
|
|
"first_observed": "2017-05-14T14:51:19Z",
|
|
"last_observed": "2017-05-14T14:51:19Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ee7-924c-4790-ae15-4f7502de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ee7-924c-4790-ae15-4f7502de0b81",
|
|
"value": "https://www.virustotal.com/file/ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8/analysis/1494720271/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee7-f31c-4a5c-8b0a-465e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:19.000Z",
|
|
"modified": "2017-05-14T14:51:19.000Z",
|
|
"description": "- Xchecked via VT: 8dd63adb68ef053e044a5a2f46e0d2cd",
|
|
"pattern": "[file:hashes.SHA256 = '201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee8-6dc4-40ee-bf4c-480e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:20.000Z",
|
|
"modified": "2017-05-14T14:51:20.000Z",
|
|
"description": "- Xchecked via VT: 8dd63adb68ef053e044a5a2f46e0d2cd",
|
|
"pattern": "[file:hashes.SHA1 = '1bc604573ceab106e5a0e9c419ade38739228707']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ee8-86d0-4f44-8d58-403402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:20.000Z",
|
|
"modified": "2017-05-14T14:51:20.000Z",
|
|
"first_observed": "2017-05-14T14:51:20Z",
|
|
"last_observed": "2017-05-14T14:51:20Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ee8-86d0-4f44-8d58-403402de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ee8-86d0-4f44-8d58-403402de0b81",
|
|
"value": "https://www.virustotal.com/file/201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9/analysis/1494720276/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee9-c5bc-4acc-8799-493d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:21.000Z",
|
|
"modified": "2017-05-14T14:51:21.000Z",
|
|
"description": "- Xchecked via VT: 86721e64ffbd69aa6944b9672bcabb6d",
|
|
"pattern": "[file:hashes.SHA256 = 'c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ee9-bfe0-4a09-8002-499702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:21.000Z",
|
|
"modified": "2017-05-14T14:51:21.000Z",
|
|
"description": "- Xchecked via VT: 86721e64ffbd69aa6944b9672bcabb6d",
|
|
"pattern": "[file:hashes.SHA1 = '8897c658c0373be54eeac23bbd4264687a141ae1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186eea-ed70-4404-8146-4f7202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:22.000Z",
|
|
"modified": "2017-05-14T14:51:22.000Z",
|
|
"first_observed": "2017-05-14T14:51:22Z",
|
|
"last_observed": "2017-05-14T14:51:22Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186eea-ed70-4404-8146-4f7202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186eea-ed70-4404-8146-4f7202de0b81",
|
|
"value": "https://www.virustotal.com/file/c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9/analysis/1494750999/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eea-2358-4fa3-937f-442c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:22.000Z",
|
|
"modified": "2017-05-14T14:51:22.000Z",
|
|
"description": "- Xchecked via VT: 84c82835a5d21bbcf75a61706d8ab549",
|
|
"pattern": "[file:hashes.SHA256 = 'ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eea-1c70-41c6-8ab7-483902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:22.000Z",
|
|
"modified": "2017-05-14T14:51:22.000Z",
|
|
"description": "- Xchecked via VT: 84c82835a5d21bbcf75a61706d8ab549",
|
|
"pattern": "[file:hashes.SHA1 = '5ff465afaabcbf0150d1a3ab2c2e74f3a4426467']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186eeb-30bc-4bb3-a469-44a802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:23.000Z",
|
|
"modified": "2017-05-14T14:51:23.000Z",
|
|
"first_observed": "2017-05-14T14:51:23Z",
|
|
"last_observed": "2017-05-14T14:51:23Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186eeb-30bc-4bb3-a469-44a802de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186eeb-30bc-4bb3-a469-44a802de0b81",
|
|
"value": "https://www.virustotal.com/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/analysis/1494770878/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eeb-0650-4542-9687-4c1702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:23.000Z",
|
|
"modified": "2017-05-14T14:51:23.000Z",
|
|
"description": "- Xchecked via VT: 8495400f199ac77853c53b5a3f278f3e",
|
|
"pattern": "[file:hashes.SHA256 = '2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eec-0ff0-42f6-bba9-440002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:24.000Z",
|
|
"modified": "2017-05-14T14:51:24.000Z",
|
|
"description": "- Xchecked via VT: 8495400f199ac77853c53b5a3f278f3e",
|
|
"pattern": "[file:hashes.SHA1 = 'be5d6279874da315e3080b06083757aad9b32c23']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186eec-d110-445f-b5b6-4c3302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:24.000Z",
|
|
"modified": "2017-05-14T14:51:24.000Z",
|
|
"first_observed": "2017-05-14T14:51:24Z",
|
|
"last_observed": "2017-05-14T14:51:24Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186eec-d110-445f-b5b6-4c3302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186eec-d110-445f-b5b6-4c3302de0b81",
|
|
"value": "https://www.virustotal.com/file/2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d/analysis/1494772081/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eed-443c-4e5e-951b-489b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:25.000Z",
|
|
"modified": "2017-05-14T14:51:25.000Z",
|
|
"description": "- Xchecked via VT: 7f7ccaa16fb15eb1c7399d422f8363e8",
|
|
"pattern": "[file:hashes.SHA256 = '2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eed-758c-4fc3-bb0b-491d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:25.000Z",
|
|
"modified": "2017-05-14T14:51:25.000Z",
|
|
"description": "- Xchecked via VT: 7f7ccaa16fb15eb1c7399d422f8363e8",
|
|
"pattern": "[file:hashes.SHA1 = 'bd44d0ab543bf814d93b719c24e90d8dd7111234']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186eee-ab80-4589-ae8e-484002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:26.000Z",
|
|
"modified": "2017-05-14T14:51:26.000Z",
|
|
"first_observed": "2017-05-14T14:51:26Z",
|
|
"last_observed": "2017-05-14T14:51:26Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186eee-ab80-4589-ae8e-484002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186eee-ab80-4589-ae8e-484002de0b81",
|
|
"value": "https://www.virustotal.com/file/2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd/analysis/1494767002/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eee-4158-4161-ab1b-4b1902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:26.000Z",
|
|
"modified": "2017-05-14T14:51:26.000Z",
|
|
"description": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 - Xchecked via VT: 775a0631fb8229b2aa3d7621427085ad",
|
|
"pattern": "[file:hashes.SHA256 = '00fdb4c1c49aef198f37b8061eb585b8f9a4d5e6c62251441831fe2f6a0a25b7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186eef-41b0-4bf8-9cc7-44e402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:27.000Z",
|
|
"modified": "2017-05-14T14:51:27.000Z",
|
|
"description": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 - Xchecked via VT: 775a0631fb8229b2aa3d7621427085ad",
|
|
"pattern": "[file:hashes.SHA1 = '8286354a6a051704dec39993af4e127d317f6974']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186eef-8cd0-456d-935d-46f802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:27.000Z",
|
|
"modified": "2017-05-14T14:51:27.000Z",
|
|
"first_observed": "2017-05-14T14:51:27Z",
|
|
"last_observed": "2017-05-14T14:51:27Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186eef-8cd0-456d-935d-46f802de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186eef-8cd0-456d-935d-46f802de0b81",
|
|
"value": "https://www.virustotal.com/file/00fdb4c1c49aef198f37b8061eb585b8f9a4d5e6c62251441831fe2f6a0a25b7/analysis/1494767713/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ef0-a37c-4071-89ab-4a2602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:28.000Z",
|
|
"modified": "2017-05-14T14:51:28.000Z",
|
|
"description": "- Xchecked via VT: 638f9235d038a0a001d5ea7f5c5dc4ae",
|
|
"pattern": "[file:hashes.SHA256 = '5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ef0-57b0-4ce6-a4da-4bfe02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:28.000Z",
|
|
"modified": "2017-05-14T14:51:28.000Z",
|
|
"description": "- Xchecked via VT: 638f9235d038a0a001d5ea7f5c5dc4ae",
|
|
"pattern": "[file:hashes.SHA1 = 'af7db69cbaa6ab3e4730af8763ae4bf7b7c0c9b2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ef0-6ef8-4912-98f7-498102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:28.000Z",
|
|
"modified": "2017-05-14T14:51:28.000Z",
|
|
"first_observed": "2017-05-14T14:51:28Z",
|
|
"last_observed": "2017-05-14T14:51:28Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ef0-6ef8-4912-98f7-498102de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ef0-6ef8-4912-98f7-498102de0b81",
|
|
"value": "https://www.virustotal.com/file/5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec/analysis/1494759773/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ef1-3398-4c29-a43a-44e302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:29.000Z",
|
|
"modified": "2017-05-14T14:51:29.000Z",
|
|
"description": "lhdfrgui.exe - Xchecked via VT: 5bef35496fcbdbe841c82f4d1ab8b7c2",
|
|
"pattern": "[file:hashes.SHA256 = '4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ef1-6b28-4ad2-83a4-417502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:29.000Z",
|
|
"modified": "2017-05-14T14:51:29.000Z",
|
|
"description": "lhdfrgui.exe - Xchecked via VT: 5bef35496fcbdbe841c82f4d1ab8b7c2",
|
|
"pattern": "[file:hashes.SHA1 = '50049556b3406e07347411767d6d01a704b6fee6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59186ef2-c8dc-4927-9a76-43aa02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:30.000Z",
|
|
"modified": "2017-05-14T14:51:30.000Z",
|
|
"first_observed": "2017-05-14T14:51:30Z",
|
|
"last_observed": "2017-05-14T14:51:30Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59186ef2-c8dc-4927-9a76-43aa02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59186ef2-c8dc-4927-9a76-43aa02de0b81",
|
|
"value": "https://www.virustotal.com/file/4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982/analysis/1494750995/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59186ef2-b3cc-4c54-b55c-4eaa02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-05-14T14:51:30.000Z",
|
|
"modified": "2017-05-14T14:51:30.000Z",
|
|
"description": "diskpart.exe - Xchecked via VT: 509c41ec97bb81b0567b059aa2f50fe8",
|
|
"pattern": "[file:hashes.SHA256 = '09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-05-14T14:51:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59186ef3-e590-4c42-9210-448002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:31.000Z",
"modified": "2017-05-14T14:51:31.000Z",
"description": "diskpart.exe - Xchecked via VT: 509c41ec97bb81b0567b059aa2f50fe8",
"pattern": "[file:hashes.SHA1 = '87420a2791d18dad3f18be436045280a4cc16fc4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-14T14:51:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59186ef3-9e58-4099-ae06-432102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:31.000Z",
"modified": "2017-05-14T14:51:31.000Z",
"first_observed": "2017-05-14T14:51:31Z",
"last_observed": "2017-05-14T14:51:31Z",
"number_observed": 1,
"object_refs": [
"url--59186ef3-9e58-4099-ae06-432102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59186ef3-9e58-4099-ae06-432102de0b81",
"value": "https://www.virustotal.com/file/09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa/analysis/1494751000/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59186ef3-a424-4bd3-b26a-4b0202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:31.000Z",
"modified": "2017-05-14T14:51:31.000Z",
"description": "cliconfg.exe - Xchecked via VT: 4fef5e34143e646dbf9907c4374276f5",
"pattern": "[file:hashes.SHA256 = '4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-14T14:51:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59186ef4-d4e0-41c0-9f56-4a3902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:32.000Z",
"modified": "2017-05-14T14:51:32.000Z",
"description": "cliconfg.exe - Xchecked via VT: 4fef5e34143e646dbf9907c4374276f5",
"pattern": "[file:hashes.SHA1 = '47a9ad4125b6bd7c55e4e7da251e23f089407b8f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-14T14:51:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59186ef4-1510-4b14-9be3-4d4602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:32.000Z",
"modified": "2017-05-14T14:51:32.000Z",
"first_observed": "2017-05-14T14:51:32Z",
"last_observed": "2017-05-14T14:51:32Z",
"number_observed": 1,
"object_refs": [
"url--59186ef4-1510-4b14-9be3-4d4602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59186ef4-1510-4b14-9be3-4d4602de0b81",
"value": "https://www.virustotal.com/file/4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79/analysis/1494765091/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59186ef5-32b0-40c2-9f12-4b7502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:33.000Z",
"modified": "2017-05-14T14:51:33.000Z",
"description": "mssecsvc.exe - Xchecked via VT: 31dab68b11824153b4c975399df0354f",
"pattern": "[file:hashes.SHA256 = '9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-14T14:51:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59186ef5-f4b4-40d2-a29d-469602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:33.000Z",
"modified": "2017-05-14T14:51:33.000Z",
"description": "mssecsvc.exe - Xchecked via VT: 31dab68b11824153b4c975399df0354f",
"pattern": "[file:hashes.SHA1 = '14249e7fb3fb6f4b363c47d5aae9f46dab2083c1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-14T14:51:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59186ef6-d52c-4860-a182-458202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:34.000Z",
"modified": "2017-05-14T14:51:34.000Z",
"first_observed": "2017-05-14T14:51:34Z",
"last_observed": "2017-05-14T14:51:34Z",
"number_observed": 1,
"object_refs": [
"url--59186ef6-d52c-4860-a182-458202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59186ef6-d52c-4860-a182-458202de0b81",
"value": "https://www.virustotal.com/file/9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640/analysis/1494751026/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59186ef6-c6f0-441e-8972-480d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:34.000Z",
"modified": "2017-05-14T14:51:34.000Z",
"description": "qeriuwjhrf - Xchecked via VT: 3175e4ba26e1e75e52935009a526002c",
"pattern": "[file:hashes.SHA256 = '7e369022da51937781b3efe6c57f824f05cf43cbd66b4a24367a19488d2939e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-14T14:51:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59186ef7-e05c-4353-ad61-456d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:35.000Z",
"modified": "2017-05-14T14:51:35.000Z",
"description": "qeriuwjhrf - Xchecked via VT: 3175e4ba26e1e75e52935009a526002c",
"pattern": "[file:hashes.SHA1 = '5d68e2779e2cccee49188363be6cddbb0bac7053']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-14T14:51:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59186ef7-62ec-4b78-a6af-497302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-14T14:51:35.000Z",
"modified": "2017-05-14T14:51:35.000Z",
"first_observed": "2017-05-14T14:51:35Z",
"last_observed": "2017-05-14T14:51:35Z",
"number_observed": 1,
"object_refs": [
"url--59186ef7-62ec-4b78-a6af-497302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59186ef7-62ec-4b78-a6af-497302de0b81",
"value": "https://www.virustotal.com/file/7e369022da51937781b3efe6c57f824f05cf43cbd66b4a24367a19488d2939e4/analysis/1494751050/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
} |