adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/59496390-0cf4-4bf9-a93a-e1c402de0b81.json

2301 lines
No EOL
96 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--59496390-0cf4-4bf9-a93a-e1c402de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:19:06.000Z",
"modified": "2017-06-21T14:19:06.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--59496390-0cf4-4bf9-a93a-e1c402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:19:06.000Z",
"modified": "2017-06-21T14:19:06.000Z",
"name": "OSINT - CVE-\u00ad2017-\u00ad0199 life of an exploit",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5949639b-2504-4a32-a9cf-467d02de0b81",
"url--5949639b-2504-4a32-a9cf-467d02de0b81",
"vulnerability--594963d5-5adc-45c4-b379-458902de0b81",
"indicator--594a220b-a534-4ffb-a2c6-4eda950d210f",
"indicator--594a220b-4738-4d7c-96c1-40f9950d210f",
"indicator--594a221e-ce00-4660-a80b-4e15950d210f",
"indicator--594a223b-6c90-45ce-98b4-4233950d210f",
"indicator--594a23a9-d138-42cb-8cc9-42e3950d210f",
"indicator--594a23a9-375c-4511-b1ca-48bd950d210f",
"indicator--594a23a9-6ed4-4dbc-917a-4b1c950d210f",
"indicator--594a2617-65fc-4e66-ad9a-42e0950d210f",
"indicator--594a2617-b818-400a-81b0-4c13950d210f",
"indicator--594a2737-0014-4d78-a4dc-4fc7950d210f",
"indicator--594a2a4a-7994-47ca-a723-4404950d210f",
"indicator--594a2a4b-f370-45df-8462-458c950d210f",
"indicator--594a2a4b-9b68-4db0-bfce-4792950d210f",
"indicator--594a2a4b-df28-4c58-9c87-4ef3950d210f",
"indicator--594a2a4b-560c-40d2-837c-4b12950d210f",
"indicator--594a2a4b-2d00-4b89-af87-4c45950d210f",
"indicator--594a2ad4-f21c-42d9-81ab-4e37950d210f",
"indicator--594a2ad4-8e20-4935-aae2-4b79950d210f",
"indicator--594a307d-c088-49dd-a3fa-41e3950d210f",
"indicator--594a35db-6838-43f5-8417-4efd950d210f",
"indicator--594a3b3c-9bdc-4760-8624-47dc950d210f",
"indicator--594a3b3c-fd9c-4cfe-9ce9-424c950d210f",
"indicator--594a3b3c-9b40-4ab8-9b3a-41b5950d210f",
"indicator--594a3b3c-1948-4c5e-b6e5-44dd950d210f",
"indicator--594a3b3c-d2f8-4748-8d98-4048950d210f",
"indicator--594a4002-4268-4e31-8040-4762950d210f",
"indicator--594a4002-999c-42c2-8bf8-4477950d210f",
"indicator--594a4002-ff84-45d0-b43e-4d47950d210f",
"indicator--594a4b3d-2668-48f3-ad4b-40d0950d210f",
"indicator--594a4b3d-dbd0-4a2e-938b-4d50950d210f",
"indicator--594a4b3d-ca18-417a-b8c3-4589950d210f",
"indicator--594a4b3d-2c74-4470-816c-4fe2950d210f",
"indicator--594a4bc2-b458-48b9-bd37-4eaf950d210f",
"indicator--594a4bc2-5d0c-467e-850e-4efb950d210f",
"indicator--594a4bc2-48e8-42df-80ac-4252950d210f",
"indicator--594a4c92-de10-43ca-81ea-47bc950d210f",
"indicator--594a4c92-1958-4a43-ae34-48c6950d210f",
"indicator--594a4c93-2b6c-4802-86ec-412d950d210f",
"indicator--594a5d43-270c-4c26-a5aa-4c38950d210f",
"indicator--594a6357-7714-463b-9cea-2309950d210f",
"indicator--594a6358-c970-4ac8-b723-2309950d210f",
"indicator--594a6358-7b90-4ab3-b08d-2309950d210f",
"indicator--594a6358-f3a0-460f-b5bd-2309950d210f",
"indicator--594a6358-4e10-437c-9d60-2309950d210f",
"indicator--594a6358-d338-47e8-93e3-2309950d210f",
"indicator--594a69a5-a950-4760-add0-2ae0950d210f",
"indicator--594a69a5-7938-4915-bcd8-2ae0950d210f",
"indicator--594a69a5-f86c-4ff8-bae8-2ae0950d210f",
"indicator--594a69a5-d180-475a-b523-2ae0950d210f",
"indicator--594a69a5-fbb8-4794-96c0-2ae0950d210f",
"indicator--594a69a5-5c10-4ef3-aa0f-2ae0950d210f",
"indicator--594a7013-123c-4f78-96f1-4ac9950d210f",
"indicator--594a7013-a798-4639-ab4e-42f4950d210f",
"indicator--594a73fb-cac4-40d7-9338-235f950d210f",
"indicator--594a73fb-7f78-4399-884e-235f950d210f",
"indicator--594a73fb-0948-4cdb-9894-235f950d210f",
"indicator--594a73fb-1840-4166-b30c-235f950d210f",
"indicator--594a73fb-58b8-481f-8fbd-235f950d210f",
"indicator--594a74f5-8720-45a1-a8b3-424d950d210f",
"indicator--594a74f5-d504-4960-8649-4cf6950d210f",
"indicator--594a756b-57c0-44bd-b4f1-2ade950d210f",
"indicator--594a756c-3798-4159-8890-2ade950d210f",
"indicator--594a76cf-84a8-4b9d-973d-4a2f950d210f",
"indicator--594a76cf-2a04-458a-85df-4290950d210f",
"indicator--594a76cf-7328-4155-8892-40ed950d210f",
"indicator--594a76cf-a078-417b-aaf6-4859950d210f",
"indicator--594a76cf-4eb8-49ae-a36b-4322950d210f",
"indicator--594a76cf-e598-4777-a8b3-4b70950d210f",
"indicator--594a76cf-92f4-47c4-92b0-4403950d210f",
"indicator--594a76cf-b63c-4223-8ed9-4df9950d210f",
"indicator--594a779c-76f0-4e7f-b144-4d02950d210f",
"indicator--594a779c-fa18-4f34-8131-4d2d950d210f",
"indicator--594a779c-322c-4fa1-ba75-4448950d210f",
"indicator--594a7979-db68-4ff5-a6c7-4d33950d210f",
"indicator--594a7979-3cec-4044-9210-47bc950d210f",
"observed-data--594a7979-5154-4797-9144-4df3950d210f",
"windows-registry-key--594a7979-5154-4797-9144-4df3950d210f",
"indicator--594a7bfd-a954-40ba-a27a-2ad7950d210f",
"indicator--594a7bfd-a120-4be2-ad94-2ad7950d210f",
"indicator--594a7dab-4b38-44f8-b563-2352950d210f",
"indicator--594a7dab-e7d4-48c2-91a3-2352950d210f",
"indicator--594a7f3e-fa60-4e1d-a1a6-4fcd950d210f",
"indicator--594a7f3e-e498-4841-b22d-46cf950d210f",
"indicator--594a7f3e-f0cc-4023-b9c9-45b8950d210f",
"indicator--594a7f3e-2e1c-4860-a182-4c89950d210f",
"indicator--594a7f3e-04f8-41ff-9ea0-4506950d210f",
"indicator--594a7f3e-82c4-499d-b754-4dca950d210f",
"indicator--594a7fb0-854c-413d-adba-4222950d210f",
"indicator--594a7fb1-c45c-4280-afbc-4d64950d210f",
"indicator--594a8015-3874-457b-aff3-236d950d210f",
"indicator--594a8015-2c84-4ddd-b67b-236d950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"LATENTBOT\"",
"misp-galaxy:tool=\"AmmyAdmin\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5949639b-2504-4a32-a9cf-467d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-20T18:04:11.000Z",
"modified": "2017-06-20T18:04:11.000Z",
"first_observed": "2017-06-20T18:04:11Z",
"last_observed": "2017-06-20T18:04:11Z",
"number_observed": 1,
"object_refs": [
"url--5949639b-2504-4a32-a9cf-467d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5949639b-2504-4a32-a9cf-467d02de0b81",
"value": "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/CVE-2017-0199-life-of-an-exploit.pdf"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--594963d5-5adc-45c4-b379-458902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-20T18:05:09.000Z",
"modified": "2017-06-20T18:05:09.000Z",
"name": "CVE-2017-0199",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2017-0199"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a220b-a534-4ffb-a2c6-4eda950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:36:43.000Z",
"modified": "2017-06-21T07:36:43.000Z",
"description": "decoy",
"pattern": "[url:value = 'http://95.141.38.110/mo/dnr/tmp/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:36:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a220b-4738-4d7c-96c1-40f9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:36:43.000Z",
"modified": "2017-06-21T07:36:43.000Z",
"description": "payload",
"pattern": "[url:value = 'http://95.141.38.110/mo/dnr/copy.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:36:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a221e-ce00-4660-a80b-4e15950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:37:02.000Z",
"modified": "2017-06-21T07:37:02.000Z",
"pattern": "[file:hashes.SHA1 = 'fceffd0fb6959cca75c781bc3310b6e50f9b5941']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:37:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a223b-6c90-45ce-98b4-4233950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:37:31.000Z",
"modified": "2017-06-21T07:37:31.000Z",
"pattern": "[url:value = 'http://185.168.186.36/up/dnr/scan/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:37:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a23a9-d138-42cb-8cc9-42e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:43:37.000Z",
"modified": "2017-06-21T07:43:37.000Z",
"pattern": "[url:value = 'http://46.102.152.129/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:43:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a23a9-375c-4511-b1ca-48bd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:43:37.000Z",
"modified": "2017-06-21T07:43:37.000Z",
"description": "payload",
"pattern": "[url:value = 'wood.exe/dcihprianeeyirdeuceulx.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:43:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a23a9-6ed4-4dbc-917a-4b1c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:43:37.000Z",
"modified": "2017-06-21T07:43:37.000Z",
"description": "decoy",
"pattern": "[url:value = 'questions.doc/document.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:43:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2617-65fc-4e66-ad9a-42e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:53:59.000Z",
"modified": "2017-06-21T07:53:59.000Z",
"pattern": "[file:name = 'testThis.txt' AND file:hashes.SHA1 = 'fceffd0fb6959cca75c781bc3310b6e50f9b5941']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:53:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2617-b818-400a-81b0-4c13950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:53:59.000Z",
"modified": "2017-06-21T07:53:59.000Z",
"pattern": "[file:name = '\u0420\u0410\u0417\u0412\u0415\u0414\u0427\u0418\u041a\u0410.doc' AND file:hashes.SHA1 = '9aed05edab5d0200eb509ed22c8c30f19652814c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:53:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2737-0014-4d78-a4dc-4fc7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T07:58:47.000Z",
"modified": "2017-06-21T07:58:47.000Z",
"description": "Latentbot",
"pattern": "[file:name = 'hire_form.doc' AND file:hashes.SHA1 = '0f3b135fd9eb3c6befbeb69f418ac182aeb56557']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T07:58:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2a4a-7994-47ca-a723-4404950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:11:54.000Z",
"modified": "2017-06-21T08:11:54.000Z",
"pattern": "[file:name = '~WRD0000.tmp' AND file:hashes.SHA1 = '79679d2a9f5e9065b74369ab3724b1033b6659b4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:11:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2a4b-f370-45df-8462-458c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:11:55.000Z",
"modified": "2017-06-21T08:11:55.000Z",
"pattern": "[file:hashes.SHA1 = '0f3b135fd9eb3c6befbeb69f418ac182aeb56557']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:11:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2a4b-9b68-4db0-bfce-4792950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:13:06.000Z",
"modified": "2017-06-21T08:13:06.000Z",
"description": "Downloads hxxp://d218w8g44zaxak.cloudfront[.]net/Doc1.jpg",
"pattern": "[file:name = 'Malicous.rtf' AND file:hashes.SHA1 = '88357af86c5984cca1b34150e7be08d5db58be03']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:13:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2a4b-df28-4c58-9c87-4ef3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:11:55.000Z",
"modified": "2017-06-21T08:11:55.000Z",
"pattern": "[url:value = 'http://d218w8g44zaxak.cloudfront.net/Doc1.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:11:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2a4b-560c-40d2-837c-4b12950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:13:17.000Z",
"modified": "2017-06-21T08:13:17.000Z",
"description": "Downloads hxxp://107.170.240.244/download/omgrtf.doc",
"pattern": "[file:name = 'GrahamMedia2017 (1).rtf' AND file:hashes.SHA1 = 'bd665c2e221352dd0729f3ad9a991f0f23727422']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:13:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2a4b-2d00-4b89-af87-4c45950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:11:55.000Z",
"modified": "2017-06-21T08:11:55.000Z",
"pattern": "[url:value = 'http://107.170.240.244/download/omgrtf.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:11:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2ad4-f21c-42d9-81ab-4e37950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:14:12.000Z",
"modified": "2017-06-21T08:14:12.000Z",
"pattern": "[url:value = 'http://95.46.99.199/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:14:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a2ad4-8e20-4935-aae2-4b79950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:14:12.000Z",
"modified": "2017-06-21T08:14:12.000Z",
"pattern": "[url:value = 'http://95.46.99.199/last.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:14:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a307d-c088-49dd-a3fa-41e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T08:38:21.000Z",
"modified": "2017-06-21T08:38:21.000Z",
"description": "Downloads http://107.170.240.244/download/omgrtf.doc",
"pattern": "[file:name = 'resume.doc' AND file:hashes.SHA1 = 'f05323801ba7f7070717aa71b43662ce8a0fa015']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T08:38:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a35db-6838-43f5-8417-4efd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:01:15.000Z",
"modified": "2017-06-21T09:01:15.000Z",
"description": "Ammyy remote administration tool ,connects on this server",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.165.16.51' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:01:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a3b3c-9bdc-4760-8624-47dc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:24:12.000Z",
"modified": "2017-06-21T09:24:12.000Z",
"pattern": "[file:name = 'PDP.doc' AND file:hashes.SHA1 = 'e985c7e32fc3af2c99d4158395083c0e7f5b417a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:24:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a3b3c-fd9c-4cfe-9ce9-424c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:24:12.000Z",
"modified": "2017-06-21T09:24:12.000Z",
"pattern": "[file:name = '~WRD0000.tmp' AND file:hashes.SHA1 = '754af7dc48a00ac16232ae53ad90d88e894d0995']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:24:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a3b3c-9b40-4ab8-9b3a-41b5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:24:12.000Z",
"modified": "2017-06-21T09:24:12.000Z",
"pattern": "[file:name = '!!!!URGENT!!!!READ!!!.doc' AND file:hashes.SHA1 = '2c8daa1636cbf749b3697eb2895403180aeadb92']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:24:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a3b3c-1948-4c5e-b6e5-44dd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:24:12.000Z",
"modified": "2017-06-21T09:24:12.000Z",
"pattern": "[file:name = '!!!!URGENT!!!!READ!!!.rtf' AND file:hashes.SHA1 = '1e9c33a670eed6b125509aceddc7f1667104c29a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:24:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a3b3c-d2f8-4748-8d98-4048950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:24:12.000Z",
"modified": "2017-06-21T09:24:12.000Z",
"pattern": "[file:name = '~WRD0000.tmp' AND file:hashes.SHA1 = '3c956257874e7fa9bd961d7e31c942d0011e0aa3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:24:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4002-4268-4e31-8040-4762950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:44:34.000Z",
"modified": "2017-06-21T09:44:34.000Z",
"description": "Downloads hxxp ://212.86.115.71/template.doc and hxxp://212.86.115.71/sage50.exe",
"pattern": "[file:name = 'document.doc' AND file:hashes.SHA1 = 'f806e1d5949b54cec9b35edb7c7caf88fda8182b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:44:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4002-999c-42c2-8bf8-4477950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:44:49.000Z",
"modified": "2017-06-21T09:44:49.000Z",
"pattern": "[file:name = 'http://212.86.115.71/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:44:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4002-ff84-45d0-b43e-4d47950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T09:44:34.000Z",
"modified": "2017-06-21T09:44:34.000Z",
"pattern": "[url:value = 'http://212.86.115.71/sage50.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T09:44:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4b3d-2668-48f3-ad4b-40d0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:32:29.000Z",
"modified": "2017-06-21T10:32:29.000Z",
"description": "Downloads hxxp://btt5sxcx90[.]com/template.doc which downloads hxxp://btt5sxcx90[.]com/7500.exe and hxxp://btt5sxcx90.com/sample.doc",
"pattern": "[file:name = '45707874[1].doc' AND file:hashes.SHA1 = 'cecbea4349c290bbaaa7eb4ec9c68e15817776d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:32:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4b3d-dbd0-4a2e-938b-4d50950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:32:29.000Z",
"modified": "2017-06-21T10:32:29.000Z",
"description": "(first stage downloader)",
"pattern": "[url:value = 'http://btt5sxcx90.com/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:32:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4b3d-ca18-417a-b8c3-4589950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:32:29.000Z",
"modified": "2017-06-21T10:32:29.000Z",
"description": "(payload)",
"pattern": "[url:value = 'http://btt5sxcx90.com/7500.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:32:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4b3d-2c74-4470-816c-4fe2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:32:29.000Z",
"modified": "2017-06-21T10:32:29.000Z",
"description": "(decoy)",
"pattern": "[url:value = 'http://btt5sxcx90.com/sample.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:32:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4bc2-b458-48b9-bd37-4eaf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:34:42.000Z",
"modified": "2017-06-21T10:34:42.000Z",
"pattern": "[file:name = '99051154[1].doc' AND file:hashes.SHA1 = '88221f8da9f73b513281647a5587a438b27a367f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:34:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4bc2-5d0c-467e-850e-4efb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:34:42.000Z",
"modified": "2017-06-21T10:34:42.000Z",
"pattern": "[file:hashes.SHA1 = 'cecbea4349c290bbaaa7eb4ec9c68e15817776d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:34:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4bc2-48e8-42df-80ac-4252950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:34:42.000Z",
"modified": "2017-06-21T10:34:42.000Z",
"pattern": "[file:name = 'Scan_87642.doc' AND file:hashes.SHA1 = '09048811d050bd5f29be36a4b145709f26d4185a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:34:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4c92-de10-43ca-81ea-47bc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:38:10.000Z",
"modified": "2017-06-21T10:38:10.000Z",
"pattern": "[file:name = '~WRD0000.tmp' AND file:hashes.SHA1 = '730ca80d350256b8f5d609c1c16ab4e67bfd8bf7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:38:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4c92-1958-4a43-ae34-48c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T11:43:03.000Z",
"modified": "2017-06-21T11:43:03.000Z",
"description": "Downloads hxxp://rottastics36w[.]net/template.doc",
"pattern": "[file:name = 'Scan_45807.pdf' AND file:hashes.SHA1 = '3770051d8cb7df081b5409f2be3b8d6c916a2755']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T11:43:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a4c93-2b6c-4802-86ec-412d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T10:38:11.000Z",
"modified": "2017-06-21T10:38:11.000Z",
"pattern": "[url:value = 'http://rottastics36w.net/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T10:38:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a5d43-270c-4c26-a5aa-4c38950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T11:49:23.000Z",
"modified": "2017-06-21T11:49:23.000Z",
"pattern": "[file:name = 'Scan_0001_7594711688.doc' AND file:hashes.SHA1 = '10d86ec79cc4fa39eeda1e316706b205f471a88b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T11:49:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a6357-7714-463b-9cea-2309950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:15:19.000Z",
"modified": "2017-06-21T12:15:19.000Z",
"pattern": "[file:name = 'Scan_0001_7594711688.doc' AND file:hashes.SHA1 = 'cfca9c2a0e1d60c00c8edca6128a6b6917490a9f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:15:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a6358-c970-4ac8-b723-2309950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:15:20.000Z",
"modified": "2017-06-21T12:15:20.000Z",
"pattern": "[file:hashes.SHA1 = '3770051d8cb7df081b5409f2be3b8d6c916a2755']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:15:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a6358-7b90-4ab3-b08d-2309950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:15:20.000Z",
"modified": "2017-06-21T12:15:20.000Z",
"description": "Downloads hxxp://hyoeyeep[.]ws/template.doc; probably downloads hxxp://hyoeyeep[.]ws/sp.exe",
"pattern": "[file:hashes.SHA1 = '04a2977b0307834806214fd219636711352b67c7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:15:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a6358-f3a0-460f-b5bd-2309950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:15:20.000Z",
"modified": "2017-06-21T12:15:20.000Z",
"pattern": "[url:value = 'http://hyoeyeep.ws/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:15:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a6358-4e10-437c-9d60-2309950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:15:20.000Z",
"modified": "2017-06-21T12:15:20.000Z",
"pattern": "[url:value = 'http://hyoeyeep.ws/sp.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:15:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a6358-d338-47e8-93e3-2309950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:15:20.000Z",
"modified": "2017-06-21T12:15:20.000Z",
"pattern": "[file:name = 'uk_confirmation_ph887064796.pdf' AND file:hashes.SHA1 = 'c10b1c9a34d3d09a720aacecd55f704fc42e1267']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:15:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a69a5-a950-4760-add0-2ae0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:42:13.000Z",
"modified": "2017-06-21T12:42:13.000Z",
"description": "Downloads hxxp://127.0.0.1/ddsa.doc",
"pattern": "[file:name = 'ddd.rtf' AND file:hashes.SHA1 = 'b073bfbcabd190f94f15d419ae47c60bdf8e5f79']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:42:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a69a5-7938-4915-bcd8-2ae0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:42:13.000Z",
"modified": "2017-06-21T12:42:13.000Z",
"pattern": "[url:value = 'http://127.0.0.1/ddsa.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:42:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a69a5-f86c-4ff8-bae8-2ae0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:42:13.000Z",
"modified": "2017-06-21T12:42:13.000Z",
"description": "Downloads hxxp://127.0.0.1/EncryptedDocument.doc",
"pattern": "[file:name = 'filez.rtf' AND file:hashes.SHA1 = '002fbd0edf424be94f45dea1e3054b51a3249447']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:42:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a69a5-d180-475a-b523-2ae0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:42:13.000Z",
"modified": "2017-06-21T12:42:13.000Z",
"pattern": "[url:value = 'http://127.0.0.1/EncryptedDocument.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:42:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a69a5-fbb8-4794-96c0-2ae0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:42:13.000Z",
"modified": "2017-06-21T12:42:13.000Z",
"description": "Downloads hxxp://directxmpp.siph0n.pw/EncryptedDocument.doc; executed calc.exe",
"pattern": "[file:name = 'TweeterUpdate Form.rtf' AND file:hashes.SHA1 = '9267286f0ae177e73ab67dfd73600a85b9085ebe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:42:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a69a5-5c10-4ef3-aa0f-2ae0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T12:42:13.000Z",
"modified": "2017-06-21T12:42:13.000Z",
"pattern": "[url:value = 'http://directxmpp.siph0n.pw/EncryptedDocument.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T12:42:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7013-123c-4f78-96f1-4ac9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:09:39.000Z",
"modified": "2017-06-21T13:09:39.000Z",
"description": "Original name:assssss - Downloads hxxp://hyoeyeep[.]ws/template.dod",
"pattern": "[file:hashes.SHA1 = '289f7fcf7765890d324eb373d601667cfa0b09be']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:09:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7013-a798-4639-ab4e-42f4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:09:39.000Z",
"modified": "2017-06-21T13:09:39.000Z",
"description": "Derived from 04a2977b0307834806214fd219636711352b67c7 (Dridex downloader) by changing a single byte in the URL (the extension was changed from .doc to .dod)",
"pattern": "[url:value = 'http://hyoeyeep.ws/template.dod']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:09:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a73fb-cac4-40d7-9338-235f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:26:19.000Z",
"modified": "2017-06-21T13:26:19.000Z",
"description": "Original name:assssss - Downloads hstp://hyoeyeep[.]ws/template.doc",
"pattern": "[file:hashes.SHA1 = '064709d96ab41398fc2956edafb13d8835637abd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a73fb-7f78-4399-884e-235f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:26:19.000Z",
"modified": "2017-06-21T13:26:19.000Z",
"description": "Derived from 04a2977b0307834806214fd219636711352b67c7 (Dridex downloader) by changing a single byte in the URL (changing http to hstp)",
"pattern": "[url:value = 'hstp://hyoeyeep.ws/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a73fb-0948-4cdb-9894-235f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:26:19.000Z",
"modified": "2017-06-21T13:26:19.000Z",
"description": "Original name:assssss - Downloads hxxp://hyoeyeep.ws/templatc.doc",
"pattern": "[file:hashes.SHA1 = '0c20ffc3d9b8396d78eaa009ce5442af1aa177f8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a73fb-1840-4166-b30c-235f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:26:19.000Z",
"modified": "2017-06-21T13:26:19.000Z",
"description": "Derived from 04a2977b0307834806214fd219636711352b67c7 (Dridex downloader ) by changing a single byte in the URL (from template to templatc)",
"pattern": "[url:value = 'http://hyoeyeep.ws/templatc.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a73fb-58b8-481f-8fbd-235f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:26:19.000Z",
"modified": "2017-06-21T13:26:19.000Z",
"description": "Original name:assssss - Derived from 04a2977b0307834806214fd219636711352b67c7 (Dridex downloader) by manually editing the RTF file in multiple point and eventually breaking the download URL",
"pattern": "[file:hashes.SHA1 = '3a65d6ca26ec701483277a233d847dbfa604b67f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a74f5-8720-45a1-a8b3-424d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:30:29.000Z",
"modified": "2017-06-21T13:30:29.000Z",
"description": "Dridex downloaders",
"pattern": "[file:hashes.SHA1 = 'c10b1c9a34d3d09a720aacecd55f704fc42e1267']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:30:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a74f5-d504-4960-8649-4cf6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:30:29.000Z",
"modified": "2017-06-21T13:30:29.000Z",
"description": "Dridex downloaders",
"pattern": "[file:hashes.SHA256 = 'ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:30:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a756b-57c0-44bd-b4f1-2ade950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:32:27.000Z",
"modified": "2017-06-21T13:32:27.000Z",
"pattern": "[file:name = 'simpleize.rtf' AND file:hashes.SHA1 = '660f52c8d1db7d700a04be2baac77f84da693b09']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:32:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a756c-3798-4159-8890-2ade950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:32:28.000Z",
"modified": "2017-06-21T13:32:28.000Z",
"description": "Downloads hxxp://hyoeyeep.ws/template.doc",
"pattern": "[file:name = 'goc2.rtf' AND file:hashes.SHA1 = '20978bcc3f08c3b7b850e8ec6c520449ad96db28']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:32:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a76cf-84a8-4b9d-973d-4a2f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:38:23.000Z",
"modified": "2017-06-21T13:38:23.000Z",
"description": "Downloads hxxp://127.0.0.1/s/template.doc",
"pattern": "[file:name = 'ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e_mod.doc' AND file:hashes.SHA1 = '5ad786f8835bc5e29339e12fb0a69ff589e845e1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:38:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a76cf-2a04-458a-85df-4290950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:38:23.000Z",
"modified": "2017-06-21T13:38:23.000Z",
"description": "Downloads hxxp://127.0.0.1/s/template.doc",
"pattern": "[file:name = 'mod2.rtf' AND file:hashes.SHA1 = '7916bbc2af42fcb90bdd59336a7f2913ad7b1da4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:38:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a76cf-7328-4155-8892-40ed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:38:23.000Z",
"modified": "2017-06-21T13:38:23.000Z",
"description": "Downloads hxxp://127.0.0.1/s/template.doc",
"pattern": "[file:name = 'mod2.rtf' AND file:hashes.SHA1 = 'c3d491d92d6bfb5e3f6396beadcfd6b856468e86']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:38:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a76cf-a078-417b-aaf6-4859950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:38:23.000Z",
"modified": "2017-06-21T13:38:23.000Z",
"description": "Downloads hxxp://127.0.0.1/s/template.doc",
"pattern": "[file:name = 'mod2z.rtf' AND file:hashes.SHA1 = '93ab0452b1e1b2ea3b40e88ca182c02f94c084ce']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:38:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a76cf-4eb8-49ae-a36b-4322950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:38:23.000Z",
"modified": "2017-06-21T13:38:23.000Z",
"description": "Downloads hxxp://127.0.0.1/s/template.doc",
"pattern": "[file:name = 'mod2.rtf' AND file:hashes.SHA1 = 'c578eeedc7d2fd0a1a3837dcc66d0b4792f3fdca']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:38:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a76cf-e598-4777-a8b3-4b70950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:38:23.000Z",
"modified": "2017-06-21T13:38:23.000Z",
"description": "Downloads hxxp://127.0.0.1/s/template.doc",
"pattern": "[file:name = 'mod3.doc' AND file:hashes.SHA1 = 'eef36fcdc606e072987c0a5b640200d7f8e2ab45']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:38:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a76cf-92f4-47c4-92b0-4403950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:38:23.000Z",
"modified": "2017-06-21T13:38:23.000Z",
"description": "Downloads hxxp://127.0.0.1/s/template.doc",
"pattern": "[file:name = 'mod3.doc' AND file:hashes.SHA1 = '1922b1ab0b8b77412bb24d1496215b97b1829867']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:38:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a76cf-b63c-4223-8ed9-4df9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:38:23.000Z",
"modified": "2017-06-21T13:38:23.000Z",
"pattern": "[url:value = 'http://127.0.0.1/s/template.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:38:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a779c-76f0-4e7f-b144-4d02950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:41:48.000Z",
"modified": "2017-06-21T13:41:48.000Z",
"description": "Downloads hxxps://g-\u00ad\u2010mirror.appspot[.]com/report.rtf which downloads hxxps://g-\u00ad\u2010mirror.appspot[.]com/favicon.ico",
"pattern": "[file:name = 'g-mirror.rtf' AND file:hashes.SHA1 = 'c281898ca141104ba791dc146a4407f53814d00d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:41:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a779c-fa18-4f34-8131-4d2d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:41:48.000Z",
"modified": "2017-06-21T13:41:48.000Z",
"pattern": "[file:name = 'https://g-\u2010mirror.appspot.com/report.rtf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:41:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a779c-322c-4fa1-ba75-4448950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:41:48.000Z",
"modified": "2017-06-21T13:41:48.000Z",
"pattern": "[file:name = 'https://g-\u2010mirror.ppspot.com/favicon.icoa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:41:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7979-db68-4ff5-a6c7-4d33950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:49:45.000Z",
"modified": "2017-06-21T13:49:45.000Z",
"description": "(installer)",
"pattern": "[file:name = '\\\\%PROFILE\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Display Control Panel\\\\DpiScaling.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:49:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7979-3cec-4044-9210-47bc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:49:45.000Z",
"modified": "2017-06-21T13:49:45.000Z",
"description": "(main backdoor)",
"pattern": "[file:name = '\\\\%PROFILE\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Dynamic COM+\\\\comuid.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T13:49:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--594a7979-5154-4797-9144-4df3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T13:49:45.000Z",
"modified": "2017-06-21T13:49:45.000Z",
"first_observed": "2017-06-21T13:49:45Z",
"last_observed": "2017-06-21T13:49:45Z",
"number_observed": 1,
"object_refs": [
"windows-registry-key--594a7979-5154-4797-9144-4df3950d210f"
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"Persistence mechanism\""
]
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--594a7979-5154-4797-9144-4df3950d210f",
"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u2192DpiScaling"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7bfd-a954-40ba-a27a-2ad7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:00:29.000Z",
"modified": "2017-06-21T14:00:29.000Z",
"description": "Downloads hxxps://mirror-\u00ad\u2010gcdn.appspot[.]com/template.rtf",
"pattern": "[file:name = 'B\u1ea3n s\u1eeda (1).doc' AND file:hashes.SHA1 = 'bbaa768cf1286d45f16ead0cd0f03cab573aa6f6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:00:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7bfd-a120-4be2-ad94-2ad7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:00:29.000Z",
"modified": "2017-06-21T14:00:29.000Z",
"pattern": "[file:name = 'https://mirror-\u2010gcdn.appspot.com/template.rtf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:00:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7dab-4b38-44f8-b563-2352950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:19:06.000Z",
"modified": "2017-06-21T14:19:06.000Z",
"description": "Downloads hxxps://cdn-\u00ad\u2010gmirror.appspot[.]com/template.rtf",
"pattern": "[file:name = 'yThoa thuan nhan su Bo Chinh tr\u1ecb Dang CSVN truoc them Hoi nghi Trung uong 5 khoa 12.doc' AND file:hashes.SHA1 = '58e932975f46f89de8880e8bfc278cb116588d7a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:19:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7dab-e7d4-48c2-91a3-2352950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:07:39.000Z",
"modified": "2017-06-21T14:07:39.000Z",
"pattern": "[file:name = 'https://cdn-\u2010gmirror.appspot.com/template.rtf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:07:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7f3e-fa60-4e1d-a1a6-4fcd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:14:22.000Z",
"modified": "2017-06-21T14:14:22.000Z",
"description": "Downloads hxxp://135.84.177.155/svchost.exe",
"pattern": "[file:name = 'coolxm.rtf' AND file:hashes.SHA1 = 'e310acf0a13351268df24721d1366f696bb4f0ed']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7f3e-e498-4841-b22d-46cf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:14:22.000Z",
"modified": "2017-06-21T14:14:22.000Z",
"pattern": "[url:value = 'http://135.84.177.155/svchost.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7f3e-f0cc-4023-b9c9-45b8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:14:22.000Z",
"modified": "2017-06-21T14:14:22.000Z",
"description": "Downloads hxxp://192.168.56.1/test.doc",
"pattern": "[file:name = '2.rtf' AND file:hashes.SHA1 = 'aa194b24f7017301c4f4d8ab60ede0b9d915cdf0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7f3e-2e1c-4860-a182-4c89950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:14:22.000Z",
"modified": "2017-06-21T14:14:22.000Z",
"pattern": "[url:value = 'http://192.168.56.1/test.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7f3e-04f8-41ff-9ea0-4506950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:14:22.000Z",
"modified": "2017-06-21T14:14:22.000Z",
"description": "Downloads hxxp://5.79.98.106/logo.doc",
"pattern": "[file:hashes.SHA1 = 'aa194b24f7017301c4f4d8ab60ede0b9d915cdf0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7f3e-82c4-499d-b754-4dca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:14:22.000Z",
"modified": "2017-06-21T14:14:22.000Z",
"pattern": "[url:value = 'http://5.79.98.106/logo.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7fb0-854c-413d-adba-4222950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:16:16.000Z",
"modified": "2017-06-21T14:16:16.000Z",
"description": "Downloads hxxp://87.120.254.189/BFbGXDVNjwJaGfFg.txt",
"pattern": "[file:name = '\u041f\u043e\u0440\u044f\u0434\u043e\u043a \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u0440\u0430\u0437\u043c\u0435\u0440\u0430 \u043f\u0435\u043d\u0438 .doc' AND file:hashes.SHA1 = 'd0756e4b252521bafeab10f4db15505727efd75b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:16:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a7fb1-c45c-4280-afbc-4d64950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:16:17.000Z",
"modified": "2017-06-21T14:16:17.000Z",
"pattern": "[url:value = 'http://87.120.254.189/BFbGXDVNjwJaGfFg.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:16:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a8015-3874-457b-aff3-236d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:17:57.000Z",
"modified": "2017-06-21T14:17:57.000Z",
"description": "Downloads hxxp://wowaskopoq.top/1.xls which is not an Excel spreadsheet, as the extension would suggest, but a Windows executable that drops the Cerber ransomware",
"pattern": "[file:name = 'coolxm.rtf' AND file:hashes.SHA1 = '7a4ae8b7fa54d1685c99bf0fac04153a0f873a03']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:17:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--594a8015-2c84-4ddd-b67b-236d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-21T14:17:57.000Z",
"modified": "2017-06-21T14:17:57.000Z",
"pattern": "[url:value = 'http://wowaskopoq.top/1.xls']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-21T14:17:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink