adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/54b4edfc-7f48-4b02-b488-4f83950d210b.json

1023 lines
45 KiB
JSON
Raw Permalink Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--54b4edfc-7f48-4b02-b488-4f83950d210b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-02-22T10:06:41.000Z",
"modified": "2017-02-22T10:06:41.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--54b4edfc-7f48-4b02-b488-4f83950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-02-22T10:06:41.000Z",
"modified": "2017-02-22T10:06:41.000Z",
"name": "OSINT DTL-12012015-01: Hong Kong SWC attack from Dragon Threat Labs",
"published": "2017-02-22T10:07:17Z",
"object_refs": [
"observed-data--54b4ee1a-3498-4c7e-9352-1d08950d210b",
"url--54b4ee1a-3498-4c7e-9352-1d08950d210b",
"observed-data--54b4ee1a-a838-4ce2-b166-1d08950d210b",
"url--54b4ee1a-a838-4ce2-b166-1d08950d210b",
"observed-data--54b4ee1a-2cf8-4281-ac73-1d08950d210b",
"url--54b4ee1a-2cf8-4281-ac73-1d08950d210b",
"indicator--54b4ee3e-c8d0-40fa-96ee-0ec8950d210b",
"indicator--54b4ee52-8748-4e83-83e0-1d17950d210b",
"indicator--54b4ee5d-a168-4453-9a4c-1d17950d210b",
"indicator--54b4ee6f-5f64-48a0-b315-4bbc950d210b",
"indicator--54b4ee7f-b380-4792-afea-4f25950d210b",
"indicator--54b4ee8e-2328-4f8e-bff7-45ff950d210b",
"x-misp-attribute--54b4eea5-8ae0-403d-843f-459f950d210b",
"indicator--54b4eebc-9548-4724-961f-4994950d210b",
"indicator--54b4eece-d980-49db-b0fe-9eb1950d210b",
"indicator--54b4eece-0c68-469c-bafa-9eb1950d210b",
"indicator--54b4eece-9214-4b55-800b-9eb1950d210b",
"indicator--54b4eece-fdd4-48e8-96de-9eb1950d210b",
"indicator--54b4eece-20bc-4390-9176-9eb1950d210b",
"indicator--54b4eece-f8b0-40db-84fe-9eb1950d210b",
"indicator--54b4eece-fac8-4269-bb03-9eb1950d210b",
"indicator--54b4eece-c2d8-404f-a0db-9eb1950d210b",
"indicator--54b4eedc-8c50-4b7f-91f7-4c0a950d210b",
"indicator--54b4eee8-418c-4e8e-865e-40b5950d210b",
"indicator--54b4eef6-2490-4eeb-85dd-464b950d210b",
"indicator--54b4eef6-dcb0-4802-b477-4449950d210b",
"x-misp-attribute--54b4ef0d-5fbc-4f21-941c-4c5d950d210b",
"observed-data--54b4ef31-1450-44ee-818c-42dd950d210b",
"email-message--54b4ef31-1450-44ee-818c-42dd950d210b",
"email-addr--54b4ef31-1450-44ee-818c-42dd950d210b",
"vulnerability--54b4ef59-7924-4b30-b0f7-1d17950d210b",
"observed-data--54b4ef7b-f684-4f62-9e00-40c4950d210b",
"url--54b4ef7b-f684-4f62-9e00-40c4950d210b",
"indicator--54b4ef99-d7e4-4210-9cb8-1d08950d210b",
"indicator--56c64b60-2a94-43b1-8722-599c950d210f",
"indicator--56c64b62-d838-4952-a1b5-59a1950d210f",
"indicator--56c64b64-1dc4-47e1-ba2c-59a2950d210f",
"indicator--56c64b61-5984-44ed-ae21-5ca1950d210f",
"indicator--56c64b63-8e90-4978-8952-c654950d210f",
"indicator--56c64b65-cb40-42c3-9fe8-c653950d210f",
"observed-data--56de0885-54dc-46e3-aa52-427e02de0b81",
"url--56de0885-54dc-46e3-aa52-427e02de0b81",
"observed-data--56de0885-28e4-472d-89bd-46cc02de0b81",
"url--56de0885-28e4-472d-89bd-46cc02de0b81",
"observed-data--56de0886-d73c-47f1-9c63-4cb502de0b81",
"url--56de0886-d73c-47f1-9c63-4cb502de0b81",
"indicator--56de0886-8ad8-4c5f-95f3-4c1602de0b81",
"indicator--56de0886-02b4-4bf2-bb06-490202de0b81",
"observed-data--56de0887-bd1c-4c60-b57d-41a302de0b81",
"url--56de0887-bd1c-4c60-b57d-41a302de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54b4ee1a-3498-4c7e-9352-1d08950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:06:18.000Z",
"modified": "2015-01-13T10:06:18.000Z",
"first_observed": "2015-01-13T10:06:18Z",
"last_observed": "2015-01-13T10:06:18Z",
"number_observed": 1,
"object_refs": [
"url--54b4ee1a-3498-4c7e-9352-1d08950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54b4ee1a-3498-4c7e-9352-1d08950d210b",
"value": "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54b4ee1a-a838-4ce2-b166-1d08950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:06:18.000Z",
"modified": "2015-01-13T10:06:18.000Z",
"first_observed": "2015-01-13T10:06:18Z",
"last_observed": "2015-01-13T10:06:18Z",
"number_observed": 1,
"object_refs": [
"url--54b4ee1a-a838-4ce2-b166-1d08950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54b4ee1a-a838-4ce2-b166-1d08950d210b",
"value": "https://github.com/DragonThreatLabs/IntelReports/blob/master/DTL-12012015-01.pdf"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54b4ee1a-2cf8-4281-ac73-1d08950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:06:18.000Z",
"modified": "2015-01-13T10:06:18.000Z",
"first_observed": "2015-01-13T10:06:18Z",
"last_observed": "2015-01-13T10:06:18Z",
"number_observed": 1,
"object_refs": [
"url--54b4ee1a-2cf8-4281-ac73-1d08950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54b4ee1a-2cf8-4281-ac73-1d08950d210b",
"value": "https://github.com/DragonThreatLabs/IntelReports/blob/master/DTL-12012015-01.pdf?raw=true"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4ee3e-c8d0-40fa-96ee-0ec8950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:06:54.000Z",
"modified": "2015-01-13T10:06:54.000Z",
"pattern": "[rule apt_c16_win_wateringhole {\r\nmeta:\r\n author = \"@dragonthreatlab \"\r\n description = \"Detects code from APT wateringhole\"\r\nstrings:\r\n $str1 = \"function runmumaa()\"\r\n $str2 = \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"\r\n $str3 = \"function MoSaklgEs7(k)\"\r\ncondition:\r\n any of ($str*)\r\n}]",
"pattern_type": "yara",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"valid_from": "2015-01-13T10:06:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4ee52-8748-4e83-83e0-1d17950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:07:14.000Z",
"modified": "2015-01-13T10:07:14.000Z",
"pattern": "[rule apt_c16_win_swisyn {\r\nmeta:\r\n author = \"@dragonthreatlab\"\r\n md5 = \"a6a18c846e5179259eba9de238f67e41\"\r\n description = \"File matching the md5 above tends to only live in memory, hence the lack of MZ header check.\"\r\nstrings:\r\n $mz = {4D 5A}\r\n $str1 = \"/ShowWU\" ascii\r\n $str2 = \"IsWow64Process\"\r\n $str3 = \"regsvr32 \"\r\n $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}\r\ncondition:\r\n $mz at 0 and all of ($str*)\r\n}]",
"pattern_type": "yara",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"valid_from": "2015-01-13T10:07:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4ee5d-a168-4453-9a4c-1d17950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:07:24.000Z",
"modified": "2015-01-13T10:07:24.000Z",
"pattern": "[rule apt_c16_win32_dropper {\r\nmeta:\r\n author = \"@dragonthreatlab\"\r\n md5 = \"ad17eff26994df824be36db246c8fb6a\"\r\n description = \"APT malware used to drop PcClient RAT\"\r\nstrings:\r\n $mz = {4D 5A}\r\n $str1 = \"clbcaiq.dll\" ascii\r\n $str2 = \"profapi_104\" ascii\r\n $str3 = \"/ShowWU\" ascii\r\n $str4 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\\" ascii\r\n $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}\r\ncondition:\r\n $mz at 0 and all of ($str*)\r\n}]",
"pattern_type": "yara",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"valid_from": "2015-01-13T10:07:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4ee6f-5f64-48a0-b315-4bbc950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:07:43.000Z",
"modified": "2015-01-13T10:07:43.000Z",
"pattern": "[rule apt_c16_win64_dropper {\r\nmeta:\r\n author = \"@dragonthreatlab\"\r\n md5 = \"ad17eff26994df824be36db246c8fb6a\"\r\n description = \"APT malware used to drop PcClient RAT\"\r\nstrings:\r\n $mz = {4D 5A}\r\n $str1 = \"clbcaiq.dll\" ascii\r\n $str2 = \"profapi_104\" ascii\r\n $str3 = \"\\\\Microsoft\\\\wuauclt\\\\wuauclt.dat\" ascii\r\n $str4 = {0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF 75 EC}\r\ncondition:\r\n $mz at 0 and all of ($str*)\r\n}]",
"pattern_type": "yara",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"valid_from": "2015-01-13T10:07:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4ee7f-b380-4792-afea-4f25950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-02-22T10:06:41.000Z",
"modified": "2017-02-22T10:06:41.000Z",
"description": "copy/paste typo?",
"pattern": "[rule apt_c16_win_disk_pcclient {\r\nmeta:\r\n author = \"@dragonthreatlab \"\r\n md5 = \"55f84d88d84c221437cd23cdbc541d2e\"\r\n description = \"Encoded version of pcclient found on disk\"\r\nstrings:\r\n $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}\r\ncondition:\r\n $header at 0\r\n}]",
"pattern_type": "yara",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"valid_from": "2017-02-22T10:06:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4ee8e-2328-4f8e-bff7-45ff950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:08:14.000Z",
"modified": "2015-01-13T10:08:14.000Z",
"pattern": "[rule apt_c16_win_memory_pcclient {\r\nmeta:\r\n author = \"@dragonthreatlab \"\r\n md5 = \"ec532bbe9d0882d403473102e9724557\"\r\n description = \"File matching the md5 above tends to only live in memory, hence the lack of MZ header check.\"\r\nstrings:\r\n $str1 = \"Kill You\" ascii\r\n $str2 = \"%4d-%02d-%02d %02d:%02d:%02d\" ascii\r\n $str3 = \"%4.2f KB\" ascii\r\n $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}\r\ncondition:\r\n all of them\r\n}]",
"pattern_type": "yara",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"valid_from": "2015-01-13T10:08:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54b4eea5-8ae0-403d-843f-459f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:08:37.000Z",
"modified": "2015-01-13T10:08:37.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "dtl-12012015-01"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eebc-9548-4724-961f-4994950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:00.000Z",
"modified": "2015-01-13T10:09:00.000Z",
"pattern": "[alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:\"MALWARE \u00e2\u20ac\u201c DTL ID 21122014 - PcClient beacon\"; flow:established,to_server; content:\"|BB 4E 4E BC BC BC 7E 7E|\"; nocase; offset:160; depth:8; classtype:trojan-activty;)]",
"pattern_type": "snort",
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"pattern_version": "2.1",
chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
"valid_from": "2015-01-13T10:09:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eece-d980-49db-b0fe-9eb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:18.000Z",
"modified": "2015-01-13T10:09:18.000Z",
"pattern": "[file:hashes.MD5 = 'a6a18c846e5179259eba9de238f67e41']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eece-0c68-469c-bafa-9eb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:18.000Z",
"modified": "2015-01-13T10:09:18.000Z",
"pattern": "[file:hashes.MD5 = '55f84d88d84c221437cd23cdbc541d2e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eece-9214-4b55-800b-9eb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:18.000Z",
"modified": "2015-01-13T10:09:18.000Z",
"pattern": "[file:hashes.MD5 = '279ef79f904476ba0f9f44c87358bb1f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eece-fdd4-48e8-96de-9eb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:18.000Z",
"modified": "2015-01-13T10:09:18.000Z",
"pattern": "[file:hashes.MD5 = '42b76c0503a6bf21f1ea86e0b14d67ea']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eece-20bc-4390-9176-9eb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:18.000Z",
"modified": "2015-01-13T10:09:18.000Z",
"pattern": "[file:hashes.MD5 = 'cff25fe24a90ef63eaa168c07008c2bb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eece-f8b0-40db-84fe-9eb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:18.000Z",
"modified": "2015-01-13T10:09:18.000Z",
"pattern": "[file:hashes.MD5 = 'ad17eff26994df824be36db246c8fb6a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eece-fac8-4269-bb03-9eb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:18.000Z",
"modified": "2015-01-13T10:09:18.000Z",
"pattern": "[file:hashes.MD5 = 'f66b64ef984ac46ac7395358059979bc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eece-c2d8-404f-a0db-9eb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:18.000Z",
"modified": "2015-01-13T10:09:18.000Z",
"pattern": "[file:hashes.MD5 = 'efd9dc39682312d6576468f5c0eb6236']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eedc-8c50-4b7f-91f7-4c0a950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:32.000Z",
"modified": "2015-01-13T10:09:32.000Z",
"pattern": "[domain-name:value = 'c.aoemvp.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eee8-418c-4e8e-865e-40b5950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:44.000Z",
"modified": "2015-01-13T10:09:44.000Z",
"pattern": "[domain-name:value = 'aoemvp.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eef6-2490-4eeb-85dd-464b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:58.000Z",
"modified": "2015-01-13T10:09:58.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.64.74.101']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4eef6-dcb0-4802-b477-4449950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:09:58.000Z",
"modified": "2015-01-13T10:09:58.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.229.127.104']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:09:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54b4ef0d-5fbc-4f21-941c-4c5d950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:10:21.000Z",
"modified": "2015-01-13T10:10:21.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Attribution\""
],
"x_misp_category": "Attribution",
"x_misp_comment": "Registrant",
"x_misp_type": "text",
"x_misp_value": "lim.kiu@hotmail.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54b4ef31-1450-44ee-818c-42dd950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:10:57.000Z",
"modified": "2015-01-13T10:10:57.000Z",
"first_observed": "2015-01-13T10:10:57Z",
"last_observed": "2015-01-13T10:10:57Z",
"number_observed": 1,
"object_refs": [
"email-message--54b4ef31-1450-44ee-818c-42dd950d210b",
"email-addr--54b4ef31-1450-44ee-818c-42dd950d210b"
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--54b4ef31-1450-44ee-818c-42dd950d210b",
"is_multipart": false,
"from_ref": "email-addr--54b4ef31-1450-44ee-818c-42dd950d210b"
},
{
"type": "email-addr",
"spec_version": "2.1",
"id": "email-addr--54b4ef31-1450-44ee-818c-42dd950d210b",
"value": "lim.kiu@hotmail.com"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--54b4ef59-7924-4b30-b0f7-1d17950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:11:37.000Z",
"modified": "2015-01-13T10:11:37.000Z",
"name": "CVE-2014-6332",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2014-6332"
}
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54b4ef7b-f684-4f62-9e00-40c4950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:12:11.000Z",
"modified": "2015-01-13T10:12:11.000Z",
"first_observed": "2015-01-13T10:12:11Z",
"last_observed": "2015-01-13T10:12:11Z",
"number_observed": 1,
"object_refs": [
"url--54b4ef7b-f684-4f62-9e00-40c4950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54b4ef7b-f684-4f62-9e00-40c4950d210b",
"value": "https://www.virustotal.com/en/file/debabe7707040b16172545fc174bd4ded36599ebd032a6f09baa2653b32e4f21/analysis/1420727848/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54b4ef99-d7e4-4210-9cb8-1d08950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-13T10:12:41.000Z",
"modified": "2015-01-13T10:12:41.000Z",
"pattern": "[file:hashes.MD5 = 'ec532bbe9d0882d403473102e9724557']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-13T10:12:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64b60-2a94-43b1-8722-599c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:53:20.000Z",
"modified": "2016-02-18T22:53:20.000Z",
"description": "Automatically added (via ad17eff26994df824be36db246c8fb6a)",
"pattern": "[file:hashes.SHA1 = '5d3b16c01d3fd52976634c50676469853d3743c5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:53:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64b62-d838-4952-a1b5-59a1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:53:22.000Z",
"modified": "2016-02-18T22:53:22.000Z",
"description": "Automatically added (via a6a18c846e5179259eba9de238f67e41)",
"pattern": "[file:hashes.SHA1 = 'f8fdb27b9f65e2121ac1e1573bd39a9207d4f014']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:53:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64b64-1dc4-47e1-ba2c-59a2950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:53:24.000Z",
"modified": "2016-02-18T22:53:24.000Z",
"description": "Automatically added (via ec532bbe9d0882d403473102e9724557)",
"pattern": "[file:hashes.SHA1 = 'b91b2d4a10ef98b76e083ebcd646c21e319ebe84']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:53:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64b61-5984-44ed-ae21-5ca1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:53:21.000Z",
"modified": "2016-02-18T22:53:21.000Z",
"description": "Automatically added (via ad17eff26994df824be36db246c8fb6a)",
"pattern": "[file:hashes.SHA256 = 'f79392364595487a049d9ebce118781063225af00a57e80c6591c01a5ccc5b21']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:53:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64b63-8e90-4978-8952-c654950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:53:23.000Z",
"modified": "2016-02-18T22:53:23.000Z",
"description": "Automatically added (via a6a18c846e5179259eba9de238f67e41)",
"pattern": "[file:hashes.SHA256 = '143b17615314b43c3fd1b26d9432ce58298bec96981186023540670203b0b8d4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:53:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64b65-cb40-42c3-9fe8-c653950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:53:25.000Z",
"modified": "2016-02-18T22:53:25.000Z",
"description": "Automatically added (via ec532bbe9d0882d403473102e9724557)",
"pattern": "[file:hashes.SHA256 = 'debabe7707040b16172545fc174bd4ded36599ebd032a6f09baa2653b32e4f21']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:53:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56de0885-54dc-46e3-aa52-427e02de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-03-07T23:02:29.000Z",
"modified": "2016-03-07T23:02:29.000Z",
"first_observed": "2016-03-07T23:02:29Z",
"last_observed": "2016-03-07T23:02:29Z",
"number_observed": 1,
"object_refs": [
"url--56de0885-54dc-46e3-aa52-427e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56de0885-54dc-46e3-aa52-427e02de0b81",
"value": "https://www.virustotal.com/file/debabe7707040b16172545fc174bd4ded36599ebd032a6f09baa2653b32e4f21/analysis/1442484430/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56de0885-28e4-472d-89bd-46cc02de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-03-07T23:02:29.000Z",
"modified": "2016-03-07T23:02:29.000Z",
"first_observed": "2016-03-07T23:02:29Z",
"last_observed": "2016-03-07T23:02:29Z",
"number_observed": 1,
"object_refs": [
"url--56de0885-28e4-472d-89bd-46cc02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56de0885-28e4-472d-89bd-46cc02de0b81",
"value": "https://www.virustotal.com/file/143b17615314b43c3fd1b26d9432ce58298bec96981186023540670203b0b8d4/analysis/1445914123/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56de0886-d73c-47f1-9c63-4cb502de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-03-07T23:02:30.000Z",
"modified": "2016-03-07T23:02:30.000Z",
"first_observed": "2016-03-07T23:02:30Z",
"last_observed": "2016-03-07T23:02:30Z",
"number_observed": 1,
"object_refs": [
"url--56de0886-d73c-47f1-9c63-4cb502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56de0886-d73c-47f1-9c63-4cb502de0b81",
"value": "https://www.virustotal.com/file/f79392364595487a049d9ebce118781063225af00a57e80c6591c01a5ccc5b21/analysis/1442484423/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56de0886-8ad8-4c5f-95f3-4c1602de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-03-07T23:02:30.000Z",
"modified": "2016-03-07T23:02:30.000Z",
"description": "- Xchecked via VT: cff25fe24a90ef63eaa168c07008c2bb",
"pattern": "[file:hashes.SHA256 = 'c7432bdded820e088852b041d9cdff84a81e53a940e2cd19990189ddeb5ae052']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-07T23:02:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56de0886-02b4-4bf2-bb06-490202de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-03-07T23:02:30.000Z",
"modified": "2016-03-07T23:02:30.000Z",
"description": "- Xchecked via VT: cff25fe24a90ef63eaa168c07008c2bb",
"pattern": "[file:hashes.SHA1 = '9fdc73e29546ff7f971564f499170626bd0e7430']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-07T23:02:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56de0887-bd1c-4c60-b57d-41a302de0b81",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-03-07T23:02:31.000Z",
"modified": "2016-03-07T23:02:31.000Z",
"first_observed": "2016-03-07T23:02:31Z",
"last_observed": "2016-03-07T23:02:31Z",
"number_observed": 1,
"object_refs": [
"url--56de0887-bd1c-4c60-b57d-41a302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56de0887-bd1c-4c60-b57d-41a302de0b81",
"value": "https://www.virustotal.com/file/c7432bdded820e088852b041d9cdff84a81e53a940e2cd19990189ddeb5ae052/analysis/1442484444/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:GREEN",
"definition": {
"tlp": "green"
}
}
]
}
Reference in a new issue Copy permalink