{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--54bf5a6f-ac50-4f71-9cd3-7080950d210b",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2017-06-22T20:28:37.000Z",
|
||
|
"modified": "2017-06-22T20:28:37.000Z",
|
||
|
"name": "CthulhuSPRL.be",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--54bf5a6f-ac50-4f71-9cd3-7080950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2017-06-22T20:28:37.000Z",
|
||
|
"modified": "2017-06-22T20:28:37.000Z",
|
||
|
"name": "OSINT Analysis of Project Cobra: Another extensible framework used by the Uroburos\u2019 actors from Gdata",
|
||
|
"published": "2017-06-22T20:32:50Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--54bf5a78-e410-48e5-a257-419f950d210b",
|
||
|
"url--54bf5a78-e410-48e5-a257-419f950d210b",
|
||
|
"x-misp-attribute--54bf5aa3-f5f8-4cbb-a0b4-6ec8950d210b",
|
||
|
"x-misp-attribute--54bf5aa4-a808-4ae9-b975-6ec8950d210b",
|
||
|
"x-misp-attribute--54bf5aa4-8258-4f24-b1ce-6ec8950d210b",
|
||
|
"x-misp-attribute--54bf5aa4-0be8-4cf6-acca-6ec8950d210b",
|
||
|
"x-misp-attribute--54bf5aba-42a0-4bd9-99e1-46e6950d210b",
|
||
|
"x-misp-attribute--54bf5aba-b358-43b9-9afe-407a950d210b",
|
||
|
"indicator--54bf5ad1-8da0-4ac9-9e20-7511950d210b",
|
||
|
"x-misp-attribute--54bf5b00-3a30-4dad-9a2f-9372950d210b",
|
||
|
"x-misp-attribute--54bf5b00-7080-42c5-848d-9372950d210b",
|
||
|
"x-misp-attribute--54bf5b19-b504-45c0-8440-4553950d210b",
|
||
|
"indicator--54bf5b49-57c4-4b9c-a422-ed9b950d210b",
|
||
|
"indicator--54bf5b49-edc8-462c-b987-ed9b950d210b",
|
||
|
"indicator--54bf5b49-7968-4324-88e0-ed9b950d210b",
|
||
|
"x-misp-attribute--54bf5bbd-c090-4d32-b2a9-4199950d210b",
|
||
|
"x-misp-attribute--54bf5bc9-adb0-4fa7-9f0b-6011950d210b",
|
||
|
"indicator--54bf5c0c-b3d4-4a26-8d42-96f9950d210b",
|
||
|
"indicator--54bf5c1d-15b8-4343-87d8-409e950d210b",
|
||
|
"indicator--54bf5c49-46f8-4ffc-a42c-7080950d210b",
|
||
|
"indicator--54bf5c49-0f14-4709-90a7-7080950d210b",
|
||
|
"indicator--54bf5c4a-55a4-4bdf-b979-7080950d210b",
|
||
|
"indicator--54bf5c4a-be70-468d-9116-7080950d210b",
|
||
|
"indicator--54bf5c4a-84fc-40f9-8964-7080950d210b",
|
||
|
"indicator--54bf5c4a-6a00-40cb-ae26-7080950d210b",
|
||
|
"indicator--54bf5c4a-c754-4726-b5bc-7080950d210b",
|
||
|
"indicator--54bf5c99-cb10-4624-99c0-6ec8950d210b",
|
||
|
"indicator--54bf5c99-09b4-46b4-90b0-6ec8950d210b",
|
||
|
"indicator--54bf5c99-d088-4afa-94cc-6ec8950d210b",
|
||
|
"indicator--54bf5c99-6ee0-49ba-b47c-6ec8950d210b",
|
||
|
"indicator--54bf5c99-5574-4298-a0f0-6ec8950d210b",
|
||
|
"indicator--54bf5c99-7214-4418-bc8b-6ec8950d210b",
|
||
|
"indicator--54bf5c99-06a0-462b-9659-6ec8950d210b",
|
||
|
"indicator--54bf5c99-bd70-4db0-aa40-6ec8950d210b",
|
||
|
"indicator--54bf5c99-71dc-4d6f-9040-6ec8950d210b",
|
||
|
"observed-data--54bf5ce1-a618-4841-a6fb-4617950d210b",
|
||
|
"domain-name--54bf5ce1-a618-4841-a6fb-4617950d210b",
|
||
|
"observed-data--54bf5ce1-7a38-453c-a2e5-477d950d210b",
|
||
|
"domain-name--54bf5ce1-7a38-453c-a2e5-477d950d210b",
|
||
|
"observed-data--54bf5ce2-8e2c-43bf-bf02-475d950d210b",
|
||
|
"domain-name--54bf5ce2-8e2c-43bf-bf02-475d950d210b",
|
||
|
"observed-data--54bf5ce2-e228-40c9-9a18-4d75950d210b",
|
||
|
"domain-name--54bf5ce2-e228-40c9-9a18-4d75950d210b",
|
||
|
"indicator--54bf5d70-d930-4f50-b42a-4b37950d210b",
|
||
|
"observed-data--54bf5d9b-c570-4280-a5ac-96f9950d210b",
|
||
|
"domain-name--54bf5d9b-c570-4280-a5ac-96f9950d210b",
|
||
|
"observed-data--54bf5d9b-5330-46fe-82f5-96f9950d210b",
|
||
|
"domain-name--54bf5d9b-5330-46fe-82f5-96f9950d210b",
|
||
|
"observed-data--54bf5d9b-264c-4cd3-8c19-96f9950d210b",
|
||
|
"domain-name--54bf5d9b-264c-4cd3-8c19-96f9950d210b",
|
||
|
"observed-data--54bf5d9b-3e8c-4493-a6a9-96f9950d210b",
|
||
|
"domain-name--54bf5d9b-3e8c-4493-a6a9-96f9950d210b",
|
||
|
"observed-data--54bf5d9b-1a7c-4995-b9e6-96f9950d210b",
|
||
|
"domain-name--54bf5d9b-1a7c-4995-b9e6-96f9950d210b",
|
||
|
"observed-data--54bf5d9c-f77c-4060-bfac-96f9950d210b",
|
||
|
"domain-name--54bf5d9c-f77c-4060-bfac-96f9950d210b",
|
||
|
"observed-data--54bf5ddb-dcb0-4a9b-985d-9372950d210b",
|
||
|
"url--54bf5ddb-dcb0-4a9b-985d-9372950d210b",
|
||
|
"x-misp-attribute--54bf66ea-a4f0-4c7c-8142-6ec8950d210b",
|
||
|
"x-misp-attribute--54bf66ea-06bc-4544-b7bb-6ec8950d210b",
|
||
|
"indicator--56c64bfe-ca00-4d5c-99d4-59a3950d210f",
|
||
|
"indicator--56c64c00-b428-41ae-965e-5f51950d210f",
|
||
|
"indicator--56c64c01-4688-443b-a26e-481c950d210f",
|
||
|
"indicator--56c64c03-ce3c-42b8-8261-59a1950d210f",
|
||
|
"indicator--56c64bff-85c8-4610-a8b5-c650950d210f",
|
||
|
"indicator--56c64c00-0b84-4a87-9ba0-5ca1950d210f",
|
||
|
"indicator--56c64c02-d8ec-49fd-a075-4318950d210f",
|
||
|
"indicator--56c64c04-26b4-4bca-973a-4d72950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"misp-galaxy:threat-actor=\"Turla Group\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--54bf5a78-e410-48e5-a257-419f950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:51:20.000Z",
|
||
|
"modified": "2015-01-21T07:51:20.000Z",
|
||
|
"first_observed": "2015-01-21T07:51:20Z",
|
||
|
"last_observed": "2015-01-21T07:51:20Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--54bf5a78-e410-48e5-a257-419f950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--54bf5a78-e410-48e5-a257-419f950d210b",
|
||
|
"value": "https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5aa3-f5f8-4cbb-a0b4-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:52:03.000Z",
|
||
|
"modified": "2015-01-21T07:52:03.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Cobra"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5aa4-a808-4ae9-b975-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:52:04.000Z",
|
||
|
"modified": "2015-01-21T07:52:04.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Agent.BTZ"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5aa4-8258-4f24-b1ce-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:52:04.000Z",
|
||
|
"modified": "2015-01-21T07:52:04.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Carbon"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5aa4-0be8-4cf6-acca-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:52:04.000Z",
|
||
|
"modified": "2015-01-21T07:52:04.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Uroburos"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5aba-42a0-4bd9-99e1-46e6950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:52:26.000Z",
|
||
|
"modified": "2015-01-21T07:52:26.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Snake"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5aba-b358-43b9-9afe-407a950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:52:26.000Z",
|
||
|
"modified": "2015-01-21T07:52:26.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Turla"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5ad1-8da0-4ac9-9e20-7511950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:52:49.000Z",
|
||
|
"modified": "2015-01-21T07:52:49.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'cb1b68d9971c2353c2d6a8119c49b51f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:52:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5b00-3a30-4dad-9a2f-9372950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:53:36.000Z",
|
||
|
"modified": "2015-01-21T07:53:36.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_comment": "Gdata",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Backdoor.TurlaCarbon.A"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5b00-7080-42c5-848d-9372950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:53:36.000Z",
|
||
|
"modified": "2015-01-21T07:53:36.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Antivirus detection\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Antivirus detection",
|
||
|
"x_misp_comment": "Gdata",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Win32.Trojan.Cobra.B"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5b19-b504-45c0-8440-4553950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:54:01.000Z",
|
||
|
"modified": "2015-01-21T07:54:01.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Attribution\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "f:\\Workshop\\Projects\\cobra\\carbon_system\\x64\\Release\\carbon_system.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5b49-57c4-4b9c-a422-ed9b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:54:49.000Z",
|
||
|
"modified": "2015-01-21T07:54:49.000Z",
|
||
|
"description": "Dropped DLL filename, randomly chosen from one of three (ipvpn.dll, srsvc.dll, kmsvc.dll)",
|
||
|
"pattern": "[file:name = 'ipvpn.dll']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:54:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5b49-edc8-462c-b987-ed9b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:54:49.000Z",
|
||
|
"modified": "2015-01-21T07:54:49.000Z",
|
||
|
"description": "Dropped DLL filename, randomly chosen from one of three (ipvpn.dll, srsvc.dll, kmsvc.dll)",
|
||
|
"pattern": "[file:name = 'srsvc.dll']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:54:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5b49-7968-4324-88e0-ed9b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:54:49.000Z",
|
||
|
"modified": "2015-01-21T07:54:49.000Z",
|
||
|
"description": "Dropped DLL filename, randomly chosen from one of three (ipvpn.dll, srsvc.dll, kmsvc.dll)",
|
||
|
"pattern": "[file:name = 'kmsvc.dll']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:54:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5bbd-c090-4d32-b2a9-4199950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:56:45.000Z",
|
||
|
"modified": "2015-01-21T07:56:45.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"Artifacts dropped\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Service names randomly chosen to match the dropped files, among: ipvpn, srservice and hkmsvc.\r\nService display names and service descriptions are available in the blog post."
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--54bf5bc9-adb0-4fa7-9f0b-6011950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:56:57.000Z",
|
||
|
"modified": "2015-01-21T07:56:57.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Data entered by David Andr\u00e9"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c0c-b3d4-4a26-8d42-96f9950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:58:04.000Z",
|
||
|
"modified": "2015-01-21T07:58:04.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '43e896ede6fe025ee90f7f27c6d376a4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:58:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c1d-15b8-4343-87d8-409e950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:58:21.000Z",
|
||
|
"modified": "2015-01-21T07:58:21.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'e6d1dcc6c2601e592f2b03f35b06fa8f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:58:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c49-46f8-4ffc-a42c-7080950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:59:05.000Z",
|
||
|
"modified": "2015-01-21T07:59:05.000Z",
|
||
|
"pattern": "[mutex:name = 'Global\\\\MSCTF.Shared.MUTEX.zRX']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:59:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c49-0f14-4709-90a7-7080950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:59:05.000Z",
|
||
|
"modified": "2015-01-21T07:59:05.000Z",
|
||
|
"pattern": "[mutex:name = 'Global\\\\DBWindowsBase']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:59:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c4a-55a4-4bdf-b979-7080950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:59:06.000Z",
|
||
|
"modified": "2015-01-21T07:59:06.000Z",
|
||
|
"pattern": "[mutex:name = 'Global\\\\IEFrame.LockDefaultBrowser']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:59:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c4a-be70-468d-9116-7080950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:59:06.000Z",
|
||
|
"modified": "2015-01-21T07:59:06.000Z",
|
||
|
"pattern": "[mutex:name = 'Global\\\\WinSta0_DesktopSessionMut']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:59:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c4a-84fc-40f9-8964-7080950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:59:06.000Z",
|
||
|
"modified": "2015-01-21T07:59:06.000Z",
|
||
|
"pattern": "[mutex:name = 'Global\\\\{5FA3BC02-920F-D42A-68BC-04F2A75BE158}']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:59:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c4a-6a00-40cb-ae26-7080950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:59:06.000Z",
|
||
|
"modified": "2015-01-21T07:59:06.000Z",
|
||
|
"pattern": "[mutex:name = 'Global\\\\SENS.LockStarterCacheResource']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:59:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c4a-c754-4726-b5bc-7080950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T07:59:06.000Z",
|
||
|
"modified": "2015-01-21T07:59:06.000Z",
|
||
|
"pattern": "[mutex:name = 'Global\\\\ShimSharedMemoryLock']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T07:59:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"mutex\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-cb10-4624-99c0-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'bootmisc.sdi']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-09b4-46b4-90b0-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'C_56743.NLS']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-d088-4afa-94cc-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'b9s3coff.ax']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-6ee0-49ba-b47c-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'a67ncodc.ax']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-5574-4298-a0f0-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'vndkrmn.dic']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-7214-4418-bc8b-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'qavsrc.dat']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-06a0-462b-9659-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'miniport.dat']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-bd70-4db0-aa40-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'asmcerts.rs']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--54bf5c99-71dc-4d6f-9040-6ec8950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:00:25.000Z",
|
||
|
"modified": "2015-01-21T08:00:25.000Z",
|
||
|
"pattern": "[file:name = 'getcert.rs']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-01-21T08:00:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Artifacts dropped"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Artifacts dropped\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--54bf5ce1-a618-4841-a6fb-4617950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:02:55.000Z",
|
||
|
"modified": "2015-01-21T08:02:55.000Z",
|
||
|
"first_observed": "2015-01-21T08:02:55Z",
|
||
|
"last_observed": "2015-01-21T08:02:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"domain-name--54bf5ce1-a618-4841-a6fb-4617950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "domain-name",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "domain-name--54bf5ce1-a618-4841-a6fb-4617950d210b",
|
||
|
"value": "soheylistore.ir"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--54bf5ce1-7a38-453c-a2e5-477d950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:02:55.000Z",
|
||
|
"modified": "2015-01-21T08:02:55.000Z",
|
||
|
"first_observed": "2015-01-21T08:02:55Z",
|
||
|
"last_observed": "2015-01-21T08:02:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"domain-name--54bf5ce1-7a38-453c-a2e5-477d950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "domain-name",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "domain-name--54bf5ce1-7a38-453c-a2e5-477d950d210b",
|
||
|
"value": "tazohor.com"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--54bf5ce2-8e2c-43bf-bf02-475d950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-01-21T08:02:55.000Z",
|
||
|
"modified": "2015-01-21T08:02:55.000Z",
|
||
|
"first_observed": "2015-01-21T08:02:55Z",
|
||
|
"last_observed": "2015-01-21T08:02:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"domain-name--54bf5ce2-8e2c-43bf-bf02-475d950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "domain-name",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "domain-name--54bf5ce2-8e2c-43bf-bf02-475d950d210b",
|
||
|
"value": "jucheafrica.com"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--54bf5ce2-e228-40c9-9a18-4d75950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:02:55.000Z",
"modified": "2015-01-21T08:02:55.000Z",
"first_observed": "2015-01-21T08:02:55Z",
"last_observed": "2015-01-21T08:02:55Z",
"number_observed": 1,
"object_refs": [
"domain-name--54bf5ce2-e228-40c9-9a18-4d75950d210b"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--54bf5ce2-e228-40c9-9a18-4d75950d210b",
"value": "61paris.fr"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54bf5d70-d930-4f50-b42a-4b37950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:04:00.000Z",
"modified": "2015-01-21T08:04:00.000Z",
"pattern": "[file:hashes.MD5 = '554450c1ecb925693fedbb9e56702646']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-01-21T08:04:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54bf5d9b-c570-4280-a5ac-96f9950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:04:43.000Z",
"modified": "2015-01-21T08:04:43.000Z",
"first_observed": "2015-01-21T08:04:43Z",
"last_observed": "2015-01-21T08:04:43Z",
"number_observed": 1,
"object_refs": [
"domain-name--54bf5d9b-c570-4280-a5ac-96f9950d210b"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--54bf5d9b-c570-4280-a5ac-96f9950d210b",
"value": "www.google.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54bf5d9b-5330-46fe-82f5-96f9950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:04:43.000Z",
"modified": "2015-01-21T08:04:43.000Z",
"first_observed": "2015-01-21T08:04:43Z",
"last_observed": "2015-01-21T08:04:43Z",
"number_observed": 1,
"object_refs": [
"domain-name--54bf5d9b-5330-46fe-82f5-96f9950d210b"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--54bf5d9b-5330-46fe-82f5-96f9950d210b",
"value": "www.yahoo.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54bf5d9b-264c-4cd3-8c19-96f9950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:04:43.000Z",
"modified": "2015-01-21T08:04:43.000Z",
"first_observed": "2015-01-21T08:04:43Z",
"last_observed": "2015-01-21T08:04:43Z",
"number_observed": 1,
"object_refs": [
"domain-name--54bf5d9b-264c-4cd3-8c19-96f9950d210b"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--54bf5d9b-264c-4cd3-8c19-96f9950d210b",
"value": "www.bing.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54bf5d9b-3e8c-4493-a6a9-96f9950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:04:43.000Z",
"modified": "2015-01-21T08:04:43.000Z",
"first_observed": "2015-01-21T08:04:43Z",
"last_observed": "2015-01-21T08:04:43Z",
"number_observed": 1,
"object_refs": [
"domain-name--54bf5d9b-3e8c-4493-a6a9-96f9950d210b"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--54bf5d9b-3e8c-4493-a6a9-96f9950d210b",
"value": "update.microsoft.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54bf5d9b-1a7c-4995-b9e6-96f9950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:04:43.000Z",
"modified": "2015-01-21T08:04:43.000Z",
"first_observed": "2015-01-21T08:04:43Z",
"last_observed": "2015-01-21T08:04:43Z",
"number_observed": 1,
"object_refs": [
"domain-name--54bf5d9b-1a7c-4995-b9e6-96f9950d210b"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--54bf5d9b-1a7c-4995-b9e6-96f9950d210b",
"value": "windowsupdate.microsoft.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54bf5d9c-f77c-4060-bfac-96f9950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:04:44.000Z",
"modified": "2015-01-21T08:04:44.000Z",
"first_observed": "2015-01-21T08:04:44Z",
"last_observed": "2015-01-21T08:04:44Z",
"number_observed": 1,
"object_refs": [
"domain-name--54bf5d9c-f77c-4060-bfac-96f9950d210b"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--54bf5d9c-f77c-4060-bfac-96f9950d210b",
"value": "microsoft.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54bf5ddb-dcb0-4a9b-985d-9372950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:05:47.000Z",
"modified": "2015-01-21T08:05:47.000Z",
"first_observed": "2015-01-21T08:05:47Z",
"last_observed": "2015-01-21T08:05:47Z",
"number_observed": 1,
"object_refs": [
"url--54bf5ddb-dcb0-4a9b-985d-9372950d210b"
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54bf5ddb-dcb0-4a9b-985d-9372950d210b",
"value": "http://%s/%s?uid=%d&context=%s&mode=text&data=%s"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54bf66ea-a4f0-4c7c-8142-6ec8950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:44:26.000Z",
"modified": "2015-01-21T08:44:26.000Z",
"labels": [
"misp:type=\"named pipe\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "The orchestrator creates two named pipes in order to communicate with stage 3 or to receive messages from an external machine",
"x_misp_type": "named pipe",
"x_misp_value": "\\\\.\\\\pipe\\sdlrpc"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54bf66ea-06bc-4544-b7bb-6ec8950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-01-21T08:44:26.000Z",
"modified": "2015-01-21T08:44:26.000Z",
"labels": [
"misp:type=\"named pipe\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "The orchestrator creates two named pipes in order to communicate with stage 3 or to receive messages from an external machine",
"x_misp_type": "named pipe",
"x_misp_value": "\\\\.\\\\pipe\\comnap"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64bfe-ca00-4d5c-99d4-59a3950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:55:58.000Z",
"modified": "2016-02-18T22:55:58.000Z",
"description": "Automatically added (via 554450c1ecb925693fedbb9e56702646)",
"pattern": "[file:hashes.SHA1 = '7ce746bb988cb3b7e64f08174bdb02938555ea53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:55:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64c00-b428-41ae-965e-5f51950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:56:00.000Z",
"modified": "2016-02-18T22:56:00.000Z",
"description": "Automatically added (via e6d1dcc6c2601e592f2b03f35b06fa8f)",
"pattern": "[file:hashes.SHA1 = '7c43f5df784bf50423620d8f1c96e43d8d9a9b28']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:56:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64c01-4688-443b-a26e-481c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:56:01.000Z",
"modified": "2016-02-18T22:56:01.000Z",
"description": "Automatically added (via 43e896ede6fe025ee90f7f27c6d376a4)",
"pattern": "[file:hashes.SHA1 = 'a28164de29e51f154be12d163ce5818fceb69233']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:56:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64c03-ce3c-42b8-8261-59a1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:56:03.000Z",
"modified": "2016-02-18T22:56:03.000Z",
"description": "Automatically added (via cb1b68d9971c2353c2d6a8119c49b51f)",
"pattern": "[file:hashes.SHA1 = 'cbde204e7641830017bb84b89223131b2126bc46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:56:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64bff-85c8-4610-a8b5-c650950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:55:59.000Z",
"modified": "2016-02-18T22:55:59.000Z",
"description": "Automatically added (via 554450c1ecb925693fedbb9e56702646)",
"pattern": "[file:hashes.SHA256 = '8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:55:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64c00-0b84-4a87-9ba0-5ca1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:56:00.000Z",
"modified": "2016-02-18T22:56:00.000Z",
"description": "Automatically added (via e6d1dcc6c2601e592f2b03f35b06fa8f)",
"pattern": "[file:hashes.SHA256 = 'ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:56:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64c02-d8ec-49fd-a075-4318950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:56:02.000Z",
"modified": "2016-02-18T22:56:02.000Z",
"description": "Automatically added (via 43e896ede6fe025ee90f7f27c6d376a4)",
"pattern": "[file:hashes.SHA256 = '1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:56:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c64c04-26b4-4bca-973a-4d72950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T22:56:04.000Z",
"modified": "2016-02-18T22:56:04.000Z",
"description": "Automatically added (via cb1b68d9971c2353c2d6a8119c49b51f)",
"pattern": "[file:hashes.SHA256 = '3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T22:56:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:GREEN",
"definition": {
"tlp": "green"
}
}
]
}