{
"type": "bundle",
"id": "bundle--5706756e-958c-4c53-8f77-45f4950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T15:01:31.000Z",
"modified": "2016-04-07T15:01:31.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5706756e-958c-4c53-8f77-45f4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T15:01:31.000Z",
"modified": "2016-04-07T15:01:31.000Z",
"name": "PWS: Win32/Kegotip.C",
"published": "2016-04-07T15:10:09Z",
"object_refs": [
"indicator--570675b5-e1ec-4652-9bf7-350b950d210f",
"indicator--570675b5-cc80-446f-927a-350b950d210f",
"indicator--570675b6-d020-44d7-89c7-350b950d210f",
"indicator--570675b6-538c-4e04-855b-350b950d210f",
"indicator--570675b6-c650-4975-9ebc-350b950d210f",
"indicator--570675b7-aa74-4be3-b5b2-350b950d210f",
"indicator--570675b7-ab74-4d18-a67f-350b950d210f",
"indicator--570675b7-f404-471d-8e8f-350b950d210f",
"indicator--570675b7-69e8-4c6b-9676-350b950d210f",
"indicator--570675b8-88f0-42ea-8118-350b950d210f",
"indicator--570675b8-4cb0-473d-b9d9-350b950d210f",
"observed-data--570675ca-d5f4-473e-99a2-350b950d210f",
"url--570675ca-d5f4-473e-99a2-350b950d210f",
"x-misp-attribute--5706764b-31d0-436c-b293-6b92950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b5-e1ec-4652-9bf7-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:01.000Z",
"modified": "2016-04-07T14:59:01.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.104.106']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b5-cc80-446f-927a-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:01.000Z",
"modified": "2016-04-07T14:59:01.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.165.227.61']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b6-d020-44d7-89c7-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:02.000Z",
"modified": "2016-04-07T14:59:02.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.165.228.199']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b6-538c-4e04-855b-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:02.000Z",
"modified": "2016-04-07T14:59:02.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.165.243.25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b6-c650-4975-9ebc-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:02.000Z",
"modified": "2016-04-07T14:59:02.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.135.178.153']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b7-aa74-4be3-b5b2-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:03.000Z",
"modified": "2016-04-07T14:59:03.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '93.113.37.210']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b7-ab74-4d18-a67f-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:03.000Z",
"modified": "2016-04-07T14:59:03.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.23.32.170']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b7-f404-471d-8e8f-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:03.000Z",
"modified": "2016-04-07T14:59:03.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.75.227.218']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b7-69e8-4c6b-9676-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:03.000Z",
"modified": "2016-04-07T14:59:03.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[domain-name:value = 'bestconspires.co.in']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b8-88f0-42ea-8118-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:04.000Z",
"modified": "2016-04-07T14:59:04.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[domain-name:value = 'gefuret.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--570675b8-4cb0-473d-b9d9-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:04.000Z",
"modified": "2016-04-07T14:59:04.000Z",
"description": "The collected data will be sent to a remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"pattern": "[domain-name:value = 'localeventit.pro']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-07T14:59:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--570675ca-d5f4-473e-99a2-350b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T14:59:22.000Z",
"modified": "2016-04-07T14:59:22.000Z",
"first_observed": "2016-04-07T14:59:22Z",
"last_observed": "2016-04-07T14:59:22Z",
"number_observed": 1,
"object_refs": [
"url--570675ca-d5f4-473e-99a2-350b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--570675ca-d5f4-473e-99a2-350b950d210f",
"value": "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:Win32/Kegotip.C"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5706764b-31d0-436c-b293-6b92950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-07T15:01:31.000Z",
"modified": "2016-04-07T15:01:31.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "This threat can steal your email addresses and other personal information, such as your user names and passwords, from several applications, including FTP software, Outlook Express and Internet Explorer. It sends the stolen data to a malicious hacker."
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}