adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/581fadbd-7acc-4907-9133-4380950d210f.json

289 lines
12 KiB
JSON
Raw Permalink Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--581fadbd-7acc-4907-9133-4380950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-07T12:16:16.000Z",
"modified": "2016-11-07T12:16:16.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--581fadbd-7acc-4907-9133-4380950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-07T12:16:16.000Z",
"modified": "2016-11-07T12:16:16.000Z",
"name": "OSINT - Veil-Framework Infects Victims of Targeted OWA Phishing Attack",
"published": "2016-11-07T13:21:39Z",
"object_refs": [
"observed-data--581fade0-6a38-4c71-9f7d-4181950d210f",
"url--581fade0-6a38-4c71-9f7d-4181950d210f",
"x-misp-attribute--581fadf7-6d18-437e-88eb-4e59950d210f",
"indicator--581fae16-9808-48dc-877c-4c25950d210f",
"indicator--581fae31-7dec-40ef-9c2b-4d01950d210f",
"indicator--581fae48-89d8-4ae3-a458-49f1950d210f",
"indicator--581faec9-1f8c-4466-8e4b-4ac5950d210f",
"indicator--581faec9-14fc-4e35-b407-4379950d210f",
"indicator--581faeca-18a4-4889-b3da-49d3950d210f",
"observed-data--581faede-172c-4d8e-a6f7-44fe950d210f",
"url--581faede-172c-4d8e-a6f7-44fe950d210f",
"observed-data--58207090-a5d8-44d0-b793-49cf02de0b81",
"url--58207090-a5d8-44d0-b793-49cf02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--581fade0-6a38-4c71-9f7d-4181950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:25:36.000Z",
"modified": "2016-11-06T22:25:36.000Z",
"first_observed": "2016-11-06T22:25:36Z",
"last_observed": "2016-11-06T22:25:36Z",
"number_observed": 1,
"object_refs": [
"url--581fade0-6a38-4c71-9f7d-4181950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--581fade0-6a38-4c71-9f7d-4181950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/veil-framework-infects-victims-targeted-owa-phishing-attack"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--581fadf7-6d18-437e-88eb-4e59950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:25:59.000Z",
"modified": "2016-11-06T22:25:59.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Proofpoint researchers recently observed a novel targeted phishing attack that combined Outlook Web Access (OWA) credential phishing with a malicious document download. In May we also observed an Office 365 credential phishing attack leading to iSpy Keylogger [1], but the combination of OWA with this infection chain takes a different approach. While it is not clear whether the primary goal of the attack was delivering the malicious payload or capturing the targets' OWA credentials, this attack uses an OWA phish to additionally pushes a malicious document with a Veil-Framework payload capable of downloading further malware."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581fae16-9808-48dc-877c-4c25950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:26:30.000Z",
"modified": "2016-11-06T22:26:30.000Z",
"pattern": "[file:name = 'ViolationReport.xls' AND file:hashes.SHA256 = 'ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:26:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581fae31-7dec-40ef-9c2b-4d01950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:26:57.000Z",
"modified": "2016-11-06T22:26:57.000Z",
"description": "Phishing link",
"pattern": "[url:value = 'http://www2.sendsecuremail.com/bellevue/index.php?id=6153']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:26:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581fae48-89d8-4ae3-a458-49f1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:27:20.000Z",
"modified": "2016-11-06T22:27:20.000Z",
"description": "Redirection to download of Excel file",
"pattern": "[url:value = 'http://www2.sendsecuremail.com/bellevue/ViolationReport.xls']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:27:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581faec9-1f8c-4466-8e4b-4ac5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:29:29.000Z",
"modified": "2016-11-06T22:29:29.000Z",
"description": "ViolationReport.xls",
"pattern": "[file:hashes.MD5 = 'bce71fda40b33921de7cbec44b64f3e3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:29:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581faec9-14fc-4e35-b407-4379950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:29:29.000Z",
"modified": "2016-11-06T22:29:29.000Z",
"description": "ViolationReport.xls",
"pattern": "[file:hashes.SHA1 = '1794d5756f1ea13fea2735b4485f0a8bd3faef4e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:29:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--581faeca-18a4-4889-b3da-49d3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:29:30.000Z",
"modified": "2016-11-06T22:29:30.000Z",
"description": "ViolationReport.xls",
"pattern": "[file:hashes.SHA256 = 'ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-06T22:29:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--581faede-172c-4d8e-a6f7-44fe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-06T22:29:50.000Z",
"modified": "2016-11-06T22:29:50.000Z",
"first_observed": "2016-11-06T22:29:50Z",
"last_observed": "2016-11-06T22:29:50Z",
"number_observed": 1,
"object_refs": [
"url--581faede-172c-4d8e-a6f7-44fe950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--581faede-172c-4d8e-a6f7-44fe950d210f",
"value": "https://www.virustotal.com/cs/file/ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215/analysis/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58207090-a5d8-44d0-b793-49cf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-07T12:16:16.000Z",
"modified": "2016-11-07T12:16:16.000Z",
"first_observed": "2016-11-07T12:16:16Z",
"last_observed": "2016-11-07T12:16:16Z",
"number_observed": 1,
"object_refs": [
"url--58207090-a5d8-44d0-b793-49cf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58207090-a5d8-44d0-b793-49cf02de0b81",
"value": "https://www.virustotal.com/file/ef9f15bcb18f34a47406ebdbb470a721a1f2ae90d8da7277c6dbcedf38969215/analysis/1477917993/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink