319 lines
14 KiB
JSON
319 lines
14 KiB
JSON
|
{
|
||
|
|
"type": "bundle",
|
||
|
|
"id": "bundle--588867a4-c470-4914-b854-d3f6950d210f",
|
||
|
|
"objects": [
|
||
|
|
{
|
||
|
|
"type": "identity",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:35:40.000Z",
|
||
|
|
"modified": "2017-01-25T14:35:40.000Z",
|
||
|
|
"name": "CIRCL",
|
||
|
|
"identity_class": "organization"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "report",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "report--588867a4-c470-4914-b854-d3f6950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:35:40.000Z",
|
||
|
|
"modified": "2017-01-25T14:35:40.000Z",
|
||
|
|
"name": "OSINT - Malicious SVG Files in the Wild",
|
||
|
|
"published": "2017-01-25T14:35:54Z",
|
||
|
|
"object_refs": [
|
||
|
|
"x-misp-attribute--58886c74-6c08-4ab2-8c2b-f8df950d210f",
|
||
|
|
"observed-data--58886ccc-507c-4c7e-87b0-5b46950d210f",
|
||
|
|
"url--58886ccc-507c-4c7e-87b0-5b46950d210f",
|
||
|
|
"indicator--58886d0f-7a80-4188-9ca9-2fc5950d210f",
|
||
|
|
"indicator--58886d10-9ca4-452d-a1e1-2fc5950d210f",
|
||
|
|
"indicator--58886d30-90dc-4a21-8d14-f8e5950d210f",
|
||
|
|
"indicator--5888b58a-9d84-49d9-9465-4e3f02de0b81",
|
||
|
|
"indicator--5888b58b-0fc8-4aee-bc0f-430f02de0b81",
|
||
|
|
"observed-data--5888b58b-879c-409a-8eaa-465b02de0b81",
|
||
|
|
"url--5888b58b-879c-409a-8eaa-465b02de0b81",
|
||
|
|
"indicator--5888b58c-eb80-46a8-8853-46a402de0b81",
|
||
|
|
"indicator--5888b58d-c0c8-406b-b0d1-41ae02de0b81",
|
||
|
|
"observed-data--5888b58e-0508-4f80-a64e-486102de0b81",
|
||
|
|
"url--5888b58e-0508-4f80-a64e-486102de0b81"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"Threat-Report",
|
||
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
|
"osint:source-type=\"blog-post\"",
|
||
|
|
"misp-galaxy:tool=\"Snifula\""
|
||
|
|
],
|
||
|
|
"object_marking_refs": [
|
||
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "x-misp-attribute",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "x-misp-attribute--58886c74-6c08-4ab2-8c2b-f8df950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T09:14:28.000Z",
|
||
|
|
"modified": "2017-01-25T09:14:28.000Z",
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"text\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
],
|
||
|
|
"x_misp_category": "External analysis",
|
||
|
|
"x_misp_type": "text",
|
||
|
|
"x_misp_value": "In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or \"Scalable Vector Graphics\") are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system, SVG files are handled by Internet Explorer by default."
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--58886ccc-507c-4c7e-87b0-5b46950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T09:16:21.000Z",
|
||
|
|
"modified": "2017-01-25T09:16:21.000Z",
|
||
|
|
"first_observed": "2017-01-25T09:16:21Z",
|
||
|
|
"last_observed": "2017-01-25T09:16:21Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"url--58886ccc-507c-4c7e-87b0-5b46950d210f"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"link\"",
|
||
|
|
"misp:category=\"External analysis\"",
|
||
|
|
"osint:source-type=\"blog-post\"",
|
||
|
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "url",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "url--58886ccc-507c-4c7e-87b0-5b46950d210f",
|
||
|
|
"value": "https://isc.sans.edu/forums/diary/Malicious+SVG+Files+in+the+Wild/21971/"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--58886d0f-7a80-4188-9ca9-2fc5950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T09:17:03.000Z",
|
||
|
|
"modified": "2017-01-25T09:17:03.000Z",
|
||
|
|
"description": "00967999543-(02).svg",
|
||
|
|
"pattern": "[file:hashes.MD5 = '6b9649531f35c7de78735aa45d25d1a7']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-01-25T09:17:03Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"md5\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--58886d10-9ca4-452d-a1e1-2fc5950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T09:17:04.000Z",
|
||
|
|
"modified": "2017-01-25T09:17:04.000Z",
|
||
|
|
"description": "P0039988439992_001.jpg.svg",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'e2f7245d016c52fc9c56531e483e6cfb']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-01-25T09:17:04Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"md5\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--58886d30-90dc-4a21-8d14-f8e5950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:26:48.000Z",
|
||
|
|
"modified": "2017-01-25T14:26:48.000Z",
|
||
|
|
"description": "The second part is a classic obfuscated JavaScript that executes the following (de-obfuscated) code:",
|
||
|
|
"pattern": "[url:value = 'http://juanpedroperez.com/fotos/photos/xfs_extension.exe']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-01-25T14:26:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\"",
|
||
|
|
"adversary:infrastructure-status=\"compromised\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5888b58a-9d84-49d9-9465-4e3f02de0b81",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:26:18.000Z",
|
||
|
|
"modified": "2017-01-25T14:26:18.000Z",
|
||
|
|
"description": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb",
|
||
|
|
"pattern": "[file:hashes.SHA256 = '7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-01-25T14:26:18Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha256\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5888b58b-0fc8-4aee-bc0f-430f02de0b81",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:26:19.000Z",
|
||
|
|
"modified": "2017-01-25T14:26:19.000Z",
|
||
|
|
"description": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb",
|
||
|
|
"pattern": "[file:hashes.SHA1 = 'caf8d6099ed95d223993f43a156b703220d1a1c3']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-01-25T14:26:19Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha1\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--5888b58b-879c-409a-8eaa-465b02de0b81",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:26:19.000Z",
|
||
|
|
"modified": "2017-01-25T14:26:19.000Z",
|
||
|
|
"first_observed": "2017-01-25T14:26:19Z",
|
||
|
|
"last_observed": "2017-01-25T14:26:19Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"url--5888b58b-879c-409a-8eaa-465b02de0b81"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"link\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "url",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "url--5888b58b-879c-409a-8eaa-465b02de0b81",
|
||
|
|
"value": "https://www.virustotal.com/file/7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df/analysis/1484747652/"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5888b58c-eb80-46a8-8853-46a402de0b81",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:26:20.000Z",
|
||
|
|
"modified": "2017-01-25T14:26:20.000Z",
|
||
|
|
"description": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7",
|
||
|
|
"pattern": "[file:hashes.SHA256 = '4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-01-25T14:26:20Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha256\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5888b58d-c0c8-406b-b0d1-41ae02de0b81",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:26:21.000Z",
|
||
|
|
"modified": "2017-01-25T14:26:21.000Z",
|
||
|
|
"description": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7",
|
||
|
|
"pattern": "[file:hashes.SHA1 = '5837a4d288ac9d0065143a88f4899283b4603eee']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-01-25T14:26:21Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha1\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--5888b58e-0508-4f80-a64e-486102de0b81",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-01-25T14:26:22.000Z",
|
||
|
|
"modified": "2017-01-25T14:26:22.000Z",
|
||
|
|
"first_observed": "2017-01-25T14:26:22Z",
|
||
|
|
"last_observed": "2017-01-25T14:26:22Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"url--5888b58e-0508-4f80-a64e-486102de0b81"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"link\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "url",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "url--5888b58e-0508-4f80-a64e-486102de0b81",
|
||
|
|
"value": "https://www.virustotal.com/file/4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2/analysis/1485160514/"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "marking-definition",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
|
"definition_type": "tlp",
|
||
|
|
"name": "TLP:WHITE",
|
||
|
|
"definition": {
|
||
|
|
"tlp": "white"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|