misp-circl-feed/feeds/circl/stix-2.1/588a6de9-e2f4-4fbc-b09d-427f02de0b81.json

{
"type": "bundle",
"id": "bundle--588a6de9-e2f4-4fbc-b09d-427f02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:25.000Z",
"modified": "2017-01-26T21:54:25.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--588a6de9-e2f4-4fbc-b09d-427f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:25.000Z",
"modified": "2017-01-26T21:54:25.000Z",
"name": "OSINT - EITest Nabbing Chrome Users with a \u201cChrome Font\u201d Social Engineering Scheme",
"published": "2017-01-26T21:57:34Z",
"object_refs": [
"x-misp-attribute--588a6dfd-19b8-44c8-b297-4f2002de0b81",
"observed-data--588a6e0b-3338-442b-8f7f-4c5802de0b81",
"url--588a6e0b-3338-442b-8f7f-4c5802de0b81",
"indicator--588a6e2f-3b0c-4d91-a1fe-4e9002de0b81",
"indicator--588a6e30-685c-41ed-9ec3-454802de0b81",
"indicator--588a6e31-83cc-43f7-8097-4dc702de0b81",
"indicator--588a6e31-fff8-407a-bc77-448e02de0b81",
"indicator--588a6e3c-f8cc-4b96-97e0-4dd802de0b81",
"indicator--588a6e74-1650-4d05-9d6c-425502de0b81",
"indicator--588a6e8d-6b48-4294-9a19-43b202de0b81",
"indicator--588a6e9a-75e8-4fbf-bd55-427202de0b81",
"indicator--588a6ebb-28e4-481f-9e5b-496602de0b81",
"indicator--588a6ebc-2270-4929-9c16-42d102de0b81",
"indicator--588a6ebc-9c9c-4d54-b445-40d702de0b81",
"indicator--588a6ebd-1900-4657-8b7a-481802de0b81",
"indicator--588a6edb-e2ec-49c0-8ea7-215902de0b81",
"indicator--588a6edc-657c-46f4-90de-215902de0b81",
"indicator--588a6edd-0234-472b-b99e-215902de0b81",
"indicator--588a6edd-d158-4416-98c6-215902de0b81",
"observed-data--588a6f1c-3404-4dc5-afc0-6dcc02de0b81",
"domain-name--588a6f1c-3404-4dc5-afc0-6dcc02de0b81",
"observed-data--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81",
"network-traffic--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81",
"ipv4-addr--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81",
"observed-data--588a6f1e-0260-4424-b74c-6dcc02de0b81",
"domain-name--588a6f1e-0260-4424-b74c-6dcc02de0b81",
"observed-data--588a6f1f-b9e0-4c96-9721-6dcc02de0b81",
"network-traffic--588a6f1f-b9e0-4c96-9721-6dcc02de0b81",
"ipv4-addr--588a6f1f-b9e0-4c96-9721-6dcc02de0b81",
"observed-data--588a6f20-1df4-4b3b-90a8-6dcc02de0b81",
"domain-name--588a6f20-1df4-4b3b-90a8-6dcc02de0b81",
"observed-data--588a6f20-1810-4702-a053-6dcc02de0b81",
"network-traffic--588a6f20-1810-4702-a053-6dcc02de0b81",
"ipv4-addr--588a6f20-1810-4702-a053-6dcc02de0b81",
"observed-data--588a6f21-37d4-481d-b427-6dcc02de0b81",
"domain-name--588a6f21-37d4-481d-b427-6dcc02de0b81",
"observed-data--588a6f22-11d0-4190-ae0a-6dcc02de0b81",
"network-traffic--588a6f22-11d0-4190-ae0a-6dcc02de0b81",
"ipv4-addr--588a6f22-11d0-4190-ae0a-6dcc02de0b81",
"observed-data--588a6f23-4e18-48b4-abd1-6dcc02de0b81",
"domain-name--588a6f23-4e18-48b4-abd1-6dcc02de0b81",
"observed-data--588a6f23-05c4-4c29-a4b4-6dcc02de0b81",
"network-traffic--588a6f23-05c4-4c29-a4b4-6dcc02de0b81",
"ipv4-addr--588a6f23-05c4-4c29-a4b4-6dcc02de0b81",
"indicator--588a6f39-4c88-464d-8774-471002de0b81",
"indicator--588a6f3a-a320-4e32-9621-46c102de0b81",
"indicator--588a6f3b-45c4-40ae-b38e-428502de0b81",
"indicator--588a6f3b-7134-464a-861f-450902de0b81",
"indicator--588a6f3c-9764-4977-8e02-456f02de0b81",
"indicator--588a6f3d-8528-42b0-9af6-450802de0b81",
"indicator--588a7011-c36c-48ed-9abc-40e502de0b81",
"indicator--588a7011-31fc-4d7b-a442-473702de0b81",
"observed-data--588a7012-f1e8-4f25-a7c8-455602de0b81",
"url--588a7012-f1e8-4f25-a7c8-455602de0b81",
"indicator--588a7013-f6b4-487c-a1ae-4fc602de0b81",
"indicator--588a7013-e0d0-431e-ace0-4fc002de0b81",
"observed-data--588a7014-6648-4d5b-ae8e-4b7b02de0b81",
"url--588a7014-6648-4d5b-ae8e-4b7b02de0b81",
"indicator--588a7015-72d4-4d87-b1f3-4c9b02de0b81",
"indicator--588a7016-1130-4783-8732-421502de0b81",
"observed-data--588a7016-1bdc-4229-a0fa-414c02de0b81",
"url--588a7016-1bdc-4229-a0fa-414c02de0b81",
"indicator--588a7017-ae5c-4778-8d55-422702de0b81",
"indicator--588a7018-94e0-438b-bf8f-4b3d02de0b81",
"observed-data--588a7018-60ec-4202-a54f-4a9e02de0b81",
"url--588a7018-60ec-4202-a54f-4a9e02de0b81",
"indicator--588a7019-96d0-4507-81b2-4fbf02de0b81",
"indicator--588a701a-9664-423c-85d8-435102de0b81",
"observed-data--588a701a-9ff8-4e32-bea2-4bdf02de0b81",
"url--588a701a-9ff8-4e32-bea2-4bdf02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"estimative-language:likelihood-probability=\"very-likely\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--588a6dfd-19b8-44c8-b297-4f2002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:52:12.000Z",
"modified": "2017-01-26T21:52:12.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "\u201cEITest\u201d is a well-documented infection chain that generally relies on compromised websites to direct users to exploit kit (EK) landing pages. EITest has been involved in the delivery of a variety of ransomware, information stealers, and other malware, with clear evidence of its use dating back to 2014. Elements of EITest may be much older, though, with hints pointing to EITest being an evolution of the \u201cGlazunov\u201d infection chain from 2011 [1]. The first server side documentation of this evolution came from Sucuri in July 2014 [2] associated with waves of Wordpress exploitation via the MailPoet plugin vulnerability. KahuSecurity recently analyzed the server side script in October 2016 [3]."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6e0b-3338-442b-8f7f-4c5802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:52:03.000Z",
"modified": "2017-01-26T21:52:03.000Z",
"first_observed": "2017-01-26T21:52:03Z",
"last_observed": "2017-01-26T21:52:03Z",
"number_observed": 1,
"object_refs": [
"url--588a6e0b-3338-442b-8f7f-4c5802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588a6e0b-3338-442b-8f7f-4c5802de0b81",
"value": "https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6e2f-3b0c-4d91-a1fe-4e9002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:46:23.000Z",
"modified": "2017-01-26T21:46:23.000Z",
"description": "Fleercivet C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.37.112.248']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:46:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6e30-685c-41ed-9ec3-454802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:46:24.000Z",
"modified": "2017-01-26T21:46:24.000Z",
"description": "Server initiating Fleercivet Fraud Scheme (potentially legitimate)",
"pattern": "[file:name = 'searchtopresults.com|209.126.122.139']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:46:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6e31-83cc-43f7-8097-4dc702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:46:25.000Z",
"modified": "2017-01-26T21:46:25.000Z",
"description": "Initial Call before Fleercivet clickfraud",
"pattern": "[url:value = 'searchtopresults.com/search.php?aff=8320']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:46:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6e31-fff8-407a-bc77-448e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:46:25.000Z",
"modified": "2017-01-26T21:46:25.000Z",
"description": "Later Call tied to Fleercivet activity",
"pattern": "[url:value = 'searchtopresults.com/search.php?aff=8170&saff=1203']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:46:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6e3c-f8cc-4b96-97e0-4dd802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:46:36.000Z",
"modified": "2017-01-26T21:46:36.000Z",
"description": "Fiddler capture (index and post)",
"pattern": "[file:hashes.SHA256 = '7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:46:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6e74-1650-4d05-9d6c-425502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:47:32.000Z",
"modified": "2017-01-26T21:47:32.000Z",
"description": "2014-07-14 - Early \u201cflash redirecting\u201d EITest Domain",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '48.251.102.176']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:47:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6e8d-6b48-4294-9a19-43b202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:47:57.000Z",
"modified": "2017-01-26T21:47:57.000Z",
"description": "2014-07-14 - Early \u201cflash redirecting\u201d EITest Domain",
"pattern": "[domain-name:value = 'vidvi.cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:47:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6e9a-75e8-4fbf-bd55-427202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:48:10.000Z",
"modified": "2017-01-26T21:48:10.000Z",
"description": "EITest node replying to Compromised Server",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.184.192.163']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:48:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6ebb-28e4-481f-9e5b-496602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:48:43.000Z",
"modified": "2017-01-26T21:48:43.000Z",
"description": "EITest node replying to Compromised Server",
"pattern": "[domain-name:value = '54dfa1cb.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:48:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6ebc-2270-4929-9c16-42d102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:48:44.000Z",
"modified": "2017-01-26T21:48:44.000Z",
"description": "EITest node replying to Compromised Server",
"pattern": "[domain-name:value = 'e5b57288.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:48:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6ebc-9c9c-4d54-b445-40d702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:48:44.000Z",
"modified": "2017-01-26T21:48:44.000Z",
"description": "EITest node replying to Compromised Server",
"pattern": "[domain-name:value = '33db9538.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:48:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6ebd-1900-4657-8b7a-481802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:48:45.000Z",
"modified": "2017-01-26T21:48:45.000Z",
"description": "EITest node replying to Compromised Server",
"pattern": "[domain-name:value = '9507c4e8.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:48:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6edb-e2ec-49c0-8ea7-215902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:49:15.000Z",
"modified": "2017-01-26T21:49:15.000Z",
"description": "FleerCivet 2017-01-15",
"pattern": "[file:hashes.SHA256 = '7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:49:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6edc-657c-46f4-90de-215902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:49:16.000Z",
"modified": "2017-01-26T21:49:16.000Z",
"description": "FleerCivet 2017-01-15",
"pattern": "[file:hashes.SHA256 = '7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:49:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6edd-0234-472b-b99e-215902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:49:17.000Z",
"modified": "2017-01-26T21:49:17.000Z",
"description": "FleerCivet 2017-01-16",
"pattern": "[file:hashes.SHA256 = '9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:49:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6edd-d158-4416-98c6-215902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:49:17.000Z",
"modified": "2017-01-26T21:49:17.000Z",
"description": "FleerCivet 2017-01-17",
"pattern": "[file:hashes.SHA256 = 'ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:49:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f1c-3404-4dc5-afc0-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:20.000Z",
"modified": "2017-01-26T21:50:20.000Z",
"first_observed": "2017-01-26T21:50:20Z",
"last_observed": "2017-01-26T21:50:20Z",
"number_observed": 1,
"object_refs": [
"domain-name--588a6f1c-3404-4dc5-afc0-6dcc02de0b81"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--588a6f1c-3404-4dc5-afc0-6dcc02de0b81",
"value": "starrer.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:21.000Z",
"modified": "2017-01-26T21:50:21.000Z",
"first_observed": "2017-01-26T21:50:21Z",
"last_observed": "2017-01-26T21:50:21Z",
"number_observed": 1,
"object_refs": [
"network-traffic--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81",
"ipv4-addr--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81",
"dst_ref": "ipv4-addr--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81",
"value": "209.126.118.146"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f1e-0260-4424-b74c-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:22.000Z",
"modified": "2017-01-26T21:50:22.000Z",
"first_observed": "2017-01-26T21:50:22Z",
"last_observed": "2017-01-26T21:50:22Z",
"number_observed": 1,
"object_refs": [
"domain-name--588a6f1e-0260-4424-b74c-6dcc02de0b81"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--588a6f1e-0260-4424-b74c-6dcc02de0b81",
"value": "askcom.me"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f1f-b9e0-4c96-9721-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:23.000Z",
"modified": "2017-01-26T21:50:23.000Z",
"first_observed": "2017-01-26T21:50:23Z",
"last_observed": "2017-01-26T21:50:23Z",
"number_observed": 1,
"object_refs": [
"network-traffic--588a6f1f-b9e0-4c96-9721-6dcc02de0b81",
"ipv4-addr--588a6f1f-b9e0-4c96-9721-6dcc02de0b81"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--588a6f1f-b9e0-4c96-9721-6dcc02de0b81",
"dst_ref": "ipv4-addr--588a6f1f-b9e0-4c96-9721-6dcc02de0b81",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--588a6f1f-b9e0-4c96-9721-6dcc02de0b81",
"value": "209.126.123.39"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f20-1df4-4b3b-90a8-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:24.000Z",
"modified": "2017-01-26T21:50:24.000Z",
"first_observed": "2017-01-26T21:50:24Z",
"last_observed": "2017-01-26T21:50:24Z",
"number_observed": 1,
"object_refs": [
"domain-name--588a6f20-1df4-4b3b-90a8-6dcc02de0b81"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--588a6f20-1df4-4b3b-90a8-6dcc02de0b81",
"value": "twittertravels.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f20-1810-4702-a053-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:24.000Z",
"modified": "2017-01-26T21:50:24.000Z",
"first_observed": "2017-01-26T21:50:24Z",
"last_observed": "2017-01-26T21:50:24Z",
"number_observed": 1,
"object_refs": [
"network-traffic--588a6f20-1810-4702-a053-6dcc02de0b81",
"ipv4-addr--588a6f20-1810-4702-a053-6dcc02de0b81"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--588a6f20-1810-4702-a053-6dcc02de0b81",
"dst_ref": "ipv4-addr--588a6f20-1810-4702-a053-6dcc02de0b81",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--588a6f20-1810-4702-a053-6dcc02de0b81",
"value": "173.224.124.110"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f21-37d4-481d-b427-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:25.000Z",
"modified": "2017-01-26T21:50:25.000Z",
"first_observed": "2017-01-26T21:50:25Z",
"last_observed": "2017-01-26T21:50:25Z",
"number_observed": 1,
"object_refs": [
"domain-name--588a6f21-37d4-481d-b427-6dcc02de0b81"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--588a6f21-37d4-481d-b427-6dcc02de0b81",
"value": "shareyourfashion.net"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f22-11d0-4190-ae0a-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:26.000Z",
"modified": "2017-01-26T21:50:26.000Z",
"first_observed": "2017-01-26T21:50:26Z",
"last_observed": "2017-01-26T21:50:26Z",
"number_observed": 1,
"object_refs": [
"network-traffic--588a6f22-11d0-4190-ae0a-6dcc02de0b81",
"ipv4-addr--588a6f22-11d0-4190-ae0a-6dcc02de0b81"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--588a6f22-11d0-4190-ae0a-6dcc02de0b81",
"dst_ref": "ipv4-addr--588a6f22-11d0-4190-ae0a-6dcc02de0b81",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--588a6f22-11d0-4190-ae0a-6dcc02de0b81",
"value": "209.126.103.104"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f23-4e18-48b4-abd1-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:27.000Z",
"modified": "2017-01-26T21:50:27.000Z",
"first_observed": "2017-01-26T21:50:27Z",
"last_observed": "2017-01-26T21:50:27Z",
"number_observed": 1,
"object_refs": [
"domain-name--588a6f23-4e18-48b4-abd1-6dcc02de0b81"
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--588a6f23-4e18-48b4-abd1-6dcc02de0b81",
"value": "techgnews.com"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a6f23-05c4-4c29-a4b4-6dcc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:50:27.000Z",
"modified": "2017-01-26T21:50:27.000Z",
"first_observed": "2017-01-26T21:50:27Z",
"last_observed": "2017-01-26T21:50:27Z",
"number_observed": 1,
"object_refs": [
"network-traffic--588a6f23-05c4-4c29-a4b4-6dcc02de0b81",
"ipv4-addr--588a6f23-05c4-4c29-a4b4-6dcc02de0b81"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--588a6f23-05c4-4c29-a4b4-6dcc02de0b81",
"dst_ref": "ipv4-addr--588a6f23-05c4-4c29-a4b4-6dcc02de0b81",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--588a6f23-05c4-4c29-a4b4-6dcc02de0b81",
"value": "209.239.115.50"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6f39-4c88-464d-8774-471002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:52:30.000Z",
"modified": "2017-01-26T21:52:30.000Z",
"description": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)",
"pattern": "[url:value = 'kyle.dark7.org/download.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:52:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6f3a-a320-4e32-9621-46c102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:52:41.000Z",
"modified": "2017-01-26T21:52:41.000Z",
"description": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)",
"pattern": "[url:value = 'oblubienica.odnowa.org/download.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:52:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6f3b-45c4-40ae-b38e-428502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:53:00.000Z",
"modified": "2017-01-26T21:53:00.000Z",
"description": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)",
"pattern": "[url:value = 'sriswamidikshananda.org/download.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:53:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6f3b-7134-464a-861f-450902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:53:13.000Z",
"modified": "2017-01-26T21:53:13.000Z",
"description": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)",
"pattern": "[url:value = 'demo.signgo.com/help.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:53:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6f3c-9764-4977-8e02-456f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:53:23.000Z",
"modified": "2017-01-26T21:53:23.000Z",
"description": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)",
"pattern": "[url:value = 'retail.uvapoint.com/help.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:53:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a6f3d-8528-42b0-9af6-450802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:53:37.000Z",
"modified": "2017-01-26T21:53:37.000Z",
"description": "Example of EITest compromised Website acting as download server (POST request with MZ as reply)",
"pattern": "[url:value = 'chovek5.lozenetz.org/download.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:53:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7011-c36c-48ed-9abc-40e502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:25.000Z",
"modified": "2017-01-26T21:54:25.000Z",
"description": "FleerCivet 2017-01-17 - Xchecked via VT: ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167",
"pattern": "[file:hashes.SHA1 = '35c7f51fcf445ac0a2be0dfc81ec653e3eec6068']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7011-31fc-4d7b-a442-473702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:25.000Z",
"modified": "2017-01-26T21:54:25.000Z",
"description": "FleerCivet 2017-01-17 - Xchecked via VT: ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167",
"pattern": "[file:hashes.MD5 = '62cfd5f9a600809c9e53ea089920d988']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a7012-f1e8-4f25-a7c8-455602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:26.000Z",
"modified": "2017-01-26T21:54:26.000Z",
"first_observed": "2017-01-26T21:54:26Z",
"last_observed": "2017-01-26T21:54:26Z",
"number_observed": 1,
"object_refs": [
"url--588a7012-f1e8-4f25-a7c8-455602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588a7012-f1e8-4f25-a7c8-455602de0b81",
"value": "https://www.virustotal.com/file/ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167/analysis/1484834402/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7013-f6b4-487c-a1ae-4fc602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:27.000Z",
"modified": "2017-01-26T21:54:27.000Z",
"description": "FleerCivet 2017-01-16 - Xchecked via VT: 9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63",
"pattern": "[file:hashes.SHA1 = '0779fa9caa48b4fd978bf732f8450668eea13f39']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7013-e0d0-431e-ace0-4fc002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:27.000Z",
"modified": "2017-01-26T21:54:27.000Z",
"description": "FleerCivet 2017-01-16 - Xchecked via VT: 9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63",
"pattern": "[file:hashes.MD5 = '7b9aae9a506fc9e19cc127b5c74bfba1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a7014-6648-4d5b-ae8e-4b7b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:28.000Z",
"modified": "2017-01-26T21:54:28.000Z",
"first_observed": "2017-01-26T21:54:28Z",
"last_observed": "2017-01-26T21:54:28Z",
"number_observed": 1,
"object_refs": [
"url--588a7014-6648-4d5b-ae8e-4b7b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588a7014-6648-4d5b-ae8e-4b7b02de0b81",
"value": "https://www.virustotal.com/file/9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63/analysis/1484886904/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7015-72d4-4d87-b1f3-4c9b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:29.000Z",
"modified": "2017-01-26T21:54:29.000Z",
"description": "FleerCivet 2017-01-15 - Xchecked via VT: 7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc",
"pattern": "[file:hashes.SHA1 = '5a95dc982879b78fc44ca6e3d473aab2eafa5012']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7016-1130-4783-8732-421502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:30.000Z",
"modified": "2017-01-26T21:54:30.000Z",
"description": "FleerCivet 2017-01-15 - Xchecked via VT: 7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc",
"pattern": "[file:hashes.MD5 = 'f9e1f0083e0e42833c5dfa7faa4a0281']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a7016-1bdc-4229-a0fa-414c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:30.000Z",
"modified": "2017-01-26T21:54:30.000Z",
"first_observed": "2017-01-26T21:54:30Z",
"last_observed": "2017-01-26T21:54:30Z",
"number_observed": 1,
"object_refs": [
"url--588a7016-1bdc-4229-a0fa-414c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588a7016-1bdc-4229-a0fa-414c02de0b81",
"value": "https://www.virustotal.com/file/7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc/analysis/1484541299/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7017-ae5c-4778-8d55-422702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:31.000Z",
"modified": "2017-01-26T21:54:31.000Z",
"description": "FleerCivet 2017-01-15 - Xchecked via VT: 7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a",
"pattern": "[file:hashes.SHA1 = 'a13b63b53ffd8bf90665f6109b7f6294f6219dd7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7018-94e0-438b-bf8f-4b3d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:32.000Z",
"modified": "2017-01-26T21:54:32.000Z",
"description": "FleerCivet 2017-01-15 - Xchecked via VT: 7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a",
"pattern": "[file:hashes.MD5 = 'b9ec73f2406d87f69a6c8dfc46ed3a28']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a7018-60ec-4202-a54f-4a9e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:32.000Z",
"modified": "2017-01-26T21:54:32.000Z",
"first_observed": "2017-01-26T21:54:32Z",
"last_observed": "2017-01-26T21:54:32Z",
"number_observed": 1,
"object_refs": [
"url--588a7018-60ec-4202-a54f-4a9e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588a7018-60ec-4202-a54f-4a9e02de0b81",
"value": "https://www.virustotal.com/file/7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a/analysis/1485239703/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a7019-96d0-4507-81b2-4fbf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:33.000Z",
"modified": "2017-01-26T21:54:33.000Z",
"description": "Fiddler capture (index and post) - Xchecked via VT: 7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74",
"pattern": "[file:hashes.SHA1 = 'b38e12e5346fb02d41e18574d10fbf96f085a7c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588a701a-9664-423c-85d8-435102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:34.000Z",
"modified": "2017-01-26T21:54:34.000Z",
"description": "Fiddler capture (index and post) - Xchecked via VT: 7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74",
"pattern": "[file:hashes.MD5 = 'e8a36364b057d2ca6ea79061188591c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-26T21:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588a701a-9ff8-4e32-bea2-4bdf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-26T21:54:34.000Z",
"modified": "2017-01-26T21:54:34.000Z",
"first_observed": "2017-01-26T21:54:34Z",
"last_observed": "2017-01-26T21:54:34Z",
"number_observed": 1,
"object_refs": [
"url--588a701a-9ff8-4e32-bea2-4bdf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588a701a-9ff8-4e32-bea2-4bdf02de0b81",
"value": "https://www.virustotal.com/file/7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74/analysis/1484822761/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}