{
"type": "bundle",
"id": "bundle--59cab250-1480-406f-8e7a-4c7e02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59cab250-1480-406f-8e7a-4c7e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"name": "OSINT - Striking Oil: A Closer Look at Adversary Infrastructure",
"published": "2017-09-26T20:07:07Z",
"object_refs": [
"observed-data--59cab25e-8e18-492b-80fd-f69902de0b81",
"url--59cab25e-8e18-492b-80fd-f69902de0b81",
"x-misp-attribute--59cab279-6d8c-42b2-b5f1-476902de0b81",
"indicator--59cab2ae-ee3c-4fb0-bebc-4a3402de0b81",
"indicator--59cab2ae-e7fc-4fe2-9249-4f5c02de0b81",
"indicator--59cab2ae-dbc0-4cd4-8593-4b8702de0b81",
"indicator--59cab2ae-2d4c-4c7b-877a-4d0302de0b81",
"indicator--59cab2ae-6e70-4c00-b632-48eb02de0b81",
"indicator--59cab2ae-d2bc-45c8-9af5-425f02de0b81",
"indicator--59cab2ae-adc8-4820-b9c3-4c9f02de0b81",
"indicator--59cab2ae-2814-4ae0-84b3-499302de0b81",
"indicator--59cab2ae-2444-4dfe-bbbd-4f8702de0b81",
"indicator--59cab2ae-4ce8-4325-b940-4e6202de0b81",
"indicator--59cab2ae-9e74-4969-81e6-44d302de0b81",
"indicator--59cab2ae-27dc-420e-9693-49f802de0b81",
"indicator--59cab2c1-f358-42a9-9d5f-47fb02de0b81",
"indicator--59cab2c2-28e8-413c-bf16-4b7c02de0b81",
"indicator--59cab2c2-bd5c-4a38-b84d-465f02de0b81",
"indicator--59cab2c2-0c68-41cf-a8cb-4d0102de0b81",
"indicator--59cab2c2-c4e4-48f3-b732-44d202de0b81",
"indicator--59cab2c2-ea68-4b85-8e1e-48c402de0b81",
"indicator--59cab2c2-a804-4892-8444-439702de0b81",
"indicator--59cab32d-bc80-49d0-b801-480b02de0b81",
"indicator--59cab357-66cc-473d-a11d-4aaf02de0b81",
"indicator--59cab357-0e80-4b6a-b532-4f1e02de0b81",
"observed-data--59cab357-5428-4492-bfbf-412d02de0b81",
"url--59cab357-5428-4492-bfbf-412d02de0b81",
"indicator--59cab357-afb0-402d-8585-443e02de0b81",
"indicator--59cab357-c808-483b-9e09-4b3f02de0b81",
"observed-data--59cab357-c1ac-4ad8-8355-40e902de0b81",
"url--59cab357-c1ac-4ad8-8355-40e902de0b81",
"indicator--59cab357-febc-4bfa-9185-439902de0b81",
"indicator--59cab357-2330-4b9b-8b15-499b02de0b81",
"observed-data--59cab357-6040-49e1-9e31-4ad502de0b81",
"url--59cab357-6040-49e1-9e31-4ad502de0b81",
"indicator--59cab357-3b20-4868-9a21-471f02de0b81",
"indicator--59cab357-9130-4589-8b79-4edb02de0b81",
"observed-data--59cab357-adb8-4701-a11d-484102de0b81",
"url--59cab357-adb8-4701-a11d-484102de0b81",
"indicator--59cab357-24c4-4f12-8ec1-454502de0b81",
"indicator--59cab357-d410-4086-a717-4aad02de0b81",
"observed-data--59cab357-eb68-44ec-8d84-4d0e02de0b81",
"url--59cab357-eb68-44ec-8d84-4d0e02de0b81",
"indicator--59cab357-b434-4887-ae7c-41fc02de0b81",
"indicator--59cab357-c5c4-4fef-9d9a-468e02de0b81",
"observed-data--59cab357-4da0-4c0b-bfc2-42f002de0b81",
"url--59cab357-4da0-4c0b-bfc2-42f002de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"TwoFace\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab25e-8e18-492b-80fd-f69902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab25e-8e18-492b-80fd-f69902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab25e-8e18-492b-80fd-f69902de0b81",
"value": "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59cab279-6d8c-42b2-b5f1-476902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "While expanding our research into the TwoFace webshell from this past July, we were able to uncover several IP addresses that logged in and directly interfaced with the shell we discovered and wrote about. Investigating deeper into these potential adversary IPs revealed a much larger infrastructure used to execute the attacks. We found the infrastructure was segregated into different functions for specific malicious objectives. We found some sites that were set up as credential harvesters (likely used in phishing attacks), a compromised system that was used to interact with a TwoFace webshell to hide the actor\u2019s location, and finally systems that interact with TwoFace webshell-compromised systems to provide command and control direction of those compromised systems.\r\n\r\nIn addition to uncovering the attack infrastructure for this adversary, we were able to determine a significant link between the operators of the set of attacks involving TwoFace and another attack campaign we have published on in detail: OilRig."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-ee3c-4fb0-bebc-4a3402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-e7fc-4fe2-9249-4f5c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '744e0ce108598aaa8994f211e00769ac8a3f05324d3f07f7705277b9af7a7497']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-dbc0-4cd4-8593-4b8702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = 'caf5f9791ab3049811e16971b4673ec6d4baf35ffaadd7486ea4c5e318d10696']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-2d4c-4c7b-877a-4d0302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-6e70-4c00-b632-48eb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-d2bc-45c8-9af5-425f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-adc8-4820-b9c3-4c9f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '5b7eb534a852c187eee7eb729056082eec7a028819191fc2bc3ba4d1127fbd12']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-2814-4ae0-84b3-499302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '6e623311768f1c419b3f755248a3b3d4bf80d26606a74ed4cfd25547a67734c7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-2444-4dfe-bbbd-4f8702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-4ce8-4325-b940-4e6202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = 'd3b03c0da854102802c21c0fa8736910ea039bbe93a140c09689fc802435ea31']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-9e74-4969-81e6-44d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-27dc-420e-9693-49f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = 'bb9b4e088eb99100156f56bbd35a21ff7e96981ffe78ca9132781e9b3f064f44']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c1-f358-42a9-9d5f-47fb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'owa-insss-org-ill-owa-authen.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-28e8-413c-bf16-4b7c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'webmaiil-tau-ac-il.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-bd5c-4a38-b84d-465f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'mail-macroadvisorypartners.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-0c68-41cf-a8cb-4d0102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'webmail-tidhar-co-il.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-c4e4-48f3-b732-44d202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'my-mailcoil.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-ea68-4b85-8e1e-48c402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'logn-micrsftonine-con.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-a804-4892-8444-439702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'so-cc-hujii-ac-il.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab32d-bc80-49d0-b801-480b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "We observed the IP address 137.74.131[.]208 interacting with the TwoFace webshell as described in our previous blog.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.74.131.208']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-66cc-473d-a11d-4aaf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2",
"pattern": "[file:hashes.SHA1 = 'fd095248cc300eb60c758a8f51f6050b2fe56520']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-0e80-4b6a-b532-4f1e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2",
"pattern": "[file:hashes.MD5 = '28089bfa4a1991ae98a7230f055a6081']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-5428-4492-bfbf-412d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-5428-4492-bfbf-412d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-5428-4492-bfbf-412d02de0b81",
"value": "https://www.virustotal.com/file/28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2/analysis/1500337719/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-afb0-402d-8585-443e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301",
"pattern": "[file:hashes.SHA1 = '5221c2ce846d9cbc8ab73142b51414f31544289f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-c808-483b-9e09-4b3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301",
"pattern": "[file:hashes.MD5 = 'b5450c8553def4996426ab46996b2e55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-c1ac-4ad8-8355-40e902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-c1ac-4ad8-8355-40e902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-c1ac-4ad8-8355-40e902de0b81",
"value": "https://www.virustotal.com/file/6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301/analysis/1497352004/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-febc-4bfa-9185-439902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95",
"pattern": "[file:hashes.SHA1 = 'b5c62d79eda4f7e4b60a9caa5736a3fdc2f1b27e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-2330-4b9b-8b15-499b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95",
"pattern": "[file:hashes.MD5 = 'a7f7a0f74c8b48f1699858b3b6c11eda']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-6040-49e1-9e31-4ad502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-6040-49e1-9e31-4ad502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-6040-49e1-9e31-4ad502de0b81",
"value": "https://www.virustotal.com/file/3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95/analysis/1506412272/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-3b20-4868-9a21-471f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd",
"pattern": "[file:hashes.SHA1 = '289f3bfe297923507cf4c26ca500ae01819c6a95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-9130-4589-8b79-4edb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd",
"pattern": "[file:hashes.MD5 = '081e2ce7e2a603a78cc6c20a05b08ca8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-adb8-4701-a11d-484102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-adb8-4701-a11d-484102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-adb8-4701-a11d-484102de0b81",
"value": "https://www.virustotal.com/file/450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd/analysis/1500539163/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-24c4-4f12-8ec1-454502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3",
"pattern": "[file:hashes.SHA1 = '5447283518473ea8b9d35424532a94e2966f7a90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-d410-4086-a717-4aad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3",
"pattern": "[file:hashes.MD5 = '0f9d0b03254830714654c2ceb11a7f5d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-eb68-44ec-8d84-4d0e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-eb68-44ec-8d84-4d0e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-eb68-44ec-8d84-4d0e02de0b81",
"value": "https://www.virustotal.com/file/497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3/analysis/1505921769/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-b434-4887-ae7c-41fc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c",
"pattern": "[file:hashes.SHA1 = '0c91a56f61c0365f56dc7b2b4e17bbf1e4cb134b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-c5c4-4fef-9d9a-468e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c",
"pattern": "[file:hashes.MD5 = 'a56abdaa3438378bf16b3eccf317af8a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-4da0-4c0b-bfc2-42f002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-4da0-4c0b-bfc2-42f002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-4da0-4c0b-bfc2-42f002de0b81",
"value": "https://www.virustotal.com/file/5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c/analysis/1483030641/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}