|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--59f4a30d-fdf8-4617-b6ab-45df02de0b81",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-22T21:20:18.000Z",
|
||
|
"modified": "2017-11-22T21:20:18.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--59f4a30d-fdf8-4617-b6ab-45df02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-22T21:20:18.000Z",
|
||
|
"modified": "2017-11-22T21:20:18.000Z",
|
||
|
"name": "OSINT - Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia",
|
||
|
"published": "2017-12-28T13:21:35Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--59f4a332-25a4-4cf0-9c00-0a8f02de0b81",
|
||
|
"url--59f4a332-25a4-4cf0-9c00-0a8f02de0b81",
|
||
|
"x-misp-attribute--59f4a349-5d24-42f1-81fb-427b02de0b81",
|
||
|
"indicator--59f4a3af-8a84-4a5a-9ef7-46b202de0b81",
|
||
|
"indicator--59f4a3af-6a74-4147-bab8-462f02de0b81",
|
||
|
"indicator--59f4a3af-9324-4a5f-ab14-425a02de0b81",
|
||
|
"indicator--59f4a3af-6610-44da-a595-4c9e02de0b81",
|
||
|
"indicator--59f4a3af-5c00-4ac5-852f-427302de0b81",
|
||
|
"indicator--59f4a3af-4b70-455b-b716-438d02de0b81",
|
||
|
"indicator--59f4a3af-b0f4-4461-9816-457e02de0b81",
|
||
|
"indicator--59f4a3af-dfb8-4f4a-8a99-424102de0b81",
|
||
|
"indicator--59f4a3af-7a80-4fb5-8033-414302de0b81",
|
||
|
"indicator--59f4a3af-ec60-4491-88d5-464c02de0b81",
|
||
|
"indicator--59f4a3af-5d20-4e14-86e4-415c02de0b81",
|
||
|
"indicator--59f4a3af-69a8-4e3e-9cce-419502de0b81",
|
||
|
"indicator--59f4a3af-5330-4e93-8aaf-404702de0b81",
|
||
|
"indicator--59f4a3af-6370-4398-9b1d-409902de0b81",
|
||
|
"indicator--59f4a3d1-6344-4d78-a2aa-404f02de0b81",
|
||
|
"indicator--59f4a3d1-62bc-4e26-929f-471c02de0b81",
|
||
|
"indicator--59f4a3d1-d934-4478-b90c-42ce02de0b81",
|
||
|
"indicator--59f4a3d1-ae04-4d35-9531-4d6002de0b81",
|
||
|
"indicator--59f4a3d1-27bc-46cc-a325-492402de0b81",
|
||
|
"indicator--59f4a3d1-12b4-479f-9ee3-480402de0b81",
|
||
|
"indicator--59f4a3d1-a0d0-4e20-afe8-487e02de0b81",
|
||
|
"indicator--59f4a3d1-beac-4341-853a-4ac302de0b81",
|
||
|
"indicator--59f4a3d1-3660-4f97-ba51-457702de0b81",
|
||
|
"indicator--59f4a3d1-78f4-4000-a477-429302de0b81",
|
||
|
"indicator--59f4a404-b5bc-41c4-9347-4ee802de0b81",
|
||
|
"indicator--59f4a404-de84-4ff5-8084-481d02de0b81",
|
||
|
"indicator--59f4a404-0010-4f6d-8836-4fb802de0b81",
|
||
|
"indicator--59f4a404-b910-465c-9eef-4fce02de0b81",
|
||
|
"indicator--59f4a404-f3c0-43bf-855c-4cce02de0b81",
|
||
|
"indicator--59f4a404-2bf8-49c5-8a9a-4a9502de0b81",
|
||
|
"indicator--59f4a404-e5d8-48f4-ab58-474e02de0b81",
|
||
|
"indicator--59f4a425-9ea8-4578-9922-4ea302de0b81",
|
||
|
"indicator--59f4a439-698c-4c47-a051-4f2902de0b81",
|
||
|
"indicator--59f4a439-675c-43f6-bd3e-499302de0b81",
|
||
|
"indicator--59f4a439-d53c-404e-b3be-4d8b02de0b81",
|
||
|
"indicator--59f4a439-35e4-48e3-b6be-48a902de0b81",
|
||
|
"indicator--59f4a456-8b14-42ff-9666-0ccc02de0b81",
|
||
|
"indicator--59f4a456-3b74-4fea-8ab8-0ccc02de0b81",
|
||
|
"indicator--59f4a456-687c-4de7-9b05-0ccc02de0b81",
|
||
|
"indicator--59f4a456-2bb8-4fce-b099-0ccc02de0b81",
|
||
|
"indicator--59f4a456-9fe8-4825-a85f-0ccc02de0b81",
|
||
|
"indicator--59f4a456-1888-4734-90e7-0ccc02de0b81",
|
||
|
"indicator--59f4a456-24d0-4ce1-b1d5-0ccc02de0b81",
|
||
|
"indicator--59f4a456-ea64-43f5-b0b8-0ccc02de0b81",
|
||
|
"indicator--59f4a48d-9788-4384-b858-411902de0b81",
|
||
|
"indicator--59f4a48d-5b9c-4f72-8dd4-48a102de0b81",
|
||
|
"indicator--59f4a48d-b230-44f5-9a22-41aa02de0b81",
|
||
|
"indicator--59f4a48d-6c04-414f-bd1d-40c202de0b81",
|
||
|
"indicator--59f4a48d-58a8-4306-9cd8-442f02de0b81",
|
||
|
"indicator--59f4a48d-c3b8-4846-b081-43ed02de0b81",
|
||
|
"indicator--59f4a48d-1564-4a13-9711-4dcb02de0b81",
|
||
|
"indicator--59f4a48d-cef8-4254-94ef-467802de0b81",
|
||
|
"indicator--59f4a48d-8170-473f-8941-4e7802de0b81",
|
||
|
"indicator--59f4a4c7-3db0-410a-ab8d-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-397c-46fd-a32a-0a8f02de0b81",
|
||
|
"observed-data--59f4a4c7-93c8-4d72-88ce-0a8f02de0b81",
|
||
|
"url--59f4a4c7-93c8-4d72-88ce-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-d944-473a-95bb-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-6eb8-4df3-90cf-0a8f02de0b81",
|
||
|
"observed-data--59f4a4c7-4148-4cba-91d2-0a8f02de0b81",
|
||
|
"url--59f4a4c7-4148-4cba-91d2-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-c9a0-42ab-94ea-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-d7f4-4ecf-8b42-0a8f02de0b81",
|
||
|
"observed-data--59f4a4c7-6b7c-4e67-8ccc-0a8f02de0b81",
|
||
|
"url--59f4a4c7-6b7c-4e67-8ccc-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-918c-4245-8ebf-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-70c8-483e-95b1-0a8f02de0b81",
|
||
|
"observed-data--59f4a4c7-d43c-4a02-9a99-0a8f02de0b81",
|
||
|
"url--59f4a4c7-d43c-4a02-9a99-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-6d74-4281-937a-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-1df0-44d5-ad99-0a8f02de0b81",
|
||
|
"observed-data--59f4a4c7-3b28-4a10-8aaf-0a8f02de0b81",
|
||
|
"url--59f4a4c7-3b28-4a10-8aaf-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-8e84-45ed-b728-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-a794-4b6b-9542-0a8f02de0b81",
|
||
|
"observed-data--59f4a4c7-4d18-4218-bd0e-0a8f02de0b81",
|
||
|
"url--59f4a4c7-4d18-4218-bd0e-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-9e84-4f2b-9008-0a8f02de0b81",
|
||
|
"indicator--59f4a4c7-bbfc-460f-8045-0a8f02de0b81",
|
||
|
"observed-data--59f4a4c7-b32c-4349-a488-0a8f02de0b81",
|
||
|
"url--59f4a4c7-b32c-4349-a488-0a8f02de0b81",
|
||
|
"x-misp-object--59f4a7fd-20e0-493a-b9a3-481e02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59f4a332-25a4-4cf0-9c00-0a8f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"first_observed": "2017-10-28T15:39:50Z",
|
||
|
"last_observed": "2017-10-28T15:39:50Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59f4a332-25a4-4cf0-9c00-0a8f02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59f4a332-25a4-4cf0-9c00-0a8f02de0b81",
|
||
|
"value": "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59f4a349-5d24-42f1-81fb-427b02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "In June we published on a previously unknown group we named \u201cBahamut,\u201d a strange campaign of phishing and malware apparently focused on the Middle East and South Asia. In the Bahamut report, we documented a capable actor interested in a diverse set of political, economic, and non-governmental targets, which suggested espionage rather than criminal intent. Bahamut was shown to be resourceful, not only maintaining their own Android malware but running propaganda sites, although the quality of these activities varied noticeably.\r\n\r\nOur publication on the campaign coincided with a series of defacements and leaked emails related to Qatar and its neighbors, the same types of targets that arose in our research. While we have found no evidence to link the group to these incidents, Bahamut provided a useful window into the activities rampant in the Gulf at a time when hacking has contributed to a regional diplomatic crisis. The incident further demonstrated the blurred lines in cybersecurity between attacks against human rights communities and espionage against diplomats, as well as the potential role of non-state actors in state-aligned cyber operations.\r\n\r\nAfter publication, the identified operations and malware domains were taken down. For three months there was no apparent further activity from the actor. However, in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals, employing the same tactics as before. Bahamut remains active, and its operations are more extensive than first disclosed. Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations, and to further affirm our belief that the group is a hacker-for-hire operation. Toward this we document a previously unnoticed link with a campaign targeting South Asia that was published last year. 
This post extends the previous publication with recent activity and lends more evidence to our past hypotheses about the political nature of its operations."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-8a84-4a5a-9ef7-46b202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'noreply.user.subscripton@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-6a74-4147-bab8-462f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'mirror.news.live@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-9324-4a5f-ab14-425a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'mail.noreplyportals@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-6610-44da-a595-4c9e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'rnicrosoft-recovery-update@hotmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-5c00-4ac5-852f-427302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'noreply.subscribeuser.alert@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-4b70-455b-b716-438d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'noreply.users.validation@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-b0f4-4461-9816-457e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'noreply.applc.id.service@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-dfb8-4f4a-8a99-424102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'playbooy.magazine.update@outlook.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-7a80-4fb5-8033-414302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'noreply.goolgemail@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-ec60-4491-88d5-464c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'dubaicalender.eventupdate@outlook.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-5d20-4e14-86e4-415c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'sputniknews@email.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-69a8-4e3e-9cce-419502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'news_update@email.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-5330-4e93-8aaf-404702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'bbcnewsdailysubscribe@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3af-6370-4398-9b1d-409902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[email-message:from_ref.value = 'noreply.goolgehangouts@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-6344-4d78-a2aa-404f02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[domain-name:value = 'squre39-cld.info']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-62bc-4e26-929f-471c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[domain-name:value = 'goolg-en.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-d934-4478-b90c-42ce02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[domain-name:value = 'login-asmx.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-ae04-4d35-9531-4d6002de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[domain-name:value = 'string2port.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-27bc-46cc-a325-492402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[domain-name:value = 'session-en.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-12b4-479f-9ee3-480402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[domain-name:value = 'singin-go-olge.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-a0d0-4e20-afe8-487e02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '111.90.138.81']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-beac-4341-853a-4ac302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.68.242.18']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-3660-4f97-ba51-457702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.92.136.134']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a3d1-78f4-4000-a477-429302de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Credential Harvesting and Recon",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.63.45.47']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a404-b5bc-41c4-9347-4ee802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Android Agent",
|
||
|
"pattern": "[domain-name:value = 'devotedtohumanity-fif.info']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a404-de84-4ff5-8084-481d02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Android Agent",
|
||
|
"pattern": "[domain-name:value = 'kashmir-weather-info.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f4a404-0010-4f6d-8836-4fb802de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-28T15:39:50.000Z",
|
||
|
"modified": "2017-10-28T15:39:50.000Z",
|
||
|
"description": "Android Agent",
|
||
|
"pattern": "[domain-name:value = 'mxiplayer.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-28T15:39:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a404-b910-465c-9eef-4fce02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:50.000Z",
"modified": "2017-10-28T15:39:50.000Z",
"description": "Android Agent",
"pattern": "[file:hashes.SHA1 = '6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a404-f3c0-43bf-855c-4cce02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:50.000Z",
"modified": "2017-10-28T15:39:50.000Z",
"description": "Android Agent",
"pattern": "[file:hashes.SHA1 = '0550dad8d55446e5b5dbae61783cfb7c78ee10d2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a404-2bf8-49c5-8a9a-4a9502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:50.000Z",
"modified": "2017-10-28T15:39:50.000Z",
"description": "Android Agent",
"pattern": "[file:hashes.SHA1 = '00d000679baab456953b4302d8b2a1e65241ed12']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a404-e5d8-48f4-ab58-474e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent",
"pattern": "[file:hashes.SHA1 = 'ddaf5e43da0b00884ef957c32d7b16ed692a057a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a425-9ea8-4578-9922-4ea302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Windows Agent",
"pattern": "[file:hashes.SHA1 = '9850ac30c3357d3a412d0f6cec2716b63db6c21d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a439-698c-4c47-a051-4f2902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Other Malware References",
"pattern": "[file:hashes.SHA256 = '9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a439-675c-43f6-bd3e-499302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Other Malware References",
"pattern": "[file:hashes.SHA256 = '1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a439-d53c-404e-b3be-4d8b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Other Malware References",
"pattern": "[domain-name:value = 'mint-news-portal.hymnfork.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a439-35e4-48e3-b6be-48a902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Other Malware References",
"pattern": "[domain-name:value = 'online-tracking-status.hymnfork.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a456-8b14-42ff-9666-0ccc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[domain-name:value = 'insidecloud-aspx.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a456-3b74-4fea-8ab8-0ccc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[domain-name:value = 'data-covery.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a456-687c-4de7-9b05-0ccc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[domain-name:value = 'sa-google.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a456-2bb8-4fce-b099-0ccc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[domain-name:value = 'rnail-aspx.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a456-9fe8-4825-a85f-0ccc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[domain-name:value = 'session-service.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a456-1888-4734-90e7-0ccc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[domain-name:value = 'session-owa.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a456-24d0-4ce1-b1d5-0ccc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[domain-name:value = 'myinfocheck.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a456-ea64-43f5-b0b8-0ccc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[domain-name:value = 'host-auth.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-9788-4384-b858-411902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'janko.kolar@bulletmail.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-5b9c-4f72-8dd4-48a102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'jacbov.vjan@bulletmail.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-b230-44f5-9a22-41aa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'robert.warne@list.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-6c04-414f-bd1d-40c202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'viera.taafi@pobox.sk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-58a8-4306-9cd8-442f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'aaron.drago@pobox.sk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-c3b8-4846-b081-43ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'marek.franko@pobox.sk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-1564-4a13-9711-4dcb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'oliver.dagur@mail.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-cef8-4254-94ef-467802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'ralph.cramey@mail.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a48d-8170-473f-8941-4e7802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Similar Infrastructure",
"pattern": "[email-message:from_ref.value = 'petru.negru@pobox.sk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-3db0-410a-ab8d-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Other Malware References - Xchecked via VT: 1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96",
"pattern": "[file:hashes.SHA1 = '381307e3120a0ee6b2769b4fe650c910bb55eb90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-397c-46fd-a32a-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Other Malware References - Xchecked via VT: 1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96",
"pattern": "[file:hashes.MD5 = '94da91def54db4c1895eb7ba99eb75a6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f4a4c7-93c8-4d72-88ce-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"first_observed": "2017-10-28T15:39:51Z",
"last_observed": "2017-10-28T15:39:51Z",
"number_observed": 1,
"object_refs": [
"url--59f4a4c7-93c8-4d72-88ce-0a8f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f4a4c7-93c8-4d72-88ce-0a8f02de0b81",
"value": "https://www.virustotal.com/file/1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96/analysis/1508453214/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-d944-473a-95bb-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Other Malware References - Xchecked via VT: 9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560",
"pattern": "[file:hashes.SHA1 = '9ef613c4db7e172f7df271513dd501f0a18de2c8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-6eb8-4df3-90cf-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Other Malware References - Xchecked via VT: 9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560",
"pattern": "[file:hashes.MD5 = 'cfa27503eb37b1c94966d7ac3a5c28c0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f4a4c7-4148-4cba-91d2-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"first_observed": "2017-10-28T15:39:51Z",
"last_observed": "2017-10-28T15:39:51Z",
"number_observed": 1,
"object_refs": [
"url--59f4a4c7-4148-4cba-91d2-0a8f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f4a4c7-4148-4cba-91d2-0a8f02de0b81",
"value": "https://www.virustotal.com/file/9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560/analysis/1508352935/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-c9a0-42ab-94ea-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Windows Agent - Xchecked via VT: 9850ac30c3357d3a412d0f6cec2716b63db6c21d",
"pattern": "[file:hashes.SHA256 = 'd0e2e7fe3fab992a670137d0693a2b76a5ac88283011b4aa8786d439b37c877b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-d7f4-4ecf-8b42-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Windows Agent - Xchecked via VT: 9850ac30c3357d3a412d0f6cec2716b63db6c21d",
"pattern": "[file:hashes.MD5 = '94a6aba63c9d2d9587e424acfde41bcb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f4a4c7-6b7c-4e67-8ccc-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"first_observed": "2017-10-28T15:39:51Z",
"last_observed": "2017-10-28T15:39:51Z",
"number_observed": 1,
"object_refs": [
"url--59f4a4c7-6b7c-4e67-8ccc-0a8f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f4a4c7-6b7c-4e67-8ccc-0a8f02de0b81",
"value": "https://www.virustotal.com/file/d0e2e7fe3fab992a670137d0693a2b76a5ac88283011b4aa8786d439b37c877b/analysis/1504758200/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-918c-4245-8ebf-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent - Xchecked via VT: ddaf5e43da0b00884ef957c32d7b16ed692a057a",
"pattern": "[file:hashes.SHA256 = '05a4e1e6542d6b0ba7b6eced12c05e96a341deaf88adb28695365544940da5ed']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-70c8-483e-95b1-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent - Xchecked via VT: ddaf5e43da0b00884ef957c32d7b16ed692a057a",
"pattern": "[file:hashes.MD5 = '019db1adb064ff0245470d0c1972c515']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f4a4c7-d43c-4a02-9a99-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"first_observed": "2017-10-28T15:39:51Z",
"last_observed": "2017-10-28T15:39:51Z",
"number_observed": 1,
"object_refs": [
"url--59f4a4c7-d43c-4a02-9a99-0a8f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f4a4c7-d43c-4a02-9a99-0a8f02de0b81",
"value": "https://www.virustotal.com/file/05a4e1e6542d6b0ba7b6eced12c05e96a341deaf88adb28695365544940da5ed/analysis/1500233344/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-6d74-4281-937a-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent - Xchecked via VT: 00d000679baab456953b4302d8b2a1e65241ed12",
"pattern": "[file:hashes.SHA256 = '6f60dfbd3c3fdffc731969acc1b7a82a545b8ec5baaecd48e7ae8055beb37259']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-1df0-44d5-ad99-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent - Xchecked via VT: 00d000679baab456953b4302d8b2a1e65241ed12",
"pattern": "[file:hashes.MD5 = 'eec26ee59a6fc0f4b7a2a82b13fe6b05']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f4a4c7-3b28-4a10-8aaf-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"first_observed": "2017-10-28T15:39:51Z",
"last_observed": "2017-10-28T15:39:51Z",
"number_observed": 1,
"object_refs": [
"url--59f4a4c7-3b28-4a10-8aaf-0a8f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f4a4c7-3b28-4a10-8aaf-0a8f02de0b81",
"value": "https://www.virustotal.com/file/6f60dfbd3c3fdffc731969acc1b7a82a545b8ec5baaecd48e7ae8055beb37259/analysis/1504073634/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-8e84-45ed-b728-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent - Xchecked via VT: 0550dad8d55446e5b5dbae61783cfb7c78ee10d2",
"pattern": "[file:hashes.SHA256 = '65398e0f12248ca71642216ff8606744305c2397c368ff072c243e6410fd42bc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-a794-4b6b-9542-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent - Xchecked via VT: 0550dad8d55446e5b5dbae61783cfb7c78ee10d2",
"pattern": "[file:hashes.MD5 = '146335f1c4ffaae9cf3d48e767a1c66b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f4a4c7-4d18-4218-bd0e-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"first_observed": "2017-10-28T15:39:51Z",
"last_observed": "2017-10-28T15:39:51Z",
"number_observed": 1,
"object_refs": [
"url--59f4a4c7-4d18-4218-bd0e-0a8f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f4a4c7-4d18-4218-bd0e-0a8f02de0b81",
"value": "https://www.virustotal.com/file/65398e0f12248ca71642216ff8606744305c2397c368ff072c243e6410fd42bc/analysis/1504229307/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-9e84-4f2b-9008-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent - Xchecked via VT: 6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0",
"pattern": "[file:hashes.SHA256 = '090bc0f5936a12771b7fdf15070ba2169a24108a095e939920498b94ce19596d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f4a4c7-bbfc-460f-8045-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"description": "Android Agent - Xchecked via VT: 6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0",
"pattern": "[file:hashes.MD5 = '63c2bc55a032eef24d0746158727e373']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-28T15:39:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f4a4c7-b32c-4349-a488-0a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:39:51.000Z",
"modified": "2017-10-28T15:39:51.000Z",
"first_observed": "2017-10-28T15:39:51Z",
"last_observed": "2017-10-28T15:39:51Z",
"number_observed": 1,
"object_refs": [
"url--59f4a4c7-b32c-4349-a488-0a8f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f4a4c7-b32c-4349-a488-0a8f02de0b81",
"value": "https://www.virustotal.com/file/090bc0f5936a12771b7fdf15070ba2169a24108a095e939920498b94ce19596d/analysis/1504410339/"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--59f4a7fd-20e0-493a-b9a3-481e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-28T15:53:33.000Z",
"modified": "2017-10-28T15:53:33.000Z",
"labels": [
"misp:name=\"whois\"",
"misp:meta-category=\"network\""
],
"x_misp_attributes": [
{
"type": "domain",
"object_relation": "domain",
"value": "i3mode.com",
"category": "Network activity",
"to_ids": true,
"uuid": "59f4a7fe-8b80-4a1c-9aa4-429002de0b81"
},
{
"type": "whois-registrant-email",
"object_relation": "registrant-email",
"value": "kedrick.brown.84@mail.ru",
"category": "Attribution",
"uuid": "59f4a7fe-1498-4acb-bc1c-440602de0b81"
},
{
"type": "whois-registrant-name",
"object_relation": "registrant-name",
"value": "KEDRICK BROWN",
"category": "Attribution",
"uuid": "59f4a7fe-c3f0-41db-ba32-488402de0b81"
},
{
"type": "whois-registrant-phone",
"object_relation": "registrant-phone",
"value": "00503503226605642",
"category": "Attribution",
"uuid": "59f4a7fe-0614-49f2-81f1-47d702de0b81"
}
],
"x_misp_meta_category": "network",
"x_misp_name": "whois"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}