708 lines
29 KiB
JSON
708 lines
29 KiB
JSON
|
{
|
||
|
|
"type": "bundle",
|
||
|
|
"id": "bundle--5a09aaa3-e7fc-4e3c-acda-cb8d950d210f",
|
||
|
|
"objects": [
|
||
|
|
{
|
||
|
|
"type": "identity",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:41:16.000Z",
|
||
|
|
"modified": "2017-11-17T12:41:16.000Z",
|
||
|
|
"name": "CIRCL",
|
||
|
|
"identity_class": "organization"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "grouping",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "grouping--5a09aaa3-e7fc-4e3c-acda-cb8d950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:41:16.000Z",
|
||
|
|
"modified": "2017-11-17T12:41:16.000Z",
|
||
|
|
"name": "OSINT - Saudi Arabia's 'Game of Thobes'",
|
||
|
|
"context": "suspicious-activity",
|
||
|
|
"object_refs": [
|
||
|
|
"observed-data--5a09ab4a-49f4-4c13-9da2-458b950d210f",
|
||
|
|
"url--5a09ab4a-49f4-4c13-9da2-458b950d210f",
|
||
|
|
"indicator--5a09ab6e-33f0-4d46-b1e4-42e7950d210f",
|
||
|
|
"indicator--5a09ab6e-2168-4156-b837-4462950d210f",
|
||
|
|
"indicator--5a09ab6e-88f4-40d1-94bd-44ba950d210f",
|
||
|
|
"indicator--5a09af92-143c-4539-b34a-4939950d210f",
|
||
|
|
"indicator--5a09af92-4234-4cfc-8aa2-4154950d210f",
|
||
|
|
"indicator--5a09af92-f3d4-4794-9bfd-48a2950d210f",
|
||
|
|
"indicator--5a09af92-b3a8-4ad7-a250-4fc7950d210f",
|
||
|
|
"indicator--5a09afd3-f700-41f7-9d84-43ab950d210f",
|
||
|
|
"indicator--5a09afd3-7710-49d4-9626-460c950d210f",
|
||
|
|
"indicator--5a09afd3-5d74-4020-bd70-44fe950d210f",
|
||
|
|
"indicator--5a09afd3-3ec4-4e61-a267-455f950d210f",
|
||
|
|
"indicator--5a09afd3-d328-4cd7-8d4b-46ad950d210f",
|
||
|
|
"indicator--5a09afd3-9e98-4bc5-abc1-4f62950d210f",
|
||
|
|
"indicator--5a09b133-be00-49f3-8ee8-48c6950d210f",
|
||
|
|
"indicator--5a09b133-653c-413d-9682-4ac3950d210f",
|
||
|
|
"indicator--5a09b326-833c-48ce-8397-4034950d210f",
|
||
|
|
"indicator--5a09b326-4660-4c3b-92ba-4a33950d210f",
|
||
|
|
"indicator--5a09b326-bd9c-4a2e-9950-4ff8950d210f",
|
||
|
|
"indicator--5a09b326-1c58-4d04-afb8-46ab950d210f",
|
||
|
|
"observed-data--5a0ed8d0-a348-4851-8def-40e502de0b81",
|
||
|
|
"url--5a0ed8d0-a348-4851-8def-40e502de0b81",
|
||
|
|
"observed-data--5a0ed8d0-2e64-4b0e-b0c7-420e02de0b81",
|
||
|
|
"url--5a0ed8d0-2e64-4b0e-b0c7-420e02de0b81",
|
||
|
|
"x-misp-object--5a09ab2f-39b8-490c-84fb-4daf950d210f",
|
||
|
|
"indicator--5a09abf7-7304-4831-b206-46b8950d210f",
|
||
|
|
"indicator--5a09ad27-2430-434c-ad1b-47ea950d210f",
|
||
|
|
"indicator--5a09b25e-24f0-4913-8df2-4a94950d210f"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"Threat-Report",
|
||
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
|
"type:OSINT"
|
||
|
|
],
|
||
|
|
"object_marking_refs": [
|
||
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--5a09ab4a-49f4-4c13-9da2-458b950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"first_observed": "2017-11-17T12:40:47Z",
|
||
|
|
"last_observed": "2017-11-17T12:40:47Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"url--5a09ab4a-49f4-4c13-9da2-458b950d210f"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"link\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "url",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "url--5a09ab4a-49f4-4c13-9da2-458b950d210f",
|
||
|
|
"value": "https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09ab6e-33f0-4d46-b1e4-42e7950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"description": "C2",
|
||
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.76.106.149']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"ip-dst\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09ab6e-2168-4156-b837-4462950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"description": "C2",
|
||
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.76.36.243']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"ip-dst\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09ab6e-88f4-40d1-94bd-44ba950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"description": "C2",
|
||
|
|
"pattern": "[domain-name:value = 'saudiedi.toh.info']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"hostname\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09af92-143c-4539-b34a-4939950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"pattern": "[file:hashes.SHA1 = 'a1047665ed9d665f5cf066e4a9902d809e7325cf']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha1\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09af92-4234-4cfc-8aa2-4154950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'ade199b16607fd29c8e7288fb750ca2b']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"md5\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09af92-f3d4-4794-9bfd-48a2950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"pattern": "[file:hashes.SHA256 = 'd5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha256\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09af92-b3a8-4ad7-a250-4fc7950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"pattern": "[url:value = 'saudiedi.toh.info/search?q=\\\\%E7\\\\%DF\\\\%5D\\\\%10&cvid=714105926300154928']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09afd3-f700-41f7-9d84-43ab950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"pattern": "[url:value = 'articles/937933.html']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09afd3-7710-49d4-9626-460c950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"pattern": "[url:value = 'articles/937934.html']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09afd3-5d74-4020-bd70-44fe950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:47.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:47.000Z",
|
||
|
|
"pattern": "[url:value = 'articles/937935.html']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:47Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09afd3-3ec4-4e61-a267-455f950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[url:value = 'articles/937936.html']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09afd3-d328-4cd7-8d4b-46ad950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[url:value = 'articles/937937.html']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09afd3-9e98-4bc5-abc1-4f62950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[url:value = 'articles/937938.html']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09b133-be00-49f3-8ee8-48c6950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[file:name = '00007AA8[.]ex_']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"filename\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09b133-653c-413d-9682-4ac3950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[file:name = 'Saudi Arabia\\'s \\'Game of Thobes\\'[.]doc']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"filename\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09b326-833c-48ce-8397-4034950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[file:hashes.MD5 = '8598313222c41280eb42863eda8a9490']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"md5\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09b326-4660-4c3b-92ba-4a33950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[file:hashes.SHA1 = '256c631372692a1a907b04d27a735eb0905a003e']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha1\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09b326-bd9c-4a2e-9950-4ff8950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[file:hashes.SHA256 = '50eedaf3150253cc2298446615421f4caa0482cb93658dc095855c38d425e3fb']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha256\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09b326-1c58-4d04-afb8-46ab950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"pattern": "[file:hashes.SHA256 = '8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-17T12:40:48Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"sha256\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--5a0ed8d0-a348-4851-8def-40e502de0b81",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"first_observed": "2017-11-17T12:40:48Z",
|
||
|
|
"last_observed": "2017-11-17T12:40:48Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"url--5a0ed8d0-a348-4851-8def-40e502de0b81"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"link\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "url",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "url--5a0ed8d0-a348-4851-8def-40e502de0b81",
|
||
|
|
"value": "https://www.virustotal.com/file/8c81eb0fb49c40a1fa5474f45ff638961330ff73198dc7d537667455e5273bb8/analysis/1509021029/"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "observed-data",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "observed-data--5a0ed8d0-2e64-4b0e-b0c7-420e02de0b81",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-17T12:40:48.000Z",
|
||
|
|
"modified": "2017-11-17T12:40:48.000Z",
|
||
|
|
"first_observed": "2017-11-17T12:40:48Z",
|
||
|
|
"last_observed": "2017-11-17T12:40:48Z",
|
||
|
|
"number_observed": 1,
|
||
|
|
"object_refs": [
|
||
|
|
"url--5a0ed8d0-2e64-4b0e-b0c7-420e02de0b81"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"link\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "url",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "url--5a0ed8d0-2e64-4b0e-b0c7-420e02de0b81",
|
||
|
|
"value": "https://www.virustotal.com/file/d5b22843aabbbc20af253d579fd1f098138be85e2cff4677f7886e8d31ff00cb/analysis/1510308447/"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "x-misp-object",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "x-misp-object--5a09ab2f-39b8-490c-84fb-4daf950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-13T14:24:47.000Z",
|
||
|
|
"modified": "2017-11-13T14:24:47.000Z",
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"microblog\"",
|
||
|
|
"misp:meta-category=\"misc\""
|
||
|
|
],
|
||
|
|
"x_misp_attributes": [
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "post",
|
||
|
|
"value": "\"Saudi Arabia's 'Game of Thobes'.doc\u05f3\" submitted from TR, CVE-2017-11826, \r\nC2: 45.76.106[.]149 , 45.76.36[.]243 , saudiedi.toh[.]info\r\n\r\nMore details in Raw Threat Intelligence:\r\n\r\n(link: https://docs.google.com/document/d/1_nEWAmec3bKBddv30UPXJMiN-F0Ojuhfsmvk6KpFq0Q/edit#heading=h.iixpbs2pcjjp) docs.google.com/document/d/1_n\u2026",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5a09ab2f-fb18-4691-ad33-4c74950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "type",
|
||
|
|
"value": "Twitter",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5a09ab2f-e0cc-4dbb-a6f9-47e2950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "url",
|
||
|
|
"object_relation": "link",
|
||
|
|
"value": "https://mobile.twitter.com/ClearskySec/status/929998314002673666",
|
||
|
|
"category": "External analysis",
|
||
|
|
"to_ids": true,
|
||
|
|
"uuid": "5a09ab2f-db38-4066-9878-4865950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "datetime",
|
||
|
|
"object_relation": "creation-date",
|
||
|
|
"value": "2017/11/13",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5a09ab2f-13c0-4417-9869-42c4950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "username",
|
||
|
|
"value": "@ClearskySec",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5a09ab2f-9960-4d5f-a028-4b36950d210f"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"x_misp_meta_category": "misc",
|
||
|
|
"x_misp_name": "microblog"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09abf7-7304-4831-b206-46b8950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-13T14:28:07.000Z",
|
||
|
|
"modified": "2017-11-13T14:28:07.000Z",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'aede654e77e92dbd77ca512e19f495b8' AND file:hashes.SHA1 = 'd9fac68b6c49c485675d9141f375799d10572999' AND file:hashes.SHA256 = 'aed93c002574f25dabd1859f080203a2c8f332e92c80db9aa983316695d938d3' AND file:name = '2017-11-13 \u201cSaudi Arabia\\'s \\'Game of Thobes\\'.doc']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-13T14:28:07Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09ad27-2430-434c-ad1b-47ea950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-13T14:33:11.000Z",
|
||
|
|
"modified": "2017-11-13T14:33:11.000Z",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'b76f4c8c22b84600ac3cff64dadfaf8b' AND file:hashes.SHA1 = '78c0266456e33abed00895cb05d0f9fe09b83da3' AND file:hashes.SHA256 = '5ae0a582ed5d60324d6d1397be3deb0c704a1d77c9ef3d5f486455f99da32e7f' AND file:name = '\\\\%TEMP\\\\%\\\\vcpkgs.exe']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-13T14:33:11Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5a09b25e-24f0-4913-8df2-4a94950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2017-11-13T14:55:26.000Z",
|
||
|
|
"modified": "2017-11-13T14:55:26.000Z",
|
||
|
|
"pattern": "[file:hashes.MD5 = 'fea6546e3299a31a58a3aa2a6b7060c9' AND file:hashes.SHA1 = 'eddf2ca780b4396c0bf5ea3f13d22275fb6822fc' AND file:hashes.SHA256 = '26c672b2537f8a89f2d59674f00bcfe9825796ca9b1ec51c96e5675dd586b87b']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2017-11-13T14:55:26Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "marking-definition",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
|
"definition_type": "tlp",
|
||
|
|
"name": "TLP:WHITE",
|
||
|
|
"definition": {
|
||
|
|
"tlp": "white"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|