{
"type": "bundle",
"id": "bundle--5a26b911-af14-4c92-86a9-446c950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T10:01:16.000Z",
"modified": "2017-12-06T10:01:16.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a26b911-af14-4c92-86a9-446c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T10:01:16.000Z",
"modified": "2017-12-06T10:01:16.000Z",
"name": "M2M - \"..doc\" 2017-12-05 : 'Message from \"G10PR0123456.MYCOMPANY.COM\"' - \"20171205123.zip\"",
"published": "2017-12-06T10:01:22Z",
"object_refs": [
"indicator--5a26b912-ec3c-4497-a03d-4bfa950d210f",
"indicator--5a26b913-90cc-4e93-b967-46b4950d210f",
"indicator--5a26b913-96e4-4366-a195-4699950d210f",
"observed-data--5a26b913-3aec-4155-ae75-4cb6950d210f",
"network-traffic--5a26b913-3aec-4155-ae75-4cb6950d210f",
"ipv4-addr--5a26b913-3aec-4155-ae75-4cb6950d210f",
"indicator--5a26b914-d9a0-4056-bb9a-4d7c950d210f",
"indicator--5a26b915-b5a4-486b-99fa-49c6950d210f",
"observed-data--5a26b915-9680-4889-9755-41a3950d210f",
"network-traffic--5a26b915-9680-4889-9755-41a3950d210f",
"ipv4-addr--5a26b915-9680-4889-9755-41a3950d210f",
"indicator--5a26b915-adb0-40c4-8a3f-4d90950d210f",
"indicator--5a26b915-4f90-4288-997d-46a7950d210f",
"observed-data--5a26b915-2bac-4d10-aa7c-4c05950d210f",
"network-traffic--5a26b915-2bac-4d10-aa7c-4c05950d210f",
"ipv4-addr--5a26b915-2bac-4d10-aa7c-4c05950d210f",
"indicator--5a26b916-5040-4ea8-8df8-4b09950d210f",
"indicator--5a26b916-d638-4d8b-9c2e-c53a950d210f",
"observed-data--5a26b916-c440-458b-b20a-4594950d210f",
"network-traffic--5a26b916-c440-458b-b20a-4594950d210f",
"ipv4-addr--5a26b916-c440-458b-b20a-4594950d210f",
"indicator--5a26b916-a12c-4778-8f24-4368950d210f",
"indicator--5a26b917-2868-4050-9e9a-4969950d210f",
"observed-data--5a26b917-fe94-4156-8ec9-4984950d210f",
"network-traffic--5a26b917-fe94-4156-8ec9-4984950d210f",
"ipv4-addr--5a26b917-fe94-4156-8ec9-4984950d210f",
"indicator--5a26b918-9010-44f5-95b5-4320950d210f",
"indicator--5a26b918-93c0-48c3-a334-49db950d210f",
"observed-data--5a26b918-4224-4a53-aba2-45c8950d210f",
"network-traffic--5a26b918-4224-4a53-aba2-45c8950d210f",
"ipv4-addr--5a26b918-4224-4a53-aba2-45c8950d210f",
"indicator--5a26b918-79bc-414c-9849-4be4950d210f",
"indicator--5a26b918-6394-4304-97b1-41fe950d210f",
"observed-data--5a26b919-e41c-4571-8a6f-4d26950d210f",
"network-traffic--5a26b919-e41c-4571-8a6f-4d26950d210f",
"ipv4-addr--5a26b919-e41c-4571-8a6f-4d26950d210f",
"indicator--5a26b919-bf74-40e1-93a9-4a4b950d210f",
"indicator--5a26b919-5e30-4dba-b258-4bf6950d210f",
"observed-data--5a26b919-5870-49ba-b32b-44d0950d210f",
"network-traffic--5a26b919-5870-49ba-b32b-44d0950d210f",
"ipv4-addr--5a26b919-5870-49ba-b32b-44d0950d210f",
"indicator--5a27bf7d-f440-42a7-bad7-553702de0b81",
"indicator--5a27bf7d-bdfc-400d-a524-553702de0b81",
"observed-data--5a27bf7d-6474-47d7-84b8-553702de0b81",
"url--5a27bf7d-6474-47d7-84b8-553702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Fake Globe Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b912-ec3c-4497-a03d-4bfa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:23.000Z",
"modified": "2017-12-06T09:59:23.000Z",
"pattern": "[file:hashes.MD5 = '5da21af74810e3655bcbbe40660f21b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b913-90cc-4e93-b967-46b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:23.000Z",
"modified": "2017-12-06T09:59:23.000Z",
"pattern": "[domain-name:value = 'g10pr0123456.mycompany.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b913-96e4-4366-a195-4699950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:23.000Z",
"modified": "2017-12-06T09:59:23.000Z",
"pattern": "[domain-name:value = 'mycompany.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a26b913-3aec-4155-ae75-4cb6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:23.000Z",
"modified": "2017-12-06T09:59:23.000Z",
"first_observed": "2017-12-06T09:59:23Z",
"last_observed": "2017-12-06T09:59:23Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5a26b913-3aec-4155-ae75-4cb6950d210f",
"ipv4-addr--5a26b913-3aec-4155-ae75-4cb6950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5a26b913-3aec-4155-ae75-4cb6950d210f",
"dst_ref": "ipv4-addr--5a26b913-3aec-4155-ae75-4cb6950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5a26b913-3aec-4155-ae75-4cb6950d210f",
"value": "52.5.196.34"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b914-d9a0-4056-bb9a-4d7c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:23.000Z",
"modified": "2017-12-06T09:59:23.000Z",
"pattern": "[url:value = 'http://hofgrund.de/hudgy356']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b915-b5a4-486b-99fa-49c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:23.000Z",
"modified": "2017-12-06T09:59:23.000Z",
"pattern": "[domain-name:value = 'hofgrund.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a26b915-9680-4889-9755-41a3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:23.000Z",
"modified": "2017-12-06T09:59:23.000Z",
"first_observed": "2017-12-06T09:59:23Z",
"last_observed": "2017-12-06T09:59:23Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5a26b915-9680-4889-9755-41a3950d210f",
"ipv4-addr--5a26b915-9680-4889-9755-41a3950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5a26b915-9680-4889-9755-41a3950d210f",
"dst_ref": "ipv4-addr--5a26b915-9680-4889-9755-41a3950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5a26b915-9680-4889-9755-41a3950d210f",
"value": "78.111.75.239"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b915-adb0-40c4-8a3f-4d90950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"pattern": "[url:value = 'http://horoskoperstellung.com/hudgy358']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b915-4f90-4288-997d-46a7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"pattern": "[domain-name:value = 'horoskoperstellung.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a26b915-2bac-4d10-aa7c-4c05950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"first_observed": "2017-12-06T09:59:24Z",
"last_observed": "2017-12-06T09:59:24Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5a26b915-2bac-4d10-aa7c-4c05950d210f",
"ipv4-addr--5a26b915-2bac-4d10-aa7c-4c05950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5a26b915-2bac-4d10-aa7c-4c05950d210f",
"dst_ref": "ipv4-addr--5a26b915-2bac-4d10-aa7c-4c05950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5a26b915-2bac-4d10-aa7c-4c05950d210f",
"value": "213.203.202.31"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b916-5040-4ea8-8df8-4b09950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"pattern": "[url:value = 'http://hosting-jw.de/hudgy356']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b916-d638-4d8b-9c2e-c53a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"pattern": "[domain-name:value = 'hosting-jw.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a26b916-c440-458b-b20a-4594950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"first_observed": "2017-12-06T09:59:24Z",
"last_observed": "2017-12-06T09:59:24Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5a26b916-c440-458b-b20a-4594950d210f",
"ipv4-addr--5a26b916-c440-458b-b20a-4594950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5a26b916-c440-458b-b20a-4594950d210f",
"dst_ref": "ipv4-addr--5a26b916-c440-458b-b20a-4594950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5a26b916-c440-458b-b20a-4594950d210f",
"value": "85.214.130.145"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b916-a12c-4778-8f24-4368950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"pattern": "[url:value = 'http://primeassociatesinc.com/hudgy356']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b917-2868-4050-9e9a-4969950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"pattern": "[domain-name:value = 'primeassociatesinc.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a26b917-fe94-4156-8ec9-4984950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"first_observed": "2017-12-06T09:59:24Z",
"last_observed": "2017-12-06T09:59:24Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5a26b917-fe94-4156-8ec9-4984950d210f",
"ipv4-addr--5a26b917-fe94-4156-8ec9-4984950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5a26b917-fe94-4156-8ec9-4984950d210f",
"dst_ref": "ipv4-addr--5a26b917-fe94-4156-8ec9-4984950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5a26b917-fe94-4156-8ec9-4984950d210f",
"value": "209.54.51.32"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b918-9010-44f5-95b5-4320950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:24.000Z",
"modified": "2017-12-06T09:59:24.000Z",
"pattern": "[url:value = 'http://rorymartin8.info/hudgy356']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b918-93c0-48c3-a334-49db950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"pattern": "[domain-name:value = 'rorymartin8.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a26b918-4224-4a53-aba2-45c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"first_observed": "2017-12-06T09:59:25Z",
"last_observed": "2017-12-06T09:59:25Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5a26b918-4224-4a53-aba2-45c8950d210f",
"ipv4-addr--5a26b918-4224-4a53-aba2-45c8950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5a26b918-4224-4a53-aba2-45c8950d210f",
"dst_ref": "ipv4-addr--5a26b918-4224-4a53-aba2-45c8950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5a26b918-4224-4a53-aba2-45c8950d210f",
"value": "192.185.193.214"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b918-79bc-414c-9849-4be4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"pattern": "[url:value = 'https://ugf57wl6uexcj7fu.onion.link/shfgealjh.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b918-6394-4304-97b1-41fe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"pattern": "[domain-name:value = 'ugf57wl6uexcj7fu.onion.link']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a26b919-e41c-4571-8a6f-4d26950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"first_observed": "2017-12-06T09:59:25Z",
"last_observed": "2017-12-06T09:59:25Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5a26b919-e41c-4571-8a6f-4d26950d210f",
"ipv4-addr--5a26b919-e41c-4571-8a6f-4d26950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5a26b919-e41c-4571-8a6f-4d26950d210f",
"dst_ref": "ipv4-addr--5a26b919-e41c-4571-8a6f-4d26950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5a26b919-e41c-4571-8a6f-4d26950d210f",
"value": "103.198.0.2"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b919-bf74-40e1-93a9-4a4b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"pattern": "[url:value = 'http://summi.space/count.php?nu=105&fb=110']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a26b919-5e30-4dba-b258-4bf6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"pattern": "[domain-name:value = 'summi.space']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a26b919-5870-49ba-b32b-44d0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"first_observed": "2017-12-06T09:59:25Z",
"last_observed": "2017-12-06T09:59:25Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5a26b919-5870-49ba-b32b-44d0950d210f",
"ipv4-addr--5a26b919-5870-49ba-b32b-44d0950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5a26b919-5870-49ba-b32b-44d0950d210f",
"dst_ref": "ipv4-addr--5a26b919-5870-49ba-b32b-44d0950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5a26b919-5870-49ba-b32b-44d0950d210f",
"value": "198.23.241.227"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a27bf7d-f440-42a7-bad7-553702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"description": "- Xchecked via VT: 5da21af74810e3655bcbbe40660f21b8",
"pattern": "[file:hashes.SHA256 = 'c0ce6c2f03e3174d347eb2136a230883a725fcd5179221f61435ea709a2ba81f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a27bf7d-bdfc-400d-a524-553702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"description": "- Xchecked via VT: 5da21af74810e3655bcbbe40660f21b8",
"pattern": "[file:hashes.SHA1 = '60d60dff0d3af3b564e43bc87ef5a63ff6146da7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-06T09:59:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a27bf7d-6474-47d7-84b8-553702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-06T09:59:25.000Z",
"modified": "2017-12-06T09:59:25.000Z",
"first_observed": "2017-12-06T09:59:25Z",
"last_observed": "2017-12-06T09:59:25Z",
"number_observed": 1,
"object_refs": [
"url--5a27bf7d-6474-47d7-84b8-553702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a27bf7d-6474-47d7-84b8-553702de0b81",
"value": "https://www.virustotal.com/file/c0ce6c2f03e3174d347eb2136a230883a725fcd5179221f61435ea709a2ba81f/analysis/1512549209/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}