{
"type": "bundle",
"id": "bundle--5b3e4d3d-0644-43ef-9ebd-30cd0acd0835",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-10T07:45:45.000Z",
"modified": "2018-07-10T07:45:45.000Z",
"name": "Synovus Financial",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b3e4d3d-0644-43ef-9ebd-30cd0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-10T07:45:45.000Z",
"modified": "2018-07-10T07:45:45.000Z",
"name": "Talos Blog - Smoking Guns - Smoke Loader learned new tricks",
"published": "2018-08-23T09:22:05Z",
"object_refs": [
"indicator--5b3e4dd4-decc-41e8-b689-6b620acd0835",
"indicator--5b3e4dd4-35dc-4390-9271-6b620acd0835",
"indicator--5b3e4dd4-e344-4204-a41e-6b620acd0835",
"indicator--5b3e4dd4-7f38-474b-9086-6b620acd0835",
"indicator--5b3e4dd4-d810-45b1-8964-6b620acd0835",
"indicator--5b3e4dd4-59d4-4c9e-ae60-6b620acd0835",
"indicator--5b3e4dd4-a2f8-4063-b8d4-6b620acd0835",
"indicator--5b3e4dd4-6a40-44b0-bad4-6b620acd0835",
"indicator--5b3e4dd4-5f84-4209-b81f-6b620acd0835",
"indicator--5b3e4dd4-729c-477b-bdd6-6b620acd0835",
"indicator--5b3e4dd4-0d64-4ef8-8b6c-6b620acd0835",
"indicator--5b3e4dd4-b574-4ff1-973a-6b620acd0835",
"indicator--5b3e4dd4-bc0c-4f44-9044-6b620acd0835",
"indicator--5b3e4dd4-7de4-4060-8fd3-6b620acd0835",
"indicator--5b3e4dd4-5298-4538-a277-6b620acd0835",
"indicator--5b3e4dd4-cf4c-45c9-8d53-6b620acd0835",
"indicator--5b3e4dd4-1eb0-4dd7-8019-6b620acd0835",
"indicator--5b3e4dd4-7110-4eb7-b035-6b620acd0835",
"indicator--5b3e4dd4-b308-4e81-8e09-6b620acd0835",
"indicator--5b3e4dd4-a870-4278-9e99-6b620acd0835",
"indicator--5b3e4dea-079c-459d-a60c-31250acd0835",
"indicator--5b3e4dea-ee70-453a-8051-31250acd0835",
"indicator--5b3e4dea-fcb4-4148-b392-31250acd0835",
"observed-data--5b3e4e37-8a5c-44a6-9b1a-e7710acd0835",
"mutex--5b3e4e37-8a5c-44a6-9b1a-e7710acd0835",
"indicator--5b3e4fdc-f53c-4242-8bd5-31250acd0835",
"indicator--5b3e4fdc-45cc-4115-baa5-31250acd0835",
"indicator--5b3e4fdc-4b40-450a-8c1a-31250acd0835",
"indicator--5b3e4fdd-76a0-469b-93f4-31250acd0835",
"observed-data--5b3e50a9-979c-4616-9d89-01690acd0835",
"url--5b3e50a9-979c-4616-9d89-01690acd0835"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:tool=\"Smoke Loader\"",
"misp-galaxy:tool=\"Trick Bot\"",
"ms-caro-malware-full:malware-family=\"ShellCode\"",
"trickbot",
" Smoke Loader"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-decc-41e8-b689-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:47.000Z",
"modified": "2018-07-05T17:06:47.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.173.34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-35dc-4390-9271-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.247.155.114']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-e344-4204-a41e-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.173.116']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-7f38-474b-9086-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.173.241']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-d810-45b1-8964-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.109.26.121']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-59d4-4c9e-ae60-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.68.93.27']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-a2f8-4063-b8d4-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.74.151.148']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-6a40-44b0-bad4-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.223.95.66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-5f84-4209-b81f-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.143.221.60']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-729c-477b-bdd6-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.123.216.115']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-0d64-4ef8-8b6c-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.103.82.216']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-b574-4ff1-973a-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:48.000Z",
"modified": "2018-07-05T17:06:48.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.187.13']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-bc0c-4f44-9044-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.242.179.118']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-7de4-4060-8fd3-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.109.26.208']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-5298-4538-a277-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.183.51.54']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-cf4c-45c9-8d53-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:48.000Z",
"modified": "2018-07-05T17:06:48.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.109.24.176']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-1eb0-4dd7-8019-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:48.000Z",
"modified": "2018-07-05T17:06:48.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.109.27.196']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-7110-4eb7-b035-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:48.000Z",
"modified": "2018-07-05T17:06:48.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.174.156']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-b308-4e81-8e09-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:48.000Z",
"modified": "2018-07-05T17:06:48.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.230.112.146']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dd4-a870-4278-9e99-6b620acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:06:49.000Z",
"modified": "2018-07-05T17:06:49.000Z",
"description": "Trickbot IPs",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.174.72']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:06:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"trickbot"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dea-079c-459d-a60c-31250acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:08:32.000Z",
"modified": "2018-07-05T17:08:32.000Z",
"description": "Smoke Loader domains",
"pattern": "[domain-name:value = 'ukcompany.me']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:08:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
" Smoke Loader"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dea-ee70-453a-8051-31250acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:08:32.000Z",
"modified": "2018-07-05T17:08:32.000Z",
"description": "Smoke Loader domains",
"pattern": "[domain-name:value = 'ukcompany.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:08:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
" Smoke Loader"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4dea-fcb4-4148-b392-31250acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:08:33.000Z",
"modified": "2018-07-05T17:08:33.000Z",
"description": "Smoke Loader domains",
"pattern": "[domain-name:value = 'ukcompany.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:08:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
" Smoke Loader"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b3e4e37-8a5c-44a6-9b1a-e7710acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T16:58:31.000Z",
"modified": "2018-07-05T16:58:31.000Z",
"first_observed": "2018-07-05T16:58:31Z",
"last_observed": "2018-07-05T16:58:31Z",
"number_observed": 1,
"object_refs": [
"mutex--5b3e4e37-8a5c-44a6-9b1a-e7710acd0835"
],
"labels": [
"misp:type=\"mutex\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "mutex",
"spec_version": "2.1",
"id": "mutex--5b3e4e37-8a5c-44a6-9b1a-e7710acd0835",
"name": "opera_shared_counter"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4fdc-f53c-4242-8bd5-31250acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:05:32.000Z",
"modified": "2018-07-05T17:05:32.000Z",
"description": "IO08784413.doc",
"pattern": "[file:hashes.SHA256 = 'b98abdbdb85655c64617bb6515df23062ec184fe88d2d6a898b998276a906ebc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:05:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4fdc-45cc-4115-baa5-31250acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:05:32.000Z",
"modified": "2018-07-05T17:05:32.000Z",
"description": "B98abdbdb85655c64617bb6515df23062ec184fe88d2d6a898b998276a906ebc",
"pattern": "[file:name = 'IO08784413.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:05:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4fdc-4b40-450a-8c1a-31250acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:05:32.000Z",
"modified": "2018-07-05T17:05:32.000Z",
"description": "Trickbot",
"pattern": "[file:hashes.SHA256 = '0be63a01e2510d161ba9d11e327a55e82dcb5ea07ca1488096dac3e9d4733d41']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:05:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b3e4fdd-76a0-469b-93f4-31250acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:05:33.000Z",
"modified": "2018-07-05T17:05:33.000Z",
"description": "Smoke Loader",
"pattern": "[file:hashes.SHA256 = 'b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-05T17:05:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b3e50a9-979c-4616-9d89-01690acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-07-05T17:08:57.000Z",
"modified": "2018-07-05T17:08:57.000Z",
"first_observed": "2018-07-05T17:08:57Z",
"last_observed": "2018-07-05T17:08:57Z",
"number_observed": 1,
"object_refs": [
"url--5b3e50a9-979c-4616-9d89-01690acd0835"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b3e50a9-979c-4616-9d89-01690acd0835",
"value": "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}