{
"type": "bundle",
"id": "bundle--5b61a496-b034-4321-9406-e0330acd0835",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2020-12-09T14:44:29.000Z",
"modified": "2020-12-09T14:44:29.000Z",
"name": "Synovus Financial",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b61a496-b034-4321-9406-e0330acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2020-12-09T14:44:29.000Z",
"modified": "2020-12-09T14:44:29.000Z",
"name": "Talos Blog: Multiple Cobalt Personality Disorder",
"published": "2020-12-14T06:19:29Z",
"object_refs": [
"observed-data--5b61a4a4-4d74-4c18-8d63-dab70acd0835",
"url--5b61a4a4-4d74-4c18-8d63-dab70acd0835",
"vulnerability--5b61a605-d6e8-46be-9308-dd5f0acd0835",
"vulnerability--5b61a605-0744-4a88-9b28-dd5f0acd0835",
"vulnerability--5b61a605-8784-4f8e-81b5-dd5f0acd0835",
"vulnerability--5b61a605-c430-4b44-92a6-dd5f0acd0835",
"indicator--5b61a657-dbb8-4b87-b7e9-ea300acd0835",
"indicator--5b61a657-11d0-4c0b-887f-ea300acd0835",
"indicator--5b61a657-5344-4e03-ae4f-ea300acd0835",
"indicator--5b61a657-15a8-4917-9b25-ea300acd0835",
"indicator--5b61a657-2f4c-4f41-9651-ea300acd0835",
"indicator--5b61a657-fef8-414a-9fd0-ea300acd0835",
"indicator--5b61a657-e54c-4cc0-b622-ea300acd0835",
"indicator--5b61a657-dcd0-45ba-be79-ea300acd0835",
"indicator--5b61a68c-1848-4dd4-8cf2-dd5f0acd0835",
"indicator--5b61a68c-6d50-4a2e-bdb9-dd5f0acd0835",
"indicator--5b61a68c-1b00-4519-95c7-dd5f0acd0835",
"indicator--5b61a6a4-9704-4934-a3de-ecbf0acd0835",
"indicator--5b61a6a4-f93c-4f07-87e5-ecbf0acd0835",
"indicator--5b61a6a4-383c-4296-9023-ecbf0acd0835",
"indicator--5b61a6a4-beb8-4ddf-a1f3-ecbf0acd0835",
"indicator--5b61a6c0-b97c-42f6-a819-ecc80acd0835",
"indicator--5b61a6c0-17a0-4ea2-be60-ecc80acd0835",
"indicator--5b61a6c0-6384-4fee-a10d-ecc80acd0835",
"indicator--5b61a6c0-4ad8-4e14-b6e1-ecc80acd0835",
"indicator--5b61a6de-37c4-4869-ac92-ea300acd0835",
"indicator--5b61a6de-3770-4d3d-989b-ea300acd0835",
"indicator--5b61a6de-cf40-4492-a692-ea300acd0835",
"indicator--5b61a6f6-cc20-40f6-8ae5-ecc80acd0835",
"indicator--5b61a713-8f40-49b0-9c95-ecc80acd0835",
"indicator--5b61a713-12f0-4607-8076-ecc80acd0835",
"indicator--5b61a796-5f54-42e5-9d58-ed810acd0835",
"indicator--5b61a796-a1d0-4c35-80ac-ed810acd0835",
"indicator--5b61a796-7ed4-4d7b-9602-ed810acd0835",
"indicator--5b61a796-103c-4dfb-b730-ed810acd0835",
"indicator--5b61a7c6-df00-4cf5-b611-dd5f0acd0835",
"indicator--5b61a7c6-ced4-48f5-9ac1-dd5f0acd0835",
"indicator--5b61a7c6-7bfc-4d40-9980-dd5f0acd0835",
"indicator--5b61a7c6-f6dc-4776-8aa3-dd5f0acd0835",
"indicator--5b61a7c6-ebbc-4066-95ff-dd5f0acd0835",
"indicator--5b61a7c6-d0d4-4ff2-b054-dd5f0acd0835",
"indicator--5b61a7c6-cc5c-4d59-8114-dd5f0acd0835",
"indicator--5b61a7c6-505c-4457-9367-dd5f0acd0835",
"indicator--5b61a7c6-f0e0-41a6-b338-dd5f0acd0835",
"indicator--5b61a7c6-bb0c-416f-a065-dd5f0acd0835",
"indicator--5b61a7ec-1368-4a13-ab39-d5860acd0835",
"indicator--5b61a7ec-9aac-4800-8196-d5860acd0835",
"indicator--5b61a7ec-0eec-4a3e-b7eb-d5860acd0835",
"indicator--5b61a7ec-576c-43e6-a597-d5860acd0835",
"indicator--5b61a7ec-eb10-4845-94b0-d5860acd0835",
"indicator--5b61a808-c654-420e-aac4-ea2c0acd0835",
"indicator--5b61a808-74d8-4b61-86f5-ea2c0acd0835",
"indicator--5b61a825-f9fc-4a4e-be81-f0ac0acd0835",
"indicator--5b61a852-73a0-41e3-9a50-f0ac0acd0835",
"x-misp-attribute--5b62fa2c-1be8-453f-be37-536fd5388438",
"observed-data--5b62fa2c-0698-4e7d-9380-76b1d5388438",
"url--5b62fa2c-0698-4e7d-9380-76b1d5388438",
"x-misp-attribute--5b62fa2c-a150-4a9f-8180-711dd5388438",
"x-misp-attribute--5b62fa2c-6c08-4672-8755-711cd5388438",
"x-misp-attribute--5b62fa2c-764c-49f1-9d4c-5371d5388438",
"x-misp-attribute--5b62fa2c-5288-4f56-bff2-5370d5388438",
"x-misp-attribute--5b62fa2d-9724-4c15-bdcb-7a59d5388438",
"x-misp-attribute--5b62fa2d-7b98-4f78-9fa3-7b2cd5388438",
"x-misp-attribute--5b62fa2d-8128-4b3e-b558-6298d5388438",
"x-misp-attribute--5b62fa2d-b974-44e2-a338-536ed5388438"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:threat-actor=\"Cobalt\"",
"misp-galaxy:mitre-enterprise-attack-relationship=\"Cobalt Strike uses PowerShell\"",
"misp-galaxy:exploit-kit=\"ThreadKit\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"CMSTP - T1191\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvr32 - T1117\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell - T1086\"",
"cert-ist:threat_targeted_system=\"Windows\"",
"cert-ist:threat_targeted_sector=\"Finance\"",
"cert-ist:enriched",
"cert-ist:ioc_accuracy=\"high\"",
"cert-ist:threat_level=\"low\"",
"cert-ist:threat_type=\"apt\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b61a4a4-4d74-4c18-8d63-dab70acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-02T12:22:34.000Z",
"modified": "2018-08-02T12:22:34.000Z",
"first_observed": "2018-08-02T12:22:34Z",
"last_observed": "2018-08-02T12:22:34Z",
"number_observed": 1,
"object_refs": [
"url--5b61a4a4-4d74-4c18-8d63-dab70acd0835"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b61a4a4-4d74-4c18-8d63-dab70acd0835",
"value": "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5b61a605-d6e8-46be-9308-dd5f0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:22:29.000Z",
"modified": "2018-08-01T12:22:29.000Z",
"name": "CVE-2017-11882",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2017-11882"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5b61a605-0744-4a88-9b28-dd5f0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:22:29.000Z",
"modified": "2018-08-01T12:22:29.000Z",
"name": "CVE-2017-8570",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2017-8570"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5b61a605-8784-4f8e-81b5-dd5f0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:22:29.000Z",
"modified": "2018-08-01T12:22:29.000Z",
"name": "CVE-2017-0199",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2017-0199"
}
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5b61a605-c430-4b44-92a6-dd5f0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:22:29.000Z",
"modified": "2018-08-01T12:22:29.000Z",
"name": "CVE-2018-8174",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"External analysis\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2018-8174"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a657-dbb8-4b87-b7e9-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:23:51.000Z",
"modified": "2018-08-01T12:23:51.000Z",
"description": "Malicious RTF doc",
"pattern": "[file:hashes.SHA256 = 'af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"RTF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a657-11d0-4c0b-887f-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:23:51.000Z",
"modified": "2018-08-01T12:23:51.000Z",
"description": "Malicious RTF doc",
"pattern": "[file:hashes.SHA256 = 'e4081eb7f47d76c57bbbe36456eaa4108f488ead5022630ad9b383e84129ffa9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"RTF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a657-5344-4e03-ae4f-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:23:51.000Z",
"modified": "2018-08-01T12:23:51.000Z",
"description": "Malicious RTF doc",
"pattern": "[file:hashes.SHA256 = 'bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"RTF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a657-15a8-4917-9b25-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:23:51.000Z",
"modified": "2018-08-01T12:23:51.000Z",
"description": "Malicious RTF doc",
"pattern": "[file:hashes.SHA256 = '7762bfb2c3251aea23fb0553dabb13db730a7e3fc95856d8b7a276000b9be1f5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"RTF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a657-2f4c-4f41-9651-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:23:51.000Z",
"modified": "2018-08-01T12:23:51.000Z",
"description": "Malicious RTF doc",
"pattern": "[file:hashes.SHA256 = 'a1f3388314c4abd7b1d3ad2aeb863c9c40a56bf438c7a2b71cbcff384d7e7ded']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"RTF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a657-fef8-414a-9fd0-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:23:51.000Z",
"modified": "2018-08-01T12:23:51.000Z",
"description": "Malicious RTF doc",
"pattern": "[file:hashes.SHA256 = 'dc448907dd8d46bad0e996e7d23dd35ebe04873bc4bb7a8d26feaa47d09d1eab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"RTF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a657-e54c-4cc0-b622-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:23:51.000Z",
"modified": "2018-08-01T12:23:51.000Z",
"description": "Malicious RTF doc",
"pattern": "[file:hashes.SHA256 = 'cbbf2de2fbd4bce3f9a6c7c2a3efd97c729ec506c654ce89cd187d7051717289']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"RTF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a657-dcd0-45ba-be79-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:23:51.000Z",
"modified": "2018-08-01T12:23:51.000Z",
"description": "Malicious RTF doc",
"pattern": "[file:hashes.SHA256 = '40f97cf37c136209a65d5582963a72352509eb802da7f1f5b4478a0d9e0817e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:23:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"RTF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a68c-1848-4dd4-8cf2-dd5f0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:24:44.000Z",
"modified": "2018-08-01T12:24:44.000Z",
"description": "Malicious Word Doc(x)",
"pattern": "[file:hashes.SHA256 = 'e566db9e491fda7a5d28ffe9019be64b4d9bc75014bbe189a9dcb9d987856558']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:24:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"Word Doc(x)"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a68c-6d50-4a2e-bdb9-dd5f0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:24:44.000Z",
"modified": "2018-08-01T12:24:44.000Z",
"description": "Malicious Word Doc(x)",
"pattern": "[file:hashes.SHA256 = '9ddc22718945ac8e29748999d64594c368e20efefc4917d36fead8a9a8151366']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:24:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"Word Doc(x)"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a68c-1b00-4519-95c7-dd5f0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:24:44.000Z",
"modified": "2018-08-01T12:24:44.000Z",
"description": "Malicious Word Doc(x)",
"pattern": "[file:hashes.SHA256 = '1247e1586a58b3be116d83c62397c9a16ccc8c943967e20d1d504b14a596157c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:24:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"Word Doc(x)"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6a4-9704-4934-a3de-ecbf0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:54.000Z",
"modified": "2018-08-01T12:27:54.000Z",
"description": "DROPPER DLLS",
"pattern": "[file:hashes.SHA256 = 'cc2e9c6d8bce799829351bd25a64c9b332958038365195e054411b136be61a4f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\"",
"DROPPER DLLS"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6a4-f93c-4f07-87e5-ecbf0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:50.000Z",
"modified": "2018-08-01T12:27:50.000Z",
"description": "DROPPER DLLS",
"pattern": "[file:hashes.SHA256 = '0fef1863af0d7da7ddcfd3727f8fa08d66cd2d9ab4d5300dd3c57e908144edb6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\"",
"DROPPER DLLS"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6a4-383c-4296-9023-ecbf0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:12.000Z",
"modified": "2018-08-01T12:27:12.000Z",
"description": "DROPPER DLLS",
"pattern": "[file:hashes.SHA256 = '74af98fb016bf3adb51f49dff0a88c27bf4437e625a0c7557215a618a7b469a1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\"",
"DROPPER DLLS"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6a4-beb8-4ddf-a1f3-ecbf0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:47.000Z",
"modified": "2018-08-01T12:27:47.000Z",
"description": "DROPPER DLLS",
"pattern": "[file:hashes.SHA256 = '844f56b5005946ebc83133b885c89e74bc4985bc3606d3e7a342a6ca9fa1cc0e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\"",
"DROPPER DLLS"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6c0-b97c-42f6-a819-ecc80acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:41.000Z",
"modified": "2018-08-01T12:27:41.000Z",
"description": "SCRIPTLET",
"pattern": "[file:hashes.SHA256 = '283f733d308fe325a0703af9857f59212e436f35fb6063a1b69877613936fc08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\"",
"SCRIPTLET"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6c0-17a0-4ea2-be60-ecc80acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:38.000Z",
"modified": "2018-08-01T12:27:38.000Z",
"description": "SCRIPTLET",
"pattern": "[file:hashes.SHA256 = 'afeabc34e3260f1a1c03988a3eac494cc403a88711c2391ea3381a500e424940']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\"",
"SCRIPTLET"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6c0-6384-4fee-a10d-ecc80acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:35.000Z",
"modified": "2018-08-01T12:27:35.000Z",
"description": "SCRIPTLET",
"pattern": "[file:hashes.SHA256 = '3b73ebb834282ae3ffcaeb3c3384fd4a721d78fff5e7f1d5fd63a9c244d84c48']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\"",
"SCRIPTLET"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6c0-4ad8-4e14-b6e1-ecc80acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:32.000Z",
"modified": "2018-08-01T12:27:32.000Z",
"description": "SCRIPTLET",
"pattern": "[file:hashes.SHA256 = '4afba1aa6b58dc3754fe2ff20c0c23ce6371ba89094827fe83bb994329fa16a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\"",
"SCRIPTLET"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6de-37c4-4869-ac92-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:26:06.000Z",
"modified": "2018-08-01T12:26:06.000Z",
"description": "Malicious PDF",
"pattern": "[file:hashes.SHA256 = '5ac1612535b6981259cfac95efe84c5608cf51e3a49b9c1e00c5d374f90d10b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:26:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"PDF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6de-3770-4d3d-989b-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:26:06.000Z",
"modified": "2018-08-01T12:26:06.000Z",
"description": "Malicious PDF",
"pattern": "[file:hashes.SHA256 = '9d6fd7239e1baac696c001cabedfeb72cf0c26991831819c3124a0a726e8fe23']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:26:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"PDF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6de-cf40-4492-a692-ea300acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:26:06.000Z",
"modified": "2018-08-01T12:26:06.000Z",
"description": "Malicious PDF",
"pattern": "[file:hashes.SHA256 = 'df18e997a2f755159f0753c4e69a45764f746657b782f6d3c878afb8befe2b69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:26:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"PDF"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a6f6-cc20-40f6-8ae5-ecc80acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:27:15.000Z",
"modified": "2018-08-01T12:27:15.000Z",
"description": "Decoy Doc",
"pattern": "[file:hashes.SHA256 = 'f1004c0d6bf312ed8696c364d94bf6e63a907c80348ebf257ceae8ed5340536b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:27:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\"",
"Decoy"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a713-8f40-49b0-9c95-ecc80acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:26:59.000Z",
"modified": "2018-08-01T12:26:59.000Z",
"description": "EXECUTABLE PAYLOADS",
"pattern": "[file:hashes.SHA256 = 'f266070d4fe999eae02319cb42808ec0e0306125beda92f68e0b59b9f5bcac5a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:26:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\"",
"Payload"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a713-12f0-4607-8076-ecc80acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:26:59.000Z",
"modified": "2018-08-01T12:26:59.000Z",
"description": "EXECUTABLE PAYLOADS",
"pattern": "[file:hashes.SHA256 = 'fc004992ad317eb97d977bd7139dbcc4f11c4447a26703d931df33e72fd96db3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:26:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\"",
"Payload"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a796-5f54-42e5-9d58-ed810acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:29:10.000Z",
"modified": "2018-08-01T12:29:10.000Z",
"description": "URLs to pull docs",
"pattern": "[url:value = 'http://95.142.39.109/e1.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-01T12:29:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"Download"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b61a796-a1d0-4c35-80ac-ed810acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-08-01T12:29:10.000Z",
"modified": "2018-08-01T12:29:10.000Z",
"description": "URLs to pull docs",
"pattern": "[url:value = 'https://kaspersky-security.com/Complaint.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Download"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a796-7ed4-4d7b-9602-ed810acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:10.000Z",
|
||
|
"modified": "2018-08-01T12:29:10.000Z",
|
||
|
"description": "URLs to pull docs",
|
||
|
"pattern": "[url:value = 'https://mcafeecloud.us/complaints/67972318.doc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Download"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a796-103c-4dfb-b730-ed810acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:10.000Z",
|
||
|
"modified": "2018-08-01T12:29:10.000Z",
|
||
|
"description": "URLs to pull docs",
|
||
|
"pattern": "[url:value = 'https://s3.sovereigncars.org.uk/inv005189.pdf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Download"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-df00-4cf5-b611-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://nl.web-cdn.kz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-ced4-48f5-9ac1-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://mail.halcyonih.com/m.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-7bfc-4d40-9980-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://mail.halcyonih.com/humans.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-f6dc-4776-8aa3-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://secure.n-document.biz/humans.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-ebbc-4066-95ff-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://xstorage.biz/robots.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-d0d4-4ff2-b054-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://cloud.yourdocument.biz/robots.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-cc5c-4d59-8114-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://cloud-direct.biz/robots.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-505c-4457-9367-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:23:26.000Z",
|
||
|
"modified": "2018-08-02T12:23:26.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[file:name = 'http://documents.total-cloud.biz/version.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-02T12:23:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-f0e0-41a6-b338-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://cloud.pallets32.com/robots.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7c6-bb0c-416f-a065-dd5f0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:29:58.000Z",
|
||
|
"modified": "2018-08-01T12:29:58.000Z",
|
||
|
"description": "STAGE 1 - DROP DLL DROPPER",
|
||
|
"pattern": "[url:value = 'http://document.cdn-one.biz/robots.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:29:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Stage 1",
|
||
|
" Download",
|
||
|
" DLL Dropper"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7ec-1368-4a13-ab39-d5860acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:30:36.000Z",
|
||
|
"modified": "2018-08-01T12:30:36.000Z",
|
||
|
"description": "BACKDOOR C2",
|
||
|
"pattern": "[url:value = 'https://api.outlook.kz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:30:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Backdoor",
|
||
|
" C2"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7ec-9aac-4800-8196-d5860acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:30:36.000Z",
|
||
|
"modified": "2018-08-01T12:30:36.000Z",
|
||
|
"description": "BACKDOOR C2",
|
||
|
"pattern": "[url:value = 'http://api.fujitsu.org.kz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:30:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Backdoor",
|
||
|
" C2"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7ec-0eec-4a3e-b7eb-d5860acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:30:36.000Z",
|
||
|
"modified": "2018-08-01T12:30:36.000Z",
|
||
|
"description": "BACKDOOR C2",
|
||
|
"pattern": "[url:value = 'http://api.asus.org.kz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:30:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Backdoor",
|
||
|
" C2"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7ec-576c-43e6-a597-d5860acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:30:36.000Z",
|
||
|
"modified": "2018-08-01T12:30:36.000Z",
|
||
|
"description": "BACKDOOR C2",
|
||
|
"pattern": "[url:value = 'http://api.toshiba.org.kz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:30:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Backdoor",
|
||
|
" C2"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a7ec-eb10-4845-94b0-d5860acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:30:36.000Z",
|
||
|
"modified": "2018-08-01T12:30:36.000Z",
|
||
|
"description": "BACKDOOR C2",
|
||
|
"pattern": "[url:value = 'http://api.miria.kz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:30:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Backdoor",
|
||
|
" C2"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a808-c654-420e-aac4-ea2c0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:31:04.000Z",
|
||
|
"modified": "2018-08-01T12:31:04.000Z",
|
||
|
"description": "POWERSHELL STAGE",
|
||
|
"pattern": "[url:value = 'http://95.142.39.109/driver']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:31:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Powershell"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a808-74d8-4b61-86f5-ea2c0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:31:04.000Z",
|
||
|
"modified": "2018-08-01T12:31:04.000Z",
|
||
|
"description": "POWERSHELL STAGE",
|
||
|
"pattern": "[url:value = 'http://95.142.39.109/wdriver']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:31:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Powershell"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a825-f9fc-4a4e-be81-f0ac0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:31:33.000Z",
|
||
|
"modified": "2018-08-01T12:31:33.000Z",
|
||
|
"description": "Decoy Doc",
|
||
|
"pattern": "[url:value = 'http://95.142.39.109/document.doc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:31:33Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Download",
|
||
|
" Decoy",
|
||
|
" Doc(x)"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b61a852-73a0-41e3-9a50-f0ac0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-01T12:32:18.000Z",
|
||
|
"modified": "2018-08-01T12:32:18.000Z",
|
||
|
"description": "COBALT STRIKE BEACON STAGE",
|
||
|
"pattern": "[url:value = 'https://95.142.39.109/vFGY']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-08-01T12:32:18Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"Cobalt Strike",
|
||
|
" Cobalt Strike Beacon"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2c-1be8-453f-be37-536fd5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:48.000Z",
|
||
|
"modified": "2018-08-02T12:33:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_comment": "Cert-IST Attack name",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "COBALT"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5b62fa2c-0698-4e7d-9380-76b1d5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:48.000Z",
|
||
|
"modified": "2018-08-02T12:33:48.000Z",
|
||
|
"first_observed": "2018-08-02T12:33:48Z",
|
||
|
"last_observed": "2018-08-02T12:33:48Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5b62fa2c-0698-4e7d-9380-76b1d5388438"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5b62fa2c-0698-4e7d-9380-76b1d5388438",
|
||
|
"value": "https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2016-069"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2c-a150-4a9f-8180-711dd5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:48.000Z",
|
||
|
"modified": "2018-08-02T12:33:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_comment": "Cert-IST Attack Alias",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Buhtrap"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2c-6c08-4672-8755-711cd5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:48.000Z",
|
||
|
"modified": "2018-08-02T12:33:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_comment": "Cert-IST Attack Alias",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Cobalt Gang"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2c-764c-49f1-9d4c-5371d5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:48.000Z",
|
||
|
"modified": "2018-08-02T12:33:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_comment": "Cert-IST Attack Alias",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Cobalt Group"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2c-5288-4f56-bff2-5370d5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:48.000Z",
|
||
|
"modified": "2018-08-02T12:33:48.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_comment": "Cert-IST Description",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "These IOCs originate in a blog post by Cisco Talos regarding several malicious email campaigns attributed to the Cobalt Gang group between May and July 2018. The infection vector consist in .pdf, .rtf, or .doc attachments. Some of the .rtf or .doc files exploit known Microsoft Office vulnerabilities.\r\n\r\nThe kill chain is rather complex, involving vulnerability exploitation, JScript, PowerShell and DLL loading via legitimate Windows tools."
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2d-9724-4c15-bdcb-7a59d5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:49.000Z",
|
||
|
"modified": "2018-08-02T12:33:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_comment": "Cert-IST Malware Name",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "More_eggs"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2d-7b98-4f78-9fa3-7b2cd5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:49.000Z",
|
||
|
"modified": "2018-08-02T12:33:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_comment": "Cert-IST Malware Name",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Cobalt Strike"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2d-8128-4b3e-b558-6298d5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:49.000Z",
|
||
|
"modified": "2018-08-02T12:33:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"datetime\"",
|
||
|
"misp:category=\"Other\""
|
||
|
],
|
||
|
"x_misp_category": "Other",
|
||
|
"x_misp_comment": "Cert-IST First Seen Date",
|
||
|
"x_misp_type": "datetime",
|
||
|
"x_misp_value": "2018-05-14T22:00:00+00:00"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b62fa2d-b974-44e2-a338-536ed5388438",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-08-02T12:33:49.000Z",
|
||
|
"modified": "2018-08-02T12:33:49.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"datetime\"",
|
||
|
"misp:category=\"Other\""
|
||
|
],
|
||
|
"x_misp_category": "Other",
|
||
|
"x_misp_comment": "Cert-IST First Disclosed Date",
|
||
|
"x_misp_type": "datetime",
|
||
|
"x_misp_value": "2018-07-30T22:00:00+00:00"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|