345 lines
14 KiB
JSON
345 lines
14 KiB
JSON
|
{
|
||
|
|
"type": "bundle",
|
||
|
|
"id": "bundle--5dc42bcc-a46c-42f4-b473-407e950d210f",
|
||
|
|
"objects": [
|
||
|
|
{
|
||
|
|
"type": "identity",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-08T07:57:27.000Z",
|
||
|
|
"modified": "2019-11-08T07:57:27.000Z",
|
||
|
|
"name": "CIRCL",
|
||
|
|
"identity_class": "organization"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "grouping",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "grouping--5dc42bcc-a46c-42f4-b473-407e950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-08T07:57:27.000Z",
|
||
|
|
"modified": "2019-11-08T07:57:27.000Z",
|
||
|
|
"name": "OSINT - #APT #Bitter",
|
||
|
|
"context": "suspicious-activity",
|
||
|
|
"object_refs": [
|
||
|
|
"indicator--5dc43359-ff10-4414-a40a-4e83950d210f",
|
||
|
|
"indicator--5dc43359-15ec-40e4-9de2-4245950d210f",
|
||
|
|
"indicator--5dc43359-a3ec-4806-85ec-4976950d210f",
|
||
|
|
"indicator--5dc43359-a998-40d0-89bd-42fa950d210f",
|
||
|
|
"vulnerability--5dc4340a-0144-4e8b-a548-44f4950d210f",
|
||
|
|
"x-misp-object--5dc432ca-bb14-48e1-85f1-4ba9950d210f",
|
||
|
|
"vulnerability--5dc433d5-6b28-4a6f-a24d-4417950d210f",
|
||
|
|
"x-misp-object--5dc43482-808c-494b-a2ca-cb10950d210f",
|
||
|
|
"indicator--5dc51fe7-143c-444d-9a5b-ff54950d210f"
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"Threat-Report",
|
||
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
|
"workflow:state=\"incomplete\"",
|
||
|
|
"type:OSINT",
|
||
|
|
"osint:lifetime=\"perpetual\"",
|
||
|
|
"osint:certainty=\"50\""
|
||
|
|
],
|
||
|
|
"object_marking_refs": [
|
||
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5dc43359-ff10-4414-a40a-4e83950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-07T15:08:09.000Z",
|
||
|
|
"modified": "2019-11-07T15:08:09.000Z",
|
||
|
|
"description": "WN",
|
||
|
|
"pattern": "[file:name = 'record.docx']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2019-11-07T15:08:09Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Payload delivery"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"filename\"",
|
||
|
|
"misp:category=\"Payload delivery\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5dc43359-15ec-40e4-9de2-4245950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-07T15:08:09.000Z",
|
||
|
|
"modified": "2019-11-07T15:08:09.000Z",
|
||
|
|
"description": "NC",
|
||
|
|
"pattern": "[url:value = 'http://comglobal.com.pk/wp-content/g']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2019-11-07T15:08:09Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5dc43359-a3ec-4806-85ec-4976950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-07T15:08:09.000Z",
|
||
|
|
"modified": "2019-11-07T15:08:09.000Z",
|
||
|
|
"pattern": "[url:value = 'http://nim.gov.pk/img/g.txt']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2019-11-07T15:08:09Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"url\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5dc43359-a998-40d0-89bd-42fa950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-07T15:08:09.000Z",
|
||
|
|
"modified": "2019-11-07T15:08:09.000Z",
|
||
|
|
"description": "C2",
|
||
|
|
"pattern": "[domain-name:value = 'tvnservereventlog.net']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2019-11-07T15:08:09Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "Network activity"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"domain\"",
|
||
|
|
"misp:category=\"Network activity\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "vulnerability",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "vulnerability--5dc4340a-0144-4e8b-a548-44f4950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-07T15:11:06.000Z",
|
||
|
|
"modified": "2019-11-07T15:11:06.000Z",
|
||
|
|
"name": "CVE-2017-11882",
|
||
|
|
"labels": [
|
||
|
|
"misp:type=\"vulnerability\"",
|
||
|
|
"misp:category=\"External analysis\""
|
||
|
|
],
|
||
|
|
"external_references": [
|
||
|
|
{
|
||
|
|
"source_name": "cve",
|
||
|
|
"external_id": "CVE-2017-11882"
|
||
|
|
}
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "x-misp-object",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "x-misp-object--5dc432ca-bb14-48e1-85f1-4ba9950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-07T15:05:46.000Z",
|
||
|
|
"modified": "2019-11-07T15:05:46.000Z",
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"microblog\"",
|
||
|
|
"misp:meta-category=\"misc\""
|
||
|
|
],
|
||
|
|
"x_misp_attributes": [
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "post",
|
||
|
|
"value": "#APT #Bitter\r\n7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c\r\nWN: E-passport record.docx\r\nNC: http://comglobal[.]com[.]pk/wp-content/g\r\nhttp://nim[.]gov[.]pk/img/g.txt\r\nC2: tvnservereventlog[.]net\r\nAC: TemplateInjection->CVE-2017-11882->EXE",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc432ca-6a3c-43c0-bc72-4e56950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "link",
|
||
|
|
"object_relation": "link",
|
||
|
|
"value": "https://mobile.twitter.com/ccxsaber/status/1192326844529422337",
|
||
|
|
"category": "External analysis",
|
||
|
|
"uuid": "5dc432ca-a900-4186-92bf-44b7950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "type",
|
||
|
|
"value": "Twitter",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc432ca-2b74-46e5-9fcd-4da3950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "hashtag",
|
||
|
|
"value": "#APT",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc432ca-8464-4074-91bb-4834950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "hashtag",
|
||
|
|
"value": "#Bitter",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc432ca-0038-4424-b855-4737950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "username",
|
||
|
|
"value": "ccxsaber",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc432ca-6750-4c32-9c75-41f7950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "state",
|
||
|
|
"value": "Informative",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc432ca-08a4-4cf1-98ff-4d46950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "datetime",
|
||
|
|
"object_relation": "creation-date",
|
||
|
|
"value": "Nov 7, 2019 7:24 AM",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc432ca-0200-43ce-b9bd-470f950d210f"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"x_misp_meta_category": "misc",
|
||
|
|
"x_misp_name": "microblog"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "vulnerability",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "vulnerability--5dc433d5-6b28-4a6f-a24d-4417950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-07T15:10:13.000Z",
|
||
|
|
"modified": "2019-11-07T15:10:13.000Z",
|
||
|
|
"name": "CVE-2017-11882",
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"vulnerability\"",
|
||
|
|
"misp:meta-category=\"vulnerability\"",
|
||
|
|
"misp:to_ids=\"False\""
|
||
|
|
],
|
||
|
|
"external_references": [
|
||
|
|
{
|
||
|
|
"source_name": "cve",
|
||
|
|
"external_id": "CVE-2017-11882"
|
||
|
|
}
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "x-misp-object",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "x-misp-object--5dc43482-808c-494b-a2ca-cb10950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-07T15:13:06.000Z",
|
||
|
|
"modified": "2019-11-07T15:13:06.000Z",
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"microblog\"",
|
||
|
|
"misp:meta-category=\"misc\""
|
||
|
|
],
|
||
|
|
"x_misp_attributes": [
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "post",
|
||
|
|
"value": "I guess exe is ArtraDownloader",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc43482-0f30-4961-af0b-cb10950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "link",
|
||
|
|
"object_relation": "link",
|
||
|
|
"value": "https://mobile.twitter.com/kalki_poison/status/1192339289117360128",
|
||
|
|
"category": "External analysis",
|
||
|
|
"uuid": "5dc43482-7630-4772-a9ba-cb10950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "type",
|
||
|
|
"value": "Twitter",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc43482-ba5c-4bf4-8c86-cb10950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "username",
|
||
|
|
"value": "kalki_poison",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc43482-3204-463c-bfdd-cb10950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "text",
|
||
|
|
"object_relation": "state",
|
||
|
|
"value": "Informative",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc43482-817c-4868-a552-cb10950d210f"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "datetime",
|
||
|
|
"object_relation": "creation-date",
|
||
|
|
"value": "Nov 7, 2019 8:13 AM",
|
||
|
|
"category": "Other",
|
||
|
|
"uuid": "5dc43482-a528-4d87-9175-cb10950d210f"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"x_misp_meta_category": "misc",
|
||
|
|
"x_misp_name": "microblog"
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "indicator",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "indicator--5dc51fe7-143c-444d-9a5b-ff54950d210f",
|
||
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
|
"created": "2019-11-08T07:57:27.000Z",
|
||
|
|
"modified": "2019-11-08T07:57:27.000Z",
|
||
|
|
"pattern": "[file:hashes.SHA256 = '7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c']",
|
||
|
|
"pattern_type": "stix",
|
||
|
|
"pattern_version": "2.1",
|
||
|
|
"valid_from": "2019-11-08T07:57:27Z",
|
||
|
|
"kill_chain_phases": [
|
||
|
|
{
|
||
|
|
"kill_chain_name": "misp-category",
|
||
|
|
"phase_name": "file"
|
||
|
|
}
|
||
|
|
],
|
||
|
|
"labels": [
|
||
|
|
"misp:name=\"file\"",
|
||
|
|
"misp:meta-category=\"file\"",
|
||
|
|
"misp:to_ids=\"True\""
|
||
|
|
]
|
||
|
|
},
|
||
|
|
{
|
||
|
|
"type": "marking-definition",
|
||
|
|
"spec_version": "2.1",
|
||
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
|
"definition_type": "tlp",
|
||
|
|
"name": "TLP:WHITE",
|
||
|
|
"definition": {
|
||
|
|
"tlp": "white"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
]
|
||
|
|
}
|