{
"type" : "bundle" ,
"id" : "bundle--5b6c44c2-e8cc-4c56-8eb9-4f0a950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T20:23:22.000Z" ,
"modified" : "2018-09-17T20:23:22.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5b6c44c2-e8cc-4c56-8eb9-4f0a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T20:23:22.000Z" ,
"modified" : "2018-09-17T20:23:22.000Z" ,
"name" : "OSINT - Familiar Feeling A Malware Campaign Targeting the Tibetan Diaspora Resurfaces" ,
"published" : "2018-09-17T20:24:35Z" ,
"object_refs" : [
"observed-data--5b6c44d2-6094-4926-a919-48a3950d210f" ,
"url--5b6c44d2-6094-4926-a919-48a3950d210f" ,
"indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f" ,
"indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f" ,
"indicator--5b9f6c0c-f6c8-466a-b35f-d8a3950d210f" ,
"indicator--5b9f6c0d-265c-4879-8048-d8a3950d210f" ,
"indicator--5b9f6c0d-3360-4aae-a319-d8a3950d210f" ,
"indicator--5b9f6c0e-5760-4610-8e19-d8a3950d210f" ,
"indicator--5b9f71f3-d42c-46dc-a8df-d052950d210f" ,
"indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f" ,
"indicator--5b9f71f4-96d4-4c41-843c-d052950d210f" ,
"indicator--5b9f7ca7-2330-438c-a9ba-43f1950d210f" ,
"indicator--5b9f7caa-aa08-47db-af9c-479f950d210f" ,
"indicator--5b9f7cae-9a30-4928-a17a-4f2d950d210f" ,
"x-misp-attribute--5b9fa4dd-15a8-44c8-87a8-489f950d210f" ,
"indicator--5b9fac2a-3ad4-456c-910f-408a950d210f" ,
"indicator--5b9fac2a-60e0-4df7-b188-4000950d210f" ,
"indicator--5b9fac2b-0454-4ae0-abe4-4f2a950d210f" ,
"indicator--5b9fac2c-a7a8-400d-bee5-49fd950d210f" ,
"indicator--5b9fac2d-32b8-451b-ad3d-4c50950d210f" ,
"indicator--5b9fac2d-43a0-4cbd-bdd2-44ee950d210f" ,
"indicator--5b9fac2e-2c38-4491-b0bd-471a950d210f" ,
"indicator--5b9fac2f-ce44-4c61-8f50-427a950d210f" ,
"indicator--5b9fac30-3800-4895-b7da-4795950d210f" ,
"indicator--5b9fac31-4418-4328-9f94-4c82950d210f" ,
"indicator--5b9fac32-3fa8-469e-82b7-4a14950d210f" ,
"indicator--5b9fac33-2688-4056-b9a2-42bd950d210f" ,
"indicator--5b9fac33-b9cc-492f-9271-4c9c950d210f" ,
"indicator--5b9fac34-9494-4180-97f4-494a950d210f" ,
"indicator--5b9f6007-36ec-49cc-b7cc-e30b950d210f" ,
"vulnerability--5b9f6302-18e0-4459-a463-e6f4950d210f" ,
"vulnerability--5b9f6b94-f650-4701-be1d-e6f5950d210f" ,
"x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f" ,
"indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f" ,
"indicator--5b9f7e47-4ddc-4470-987c-459e950d210f" ,
"indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f" ,
"indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f" ,
"indicator--5b9f8086-5f30-4482-891d-475b950d210f" ,
"indicator--5b9f8098-16dc-4483-8b05-d04e950d210f" ,
"indicator--5b9faa1d-28a8-4957-b2ab-4b2b950d210f" ,
"indicator--5b9fb486-9674-4e70-9077-4614950d210f" ,
"indicator--5b9fbb80-f010-4a72-a7ab-4f41950d210f" ,
"indicator--5b9fbb96-36dc-47c1-a0b3-4173950d210f" ,
"indicator--5b9fbbab-e5b8-4120-99fd-40b2950d210f" ,
"indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000" ,
"x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b" ,
"relationship--4f68a896-aedd-4c14-876a-59fa804c5d2e" ,
"relationship--fc33ce38-252a-4271-b402-b26ac94e8894" ,
"relationship--86a23dad-f573-4d86-933d-6bb52dcda9d0" ,
"relationship--25184864-d953-4427-b96d-93a9a06e129b" ,
"relationship--fdc83e7b-6f21-488b-9af8-82f071a0c630" ,
"relationship--0df605c9-1461-44c8-9ee0-a97f7cd0eeb7" ,
"relationship--6ea2b6a9-4f70-4d25-bf4b-1e791f8f58eb" ,
"relationship--1f64a52a-d920-47a2-a353-fd2a3217653a" ,
"relationship--d08a50a1-8ebe-4505-86c1-5f54be4a5765"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"circl:incident-classification=\"malware\"" ,
"osint:source-type=\"blog-post\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell - T1086\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b6c44d2-6094-4926-a919-48a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T12:57:56.000Z" ,
"modified" : "2018-09-17T12:57:56.000Z" ,
"first_observed" : "2018-09-17T12:57:56Z" ,
"last_observed" : "2018-09-17T12:57:56Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b6c44d2-6094-4926-a919-48a3950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b6c44d2-6094-4926-a919-48a3950d210f" ,
"value" : "https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:55:39.000Z" ,
"modified" : "2018-09-17T08:55:39.000Z" ,
"pattern" : "[domain-name:value = 'commail.co']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T08:55:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:55:40.000Z" ,
"modified" : "2018-09-17T08:55:40.000Z" ,
"pattern" : "[domain-name:value = 'tibetnews.info']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T08:55:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f6c0c-f6c8-466a-b35f-d8a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:55:40.000Z" ,
"modified" : "2018-09-17T08:55:40.000Z" ,
"pattern" : "[domain-name:value = 'comemails.email']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T08:55:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f6c0d-265c-4879-8048-d8a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:55:41.000Z" ,
"modified" : "2018-09-17T08:55:41.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T08:55:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f6c0d-3360-4aae-a319-d8a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:55:41.000Z" ,
"modified" : "2018-09-17T08:55:41.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T08:55:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f6c0e-5760-4610-8e19-d8a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:55:42.000Z" ,
"modified" : "2018-09-17T08:55:42.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T08:55:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f71f3-d42c-46dc-a8df-d052950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T09:20:51.000Z" ,
"modified" : "2018-09-17T09:20:51.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T09:20:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T09:20:52.000Z" ,
"modified" : "2018-09-17T09:20:52.000Z" ,
"pattern" : "[domain-name:value = 'tibetnews.today']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T09:20:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f71f4-96d4-4c41-843c-d052950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T09:20:52.000Z" ,
"modified" : "2018-09-17T09:20:52.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.126.86.151']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T09:20:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f7ca7-2330-438c-a9ba-43f1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T10:06:31.000Z" ,
"modified" : "2018-09-17T10:06:31.000Z" ,
"pattern" : "[domain-name:value = 'tibethouse.info']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T10:06:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f7caa-aa08-47db-af9c-479f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T10:06:34.000Z" ,
"modified" : "2018-09-17T10:06:34.000Z" ,
"pattern" : "[domain-name:value = 'daynew.today']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T10:06:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f7cae-9a30-4928-a17a-4f2d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T10:06:38.000Z" ,
"modified" : "2018-09-17T10:06:38.000Z" ,
"pattern" : "[domain-name:value = 'daynews.today']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T10:06:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b9fa4dd-15a8-44c8-87a8-489f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T12:58:25.000Z" ,
"modified" : "2018-09-17T12:58:25.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "In January 2018, a Tibetan activist received a mundane-looking email purporting to be program updates from a human rights NGO. Attached to the message were a PowerPoint presentation and a document. The activist, like many in the Tibetan diaspora, had grown wary of unsolicited emails with attachments, and instead of opening the documents, shared the files with Citizen Lab researchers.\r\n\r\nThe suspicion was warranted: the attachments were malicious. If clicked, the files would run recent exploits to infect Windows computers with custom malware. This email was the start of a malware campaign active between January to March 2018 that targeted Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration. We worked closely with the targeted groups to collect the malicious messages, and also engaged in incident response with a compromised organization. This collaboration enabled us to gain further insights into the tactics, techniques, and procedures used by the operators.\r\n\r\nThe campaign used social engineering to trick targets into opening exploit-laden PowerPoint (CVE-2017-0199) and Microsoft Rich Text Format (RTF) documents (CVE-2017-11882) attached to e-mail messages. The malware includes a PowerShell payload we call DMShell++, a backdoor known as TSSL, and a post-compromise tool we call DSNGInstaller.\r\n\r\nWe call this recent campaign the \u201cResurfaced Campaign\u201d because of connections to a 2016 campaign that targeted Tibetan Parliamentarians (which we refer to as the \u201cParliamentary Campaign\u201d). These connections suggest that the same group may be involved or tools and infrastructure are being shared between multiple groups."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac2a-3ad4-456c-910f-408a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:14.000Z" ,
"modified" : "2018-09-17T13:29:14.000Z" ,
"pattern" : "[url:value = 'commail.co:5453/qqqzqa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac2a-60e0-4df7-b188-4000950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:14.000Z" ,
"modified" : "2018-09-17T13:29:14.000Z" ,
"description" : "On port 6001" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6001']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac2b-0454-4ae0-abe4-4f2a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:15.000Z" ,
"modified" : "2018-09-17T13:29:15.000Z" ,
"description" : "On port 6002" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6002']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:15Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac2c-a7a8-400d-bee5-49fd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:16.000Z" ,
"modified" : "2018-09-17T13:29:16.000Z" ,
"description" : "On port 6003" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6003']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac2d-32b8-451b-ad3d-4c50950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:17.000Z" ,
"modified" : "2018-09-17T13:29:17.000Z" ,
"pattern" : "[url:value = 'tibetnews.info:8026/qqqzqa']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac2d-43a0-4cbd-bdd2-44ee950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:17.000Z" ,
"modified" : "2018-09-17T13:29:17.000Z" ,
"description" : "On port 80" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196' AND network-traffic:dst_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:17Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac2e-2c38-4491-b0bd-471a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:18.000Z" ,
"modified" : "2018-09-17T13:29:18.000Z" ,
"description" : "On port 443" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196' AND network-traffic:dst_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac2f-ce44-4c61-8f50-427a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:19.000Z" ,
"modified" : "2018-09-17T13:29:19.000Z" ,
"description" : "On port 443" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222' AND network-traffic:dst_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac30-3800-4895-b7da-4795950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:20.000Z" ,
"modified" : "2018-09-17T13:29:20.000Z" ,
"description" : "On port 80" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac31-4418-4328-9f94-4c82950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:21.000Z" ,
"modified" : "2018-09-17T13:29:21.000Z" ,
"description" : "On port 443" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac32-3fa8-469e-82b7-4a14950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:22.000Z" ,
"modified" : "2018-09-17T13:29:22.000Z" ,
"description" : "On port 8080" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '8080']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac33-2688-4056-b9a2-42bd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:23.000Z" ,
"modified" : "2018-09-17T13:29:23.000Z" ,
"pattern" : "[url:value = 'comemails.email:1234/hgf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac33-b9cc-492f-9271-4c9c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:23.000Z" ,
"modified" : "2018-09-17T13:29:23.000Z" ,
"description" : "On port 80" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207' AND network-traffic:dst_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fac34-9494-4180-97f4-494a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:29:24.000Z" ,
"modified" : "2018-09-17T13:29:24.000Z" ,
"description" : "On port 443" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207' AND network-traffic:dst_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:29:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst|port\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f6007-36ec-49cc-b7cc-e30b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:04:23.000Z" ,
"modified" : "2018-09-17T08:04:23.000Z" ,
"pattern" : "[file:hashes.MD5 = '11e0f3e1c7d8855ed7f1dcfce4b7702a' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T08:04:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--5b9f6302-18e0-4459-a463-e6f4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:18:33.000Z" ,
"modified" : "2018-09-17T08:18:33.000Z" ,
"name" : "CVE-2017-11882" ,
"description" : "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \"Microsoft Office Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2017-11884." ,
"labels" : [
"misp:name=\"vulnerability\"" ,
"misp:meta-category=\"vulnerability\"" ,
"misp:to_ids=\"False\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2017-11882"
} ,
{
"source_name" : "url" ,
"url" : "http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882"
} ,
{
"source_name" : "url" ,
"url" : "http://www.securityfocus.com/bid/101757"
} ,
{
"source_name" : "url" ,
"url" : "http://www.securitytracker.com/id/1039783"
} ,
{
"source_name" : "url" ,
"url" : "https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html"
} ,
{
"source_name" : "url" ,
"url" : "https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html"
}
] ,
"x_misp_cvss_score" : "9.3" ,
"x_misp_modified" : "2017-12-30T21:29:00" ,
"x_misp_published" : "2017-11-14T22:29:00" ,
"x_misp_state" : "Published" ,
"x_misp_vulnerable_configuration" : [
"Microsoft Office 2007 Service Pack 3" ,
"cpe:2.3:a:microsoft:office:2010:sp2" ,
"Microsoft Office 2013 SP1" ,
"Microsoft Office 2016"
]
} ,
{
"type" : "vulnerability" ,
"spec_version" : "2.1" ,
"id" : "vulnerability--5b9f6b94-f650-4701-be1d-e6f5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T08:53:40.000Z" ,
"modified" : "2018-09-17T08:53:40.000Z" ,
"name" : "CVE-2017-0199" ,
"description" : "Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\"" ,
"labels" : [
"misp:name=\"vulnerability\"" ,
"misp:meta-category=\"vulnerability\"" ,
"misp:to_ids=\"False\""
] ,
"external_references" : [
{
"source_name" : "cve" ,
"external_id" : "CVE-2017-0199"
} ,
{
"source_name" : "url" ,
"url" : "http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.html"
} ,
{
"source_name" : "url" ,
"url" : "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"
} ,
{
"source_name" : "url" ,
"url" : "https://www.exploit-db.com/exploits/41934/"
} ,
{
"source_name" : "url" ,
"url" : "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
} ,
{
"source_name" : "url" ,
"url" : "https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/"
} ,
{
"source_name" : "url" ,
"url" : "http://www.securitytracker.com/id/1038224"
} ,
{
"source_name" : "url" ,
"url" : "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199"
} ,
{
"source_name" : "url" ,
"url" : "http://www.securityfocus.com/bid/97498"
} ,
{
"source_name" : "url" ,
"url" : "https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/"
} ,
{
"source_name" : "url" ,
"url" : "https://www.exploit-db.com/exploits/42995/"
} ,
{
"source_name" : "url" ,
"url" : "https://www.exploit-db.com/exploits/41894/"
}
] ,
"x_misp_cvss_score" : "9.3" ,
"x_misp_modified" : "2018-03-27T21:29:00" ,
"x_misp_published" : "2017-12-04T10:59:00" ,
"x_misp_state" : "Published" ,
"x_misp_vulnerable_configuration" : [
"cpe:2.3:a:microsoft:office:2010:sp2" ,
"Microsoft Office 2007 Service Pack 3" ,
"Microsoft Windows Server 2008 Service Pack 2" ,
"Microsoft Office 2016" ,
"cpe:2.3:o:microsoft:windows_7:-:sp1" ,
"Microsoft Windows Vista Service Pack 2" ,
"Microsoft Windows Server 2008 R2 Service Pack 1" ,
"Microsoft Office 2013 SP1" ,
"Microsoft Windows Server 2012"
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T09:53:59.000Z" ,
"modified" : "2018-09-17T09:53:59.000Z" ,
"labels" : [
"misp:name=\"whois\"" ,
"misp:meta-category=\"network\""
] ,
"x_misp_attributes" : [
{
"type" : "whois-registrant-email" ,
"object_relation" : "registrant-email" ,
"value" : "bqfkdrmnhh0623[@]gmail.com" ,
"category" : "Attribution" ,
"uuid" : "5b9f78e4-e480-487c-a060-e3a7950d210f"
} ,
{
"type" : "whois-registrant-name" ,
"object_relation" : "registrant-name" ,
"value" : "huang ning" ,
"category" : "Attribution" ,
"uuid" : "5b9f78e6-19b8-4185-969d-e3a7950d210f"
} ,
{
"type" : "whois-registrant-phone" ,
"object_relation" : "registrant-phone" ,
"value" : "8677687877" ,
"category" : "Attribution" ,
"uuid" : "5b9f78e9-0aa4-4e65-91e3-e3a7950d210f"
}
] ,
"x_misp_meta_category" : "network" ,
"x_misp_name" : "whois"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T10:12:47.000Z" ,
"modified" : "2018-09-17T10:12:47.000Z" ,
"pattern" : "[domain-name:value = 'google.comemails.email' AND domain-name:resolves_to_refs[*].value = '115.126.86.29']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T10:12:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T10:13:27.000Z" ,
"modified" : "2018-09-17T10:13:27.000Z" ,
"pattern" : "[domain-name:value = 'mail.google.commail.co' AND domain-name:resolves_to_refs[*].value = '115.126.98.78']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T10:13:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T10:14:21.000Z" ,
"modified" : "2018-09-17T10:14:21.000Z" ,
"pattern" : "[domain-name:value = 'google.comemail.email' AND domain-name:resolves_to_refs[*].value = '118.99.59.214']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T10:14:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"domain-ip\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T12:46:24.000Z" ,
"modified" : "2018-09-17T12:46:24.000Z" ,
"pattern" : "[file:hashes.SHA1 = '6a4690f454c91fdc559a223d43f0a77d40b59b2a' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T12:46:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f8086-5f30-4482-891d-475b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T12:33:09.000Z" ,
"modified" : "2018-09-17T12:33:09.000Z" ,
"pattern" : "[file:hashes.SHA1 = 'e55cea25ecc118fd798f84eb5395be0678bdbc51' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T12:33:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9f8098-16dc-4483-8b05-d04e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T12:26:45.000Z" ,
"modified" : "2018-09-17T12:26:45.000Z" ,
"pattern" : "[file:hashes.SHA1 = 'cdd2fd64a4996b7d901d4a899d660cc5ff118e73' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T12:26:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9faa1d-28a8-4957-b2ab-4b2b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T13:20:29.000Z" ,
"modified" : "2018-09-17T13:20:29.000Z" ,
"pattern" : "[email-message:from_ref.value = 'tibetanparliarnent@yahoo.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T13:20:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"email\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fb486-9674-4e70-9077-4614950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T14:04:54.000Z" ,
"modified" : "2018-09-17T14:04:54.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222') AND network-traffic:dst_port = '6001' AND network-traffic:dst_port = '6002' AND network-traffic:dst_port = '6003' AND network-traffic:dst_port = '80' AND network-traffic:dst_port = '8080' AND network-traffic:dst_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T14:04:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fbb80-f010-4a72-a7ab-4f41950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T14:34:40.000Z" ,
"modified" : "2018-09-17T14:34:40.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196') AND network-traffic:dst_port = '443' AND network-traffic:dst_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T14:34:40Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fbb96-36dc-47c1-a0b3-4173950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T14:35:02.000Z" ,
"modified" : "2018-09-17T14:35:02.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222') AND network-traffic:dst_port = '443']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T14:35:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9fbbab-e5b8-4120-99fd-40b2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T14:35:23.000Z" ,
"modified" : "2018-09-17T14:35:23.000Z" ,
"pattern" : "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207') AND network-traffic:dst_port = '443' AND network-traffic:dst_port = '80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T14:35:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "network"
}
] ,
"labels" : [
"misp:name=\"ip-port\"" ,
"misp:meta-category=\"network\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T20:22:39.000Z" ,
"modified" : "2018-09-17T20:22:39.000Z" ,
"pattern" : "[file:hashes.MD5 = '11e0f3e1c7d8855ed7f1dcfce4b7702a' AND file:hashes.SHA1 = '9bb47262664b10b60a853002eace4db083ee10af' AND file:hashes.SHA256 = '1b156c7d2cc651d0a58c8dac1353332614b489e4d21e51ca7a0a929295e6ad40']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-17T20:22:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-17T20:22:45.000Z" ,
"modified" : "2018-09-17T20:22:45.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-08-10T08:33:52" ,
"category" : "Other" ,
"uuid" : "87f7f5c5-40a4-465d-ba91-e82e4595f4e7"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/1b156c7d2cc651d0a58c8dac1353332614b489e4d21e51ca7a0a929295e6ad40/analysis/1533890032/" ,
"category" : "External analysis" ,
"uuid" : "2236a126-0d1a-4f18-b8b4-87d5424a7b7b"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "24/67" ,
"category" : "Other" ,
"uuid" : "4e295ad5-8545-422f-8c7d-683e1a2de6f4"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--4f68a896-aedd-4c14-876a-59fa804c5d2e" ,
"created" : "2018-09-17T09:53:14.000Z" ,
"modified" : "2018-09-17T09:53:14.000Z" ,
"relationship_type" : "uses" ,
"source_ref" : "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f" ,
"target_ref" : "indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--fc33ce38-252a-4271-b402-b26ac94e8894" ,
"created" : "2018-09-17T09:53:39.000Z" ,
"modified" : "2018-09-17T09:53:39.000Z" ,
"relationship_type" : "derived-from" ,
"source_ref" : "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f" ,
"target_ref" : "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--86a23dad-f573-4d86-933d-6bb52dcda9d0" ,
"created" : "2018-09-17T09:53:49.000Z" ,
"modified" : "2018-09-17T09:53:49.000Z" ,
"relationship_type" : "uses" ,
"source_ref" : "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f" ,
"target_ref" : "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--25184864-d953-4427-b96d-93a9a06e129b" ,
"created" : "2018-09-17T09:53:56.000Z" ,
"modified" : "2018-09-17T09:53:56.000Z" ,
"relationship_type" : "uses" ,
"source_ref" : "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f" ,
"target_ref" : "indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--fdc83e7b-6f21-488b-9af8-82f071a0c630" ,
"created" : "2018-09-17T12:46:20.000Z" ,
"modified" : "2018-09-17T12:46:20.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f" ,
"target_ref" : "indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--0df605c9-1461-44c8-9ee0-a97f7cd0eeb7" ,
"created" : "2018-09-17T12:33:06.000Z" ,
"modified" : "2018-09-17T12:33:06.000Z" ,
"relationship_type" : "derived-from" ,
"source_ref" : "indicator--5b9f8086-5f30-4482-891d-475b950d210f" ,
"target_ref" : "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--6ea2b6a9-4f70-4d25-bf4b-1e791f8f58eb" ,
"created" : "2018-09-17T12:32:59.000Z" ,
"modified" : "2018-09-17T12:32:59.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "indicator--5b9f8086-5f30-4482-891d-475b950d210f" ,
"target_ref" : "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--1f64a52a-d920-47a2-a353-fd2a3217653a" ,
"created" : "2018-09-17T12:26:42.000Z" ,
"modified" : "2018-09-17T12:26:42.000Z" ,
"relationship_type" : "related-to" ,
"source_ref" : "indicator--5b9f8098-16dc-4483-8b05-d04e950d210f" ,
"target_ref" : "indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--d08a50a1-8ebe-4505-86c1-5f54be4a5765" ,
"created" : "2018-09-17T20:22:52.000Z" ,
"modified" : "2018-09-17T20:22:52.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000" ,
"target_ref" : "x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}