{
"type" : "bundle" ,
"id" : "bundle--5742bb17-ec60-4c81-8b62-45f3950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:46:57.000Z" ,
"modified" : "2017-01-20T14:46:57.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5742bb17-ec60-4c81-8b62-45f3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:46:57.000Z" ,
"modified" : "2017-01-20T14:46:57.000Z" ,
"name" : "OSINT - APT Case RUAG Technical Report" ,
"published" : "2017-01-20T14:47:24Z" ,
"object_refs" : [
"observed-data--5742bb81-3534-4b9c-a940-42fa950d210f" ,
"url--5742bb81-3534-4b9c-a940-42fa950d210f" ,
"x-misp-attribute--5742bba0-8e90-4a3e-962d-4e27950d210f" ,
"observed-data--5742bbbd-2f18-4ea8-92c4-4777950d210f" ,
"url--5742bbbd-2f18-4ea8-92c4-4777950d210f" ,
"observed-data--5742bbca-1790-42af-90bd-4ec7950d210f" ,
"url--5742bbca-1790-42af-90bd-4ec7950d210f" ,
"indicator--5742bc76-47a0-4a68-a818-4737950d210f" ,
"indicator--5742bc76-adac-4c9d-ac76-4c9a950d210f" ,
"indicator--5742bc76-7c5c-4012-95f6-456a950d210f" ,
"indicator--5742bc77-c8b8-449e-b540-4734950d210f" ,
"indicator--5742bc77-ad48-4339-92b4-45e4950d210f" ,
"indicator--5742bc77-7028-4fa9-b356-46ce950d210f" ,
"indicator--5742bc77-3f90-4447-ae07-4911950d210f" ,
"indicator--5742bc77-3b90-46b1-ad9f-44b1950d210f" ,
"indicator--5742bc77-0588-4ef8-a46c-46a7950d210f" ,
"indicator--5742bc78-77ec-410c-beae-4778950d210f" ,
"indicator--5742bc78-de70-45bd-aae0-4e26950d210f" ,
"indicator--5742bc90-ec70-465b-b630-4cbd950d210f" ,
"indicator--5742bcd3-6800-40e1-ab3a-4c4c950d210f" ,
"indicator--5742bcd3-f5e8-43e8-9e01-42b1950d210f" ,
"indicator--5742bcd3-d900-4865-a6a5-486c950d210f" ,
"indicator--5742bcd4-e40c-4c5f-b2bd-43e5950d210f" ,
"indicator--5742bcd4-b030-434b-a341-46fe950d210f" ,
"indicator--5742bcd4-4964-4392-b03b-4bdc950d210f" ,
"indicator--5742bcd4-581c-4f7f-b740-4999950d210f" ,
"indicator--5742bcd4-6970-48a6-b8d2-45a4950d210f" ,
"indicator--5742bcd4-8ee4-482a-9ddf-4820950d210f" ,
"indicator--5742bcd5-4228-463e-9e19-4056950d210f" ,
"indicator--5742bcd5-4630-49a1-870d-4fef950d210f" ,
"indicator--5742bcd5-c8bc-45cc-8fa1-422d950d210f" ,
"indicator--5742bcd5-f354-4497-82bc-4d8d950d210f" ,
"indicator--5742bcd5-c3dc-4d14-83d9-4647950d210f" ,
"indicator--5742bcd5-c2d4-42b1-bd65-4904950d210f" ,
"indicator--5742bd54-dee8-47cf-b5b0-475e950d210f" ,
"indicator--5742bd54-e4f4-43bf-8ab7-4ec3950d210f" ,
"indicator--5742bd54-047c-4252-b202-4869950d210f" ,
"indicator--5742bd55-8e50-4eae-9f84-4176950d210f" ,
"indicator--5742bd55-730c-4587-90ce-48f1950d210f" ,
"indicator--5742bd55-dcbc-4f5c-af11-4236950d210f" ,
"indicator--5742bd55-7360-4e2b-b7b2-4aa7950d210f" ,
"indicator--5742bd55-90f0-41a1-8473-4766950d210f" ,
"indicator--5742bd55-a16c-4a9f-942a-4022950d210f" ,
"indicator--5742bd56-03a8-4eae-960c-4ee3950d210f" ,
"indicator--5742bd56-4080-4cd7-8c76-4081950d210f" ,
"indicator--5742bd56-e538-4abc-98aa-4725950d210f" ,
"observed-data--5742bde3-7c7c-403a-b820-41a6950d210f" ,
"file--5742bde3-7c7c-403a-b820-41a6950d210f" ,
"artifact--5742bde3-7c7c-403a-b820-41a6950d210f" ,
"observed-data--5742be35-4fa8-4aa1-be60-4ca8950d210f" ,
"url--5742be35-4fa8-4aa1-be60-4ca8950d210f" ,
"observed-data--5742be35-1670-4312-bfa9-4bef950d210f" ,
"url--5742be35-1670-4312-bfa9-4bef950d210f" ,
"observed-data--5742be36-cc7c-4a36-9724-4f14950d210f" ,
"url--5742be36-cc7c-4a36-9724-4f14950d210f" ,
"observed-data--5742be36-68d4-4607-846b-4001950d210f" ,
"url--5742be36-68d4-4607-846b-4001950d210f" ,
"observed-data--5742be36-b53c-4f10-ac94-4fe4950d210f" ,
"url--5742be36-b53c-4f10-ac94-4fe4950d210f" ,
"observed-data--5742be36-b648-4598-9182-4693950d210f" ,
"url--5742be36-b648-4598-9182-4693950d210f" ,
"observed-data--5742be36-0d40-4211-8897-4342950d210f" ,
"url--5742be36-0d40-4211-8897-4342950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"admiralty-scale:source-reliability=\"b\"" ,
"misp-galaxy:tool=\"Turla\"" ,
"misp-galaxy:threat-actor=\"Turla Group\"" ,
"osint:source-type=\"technical-report\"" ,
"misp-galaxy:tool=\"Wipbot\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742bb81-3534-4b9c-a940-42fa950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:12:49.000Z" ,
"modified" : "2016-05-23T08:12:49.000Z" ,
"first_observed" : "2016-05-23T08:12:49Z" ,
"last_observed" : "2016-05-23T08:12:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742bb81-3534-4b9c-a940-42fa950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742bb81-3534-4b9c-a940-42fa950d210f" ,
"value" : "https://www.melani.admin.ch/melani/fr/home/documentation/rapports/rapports-techniques/technical-report_apt_case_ruag.html"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5742bba0-8e90-4a3e-962d-4e27950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:13:20.000Z" ,
"modified" : "2016-05-23T08:13:20.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "The following is a short report with the intention to inform the public about Indicators of Compromise\r\n(IOCs) and Modus Operandi of the attacker group that is responsible for the RUAG cyber espionage\r\ncase, which has been made public on Wednesday, May 4th 2016.\r\nOne of the main tasks of MELANI is to support critical infrastructures during security incidents and the coordination\r\nof relevant actors involved. Regarding technical first response and support, GovCERT supported\r\nRUAG with log analysis, forensics, malware reverse engineering and security monitoring. The report below\r\nreflects our experiences during this case."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742bbbd-2f18-4ea8-92c4-4777950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:13:49.000Z" ,
"modified" : "2016-05-23T08:13:49.000Z" ,
"first_observed" : "2016-05-23T08:13:49Z" ,
"last_observed" : "2016-05-23T08:13:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742bbbd-2f18-4ea8-92c4-4777950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742bbbd-2f18-4ea8-92c4-4777950d210f" ,
"value" : "https://www.melani.admin.ch/dam/melani/fr/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742bbca-1790-42af-90bd-4ec7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:14:02.000Z" ,
"modified" : "2016-05-23T08:14:02.000Z" ,
"first_observed" : "2016-05-23T08:14:02Z" ,
"last_observed" : "2016-05-23T08:14:02Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742bbca-1790-42af-90bd-4ec7950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742bbca-1790-42af-90bd-4ec7950d210f" ,
"value" : "https://www.melani.admin.ch/dam/melani/fr/dokumente/2016/technischer_bericht_apt_case_ruag_summary.pdf.download.pdf/TR-ZF-f.pdf"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc76-47a0-4a68-a818-4737950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:54.000Z" ,
"modified" : "2016-05-23T08:16:54.000Z" ,
"description" : "srsvc.dll" ,
"pattern" : "[file:hashes.MD5 = '22481e4055d438176e47f1b1164a6bad']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc76-adac-4c9d-ac76-4c9a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:54.000Z" ,
"modified" : "2016-05-23T08:16:54.000Z" ,
"description" : "srsvc.dll" ,
"pattern" : "[file:hashes.MD5 = '68b2695f59d5fb3a94120e996b8fafea']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc76-7c5c-4012-95f6-456a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:54.000Z" ,
"modified" : "2016-05-23T08:16:54.000Z" ,
"description" : "ximarsh.dll" ,
"pattern" : "[file:hashes.MD5 = '3881a38adb90821366e3d6480e6bc496']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc77-c8b8-449e-b540-4734950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:55.000Z" ,
"modified" : "2016-05-23T08:16:55.000Z" ,
"description" : "msximl.dll" ,
"pattern" : "[file:hashes.MD5 = '1d82c90bcb9863949897e3235b20fb8a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc77-ad48-4339-92b4-45e4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:55.000Z" ,
"modified" : "2016-05-23T08:16:55.000Z" ,
"description" : "msximl.dll" ,
"pattern" : "[file:hashes.MD5 = '1a73e08be91bf6bb0edd43008f8338f3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc77-7028-4fa9-b356-46ce950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:55.000Z" ,
"modified" : "2016-05-23T08:16:55.000Z" ,
"description" : "ximarsh.dll" ,
"pattern" : "[file:hashes.MD5 = '2cfcacd99ab2edcfaf8853a11f5e79d5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc77-3f90-4447-ae07-4911950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:55.000Z" ,
"modified" : "2016-05-23T08:16:55.000Z" ,
"description" : "msximl.dll" ,
"pattern" : "[file:hashes.MD5 = '6b34bf9100c1264faeeb4cb686f7dd41']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc77-3b90-46b1-ad9f-44b1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:55.000Z" ,
"modified" : "2016-05-23T08:16:55.000Z" ,
"description" : "msimghlp.dll" ,
"pattern" : "[file:hashes.MD5 = '9f040c8a4db21bfa329b91ec2c5ff299']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc77-0588-4ef8-a46c-46a7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:55.000Z" ,
"modified" : "2016-05-23T08:16:55.000Z" ,
"description" : "msimghlp.dll" ,
"pattern" : "[file:hashes.MD5 = 'a50d8b078869522f68968b61eeb4e61d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc78-77ec-410c-beae-4778950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:56.000Z" ,
"modified" : "2016-05-23T08:16:56.000Z" ,
"description" : "ximarsh.dll" ,
"pattern" : "[file:hashes.MD5 = 'ba860e20c766400eb4fab7f16b6099f6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc78-de70-45bd-aae0-4e26950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:16:56.000Z" ,
"modified" : "2016-05-23T08:16:56.000Z" ,
"description" : "msssetup.exe" ,
"pattern" : "[file:hashes.MD5 = '2372e90fc7b4d1ab57c40a2eed9dd050']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:16:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bc90-ec70-465b-b630-4cbd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:17:20.000Z" ,
"modified" : "2016-05-23T08:17:20.000Z" ,
"description" : "msimghlp.dll" ,
"pattern" : "[file:hashes.MD5 = 'b849c860dff468cc52ed045aea429afb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:17:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd3-6800-40e1-ab3a-4c4c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:27.000Z" ,
"modified" : "2016-05-23T08:18:27.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'airmax2015.leadingineurope.eu/wp-content/gallery/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd3-f5e8-43e8-9e01-42b1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:27.000Z" ,
"modified" : "2016-05-23T08:18:27.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'bestattung-eckl.at/typo3temp/wizard.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd3-d900-4865-a6a5-486c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:27.000Z" ,
"modified" : "2016-05-23T08:18:27.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'buendnis-depression.at/typo3temp/ajaxify-rss.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd4-e40c-4c5f-b2bd-43e5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:28.000Z" ,
"modified" : "2016-05-23T08:18:28.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'deutschland-feuerwerk.de/fileadmin/dekoservice/rosefeed.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd4-b030-434b-a341-46fe950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:28.000Z" ,
"modified" : "2016-05-23T08:18:28.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'digitallaut.at/typo3temp/viewpage.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd4-4964-4392-b03b-4bdc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:28.000Z" ,
"modified" : "2016-05-23T08:18:28.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'florida4lottery.com/wp-content/languages/index.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd4-581c-4f7f-b740-4999950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:28.000Z" ,
"modified" : "2016-05-23T08:18:28.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'porkandmeadmag.com/wp-content/gallery/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd4-6970-48a6-b8d2-45a4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:28.000Z" ,
"modified" : "2016-05-23T08:18:28.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'salenames.cn/wp-includes/pomo/js/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd4-8ee4-482a-9ddf-4820950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:28.000Z" ,
"modified" : "2016-05-23T08:18:28.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'shdv.de/fileadmin/shdv/Pressemappe/presserss.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd5-4228-463e-9e19-4056950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:29.000Z" ,
"modified" : "2016-05-23T08:18:29.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'smartrip-israel.com/wp-content/gallery/about.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd5-4630-49a1-870d-4fef950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:29.000Z" ,
"modified" : "2016-05-23T08:18:29.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'woo.dev.ideefix.net/wp-content/info/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd5-c8bc-45cc-8fa1-422d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:29.000Z" ,
"modified" : "2016-05-23T08:18:29.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'www.asilocavalsassi.it/media/index.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd5-f354-4497-82bc-4d8d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:29.000Z" ,
"modified" : "2016-05-23T08:18:29.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'www.ljudochbild.se/wp-includes/category/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd5-c3dc-4d14-83d9-4647950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:29.000Z" ,
"modified" : "2016-05-23T08:18:29.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'www.millhavenplace.co.uk/wp-content/gallery/index.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bcd5-c2d4-42b1-bd65-4904950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:18:29.000Z" ,
"modified" : "2016-05-23T08:18:29.000Z" ,
"description" : "URL known to be part of the C&C infrastructure of the attacker. Please note that many of these systems have been hacked and that these domains are perfectly legitimate" ,
"pattern" : "[url:value = 'www.jagdhornschule.ch/typo3temp/rss-feed.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:18:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd54-dee8-47cf-b5b0-475e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:36.000Z" ,
"modified" : "2016-05-23T08:20:36.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.255.93.228']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd54-e4f4-43bf-8ab7-4ec3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:36.000Z" ,
"modified" : "2016-05-23T08:20:36.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.3.105.50']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd54-047c-4252-b202-4869950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:36.000Z" ,
"modified" : "2016-05-23T08:20:36.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.25.120.177']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd55-8e50-4eae-9f84-4176950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:37.000Z" ,
"modified" : "2016-05-23T08:20:37.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.63.103.228']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd55-730c-4587-90ce-48f1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:37.000Z" ,
"modified" : "2016-05-23T08:20:37.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.223.14.100']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd55-dcbc-4f5c-af11-4236950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:37.000Z" ,
"modified" : "2016-05-23T08:20:37.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '155.94.65.2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd55-7360-4e2b-b7b2-4aa7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:37.000Z" ,
"modified" : "2016-05-23T08:20:37.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.26.18.117']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd55-90f0-41a1-8473-4766950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:37.000Z" ,
"modified" : "2016-05-23T08:20:37.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.214.40.111']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd55-a16c-4a9f-942a-4022950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:37.000Z" ,
"modified" : "2016-05-23T08:20:37.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '92.53.126.118']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd56-03a8-4eae-960c-4ee3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:38.000Z" ,
"modified" : "2016-05-23T08:20:38.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.242.60.104']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd56-4080-4cd7-8c76-4081950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:38.000Z" ,
"modified" : "2016-05-23T08:20:38.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.10.138.233']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5742bd56-e538-4abc-98aa-4725950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:20:38.000Z" ,
"modified" : "2016-05-23T08:20:38.000Z" ,
"description" : "g C&C having been used to send tasks and to exfiltrate data. Please note that most of these servers have been hacked by the attacker and the owners are victims of this actor group as well" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.74.145.80']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-05-23T08:20:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742bde3-7c7c-403a-b820-41a6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-05-23T08:22:59.000Z" ,
"modified" : "2016-05-23T08:22:59.000Z" ,
"first_observed" : "2016-05-23T08:22:59Z" ,
"last_observed" : "2016-05-23T08:22:59Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5742bde3-7c7c-403a-b820-41a6950d210f" ,
"artifact--5742bde3-7c7c-403a-b820-41a6950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5742bde3-7c7c-403a-b820-41a6950d210f" ,
"name" : "Report_Ruag-Espionage-Case (1).pdf" ,
"content_ref" : "artifact--5742bde3-7c7c-403a-b820-41a6950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5742bde3-7c7c-403a-b820-41a6950d210f" ,
"payload_bin" : " J V B E R i 0 x L j U K J e T w 7 f g K N C A w I G 9 i a g o 8 P A o v S W 50 Z W 50 L 1 B l c m N l c H R 1 Y W w K L 0 N v b G 9 y U 3 B h Y 2 V b L 0 N h b F J H Q j w 8 C i 9 X a G l 0 Z V B v a W 50 W z A u O T U w N D Y g M S A x L j A 4 O T A 2 X Q o v R 2 F t b W F b M i 4 y I D I u M i A y L j J d C i 9 N Y X R y a X h b M C 40 M T I z O S A w L j I x M j Y 0 I D A u M D E 5 M z M g M C 4 z N T c 1 O C A w L j c x N T E 3 I D A u M T E 5 M T k g M C 4 x O D A 0 O C A w L j A 3 M j E 5 I D A u O T U w N T N d C j 4 + X Q o v V H l w Z S 9 Y T 2 J q Z W N 0 C i 9 T d W J 0 e X B l L 0 l t Y W d l C i 9 X a W R 0 a C A 0 N T k K L 0 h l a W d o d C A x M T U K L 0 J p d H N Q Z X J D b 21 w b 25 l b n Q g O A o v R m l s d G V y L 0 Z s Y X R l R G V j b 2 R l C i 9 M Z W 5 n d G g g N z I 1 O Q o + P g p z d H J l Y W 0 K e N r t X b 1 t J E 2 S H Q 9 o A p U V D 6 B 6 y o E m 0 I E F 6 M F S X + B A 8 d O O J o w B K 4 w J P G A N 4 O k r c D 0 Y Y Q 3 o i + m 38 x C M i M z K q q 5 q d j X f A 9 F o d m V l R v 69 j I z 8 i c O h i 9 f X w 8 v L 4 f H x c H 9 / + P Z t 27 / b 21 + p P D 8 f f v w 4 v L 8 f B E E Q r g w / f / 7 i t 6 e n w 93 d 5 o z a / 7 u 5 O T w 8 / O L b t z d V i y A I O 4 a R m F H Z p 5 N q n 2 y / f 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
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742be35-4fa8-4aa1-be60-4ca8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:21:07.000Z" ,
"modified" : "2017-01-20T14:21:07.000Z" ,
"first_observed" : "2017-01-20T14:21:07Z" ,
"last_observed" : "2017-01-20T14:21:07Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742be35-4fa8-4aa1-be60-4ca8950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742be35-4fa8-4aa1-be60-4ca8950d210f" ,
"value" : "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742be35-1670-4312-bfa9-4bef950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:23:30.000Z" ,
"modified" : "2017-01-20T14:23:30.000Z" ,
"first_observed" : "2017-01-20T14:23:30Z" ,
"last_observed" : "2017-01-20T14:23:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742be35-1670-4312-bfa9-4bef950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742be35-1670-4312-bfa9-4bef950d210f" ,
"value" : "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742be36-cc7c-4a36-9724-4f14950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:23:17.000Z" ,
"modified" : "2017-01-20T14:23:17.000Z" ,
"first_observed" : "2017-01-20T14:23:17Z" ,
"last_observed" : "2017-01-20T14:23:17Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742be36-cc7c-4a36-9724-4f14950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742be36-cc7c-4a36-9724-4f14950d210f" ,
"value" : "https://www.circl.lu/pub/tr-25/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742be36-68d4-4607-846b-4001950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:22:57.000Z" ,
"modified" : "2017-01-20T14:22:57.000Z" ,
"first_observed" : "2017-01-20T14:22:57Z" ,
"last_observed" : "2017-01-20T14:22:57Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742be36-68d4-4607-846b-4001950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742be36-68d4-4607-846b-4001950d210f" ,
"value" : "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbugattack-group.pdf"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742be36-b53c-4f10-ac94-4fe4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:22:45.000Z" ,
"modified" : "2017-01-20T14:22:45.000Z" ,
"first_observed" : "2017-01-20T14:22:45Z" ,
"last_observed" : "2017-01-20T14:22:45Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742be36-b53c-4f10-ac94-4fe4950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742be36-b53c-4f10-ac94-4fe4950d210f" ,
"value" : "http://www.kaspersky.com/about/news/virus/2014/Unraveling-mysteries-of-Turla-cyber-espionagecampaign"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742be36-b648-4598-9182-4693950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:22:34.000Z" ,
"modified" : "2017-01-20T14:22:34.000Z" ,
"first_observed" : "2017-01-20T14:22:34Z" ,
"last_observed" : "2017-01-20T14:22:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742be36-b648-4598-9182-4693950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742be36-b648-4598-9182-4693950d210f" ,
"value" : "http://artemonsecurity.com/uroburos.pdf"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5742be36-0d40-4211-8897-4342950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-01-20T14:21:27.000Z" ,
"modified" : "2017-01-20T14:21:27.000Z" ,
"first_observed" : "2017-01-20T14:21:27Z" ,
"last_observed" : "2017-01-20T14:21:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5742be36-0d40-4211-8897-4342950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5742be36-0d40-4211-8897-4342950d210f" ,
"value" : "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}