2023-04-21 13:25:09 +00:00
|
|
|
{
|
2023-06-14 17:31:25 +00:00
|
|
|
"type": "bundle",
|
|
|
|
"id": "bundle--5761398f-31d0-46b0-808f-41de950d210f",
|
|
|
|
"objects": [
|
|
|
|
{
|
|
|
|
"type": "identity",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T14:29:39.000Z",
|
|
|
|
"modified": "2016-06-15T14:29:39.000Z",
|
|
|
|
"name": "CthulhuSPRL.be",
|
|
|
|
"identity_class": "organization"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "report",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "report--5761398f-31d0-46b0-808f-41de950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T14:29:39.000Z",
|
|
|
|
"modified": "2016-06-15T14:29:39.000Z",
|
|
|
|
"name": "OSINT Microsoft Office Zero-Day CVE-2015-2424 Leveraged By Tsar Team report by iSight",
|
|
|
|
"published": "2016-06-15T14:37:12Z",
|
|
|
|
"object_refs": [
|
|
|
|
"observed-data--576139cd-c990-43a1-a4a8-4bf3950d210f",
|
|
|
|
"url--576139cd-c990-43a1-a4a8-4bf3950d210f",
|
|
|
|
"indicator--576139e6-3f30-4918-b364-4153950d210f",
|
|
|
|
"indicator--57613a1d-35ec-44c0-8aec-4b7f950d210f",
|
|
|
|
"indicator--57613a1d-2914-4a97-aa60-44c8950d210f",
|
|
|
|
"indicator--57613a1d-6308-40a1-845c-4a40950d210f",
|
|
|
|
"indicator--57613a1d-13dc-43ee-8402-4e0c950d210f",
|
|
|
|
"x-misp-attribute--57613a36-abb0-413a-abcf-48ea950d210f",
|
|
|
|
"x-misp-attribute--57613a37-0114-48a8-8e8a-4be9950d210f",
|
|
|
|
"x-misp-attribute--57613a37-a08c-4103-874e-403f950d210f",
|
|
|
|
"indicator--57616653-a3f8-4374-9d69-b45602de0b81",
|
|
|
|
"indicator--57616653-8898-4177-ae78-b45602de0b81",
|
|
|
|
"observed-data--57616654-5384-4905-8b97-b45602de0b81",
|
|
|
|
"url--57616654-5384-4905-8b97-b45602de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"Threat-Report",
|
|
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
|
|
"OSINT",
|
|
|
|
"type:OSINT"
|
|
|
|
],
|
|
|
|
"object_marking_refs": [
|
|
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--576139cd-c990-43a1-a4a8-4bf3950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:19:41.000Z",
|
|
|
|
"modified": "2016-06-15T11:19:41.000Z",
|
|
|
|
"first_observed": "2016-06-15T11:19:41Z",
|
|
|
|
"last_observed": "2016-06-15T11:19:41Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--576139cd-c990-43a1-a4a8-4bf3950d210f"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--576139cd-c990-43a1-a4a8-4bf3950d210f",
|
|
|
|
"value": "https://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--576139e6-3f30-4918-b364-4153950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:20:06.000Z",
|
|
|
|
"modified": "2016-06-15T11:20:06.000Z",
|
|
|
|
"pattern": "[file:hashes.MD5 = '112c64f7c07a959a1cbff6621850a4ad']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-06-15T11:20:06Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--57613a1d-35ec-44c0-8aec-4b7f950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:21:01.000Z",
|
|
|
|
"modified": "2016-06-15T11:21:01.000Z",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.172.11.207']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-06-15T11:21:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--57613a1d-2914-4a97-aa60-44c8950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:21:01.000Z",
|
|
|
|
"modified": "2016-06-15T11:21:01.000Z",
|
|
|
|
"pattern": "[domain-name:value = 'wscapi.com']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-06-15T11:21:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"domain\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--57613a1d-6308-40a1-845c-4a40950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:21:01.000Z",
|
|
|
|
"modified": "2016-06-15T11:21:01.000Z",
|
|
|
|
"pattern": "[domain-name:value = 'tabsync.net']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-06-15T11:21:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"domain\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--57613a1d-13dc-43ee-8402-4e0c950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:21:01.000Z",
|
|
|
|
"modified": "2016-06-15T11:21:01.000Z",
|
|
|
|
"pattern": "[domain-name:value = 'storsvc.org']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-06-15T11:21:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"domain\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-attribute",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-attribute--57613a36-abb0-413a-abcf-48ea950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:21:26.000Z",
|
|
|
|
"modified": "2016-06-15T11:21:26.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"threat-actor\"",
|
|
|
|
"misp:category=\"Attribution\""
|
|
|
|
],
|
|
|
|
"x_misp_category": "Attribution",
|
|
|
|
"x_misp_type": "threat-actor",
|
|
|
|
"x_misp_value": "APT28"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-attribute",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-attribute--57613a37-0114-48a8-8e8a-4be9950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:21:27.000Z",
|
|
|
|
"modified": "2016-06-15T11:21:27.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"threat-actor\"",
|
|
|
|
"misp:category=\"Attribution\""
|
|
|
|
],
|
|
|
|
"x_misp_category": "Attribution",
|
|
|
|
"x_misp_type": "threat-actor",
|
|
|
|
"x_misp_value": "Sofacy"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "x-misp-attribute",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "x-misp-attribute--57613a37-a08c-4103-874e-403f950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T11:21:27.000Z",
|
|
|
|
"modified": "2016-06-15T11:21:27.000Z",
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"threat-actor\"",
|
|
|
|
"misp:category=\"Attribution\""
|
|
|
|
],
|
|
|
|
"x_misp_category": "Attribution",
|
|
|
|
"x_misp_type": "threat-actor",
|
|
|
|
"x_misp_value": "Tsar Team"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--57616653-a3f8-4374-9d69-b45602de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T14:29:39.000Z",
|
|
|
|
"modified": "2016-06-15T14:29:39.000Z",
|
|
|
|
"description": "- Xchecked via VT: 112c64f7c07a959a1cbff6621850a4ad",
|
|
|
|
"pattern": "[file:hashes.SHA256 = '9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-06-15T14:29:39Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--57616653-8898-4177-ae78-b45602de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T14:29:39.000Z",
|
|
|
|
"modified": "2016-06-15T14:29:39.000Z",
|
|
|
|
"description": "- Xchecked via VT: 112c64f7c07a959a1cbff6621850a4ad",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'e7f7f6caaede6cc29c2e7e4888019f2d1be37cef']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2016-06-15T14:29:39Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--57616654-5384-4905-8b97-b45602de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
|
|
"created": "2016-06-15T14:29:40.000Z",
|
|
|
|
"modified": "2016-06-15T14:29:40.000Z",
|
|
|
|
"first_observed": "2016-06-15T14:29:40Z",
|
|
|
|
"last_observed": "2016-06-15T14:29:40Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--57616654-5384-4905-8b97-b45602de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--57616654-5384-4905-8b97-b45602de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512/analysis/1464765865/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "marking-definition",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
|
|
"definition_type": "tlp",
|
|
|
|
"name": "TLP:WHITE",
|
|
|
|
"definition": {
|
|
|
|
"tlp": "white"
|
|
|
|
}
|
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
]
|
|
|
|
}
|