2023-04-21 13:25:09 +00:00
|
|
|
{
|
2023-06-14 17:31:25 +00:00
|
|
|
"type": "bundle",
|
|
|
|
"id": "bundle--5894bd56-d458-489f-a692-41d102de0b81",
|
|
|
|
"objects": [
|
|
|
|
{
|
|
|
|
"type": "identity",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T21:06:05.000Z",
|
|
|
|
"modified": "2017-02-03T21:06:05.000Z",
|
|
|
|
"name": "CIRCL",
|
|
|
|
"identity_class": "organization"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "report",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "report--5894bd56-d458-489f-a692-41d102de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T21:06:05.000Z",
|
|
|
|
"modified": "2017-02-03T21:06:05.000Z",
|
|
|
|
"name": "OSINT: Malicious software targeting financial sector internals",
|
|
|
|
"published": "2017-02-03T21:06:16Z",
|
|
|
|
"object_refs": [
|
|
|
|
"indicator--5894be75-7574-4e69-bfae-455202de0b81",
|
|
|
|
"indicator--5894be76-7508-4910-9d02-4dba02de0b81",
|
|
|
|
"indicator--5894be76-4f38-4e7e-ac86-497f02de0b81",
|
|
|
|
"indicator--5894be77-75b0-4734-8249-40a902de0b81",
|
|
|
|
"indicator--5894be78-4ab0-454c-9b6b-450f02de0b81",
|
|
|
|
"indicator--5894be79-6d7c-4bde-bcd3-465202de0b81",
|
|
|
|
"indicator--5894be79-698c-4f80-b7b5-499402de0b81",
|
|
|
|
"indicator--5894be7a-58b4-4e46-a226-480f02de0b81",
|
|
|
|
"indicator--5894be7b-8e00-49c2-aefc-447b02de0b81",
|
|
|
|
"indicator--5894be7c-b780-4516-bbf0-4ed702de0b81",
|
|
|
|
"indicator--5894be7d-b554-4cc4-85d8-499e02de0b81",
|
|
|
|
"indicator--5894be7d-4fb0-4992-b86f-42a502de0b81",
|
|
|
|
"indicator--5894be7e-2770-473e-9555-440f02de0b81",
|
|
|
|
"indicator--5894be7f-4d6c-4b70-816b-409402de0b81",
|
|
|
|
"indicator--5894be7f-62f0-4f96-b04a-482202de0b81",
|
|
|
|
"indicator--5894be80-8628-4324-8b08-488102de0b81",
|
|
|
|
"indicator--5894be81-1b9c-4742-b624-4aa002de0b81",
|
|
|
|
"indicator--5894be81-0220-46ab-b665-4e6c02de0b81",
|
|
|
|
"indicator--5894be82-36dc-43bf-ba0a-4c7902de0b81",
|
|
|
|
"observed-data--5894be83-553c-4da5-9230-445002de0b81",
|
|
|
|
"domain-name--5894be83-553c-4da5-9230-445002de0b81",
|
|
|
|
"observed-data--5894be84-385c-4009-ab47-476802de0b81",
|
|
|
|
"domain-name--5894be84-385c-4009-ab47-476802de0b81",
|
|
|
|
"observed-data--5894be84-c4d0-4b38-85ab-40d802de0b81",
|
|
|
|
"url--5894be84-c4d0-4b38-85ab-40d802de0b81",
|
|
|
|
"observed-data--5894f097-1eb8-4aab-9cbb-41d202de0b81",
|
|
|
|
"url--5894f097-1eb8-4aab-9cbb-41d202de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"Threat-Report",
|
|
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
|
|
"circl:topic=\"finance\"",
|
|
|
|
"Threat Type:RAT"
|
|
|
|
],
|
|
|
|
"object_marking_refs": [
|
|
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be75-7574-4e69-bfae-455202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:33.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:33.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'c1364bbf63b3617b25b58209e4529d8c']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:33Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be76-7508-4910-9d02-4dba02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:34.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:34.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.MD5 = '85d316590edfb4212049c4490db08c4b']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:34Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be76-4f38-4e7e-ac86-497f02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:34.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:34.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.MD5 = '1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:34Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be77-75b0-4734-8249-40a902de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:35.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:35.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '496207db444203a6a9c02a32aff28d563999736c']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:35Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be78-4ab0-454c-9b6b-450f02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:36.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:36.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:36Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be79-6d7c-4bde-bcd3-465202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:37.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:37.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'bedceafa2109139c793cb158cec9fa48f980ff2b']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:37Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be79-698c-4f80-b7b5-499402de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:37.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:37.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'fc8607c155617e09d540c5030eabad9a9512f656f16b38682fd50b2007583e9b']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:37Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be7a-58b4-4e46-a226-480f02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:38.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:38.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'd4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:38Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be7b-8e00-49c2-aefc-447b02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:39.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:39.000Z",
|
|
|
|
"description": "malware hash",
|
|
|
|
"pattern": "[file:hashes.SHA256 = 'cc6a731e9daff84bae4214603e1c3bad8d6735b0cbb2a0ec1635b36e6a38cb3a']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:39Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha256\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be7c-b780-4516-bbf0-4ed702de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:40.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:40.000Z",
|
|
|
|
"description": "C&C",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '125.214.195.17']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:40Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be7d-b554-4cc4-85d8-499e02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:40.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:40.000Z",
|
|
|
|
"description": "C&C",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '196.29.166.218']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:40Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be7d-4fb0-4992-b86f-42a502de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:41.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:41.000Z",
|
|
|
|
"description": "injected URL in compromised website",
|
|
|
|
"pattern": "[url:value = 'http://sap.misapor.ch/vishop/view.jsp?pagenum=1']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:41Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be7e-2770-473e-9555-440f02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:42.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:42.000Z",
|
|
|
|
"pattern": "[domain-name:value = 'sap.misapor.ch']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:42Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be7f-4d6c-4b70-816b-409402de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:43.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:43.000Z",
|
|
|
|
"description": "sap.misapor.ch",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.164.247.169']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be7f-62f0-4f96-b04a-482202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:43.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:43.000Z",
|
|
|
|
"description": "injected URL in compromised website",
|
|
|
|
"pattern": "[url:value = 'https://www.eye-watch.in/design/fancybox/Pnf.action']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be80-8628-4324-8b08-488102de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:44.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:44.000Z",
|
|
|
|
"pattern": "[domain-name:value = 'www.eye-watch.in']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be81-1b9c-4742-b624-4aa002de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:45.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:45.000Z",
|
|
|
|
"description": "www.eye-watch.in",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.225.154.115']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:45Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be81-0220-46ab-b665-4e6c02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:45.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:45.000Z",
|
|
|
|
"description": "www.eye-watch.in",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.235.128.97']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:45Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--5894be82-36dc-43bf-ba0a-4c7902de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:46.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:46.000Z",
|
|
|
|
"description": "compromised website for distribution",
|
|
|
|
"pattern": "[url:value = 'http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-02-03T17:31:46Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5894be83-553c-4da5-9230-445002de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:47.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:47.000Z",
|
|
|
|
"first_observed": "2017-02-03T17:31:47Z",
|
|
|
|
"last_observed": "2017-02-03T17:31:47Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"domain-name--5894be83-553c-4da5-9230-445002de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "domain-name",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "domain-name--5894be83-553c-4da5-9230-445002de0b81",
|
|
|
|
"value": "www.knf.gov.pl"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5894be84-385c-4009-ab47-476802de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T17:31:48.000Z",
|
|
|
|
"modified": "2017-02-03T17:31:48.000Z",
|
|
|
|
"first_observed": "2017-02-03T17:31:48Z",
|
|
|
|
"last_observed": "2017-02-03T17:31:48Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"domain-name--5894be84-385c-4009-ab47-476802de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"hostname\"",
|
|
|
|
"misp:category=\"Network activity\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "domain-name",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "domain-name--5894be84-385c-4009-ab47-476802de0b81",
|
|
|
|
"value": "knf.gov.pl"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5894be84-c4d0-4b38-85ab-40d802de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T21:06:05.000Z",
|
|
|
|
"modified": "2017-02-03T21:06:05.000Z",
|
|
|
|
"first_observed": "2017-02-03T21:06:05Z",
|
|
|
|
"last_observed": "2017-02-03T21:06:05Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5894be84-c4d0-4b38-85ab-40d802de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\"",
|
|
|
|
"osint:source-type=\"blog-post\"",
|
|
|
|
"admiralty-scale:information-credibility=\"3\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5894be84-c4d0-4b38-85ab-40d802de0b81",
|
|
|
|
"value": "https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--5894f097-1eb8-4aab-9cbb-41d202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-02-03T21:05:27.000Z",
|
|
|
|
"modified": "2017-02-03T21:05:27.000Z",
|
|
|
|
"first_observed": "2017-02-03T21:05:27Z",
|
|
|
|
"last_observed": "2017-02-03T21:05:27Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--5894f097-1eb8-4aab-9cbb-41d202de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--5894f097-1eb8-4aab-9cbb-41d202de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2/analysis/1486132198/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "marking-definition",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
|
|
"definition_type": "tlp",
|
|
|
|
"name": "TLP:WHITE",
|
|
|
|
"definition": {
|
|
|
|
"tlp": "white"
|
|
|
|
}
|
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
]
|
|
|
|
}
|