|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--56266091-a774-467e-b0f8-4d9c950d210b",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-12-22T14:35:56.000Z",
|
||
|
"modified": "2015-12-22T14:35:56.000Z",
|
||
|
"name": "CthulhuSPRL.be",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--56266091-a774-467e-b0f8-4d9c950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-12-22T14:35:56.000Z",
|
||
|
"modified": "2015-12-22T14:35:56.000Z",
|
||
|
"name": "OSINT Pay No Attention to the Server Behind the Proxy: Mapping FinFisher\u2019s Continuing Proliferation by Citizen Lab",
|
||
|
"published": "2015-11-05T15:27:50Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--562660e7-4764-4382-ba31-4ea2950d210b",
|
||
|
"url--562660e7-4764-4382-ba31-4ea2950d210b",
|
||
|
"indicator--562662b4-1140-4793-8ef8-431b950d210b",
|
||
|
"indicator--562662b5-a1f8-438d-a4fd-431b950d210b",
|
||
|
"indicator--562662b5-0724-41a2-8447-431b950d210b",
|
||
|
"indicator--562662b5-fa90-4116-bb04-431b950d210b",
|
||
|
"indicator--562662b6-3008-4959-9571-431b950d210b",
|
||
|
"indicator--562662b6-90f0-42a5-908e-431b950d210b",
|
||
|
"indicator--562662b7-f508-454c-ac53-431b950d210b",
|
||
|
"indicator--562662b7-8e44-441d-a45c-431b950d210b",
|
||
|
"indicator--562662b7-8ab0-419f-b71e-431b950d210b",
|
||
|
"indicator--562662b8-02bc-44c5-9d59-431b950d210b",
|
||
|
"indicator--562662b9-6eb0-4a23-a7f0-431b950d210b",
|
||
|
"indicator--562662b9-9790-40cc-8d4a-431b950d210b",
|
||
|
"indicator--562662b9-d808-4e0e-b3c3-431b950d210b",
|
||
|
"indicator--562662ba-f03c-45ee-bb92-431b950d210b",
|
||
|
"indicator--562662ba-0d64-4643-86e5-431b950d210b",
|
||
|
"indicator--562662bb-f058-4639-9a04-431b950d210b",
|
||
|
"indicator--562662bb-33d0-418a-96ff-431b950d210b",
|
||
|
"indicator--562662bb-f3a8-4faa-a1a0-431b950d210b",
|
||
|
"indicator--562662bc-9070-48ef-8156-431b950d210b",
|
||
|
"observed-data--562662bc-62d8-4480-8488-431b950d210b",
|
||
|
"network-traffic--562662bc-62d8-4480-8488-431b950d210b",
|
||
|
"ipv4-addr--562662bc-62d8-4480-8488-431b950d210b",
|
||
|
"indicator--562662bd-e2e4-431e-b611-431b950d210b",
|
||
|
"indicator--562662bd-ad60-47de-9df6-431b950d210b",
|
||
|
"indicator--562662be-cb74-4ef4-9c7f-431b950d210b",
|
||
|
"indicator--562662be-5ea8-4a57-9450-431b950d210b",
|
||
|
"indicator--562662be-5fb4-46df-9c41-431b950d210b",
|
||
|
"indicator--562662bf-7790-4849-87a5-431b950d210b",
|
||
|
"indicator--562662bf-f128-4ef6-8a70-431b950d210b",
|
||
|
"indicator--562662c0-2940-45e7-a806-431b950d210b",
|
||
|
"indicator--562662c0-cd50-42d1-bbbf-431b950d210b",
|
||
|
"indicator--562662c0-f4b4-4802-90a8-431b950d210b",
|
||
|
"indicator--562662c1-bc20-46fa-8c38-431b950d210b",
|
||
|
"indicator--562662c1-83dc-45f0-a91a-431b950d210b",
|
||
|
"indicator--562662c2-7f5c-484d-b8f4-431b950d210b",
|
||
|
"indicator--562662c2-d2e8-41c9-a93d-431b950d210b",
|
||
|
"indicator--5626641f-3868-460a-83b6-431b950d210b",
|
||
|
"indicator--56266420-a3d8-4bab-a13f-431b950d210b",
|
||
|
"indicator--56266420-6e24-4b43-9bbf-431b950d210b",
|
||
|
"indicator--56266421-12a8-40ef-bf88-431b950d210b",
|
||
|
"indicator--56266421-b968-4fed-b0f9-431b950d210b",
|
||
|
"indicator--56266422-e1e0-42c2-ad42-431b950d210b",
|
||
|
"indicator--56266422-e228-410c-9e84-431b950d210b",
|
||
|
"indicator--56266422-d968-4fb6-822a-431b950d210b",
|
||
|
"indicator--56266423-80d4-48bc-a89b-431b950d210b",
|
||
|
"indicator--56266531-f698-405d-b709-432e950d210b",
|
||
|
"indicator--56266532-5628-4c7f-8f0f-432e950d210b",
|
||
|
"observed-data--56266532-a820-4819-bb9d-432e950d210b",
|
||
|
"url--56266532-a820-4819-bb9d-432e950d210b",
|
||
|
"indicator--56266533-3a48-4a84-9b40-432e950d210b",
|
||
|
"indicator--56266533-5320-4fdc-8de7-432e950d210b",
|
||
|
"observed-data--56266533-33d4-48ae-a553-432e950d210b",
|
||
|
"url--56266533-33d4-48ae-a553-432e950d210b",
|
||
|
"indicator--56266534-6460-4878-b7ed-432e950d210b",
|
||
|
"observed-data--56266534-8d84-4c98-8e82-432e950d210b",
|
||
|
"url--56266534-8d84-4c98-8e82-432e950d210b",
|
||
|
"indicator--56266535-3ecc-4379-937d-432e950d210b",
|
||
|
"indicator--56266535-8ddc-4658-b1c3-432e950d210b",
|
||
|
"observed-data--56266535-5a00-4a05-9850-432e950d210b",
|
||
|
"url--56266535-5a00-4a05-9850-432e950d210b",
|
||
|
"indicator--56266536-c094-4474-a143-432e950d210b",
|
||
|
"indicator--56266536-7fe8-42a9-bfe2-432e950d210b",
|
||
|
"observed-data--56266537-23d0-48a2-b897-432e950d210b",
|
||
|
"url--56266537-23d0-48a2-b897-432e950d210b",
|
||
|
"indicator--56266537-f308-400a-acca-432e950d210b",
|
||
|
"indicator--56266537-d774-412f-9835-432e950d210b",
|
||
|
"observed-data--56266538-a9fc-469b-903e-432e950d210b",
|
||
|
"url--56266538-a9fc-469b-903e-432e950d210b",
|
||
|
"indicator--56266538-1904-4744-9993-432e950d210b",
|
||
|
"indicator--56266538-a5d0-484c-9faa-432e950d210b",
|
||
|
"observed-data--56266539-4848-4794-b0dc-432e950d210b",
|
||
|
"url--56266539-4848-4794-b0dc-432e950d210b",
|
||
|
"indicator--56266539-c514-478b-b868-432e950d210b",
|
||
|
"indicator--5626653a-27a0-41f9-9e77-432e950d210b",
|
||
|
"observed-data--5626653a-0084-4b65-a86f-432e950d210b",
|
||
|
"url--5626653a-0084-4b65-a86f-432e950d210b",
|
||
|
"indicator--562665f4-171c-4c6f-b471-432e950d210b",
|
||
|
"indicator--562665f4-6c30-4efd-887c-432e950d210b",
|
||
|
"indicator--562665f5-afec-4d12-94bf-432e950d210b",
|
||
|
"indicator--56266694-656c-4cf8-9c4e-432e950d210b",
|
||
|
"indicator--56266695-8bf4-4ddf-ab03-432e950d210b",
|
||
|
"indicator--56795fcc-8df8-4ac3-9fa1-49d5950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT"
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--562660e7-4764-4382-ba31-4ea2950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:42:31.000Z",
|
||
|
"modified": "2015-10-20T15:42:31.000Z",
|
||
|
"first_observed": "2015-10-20T15:42:31Z",
|
||
|
"last_observed": "2015-10-20T15:42:31Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--562660e7-4764-4382-ba31-4ea2950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--562660e7-4764-4382-ba31-4ea2950d210b",
|
||
|
"value": "https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b4-1140-4793-8ef8-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:12.000Z",
|
||
|
"modified": "2015-10-20T15:50:12.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b5-a1f8-438d-a4fd-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:13.000Z",
|
||
|
"modified": "2015-10-20T15:50:13.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b5-0724-41a2-8447-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:13.000Z",
|
||
|
"modified": "2015-10-20T15:50:13.000Z",
|
||
|
"pattern": "[domain-name:value = 'oogle.wwwhost.biz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b5-fa90-4116-bb04-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:13.000Z",
|
||
|
"modified": "2015-10-20T15:50:13.000Z",
|
||
|
"pattern": "[domain-name:value = 'google.wwwhost.biz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b6-3008-4959-9571-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:14.000Z",
|
||
|
"modified": "2015-10-20T15:50:14.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.74.241.111']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b6-90f0-42a5-908e-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:14.000Z",
|
||
|
"modified": "2015-10-20T15:50:14.000Z",
|
||
|
"pattern": "[domain-name:value = 'info.dynamic-dns.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b7-f508-454c-ac53-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:15.000Z",
|
||
|
"modified": "2015-10-20T15:50:15.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.161.48.59']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:15Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b7-8e44-441d-a45c-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:15.000Z",
|
||
|
"modified": "2015-10-20T15:50:15.000Z",
|
||
|
"pattern": "[domain-name:value = 'update.ciscofreak.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:15Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b7-8ab0-419f-b71e-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:56:39.000Z",
|
||
|
"modified": "2015-10-20T15:56:39.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.220.246.117']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:56:39Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b8-02bc-44c5-9d59-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:51:46.000Z",
|
||
|
"modified": "2015-10-20T15:51:46.000Z",
|
||
|
"pattern": "[domain-name:value = 'uae.kim']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:51:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b9-6eb0-4a23-a7f0-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:17.000Z",
|
||
|
"modified": "2015-10-20T15:50:17.000Z",
|
||
|
"pattern": "[domain-name:value = 'r.ddns.me']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:17Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b9-9790-40cc-8d4a-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:17.000Z",
|
||
|
"modified": "2015-10-20T15:50:17.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.105.125.158']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:17Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662b9-d808-4e0e-b3c3-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:17.000Z",
|
||
|
"modified": "2015-10-20T15:50:17.000Z",
|
||
|
"pattern": "[domain-name:value = 'a.ddns.me']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:17Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662ba-f03c-45ee-bb92-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:18.000Z",
|
||
|
"modified": "2015-10-20T15:50:18.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.229.3.37']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:18Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662ba-0d64-4643-86e5-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:18.000Z",
|
||
|
"modified": "2015-10-20T15:50:18.000Z",
|
||
|
"pattern": "[domain-name:value = 'test.cable-modem.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:18Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662bb-f058-4639-9a04-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:19.000Z",
|
||
|
"modified": "2015-10-20T15:50:19.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '64c1ef8e0923bf44aaa96caeb28a6c11']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:19Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662bb-33d0-418a-96ff-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:19.000Z",
|
||
|
"modified": "2015-10-20T15:50:19.000Z",
|
||
|
"pattern": "[domain-name:value = 'googlecombq6xx.ddns.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:19Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662bb-f3a8-4faa-a1a0-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:19.000Z",
|
||
|
"modified": "2015-10-20T15:50:19.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '131.72.136.28']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:19Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662bc-9070-48ef-8156-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:20.000Z",
|
||
|
"modified": "2015-10-20T15:50:20.000Z",
|
||
|
"pattern": "[domain-name:value = 'tvnew.otzo.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--562662bc-62d8-4480-8488-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-11-05T15:27:44.000Z",
|
||
|
"modified": "2015-11-05T15:27:44.000Z",
|
||
|
"first_observed": "2015-11-05T15:27:44Z",
|
||
|
"last_observed": "2015-11-05T15:27:44Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--562662bc-62d8-4480-8488-431b950d210b",
|
||
|
"ipv4-addr--562662bc-62d8-4480-8488-431b950d210b"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--562662bc-62d8-4480-8488-431b950d210b",
|
||
|
"dst_ref": "ipv4-addr--562662bc-62d8-4480-8488-431b950d210b",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--562662bc-62d8-4480-8488-431b950d210b",
|
||
|
"value": "172.227.95.162"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662bd-e2e4-431e-b611-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:21.000Z",
|
||
|
"modified": "2015-10-20T15:50:21.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '57ab5f60198d311226cdc246598729ea']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662bd-ad60-47de-9df6-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:57:35.000Z",
|
||
|
"modified": "2015-10-20T15:57:35.000Z",
|
||
|
"pattern": "[domain-name:value = 'google.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:57:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662be-cb74-4ef4-9c7f-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:22.000Z",
|
||
|
"modified": "2015-10-20T15:50:22.000Z",
|
||
|
"pattern": "[domain-name:value = 'natco1.no-ip.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662be-5ea8-4a57-9450-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:22.000Z",
|
||
|
"modified": "2015-10-20T15:50:22.000Z",
|
||
|
"pattern": "[domain-name:value = 'natco2.no-ip.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662be-5fb4-46df-9c41-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:22.000Z",
|
||
|
"modified": "2015-10-20T15:50:22.000Z",
|
||
|
"pattern": "[domain-name:value = 'natco3.no-ip.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662bf-7790-4849-87a5-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:23.000Z",
|
||
|
"modified": "2015-10-20T15:50:23.000Z",
|
||
|
"pattern": "[domain-name:value = 'natco4.no-ip.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662bf-f128-4ef6-8a70-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:23.000Z",
|
||
|
"modified": "2015-10-20T15:50:23.000Z",
|
||
|
"pattern": "[domain-name:value = 'natco5.no-ip.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662c0-2940-45e7-a806-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:24.000Z",
|
||
|
"modified": "2015-10-20T15:50:24.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662c0-cd50-42d1-bbbf-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:24.000Z",
|
||
|
"modified": "2015-10-20T15:50:24.000Z",
|
||
|
"pattern": "[url:value = 'http://workingulf.net/dfserv.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662c0-f4b4-4802-90a8-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:24.000Z",
|
||
|
"modified": "2015-10-20T15:50:24.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e2ecf89a49c125e0b4292645a41b5e97c0f7bf15d418faeac0d592205f083119']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:24Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662c1-bc20-46fa-8c38-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:25.000Z",
|
||
|
"modified": "2015-10-20T15:50:25.000Z",
|
||
|
"pattern": "[domain-name:value = 'workingulf.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--562662c1-83dc-45f0-a91a-431b950d210b",
|
||
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
||
|
"created": "2015-10-20T15:50:25.000Z",
|
||
|
"modified": "2015-10-20T15:50:25.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'd759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2015-10-20T15:50:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--562662c2-7f5c-484d-b8f4-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:50:26.000Z",
"modified": "2015-10-20T15:50:26.000Z",
"pattern": "[url:value = 'http://wp.piedslibres.com/wp/wp-includes/js/next.scr']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:50:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--562662c2-d2e8-41c9-a93d-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:50:26.000Z",
"modified": "2015-10-20T15:50:26.000Z",
"pattern": "[file:hashes.SHA256 = '08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:50:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5626641f-3868-460a-83b6-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:15.000Z",
"modified": "2015-10-20T15:56:15.000Z",
"pattern": "[file:hashes.MD5 = 'b53c492168e5b389b0e6a2fc8b4355f5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266420-a3d8-4bab-a13f-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:16.000Z",
"modified": "2015-10-20T15:56:16.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.59.240.98']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266420-6e24-4b43-9bbf-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:16.000Z",
"modified": "2015-10-20T15:56:16.000Z",
"pattern": "[domain-name:value = 'news.redirectme.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266421-12a8-40ef-bf88-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:17.000Z",
"modified": "2015-10-20T15:56:17.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.123.112.5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266421-b968-4fed-b0f9-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:17.000Z",
"modified": "2015-10-20T15:56:17.000Z",
"pattern": "[domain-name:value = 'docs.gmailserver.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266422-e1e0-42c2-ad42-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:18.000Z",
"modified": "2015-10-20T15:56:18.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.123.112.169']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266422-e228-410c-9e84-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:18.000Z",
"modified": "2015-10-20T15:56:18.000Z",
"pattern": "[domain-name:value = 'office.gmailserver.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266422-d968-4fb6-822a-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:18.000Z",
"modified": "2015-10-20T15:56:18.000Z",
"pattern": "[domain-name:value = 'verify-login.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266423-80d4-48bc-a89b-431b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T15:56:19.000Z",
"modified": "2015-10-20T15:56:19.000Z",
"pattern": "[domain-name:value = 'western.gmailserver.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T15:56:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266531-f698-405d-b709-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:49.000Z",
"modified": "2015-10-20T16:00:49.000Z",
"description": "- Xchecked via VT: 08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655",
"pattern": "[file:hashes.SHA1 = '44529ffbfeb5bdfab852795c6d995616522ae63d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266532-5628-4c7f-8f0f-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:50.000Z",
"modified": "2015-10-20T16:00:50.000Z",
"description": "- Xchecked via VT: 08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655",
"pattern": "[file:hashes.MD5 = '6b8f4dcfea0b4e9cbeb19cfad7f11e9e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56266532-a820-4819-bb9d-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:50.000Z",
"modified": "2015-10-20T16:00:50.000Z",
"first_observed": "2015-10-20T16:00:50Z",
"last_observed": "2015-10-20T16:00:50Z",
"number_observed": 1,
"object_refs": [
"url--56266532-a820-4819-bb9d-432e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56266532-a820-4819-bb9d-432e950d210b",
"value": "https://www.virustotal.com/file/08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655/analysis/1444961310/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266533-3a48-4a84-9b40-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:51.000Z",
"modified": "2015-10-20T16:00:51.000Z",
"description": "- Xchecked via VT: d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8",
"pattern": "[file:hashes.SHA1 = '5ef1bf0fbc1e7543e65558bea6090ae2f92ec756']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266533-5320-4fdc-8de7-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:51.000Z",
"modified": "2015-10-20T16:00:51.000Z",
"description": "- Xchecked via VT: d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8",
"pattern": "[file:hashes.MD5 = '111a622b041bf2e9813c831ef46403b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56266533-33d4-48ae-a553-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:51.000Z",
"modified": "2015-10-20T16:00:51.000Z",
"first_observed": "2015-10-20T16:00:51Z",
"last_observed": "2015-10-20T16:00:51Z",
"number_observed": 1,
"object_refs": [
"url--56266533-33d4-48ae-a553-432e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56266533-33d4-48ae-a553-432e950d210b",
"value": "https://www.virustotal.com/file/d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8/analysis/1432824292/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266534-6460-4878-b7ed-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:52.000Z",
"modified": "2015-10-20T16:00:52.000Z",
"description": "- Xchecked via VT: e2ecf89a49c125e0b4292645a41b5e97c0f7bf15d418faeac0d592205f083119",
"pattern": "[file:hashes.SHA1 = '874e41967e8c34b444ccecd365add06ab263165e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56266534-8d84-4c98-8e82-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:52.000Z",
"modified": "2015-10-20T16:00:52.000Z",
"first_observed": "2015-10-20T16:00:52Z",
"last_observed": "2015-10-20T16:00:52Z",
"number_observed": 1,
"object_refs": [
"url--56266534-8d84-4c98-8e82-432e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56266534-8d84-4c98-8e82-432e950d210b",
"value": "https://www.virustotal.com/file/e2ecf89a49c125e0b4292645a41b5e97c0f7bf15d418faeac0d592205f083119/analysis/1444961305/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266535-3ecc-4379-937d-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:53.000Z",
"modified": "2015-10-20T16:00:53.000Z",
"description": "- Xchecked via VT: 22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114",
"pattern": "[file:hashes.SHA1 = '41e9c2e4935a2b39c7b5b066588986a363c58390']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266535-8ddc-4658-b1c3-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:53.000Z",
"modified": "2015-10-20T16:00:53.000Z",
"description": "- Xchecked via VT: 22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114",
"pattern": "[file:hashes.MD5 = '3e766f5cedbc5a669622ced136f53fc9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56266535-5a00-4a05-9850-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:53.000Z",
"modified": "2015-10-20T16:00:53.000Z",
"first_observed": "2015-10-20T16:00:53Z",
"last_observed": "2015-10-20T16:00:53Z",
"number_observed": 1,
"object_refs": [
"url--56266535-5a00-4a05-9850-432e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56266535-5a00-4a05-9850-432e950d210b",
"value": "https://www.virustotal.com/file/22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114/analysis/1432101483/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266536-c094-4474-a143-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:54.000Z",
"modified": "2015-10-20T16:00:54.000Z",
"description": "- Xchecked via VT: 94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389",
"pattern": "[file:hashes.SHA1 = '5e98486f941091eae2fbb89eedc36082fd5d9153']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266536-7fe8-42a9-bfe2-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:54.000Z",
"modified": "2015-10-20T16:00:54.000Z",
"description": "- Xchecked via VT: 94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389",
"pattern": "[file:hashes.MD5 = '4395feba04c6cafba33fa659df1ec5a3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56266537-23d0-48a2-b897-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:55.000Z",
"modified": "2015-10-20T16:00:55.000Z",
"first_observed": "2015-10-20T16:00:55Z",
"last_observed": "2015-10-20T16:00:55Z",
"number_observed": 1,
"object_refs": [
"url--56266537-23d0-48a2-b897-432e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56266537-23d0-48a2-b897-432e950d210b",
"value": "https://www.virustotal.com/file/94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389/analysis/1439466209/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266537-f308-400a-acca-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:55.000Z",
"modified": "2015-10-20T16:00:55.000Z",
"description": "- Xchecked via VT: 1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48",
"pattern": "[file:hashes.SHA1 = 'ce3d62ca9d3ae2cc0e2d64c50745522503200ee0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266537-d774-412f-9835-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:55.000Z",
"modified": "2015-10-20T16:00:55.000Z",
"description": "- Xchecked via VT: 1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48",
"pattern": "[file:hashes.MD5 = '471848024b7f7eb717a9597f54802428']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56266538-a9fc-469b-903e-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:56.000Z",
"modified": "2015-10-20T16:00:56.000Z",
"first_observed": "2015-10-20T16:00:56Z",
"last_observed": "2015-10-20T16:00:56Z",
"number_observed": 1,
"object_refs": [
"url--56266538-a9fc-469b-903e-432e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56266538-a9fc-469b-903e-432e950d210b",
"value": "https://www.virustotal.com/file/1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48/analysis/1427332547/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266538-1904-4744-9993-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:56.000Z",
"modified": "2015-10-20T16:00:56.000Z",
"description": "- Xchecked via VT: 57ab5f60198d311226cdc246598729ea",
"pattern": "[file:hashes.SHA256 = '089a31178bff1a4001016e51b4f59ae90c8847a9d5397a611c6fbeb028fc8d41']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266538-a5d0-484c-9faa-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:56.000Z",
"modified": "2015-10-20T16:00:56.000Z",
"description": "- Xchecked via VT: 57ab5f60198d311226cdc246598729ea",
"pattern": "[file:hashes.SHA1 = '1d1c24ee7dd77f742e59f54626ff68211d24b64a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56266539-4848-4794-b0dc-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:57.000Z",
"modified": "2015-10-20T16:00:57.000Z",
"first_observed": "2015-10-20T16:00:57Z",
"last_observed": "2015-10-20T16:00:57Z",
"number_observed": 1,
"object_refs": [
"url--56266539-4848-4794-b0dc-432e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56266539-4848-4794-b0dc-432e950d210b",
"value": "https://www.virustotal.com/file/089a31178bff1a4001016e51b4f59ae90c8847a9d5397a611c6fbeb028fc8d41/analysis/1444029943/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266539-c514-478b-b868-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:57.000Z",
"modified": "2015-10-20T16:00:57.000Z",
"description": "- Xchecked via VT: 64c1ef8e0923bf44aaa96caeb28a6c11",
"pattern": "[file:hashes.SHA256 = '6001692fde7a070df22a184fa8ecd844ab7b304a79fc7852aac8d81466ec3860']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5626653a-27a0-41f9-9e77-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:58.000Z",
"modified": "2015-10-20T16:00:58.000Z",
"description": "- Xchecked via VT: 64c1ef8e0923bf44aaa96caeb28a6c11",
"pattern": "[file:hashes.SHA1 = '8aad6f55c47e7079977b107918c1e4cd30613379']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:00:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5626653a-0084-4b65-a86f-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:00:58.000Z",
"modified": "2015-10-20T16:00:58.000Z",
"first_observed": "2015-10-20T16:00:58Z",
"last_observed": "2015-10-20T16:00:58Z",
"number_observed": 1,
"object_refs": [
"url--5626653a-0084-4b65-a86f-432e950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5626653a-0084-4b65-a86f-432e950d210b",
"value": "https://www.virustotal.com/file/6001692fde7a070df22a184fa8ecd844ab7b304a79fc7852aac8d81466ec3860/analysis/1422287826/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--562665f4-171c-4c6f-b471-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:04:04.000Z",
"modified": "2015-10-20T16:04:04.000Z",
"pattern": "[domain-name:value = 'pal4u.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:04:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--562665f4-6c30-4efd-887c-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:04:04.000Z",
"modified": "2015-10-20T16:04:04.000Z",
"pattern": "[domain-name:value = 'pal2me.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:04:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--562665f5-afec-4d12-94bf-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:04:05.000Z",
"modified": "2015-10-20T16:04:05.000Z",
"pattern": "[domain-name:value = 'shop8d.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:04:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266694-656c-4cf8-9c4e-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:06:44.000Z",
"modified": "2015-10-20T16:06:44.000Z",
"pattern": "[domain-name:value = 'news-youm7.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:06:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56266695-8bf4-4ddf-ab03-432e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-10-20T16:06:45.000Z",
"modified": "2015-10-20T16:06:45.000Z",
"pattern": "[domain-name:value = 'to70.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-10-20T16:06:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56795fcc-8df8-4ac3-9fa1-49d5950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-12-22T14:35:56.000Z",
"modified": "2015-12-22T14:35:56.000Z",
"pattern": "[url:value = 'https://www.virustotal.com/file/089a31178bff1a4001016e51b4f59ae90c8847a9d5397a611c6fbeb028fc8d41/analysis/1447091115/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-12-22T14:35:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}