|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5b0d929e-4c6c-438a-9fe5-78130acd0835",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2021-05-24T09:49:12.000Z",
|
||
|
"modified": "2021-05-24T09:49:12.000Z",
|
||
|
"name": "Synovus Financial",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5b0d929e-4c6c-438a-9fe5-78130acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2021-05-24T09:49:12.000Z",
|
||
|
"modified": "2021-05-24T09:49:12.000Z",
|
||
|
"name": "US-CERT Alert (TA18-149A) HIDDEN COBRA \u2013 Joanap Backdoor Trojan and Brambul Server Message Block Worm",
|
||
|
"published": "2020-12-13T05:55:20Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--5b0d92c8-5410-41e7-9207-85ad0acd0835",
|
||
|
"url--5b0d92c8-5410-41e7-9207-85ad0acd0835",
|
||
|
"indicator--5b0d9337-d95c-4309-a433-80480acd0835",
|
||
|
"indicator--5b0d9337-38e0-49be-9f24-80480acd0835",
|
||
|
"indicator--5b0d9337-75d8-45b1-aa72-80480acd0835",
|
||
|
"observed-data--5b0d9337-0224-4404-99a7-80480acd0835",
|
||
|
"network-traffic--5b0d9337-0224-4404-99a7-80480acd0835",
|
||
|
"ipv4-addr--5b0d9337-0224-4404-99a7-80480acd0835",
|
||
|
"indicator--5b0d9337-4098-4d75-bb67-80480acd0835",
|
||
|
"indicator--5b0d9337-1318-4bcf-a29a-80480acd0835",
|
||
|
"indicator--5b0d9337-c294-4d57-a9ad-80480acd0835",
|
||
|
"indicator--5b0d9337-9be0-42e0-bc42-80480acd0835",
|
||
|
"indicator--5b0d9337-b234-493d-beae-80480acd0835",
|
||
|
"indicator--5b0d9337-9b80-4614-bbdb-80480acd0835",
|
||
|
"indicator--5b0d9337-6d9c-4f62-a240-80480acd0835",
|
||
|
"indicator--5b0d9337-b05c-4be1-a6d1-80480acd0835",
|
||
|
"indicator--5b0d9337-4480-4666-8a00-80480acd0835",
|
||
|
"indicator--5b0d9337-d628-44c1-a705-80480acd0835",
|
||
|
"indicator--5b0d9337-c6fc-4c04-9992-80480acd0835",
|
||
|
"indicator--5b0d9337-e6b0-4cbc-9c37-80480acd0835",
|
||
|
"indicator--5b0d9337-2454-4cda-9c1e-80480acd0835",
|
||
|
"indicator--5b0d9337-08a8-4809-8dd6-80480acd0835",
|
||
|
"indicator--5b0d9337-1290-4b7d-a464-80480acd0835",
|
||
|
"indicator--5b0d9338-ce2c-4585-811a-80480acd0835",
|
||
|
"indicator--5b0d9338-eec4-4b26-b84d-80480acd0835",
|
||
|
"indicator--5b0d9338-00f4-4c6f-b2d2-80480acd0835",
|
||
|
"indicator--5b0d9338-7894-4918-b5bd-80480acd0835",
|
||
|
"indicator--5b0d9338-f3f8-4452-af53-80480acd0835",
|
||
|
"indicator--5b0d9338-73c0-4fc7-8c95-80480acd0835",
|
||
|
"indicator--5b0d9338-1734-4879-9c8b-80480acd0835",
|
||
|
"indicator--5b0d9338-b7d0-4eb6-ae4f-80480acd0835",
|
||
|
"indicator--5b0d9338-8168-4cfe-939f-80480acd0835",
|
||
|
"indicator--5b0d9338-0f4c-4500-962b-80480acd0835",
|
||
|
"indicator--5b0d9338-ba58-4a8e-9377-80480acd0835",
|
||
|
"indicator--5b0d9338-3f40-48cc-8156-80480acd0835",
|
||
|
"indicator--5b0d9338-b590-470d-9c1b-80480acd0835",
|
||
|
"indicator--5b0d9338-38e8-444f-8414-80480acd0835",
|
||
|
"indicator--5b0d9338-b4b0-4871-9912-80480acd0835",
|
||
|
"indicator--5b0d9338-593c-4fef-89b6-80480acd0835",
|
||
|
"indicator--5b0d9338-a1b4-4e3b-a2d6-80480acd0835",
|
||
|
"indicator--5b0d9338-7cf0-424e-838b-80480acd0835",
|
||
|
"indicator--5b0d9338-0df4-4cd1-b2f4-80480acd0835",
|
||
|
"indicator--5b0d9338-07a8-4eb7-85cc-80480acd0835",
|
||
|
"indicator--5b0d9338-d8bc-4753-b44c-80480acd0835",
|
||
|
"indicator--5b0d9338-a81c-4b14-9afc-80480acd0835",
|
||
|
"indicator--5b0d9338-09dc-443f-bff5-80480acd0835",
|
||
|
"indicator--5b0d9338-0158-4c7b-9bf0-80480acd0835",
|
||
|
"indicator--5b0d9338-b928-41ad-ad33-80480acd0835",
|
||
|
"indicator--5b0d9338-2098-4512-a7f7-80480acd0835",
|
||
|
"indicator--5b0d9338-55c8-4b52-b833-80480acd0835",
|
||
|
"indicator--5b0d9338-fc40-41a0-b8e0-80480acd0835",
|
||
|
"indicator--5b0d9338-c924-41ec-8793-80480acd0835",
|
||
|
"indicator--5b0d9338-d2b8-48ba-b0e1-80480acd0835",
|
||
|
"indicator--5b0d9338-b730-4f49-a2f4-80480acd0835",
|
||
|
"indicator--5b0d9338-3aa4-4e7f-a649-80480acd0835",
|
||
|
"indicator--5b0d9338-2108-40b4-bc19-80480acd0835",
|
||
|
"indicator--5b0d9338-9588-473f-a352-80480acd0835",
|
||
|
"indicator--5b0d9338-0254-492f-8138-80480acd0835",
|
||
|
"indicator--5b0d9338-9670-427f-a76e-80480acd0835",
|
||
|
"indicator--5b0d9338-1508-4f12-b934-80480acd0835",
|
||
|
"indicator--5b0d9338-fd8c-49d6-a9a2-80480acd0835",
|
||
|
"indicator--5b0d9338-ea9c-4e4b-b106-80480acd0835",
|
||
|
"indicator--5b0d9338-94a0-4e8f-b5d8-80480acd0835",
|
||
|
"indicator--5b0d9338-fdc4-4801-8ed2-80480acd0835",
|
||
|
"indicator--5b0d9338-fee4-4087-a72e-80480acd0835",
|
||
|
"indicator--5b0d9338-87f4-4e40-92cf-80480acd0835",
|
||
|
"indicator--5b0d9338-c018-4fd0-a5be-80480acd0835",
|
||
|
"indicator--5b0d9338-6e50-46e0-a04f-80480acd0835",
|
||
|
"indicator--5b0d9338-0e48-4e19-84b4-80480acd0835",
|
||
|
"indicator--5b0d9338-bdbc-458d-bb51-80480acd0835",
|
||
|
"indicator--5b0d9338-1dec-4336-80be-80480acd0835",
|
||
|
"indicator--5b0d9338-17a0-4d0e-8907-80480acd0835",
|
||
|
"indicator--5b0d9338-17f0-4978-9b7d-80480acd0835",
|
||
|
"indicator--5b0d9338-9ab8-420d-af11-80480acd0835",
|
||
|
"indicator--5b0d9338-fa3c-45d2-a179-80480acd0835",
|
||
|
"indicator--5b0d9338-528c-4b2a-a4d8-80480acd0835",
|
||
|
"indicator--5b0d9338-584c-41fd-b0f9-80480acd0835",
|
||
|
"indicator--5b0d9338-4088-46ae-a681-80480acd0835",
|
||
|
"indicator--5b0d9338-e874-4c40-9697-80480acd0835",
|
||
|
"indicator--5b0d9338-0674-4bb4-a76e-80480acd0835",
|
||
|
"indicator--5b0d9338-b6c4-4c87-b717-80480acd0835",
|
||
|
"indicator--5b0d9338-daa8-4f9d-ac46-80480acd0835",
|
||
|
"indicator--5b0d9338-98b4-4959-8197-80480acd0835",
|
||
|
"indicator--5b0d9338-6448-487c-aee8-80480acd0835",
|
||
|
"indicator--5b0d9338-d794-4960-a71a-80480acd0835",
|
||
|
"indicator--5b0d9339-3648-4efb-af16-80480acd0835",
|
||
|
"indicator--5b0d9339-a7e8-4495-b4ed-80480acd0835",
|
||
|
"indicator--5b0d9339-0960-4e7b-8ae8-80480acd0835",
|
||
|
"indicator--5b0d9339-aa3c-49a2-b910-80480acd0835",
|
||
|
"indicator--5b0d9339-7c74-49d7-9d6e-80480acd0835",
|
||
|
"indicator--5b0d9339-b9bc-4ce2-afda-80480acd0835",
|
||
|
"indicator--5b0d9339-7688-49a4-b486-80480acd0835",
|
||
|
"observed-data--5b0fec1c-4c58-45a4-aa7a-1e000acd0835",
|
||
|
"file--5b0fec1c-4c58-45a4-aa7a-1e000acd0835",
|
||
|
"artifact--5b0fec1c-4c58-45a4-aa7a-1e000acd0835",
|
||
|
"observed-data--5b0fec1c-4e20-4ada-a185-1e000acd0835",
|
||
|
"file--5b0fec1c-4e20-4ada-a185-1e000acd0835",
|
||
|
"artifact--5b0fec1c-4e20-4ada-a185-1e000acd0835",
|
||
|
"indicator--5b0fe700-85cc-4c01-9c1f-1e220acd0835",
|
||
|
"indicator--5b0fe7f7-ac3c-46e4-8257-20350acd0835",
|
||
|
"indicator--5b0fe901-12a8-4b77-9134-1f380acd0835",
|
||
|
"indicator--5b0fe9ca-0874-4425-9665-1e1d0acd0835"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:threat-actor=\"Lazarus Group\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses Remote File Copy (T1105)\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses Brute Force (T1110)\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses Connection Proxy (T1090)\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses Command-Line Interface (T1059)\"",
|
||
|
"misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses System Information Discovery (T1082)\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5b0d92c8-5410-41e7-9207-85ad0acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-29T17:50:00.000Z",
|
||
|
"modified": "2018-05-29T17:50:00.000Z",
|
||
|
"first_observed": "2018-05-29T17:50:00Z",
|
||
|
"last_observed": "2018-05-29T17:50:00Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5b0d92c8-5410-41e7-9207-85ad0acd0835"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5b0d92c8-5410-41e7-9207-85ad0acd0835",
|
||
|
"value": "https://www.us-cert.gov/ncas/alerts/TA18-149A"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-d95c-4309-a433-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '181.1.253.234']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-38e0-49be-9f24-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.82.62.24']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-75d8-45b1-aa72-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.243.151.226']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5b0d9337-0224-4404-99a7-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2019-06-14T15:00:41.000Z",
|
||
|
"modified": "2019-06-14T15:00:41.000Z",
|
||
|
"first_observed": "2019-06-14T15:00:41Z",
|
||
|
"last_observed": "2019-06-14T15:00:41Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--5b0d9337-0224-4404-99a7-80480acd0835",
|
||
|
"ipv4-addr--5b0d9337-0224-4404-99a7-80480acd0835"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--5b0d9337-0224-4404-99a7-80480acd0835",
|
||
|
"dst_ref": "ipv4-addr--5b0d9337-0224-4404-99a7-80480acd0835",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--5b0d9337-0224-4404-99a7-80480acd0835",
|
||
|
"value": "81.247.219.196"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-4098-4d75-bb67-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '138.204.211.197']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-1318-4bcf-a29a-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '177.221.11.176']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-c294-4d57-a9ad-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '177.221.11.233']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-9be0-42e0-bc42-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '177.41.74.199']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-b234-493d-beae-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.107.219.90']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-9b80-4614-bbdb-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '187.127.112.60']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-6d9c-4f62-a240-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '187.127.115.206']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-b05c-4be1-a6d1-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '189.15.173.106']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-4480-4666-8a00-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.227.174.79']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-d628-44c1-a705-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '146.88.205.56']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-c6fc-4c04-9992-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '113.57.34.213']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-e6b0-4cbc-9c37-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.179.224.33']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-2454-4cda-9c1e-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '181.234.231.152']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-08a8-4809-8dd6-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '190.60.109.166']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9337-1290-4b7d-a464-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '196.204.141.76']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-ce2c-4585-811a-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '196.221.41.109']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-eec4-4b26-b84d-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '1.186.218.107']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-00f4-4c6f-b2d2-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.71.212.72']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-7894-4918-b5bd-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '106.51.226.188']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-f3f8-4452-af53-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '114.79.191.185']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-73c0-4fc7-8c95-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:05.000Z",
|
||
|
"modified": "2018-05-31T12:11:05.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.213.169.79']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-1734-4879-9c8b-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:05.000Z",
|
||
|
"modified": "2018-05-31T12:11:05.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.213.170.132']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-b7d0-4eb6-ae4f-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:05.000Z",
|
||
|
"modified": "2018-05-31T12:11:05.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.213.170.252']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-8168-4cfe-939f-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:05.000Z",
|
||
|
"modified": "2018-05-31T12:11:05.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.214.92.199']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-0f4c-4500-962b-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:05.000Z",
|
||
|
"modified": "2018-05-31T12:11:05.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.254.85.138']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-ba58-4a8e-9377-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '123.201.161.60']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-3f40-48cc-8156-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '157.49.171.35']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-b590-470d-9c1b-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '202.142.71.166']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-38e8-444f-8414-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '49.206.100.19']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-b4b0-4871-9912-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '49.206.105.206']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-593c-4fef-89b6-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.92.69.202']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-a1b4-4e3b-a2d6-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.92.69.23']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-7cf0-424e-838b-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.92.69.254']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-0df4-4cd1-b2f4-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.92.69.51']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-07a8-4eb7-85cc-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.92.70.122']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-d8bc-4753-b44c-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.92.70.162']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-a81c-4b14-9afc-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.92.70.164']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-09dc-443f-bff5-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.95.151.28']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-0158-4c7b-9bf0-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:04.000Z",
|
||
|
"modified": "2018-05-31T12:11:04.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '59.97.22.192']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-b928-41ad-ad33-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.3.239.224']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-2098-4512-a7f7-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '2.182.31.181']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-55c8-4b52-b833-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:03.000Z",
|
||
|
"modified": "2018-05-31T12:11:03.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '2.182.31.195']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-fc40-41a0-b8e0-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '2.182.31.84']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-c924-41ec-8793-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '2.187.201.47']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-d2b8-48ba-b0e1-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.212.93.217']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-b730-4f49-a2f4-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '110.36.226.146']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-3aa4-4e7f-a649-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.130.24.202']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-2108-40b4-bc19-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.45.234.206']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-9588-473f-a352-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.45.248.239']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b0d9338-0254-492f-8138-80480acd0835",
|
||
|
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
|
||
|
"created": "2018-05-31T12:11:02.000Z",
|
||
|
"modified": "2018-05-31T12:11:02.000Z",
|
||
|
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.47.60.110']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-05-31T12:11:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\"",
|
||
|
"adversary:infrastructure-status=\"compromised\"",
|
||
|
"veris:action:malware:variety=\"C2\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-9670-427f-a76e-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.49.198.65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-1508-4f12-b934-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.54.209.88']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-fd8c-49d6-a9a2-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.54.251.115']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-ea9c-4e4b-b106-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.156.110.212']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-94a0-4e8f-b5d8-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.156.137.47']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-fdc4-4801-8ed2-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '51.235.186.186']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-fee4-4087-a72e-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '90.148.206.252']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-87f4-4e40-92cf-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.184.0.49']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-c018-4fd0-a5be-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.218.39.84']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-6e50-46e0-a04f-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '2.137.162.251']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-0e48-4e19-84b4-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '124.43.35.86']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-bdbc-458d-bb51-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '124.43.39.105']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-1dec-4336-80be-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '124.43.41.213']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-17a0-4d0e-8907-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '124.43.41.48']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-17f0-4978-9b7d-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '124.43.42.30']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-9ab8-420d-af11-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '90.236.254.71']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-fa3c-45d2-a179-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '1.160.139.122']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-528c-4b2a-a4d8-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '1.169.112.88']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-584c-41fd-b0f9-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '1.170.194.142']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-4088-46ae-a681-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '111.253.145.11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-e874-4c40-9697-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '111.255.198.92']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-0674-4bb4-a76e-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '114.26.231.136']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-b6c4-4c87-b717-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '114.36.15.80']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-daa8-4f9d-ac46-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '114.36.3.66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-98b4-4959-8197-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '114.39.179.133']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-6448-487c-aee8-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '114.46.75.51']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9338-d794-4960-a71a-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.121.9.203']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9339-3648-4efb-af16-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '36.229.45.69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9339-a7e8-4495-b4ed-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '36.231.179.65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9339-0960-4e7b-8ae8-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:03.000Z",
"modified": "2018-05-31T12:11:03.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '36.231.36.64']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9339-aa3c-49a2-b910-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:02.000Z",
"modified": "2018-05-31T12:11:02.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '36.235.81.169']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9339-7c74-49d7-9d6e-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:11:05.000Z",
"modified": "2018-05-31T12:11:05.000Z",
"description": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '36.238.65.99']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:11:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\"",
"veris:action:malware:variety=\"C2\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9339-b9bc-4ce2-afda-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:09:04.000Z",
"modified": "2018-05-31T12:09:04.000Z",
"description": "Enriched via the stiximport module",
"pattern": "[email-message:from_ref.value = 'misswang8107@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:09:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0d9339-7688-49a4-b486-80480acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:09:04.000Z",
"modified": "2018-05-31T12:09:04.000Z",
"description": "Enriched via the stiximport module",
"pattern": "[email-message:from_ref.value = 'redhat@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:09:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b0fec1c-4c58-45a4-aa7a-1e000acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:35:40.000Z",
"modified": "2018-05-31T12:35:40.000Z",
"first_observed": "2018-05-31T12:35:40Z",
"last_observed": "2018-05-31T12:35:40Z",
"number_observed": 1,
"object_refs": [
"file--5b0fec1c-4c58-45a4-aa7a-1e000acd0835",
"artifact--5b0fec1c-4c58-45a4-aa7a-1e000acd0835"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b0fec1c-4c58-45a4-aa7a-1e000acd0835",
"name": "TA18-194A.pdf",
"content_ref": "artifact--5b0fec1c-4c58-45a4-aa7a-1e000acd0835"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5b0fec1c-4c58-45a4-aa7a-1e000acd0835",
"payload_bin": "JVBERi0xLjUNJeLjz9MNCjI1IDAgb2JqDTw8L0xpbmVhcml6ZWQgMS9MIDQ0MzU2L08gMjcvRSAyNDgyOS9OIDQvVCA0NDAyMC9IIFsgNDc5IDIwOF0+Pg1lbmRvYmoNICAgICAgICAgICAgICAgICAgDQozOSAwIG9iag08PC9EZWNvZGVQYXJtczw8L0NvbHVtbnMgNC9QcmVkaWN0b3IgMTI+Pi9GaWx0ZXIvRmxhdGVEZWNvZGUvSURbPEQxODRBRTE1OThEM0VEQjU4MUM2MEE2MTE3MDRGRjBDPjxGQzM5OTgzQ0Y1MThCMzQ1QjIxOThDMzBGNkJCRURCOT5dL0luZGV4WzI1IDI1XS9JbmZvIDI0IDAgUi9MZW5ndGggNzYvUHJldiA0NDAyMS9Sb290IDI2IDAgUi9TaXplIDUwL1R5cGUvWFJlZi9XWzEgMiAxXT4+c3RyZWFtDQpo3mJiZBBgYGJgmg8kGAOBBMMWIMHsBiJegYjtINkkECsPxKoAsUCKmWeAdDwFEtwtQOL2RwYmRoYVIAMYGIkh/jMe/gEQYAAlIg0UDQplbmRzdHJlYW0NZW5kb2JqDXN0YXJ0eHJlZg0KMA0KJSVFT0YNCiAgICAgICAgDQo0OSAwIG9iag08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvSSAxMjgvTCAxMTIvTGVuZ3RoIDEyMS9TIDYzPj5zdHJlYW0NCmjeYmBgYGZgYDJgYGFgENzAwM+AAPwMTEBRFgaOCQwzZnFmCJ5gYJjOICizgIOBoQEmAARcDAyzFgBpHiDmBYtsYeBjYNBU6G1iZtshvaCQ8TX7BGGhEqtjjAvA0twMDLP3AGlGIO4CYqDiVTshfEYbgAADAGbgFVwNCmVuZHN0cmVhbQ1lbmRvYmoNMjYgMCBvYmoNPDwvTWV0YWRhdGEgMTIgMCBSL1BhZ2VMYWJlbHMgMjEgMCBSL1BhZ2VzIDIzIDAgUi9UeXBlL0NhdGFsb2c+Pg1lbmRvYmoNMjcgMCBvYmoNPDwvQ29udGVudHNbMjkgMCBSIDMwIDAgUiAzMSAwIFIgMzIgMCBSIDMzIDAgUiAzNCAwIFIgMzUgMCBSIDM2IDAgUl0vQ3JvcEJveFswIDAgNjEyIDc5Ml0vTWVkaWFCb3hbMCAwIDYxMiA3OTJdL1BhcmVudCAyMyAwIFIvUmVzb3VyY2VzIDQwIDAgUi9Sb3RhdGUgMC9UeXBlL1BhZ2U+Pg1lbmRvYmoNMjggMCBvYmoNPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0ZpcnN0IDY0L0xlbmd0aCA3NDMvTiA5L1R5cGUvT2JqU3RtPj5zdHJlYW0NCmjepJRbb9owFID/ih+3B2Y7iZ0gVUhAS4e0dqhBayXEQwoeZMoFJa7W/vudY8chsNELk2V8fO7GXxwwwkjACQ8kCTzCZUACn3geLCiFJBAkAg2YORPgGhIuZJ8EEeFhX5KLCzous7KKd8lK4aaWmI6Ru8GAXj3r61gnGg3XMccC1jApCw26+dzDMqADMcAaVpSY3nrOqnIVK72gs8sJnatnTad5slHjJX34/vhLrTDNNOfEbwIGgwWdjsejpFZrAu2Dcgku32fkZ5LVCoQbwmk8bLbxDWFfmEfnLzu1b5eWO2sfDCB2WK9UoUmfCTpOdl9Vutlq+DMYo5fKmnoe53SSJZua+J453GhUPi960otIzw8l8cAbQni0NNZJkqfZy6dhlSbZZ6O5TXJFzb43KrP1zdxoY10pvdrS27LKk8yo7m35EKpPdZKlq2GxyRRhNNYq/0G4H9mzoC+2V6U7XVb0odO2ORT+QehzWPSqWJXrtNjQ+7QYFnXa7idpVevxNqncAfe5kRe8tm9J48E9+IOfHjW2Ma+elOmnbQpSr/W2Xngh3pgboYdo+L5vptWh5LyEkAerlfa7bp7uZERy3ugx1z7CeIBGyrDZoYTeNu5f
A6PRo7vafnGH+W2/+BtFfaN1E84DGhfhokPjD9Lyf1GTAlDzhEONybdRe5Oy4ARl0VmQnc2XOOJLfJwvdkQXWh1fjov3zP0d2wHftLDgwHTQtSCBYwse3ArqMUkEhV/HD+W+eRmtfY/VIfyYtdtaK2NVmGjHFSseHwWPb+wujtk+TM5mfmx47YeD+ZCCA6qjPn+FaumoDjpUC4kPKAtbqsMDqudprmpyq36TuzJPig7fxgIGo5/F55PufZD0vwufx3x4zDx7D/Pi9OUY2gVrYTw199LxF9RC2qBuXzWrN98WvG/2JcS3z30M9sV16LsYC/fxCECLlburw9T25rrHNTw6CWu76J7x9Gv+viEMxX8EGABX/lfZDQplbmRzdHJlYW0NZW5kb2JqDTI5IDAgb2JqDTw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggNjc2Pj5zdHJlYW0NCkiJjFNNT9wwEL3nV8zRlrre+CNO3NsuW7UgUdQSiUPhEIKzBDYJTQKr/SP9vR1/pPSIInkm9sx7zzNjDvtk/fWaw35KpGZcAK6phkwaVhSQczQCRps0ye+EQwuJkkwWoKViBQhdsFwBF5z5oBvoMUxowwQvIMXPH2l4T8LwukvW5x2H3ZD8wG99NmmoJ2CFzIRBoyRXaDJlYKr7SJjlBcvQiIwhNJOZMSbo2pbJuiwFcCibhAsmIzE6kVYIpgWUXZLibVcsTVMFZZ04R0N5TH6RzcGOM9ySkuaSGbLhxYors7ml9K68cPAqwnPGdcD3XiRIUZsncOA8Yos8YH+jK8U0OaeoguzCz46ynHyhK6w4+e58OLva/gxnG/gDFwP6pOr9+uJWoBmTZBtSKsqZIvXzgzsZfOwIJZUufaQrjpHDU0ALGCG7cm7vc30mbMeqc4g5uX91Gwe4tmPYeEMYYke4tO5gmqq9s9Ynw/YQwIf62UUv+DcUq56TwQeNna8dYglfMO/EXhaGpe/1ypdmxIJdje2+7asDtvdgq8nCAwovyGw/w2V1AmE+gUh5sbQmdr5gRnki70SiTLmhQSIHvzRGGsdDrk/TbLsJNk1j69k+0PLp/06nblR9p70XASVnmfqn3CyIKij/7oqFd5+PWBYyjM8wnSa3lRNH9RHFroKLYOngUy/26s2Ob609fkSkwvJqHUFwSBFkFe/vRJaP7USdSnjCrhls1wrXtqdepuukxnfAUwTBfrvN+tGbvvXxdeX/DoCPxns4MRg64yHOsX9Dbkbd48kILFxzwAgZ2Flvp9cAFVmHJmBUQUvkoThZp4De1gHMNhTftCLNEASE0ymg3Afs+WiD04ft+TFy74J9qWJuF8PiBQJkQ+/grwADAIrNKFQNCmVuZHN0cmVhbQ1lbmRvYmoNMzAgMCBvYmoNPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0aCA2MjU+PnN0cmVhbQ0KSIlUVE2P2jAQvfMrfLSljYWdkEB7KkUItlK7KlQ9wB7cEMDaJEaJAfHvO54xgj3Np988P0+yfh0MWaJkOlQFW88GcjhUGVuXwRkqtr4ONnzhmkpkcsRrg6bdoWGrqgRH87MAAMU7CMbcCnD9DQtsyzE3E1pO+GK1FRgy0yJAhPFHtBUTI5nzOY3akeloYs2mZ4opbShibg9nwC4J8IJTK6LTY+BFAr490DGP7dZR+53eXCRapny6jPwkniE6f4UqgLuj6R+IaVuCY1dLgEeaSCf+SMytpHhfR3H1JFd3cYsgbhLU1aTuweHQC4kAo8e8azHVVGS9CFoi+MlgpvNUie1QCvdFEi8QgMSzxYpkHqPMkJlPl1SylLiD2z2m4d0yXsUDAZVRe4uBR/8Tu+qJ21vnHhG5JdGhoA7gQe5AdBma3raCbmSIzY4uUfUoQ0/gfWyJ96DIEZcjtXQPlZ9WOGxued/lILJtd7Y03nUREhYHF7R0zalzjYUog6lAcfnrO0KqVGYTlbPhHVIHyA3vgbjpe1da
46sdrkAGy3OkHSJ0f3Xk7E1ja1sRIHwD6Xj0AFQR8DOjxtRI5ipUuHpXsXMPc/7dmMcGHAQvxX66Dr6cgJz
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b0fec1c-4e20-4ada-a185-1e000acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:35:40.000Z",
"modified": "2018-05-31T12:35:40.000Z",
"first_observed": "2018-05-31T12:35:40Z",
"last_observed": "2018-05-31T12:35:40Z",
"number_observed": 1,
"object_refs": [
"file--5b0fec1c-4e20-4ada-a185-1e000acd0835",
"artifact--5b0fec1c-4e20-4ada-a185-1e000acd0835"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b0fec1c-4e20-4ada-a185-1e000acd0835",
"name": "MAR-10135536-3_WHITE.pdf",
"content_ref": "artifact--5b0fec1c-4e20-4ada-a185-1e000acd0835"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5b0fec1c-4e20-4ada-a185-1e000acd0835",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0fe700-85cc-4c01-9c1f-1e220acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:13:52.000Z",
"modified": "2018-05-31T12:13:52.000Z",
"pattern": "[file:hashes.MD5 = '4613f51087f01715bf9132c704aea2c2' AND file:hashes.SHA1 = '6b1ddf0e63e04146d68cd33b0e18e668b29035c4' AND file:hashes.SHA256 = 'a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717' AND file:x_misp_text = 'According to DHS and FBI analysis, this Dynamic Link Library (DLL) is a Remote Access Tool (RAT) capable of providing an array of remote command and control capabilities. It has the ability to exfiltrate data, drop and run secondary payloads, and provide proxy capabilities on a compromised Windows device. The malware binds and listens on port 443 for incoming connections from a remote operator.' AND file:x_misp_ssdeep = '768:qtT2AxNtcgpqLepcy2y6/chYdP8KuSFM+Cs5CBaho9S4AJKqBz8MZdVsrQVBnVGa:qwONtBqL1dDMrs5CN9S 4A3HOYBnVL' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:13:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-type=\"TrojanDropper\"",
"ms-caro-malware-full:malware-type=\"RemoteAccess\"",
"kill-chain:Installation",
"ms-caro-malware-full:malware-type=\"TrojanProxy\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0fe7f7-ac3c-46e4-8257-20350acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:17:59.000Z",
"modified": "2018-05-31T12:17:59.000Z",
"pattern": "[file:hashes.MD5 = '298775b04a166ff4b8fbd3609e716945' AND file:hashes.SHA1 = '2e0f666831f64d7383a11b444e2c16b38231f481' AND file:hashes.SHA256 = 'fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16' AND file:hashes.SSDEEP = '768:i+cDn8nAQ5Toz4c0+u5jrdXs+W+aCNkiC8xeC3cs:i+M8ndTozOn5jxF/US0s' AND file:x_misp_text = 'According to DHS and FBI analysis, this is a malicious Portable Executable 32-bit (PE32) file designed to scan the local network and the internet for machines that are accessible and have open Server Message Block (SMB) ports. Once the malware gains access to a remote machine it will deliver a malicious payload.' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:17:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"SMB",
"veris:action:malware:vector=\"Network propagation\"",
"kill-chain:Installation",
"veris:action:malware:variety=\"Scan network\"",
"malware_classification:payload-classification=\"dropper\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0fe901-12a8-4b77-9134-1f380acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:22:25.000Z",
"modified": "2018-05-31T12:22:25.000Z",
"pattern": "[file:hashes.MD5 = 'e86c2f4fc88918246bf697b6a404c3ea' AND file:hashes.SHA1 = '9b7609349a4b9128b9db8f11ac1c77728258862c' AND file:hashes.SHA256 = 'ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781' AND file:hashes.SSDEEP = '768:9eY/pEwKWcwP/bY4XxlGLup3Tq1LpDLJkDcw3f9zj:MitnU4viJJDw3Z' AND file:x_misp_text = 'According to DHS and FBI analysis, this file is a malicious 32-bit Windows Dynamic Link Library (DLL), dropped and loaded by [MD5: 4731CBAEE7ACA37B596E38690160A749]. When executed, the DLL attempts to contact all of the Internet Protocol (IP) addresses on the victim\\'s local subnet. If the file is able to connect to these IPs, it will attempt to gain unauthorized access via the Server Message Block (SMB) protocol on port 445 utilizing a brute-force password attack.' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:22:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"veris:action:malware:variety=\"Brute force\"",
"veris:action:malware:variety=\"Scan network\"",
"SMB",
"kill-chain:Installation"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0fe9ca-0874-4425-9665-1e1d0acd0835",
"created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a",
"created": "2018-05-31T12:25:46.000Z",
"modified": "2018-05-31T12:25:46.000Z",
"pattern": "[file:hashes.MD5 = '4731cbaee7aca37b596e38690160a749' AND file:hashes.SHA1 = '80fac6361184a3e24b33f6acb8688a6b7276b0f2' AND file:hashes.SHA256 = '077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885' AND file:hashes.SSDEEP = '6144:M6atGpHk4NdSksOBbNUyb4ajb1TWiYW9ebYwtJEGLYMYR4:Msdk4NdSksOv' AND file:x_misp_text = 'According to DHS and FBI analysis, this is a Portable Executable 32-bit (PE32) file that can be used to drop and install other malware on the compromised host.' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-05-31T12:25:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"ms-caro-malware-full:malware-type=\"TrojanDropper\"",
"kill-chain:Delivery"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}