{
"type": "bundle",
"id": "bundle--58ab3fb6-6c3c-49e3-8294-b3f202de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:18:19.000Z",
"modified": "2017-02-20T19:18:19.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58ab3fb6-6c3c-49e3-8294-b3f202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:18:19.000Z",
"modified": "2017-02-20T19:18:19.000Z",
"name": "OSINT - The Rise of Dridex and the Role of ESPs",
"published": "2017-02-20T19:18:35Z",
"object_refs": [
"observed-data--58ab3fed-8664-47ac-b60c-444e02de0b81",
"url--58ab3fed-8664-47ac-b60c-444e02de0b81",
"x-misp-attribute--58ab4023-6630-4448-a573-4ee402de0b81",
"indicator--58ab4053-54f8-44b6-9e2b-4a3102de0b81",
"indicator--58ab4053-4780-4e80-b48b-4b1b02de0b81",
"indicator--58ab4054-4580-4a28-8122-445202de0b81",
"indicator--58ab4055-a368-4f79-b8e1-45a002de0b81",
"indicator--58ab4056-3390-43d0-9d25-4c3f02de0b81",
"indicator--58ab4057-593c-40e8-b9f3-43b802de0b81",
"indicator--58ab4058-6bd0-418d-a485-446102de0b81",
"indicator--58ab4058-11b0-49c0-97de-4dbe02de0b81",
"indicator--58ab4059-2f24-48c6-8b5e-4cd402de0b81",
"indicator--58ab405a-8ecc-4329-962d-4d9b02de0b81",
"indicator--58ab405b-3b58-4ce5-b80e-48bd02de0b81",
"indicator--58ab405b-21a4-4dd2-8f00-4df002de0b81",
"indicator--58ab405c-2b20-4376-ad58-4ce702de0b81",
"indicator--58ab405d-4ee0-48f5-a7ce-44d702de0b81",
"indicator--58ab405e-c340-41a5-bf64-490002de0b81",
"indicator--58ab405e-03ac-4b58-91c0-4c7102de0b81",
"indicator--58ab405f-bfbc-461e-9a9a-4e8a02de0b81",
"indicator--58ab4060-5550-4968-bc53-414202de0b81",
"indicator--58ab4061-c8fc-4d17-ac46-413802de0b81",
"indicator--58ab4061-01cc-429c-8931-40d802de0b81",
"indicator--58ab4062-0eb8-4397-81d9-4be402de0b81",
"indicator--58ab4063-4f9c-4a5d-8e44-4bf402de0b81",
"indicator--58ab4064-be9c-41a1-987c-433902de0b81",
"indicator--58ab4078-9f34-471d-bdeb-410102de0b81",
"indicator--58ab4078-e588-4f2b-937b-413e02de0b81",
"indicator--58ab409e-d2d0-4b6f-878a-49aa02de0b81",
"indicator--58ab409e-c224-41bb-8058-45bd02de0b81",
"observed-data--58ab40c9-d044-42d6-a243-b3f302de0b81",
"file--58ab40c9-d044-42d6-a243-b3f302de0b81",
"artifact--58ab40c9-d044-42d6-a243-b3f302de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Anunak\"",
"misp-galaxy:tool=\"Dridex\"",
"osint:source-type=\"blog-post\"",
"circl:topic=\"finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ab3fed-8664-47ac-b60c-444e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:14:10.000Z",
"modified": "2017-02-20T19:14:10.000Z",
"first_observed": "2017-02-20T19:14:10Z",
"last_observed": "2017-02-20T19:14:10Z",
"number_observed": 1,
"object_refs": [
"url--58ab3fed-8664-47ac-b60c-444e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"admiralty-scale:source-reliability=\"b\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ab3fed-8664-47ac-b60c-444e02de0b81",
"value": "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58ab4023-6630-4448-a573-4ee402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:17:53.000Z",
"modified": "2017-02-20T19:17:53.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Last week, we have warned Swiss citizens about a new malspam run targeting exclusively Swiss internet users. The attack aimed to infect them with Dridex. Dridex is a sophisticated eBanking Trojan that emerged from the code base of Bugat / Cridex in 2014. Despite takedown attempts by the security industry and several arrests conducted by the FBI in 2015, the botnet is still very active. In 2016, MELANI / GovCERT.ch became aware of a handful of highly sophisticated attacks against small and medium businesses (SMB) in Switzerland aiming to steal large amounts of money by targeting offline payment software. During our incident response in 2016, we could identify Dridex to be the initial infection vector, which had arrived in the victim\u2019s mailbox by malicious Office Word documents, and uncovered the installation of a sophisticated malware called Carbanak, used by the attacker for lateral movement and conducting the actual fraud. Between 2013 and 2015, the Carbanak malware was used to steal approximately 1 billion USD from banks worldwide."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4053-54f8-44b6-9e2b-4a3102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:31.000Z",
"modified": "2017-02-20T19:15:31.000Z",
"description": "On port 1843",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.235.76.95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4053-4780-4e80-b48b-4b1b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:31.000Z",
"modified": "2017-02-20T19:15:31.000Z",
"description": "On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '136.243.209.34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4054-4580-4a28-8122-445202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:32.000Z",
"modified": "2017-02-20T19:15:32.000Z",
"description": "On port 4431",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.226.92.9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4055-a368-4f79-b8e1-45a002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:33.000Z",
"modified": "2017-02-20T19:15:33.000Z",
"description": "On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.196.157.250']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4056-3390-43d0-9d25-4c3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:34.000Z",
"modified": "2017-02-20T19:15:34.000Z",
"description": "On port 8443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.195.0.12']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4057-593c-40e8-b9f3-43b802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:35.000Z",
"modified": "2017-02-20T19:15:35.000Z",
"description": "On port 3101",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.150.118.25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4058-6bd0-418d-a485-446102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:36.000Z",
"modified": "2017-02-20T19:15:36.000Z",
"description": "On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.22.127.26']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4058-11b0-49c0-97de-4dbe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:36.000Z",
"modified": "2017-02-20T19:15:36.000Z",
"description": "On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.99.60.26']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4059-2f24-48c6-8b5e-4cd402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:37.000Z",
"modified": "2017-02-20T19:15:37.000Z",
"description": "On port 8443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.35.178.115']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab405a-8ecc-4329-962d-4d9b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:38.000Z",
"modified": "2017-02-20T19:15:38.000Z",
"description": "On port 8443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.177.114.30']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab405b-3b58-4ce5-b80e-48bd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:39.000Z",
"modified": "2017-02-20T19:15:39.000Z",
"description": "On port 8443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '154.0.171.105']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab405b-21a4-4dd2-8f00-4df002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:39.000Z",
"modified": "2017-02-20T19:15:39.000Z",
"description": "On port 8443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.208.65.134']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab405c-2b20-4376-ad58-4ce702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:40.000Z",
"modified": "2017-02-20T19:15:40.000Z",
"description": "On port 8443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.130.131.55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab405d-4ee0-48f5-a7ce-44d702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:41.000Z",
"modified": "2017-02-20T19:15:41.000Z",
"description": "On port 4433",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '77.236.97.60']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab405e-c340-41a5-bf64-490002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:42.000Z",
"modified": "2017-02-20T19:15:42.000Z",
"description": "On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.167.136.139']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab405e-03ac-4b58-91c0-4c7102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:42.000Z",
"modified": "2017-02-20T19:15:42.000Z",
"description": "On port 5353",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '209.20.67.87']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab405f-bfbc-461e-9a9a-4e8a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:43.000Z",
"modified": "2017-02-20T19:15:43.000Z",
"description": "On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.222.56.155']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4060-5550-4968-bc53-414202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:44.000Z",
"modified": "2017-02-20T19:15:44.000Z",
"description": "On port 4043",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.51.232.176']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4061-c8fc-4d17-ac46-413802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:45.000Z",
"modified": "2017-02-20T19:15:45.000Z",
"description": "On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.0.26.34']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4061-01cc-429c-8931-40d802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:45.000Z",
"modified": "2017-02-20T19:15:45.000Z",
"description": "On port 8343",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.139.21.245']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4062-0eb8-4397-81d9-4be402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:46.000Z",
"modified": "2017-02-20T19:15:46.000Z",
"description": "On port 443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.17.3.237']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4063-4f9c-4a5d-8e44-4bf402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:47.000Z",
"modified": "2017-02-20T19:15:47.000Z",
"description": "On port 8443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.155.55.211']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4064-be9c-41a1-987c-433902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:15:48.000Z",
"modified": "2017-02-20T19:15:48.000Z",
"description": "On port 8443",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '86.130.54.90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:15:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4078-9f34-471d-bdeb-410102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:16:08.000Z",
"modified": "2017-02-20T19:16:08.000Z",
"description": "Dridex payload:",
"pattern": "[url:value = 'https://talofinancial-my.sharepoint.com/personal/ashleigh_schipp_talofinancial_com_au/_layouts/15/guestaccess.aspx?docid=07697c8afb3e544808bf527394eb7154b&authkey=Adh6QVItbnSLOpXvxh_BfCs']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:16:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab4078-e588-4f2b-937b-413e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:16:08.000Z",
"modified": "2017-02-20T19:16:08.000Z",
"description": "Dridex payload:",
"pattern": "[url:value = 'https://yemposolutions-my.sharepoint.com/personal/amor_novicio_yempo-solu-tions_com/_layouts/15/guestaccess.aspx?docid=0ce03b9fd12d949cf91f56a7d1fbf4b93&authkey=ASOCPusN_QaBSXcCPxEkT9s']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:16:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab409e-d2d0-4b6f-878a-49aa02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:16:46.000Z",
"modified": "2017-02-20T19:16:46.000Z",
"description": "JS download",
"pattern": "[url:value = 'https://jensenbowers-my.sharepoint.com/personal/leeanderson_jensenbowers_com_au/_layouts/15/download.aspx?docid=068187f5a930340c89e3b7c5c9b9c24f7&authkey=AarHUbAy66DSX08VzRPQ25w']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:16:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ab409e-c224-41bb-8058-45bd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:16:46.000Z",
"modified": "2017-02-20T19:16:46.000Z",
"description": "JS download",
"pattern": "[url:value = 'https://jensenbowers-my.sharepoint.com/personal/leeanderson_jensenbowers_com_au/_layouts/15/guestaccess.aspx?docid=068187f5a930340c89e3b7c5c9b9c24f7&authkey=AarHUbAy66DSX08VzRPQ25w']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-20T19:16:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ab40c9-d044-42d6-a243-b3f302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-20T19:17:29.000Z",
"modified": "2017-02-20T19:17:29.000Z",
"first_observed": "2017-02-20T19:17:29Z",
"last_observed": "2017-02-20T19:17:29Z",
"number_observed": 1,
"object_refs": [
"file--58ab40c9-d044-42d6-a243-b3f302de0b81",
"artifact--58ab40c9-d044-42d6-a243-b3f302de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--58ab40c9-d044-42d6-a243-b3f302de0b81",
"name": "infection_chain.jpg",
"content_ref": "artifact--58ab40c9-d044-42d6-a243-b3f302de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--58ab40c9-d044-42d6-a243-b3f302de0b81",
"payload_bin": "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
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}