2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5b3b7b6f-6234-45ea-be4f-ab8202de0b81" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T14:00:12.000Z" ,
"modified" : "2018-07-03T14:00:12.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5b3b7b6f-6234-45ea-be4f-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T14:00:12.000Z" ,
"modified" : "2018-07-03T14:00:12.000Z" ,
"name" : "OSINT - Down but Not Out: A Look Into Recent Exploit Kit Activities" ,
"published" : "2018-07-03T14:03:14Z" ,
"object_refs" : [
"observed-data--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81" ,
"url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81" ,
"x-misp-attribute--5b3b7ba2-e47c-404d-928f-415002de0b81" ,
"indicator--5b3b7e1c-756c-4e5a-aa63-46d002de0b81" ,
"indicator--5b3b7e1c-a6c0-44b4-b4e7-415f02de0b81" ,
"indicator--5b3b7e1d-bbec-4f67-aef5-40d702de0b81" ,
"indicator--5b3b7e37-a474-4145-94c3-4b1402de0b81" ,
"indicator--5b3b7e78-3d10-4fee-842a-ae7e02de0b81" ,
"indicator--5b3b7e78-63a8-46d0-b8df-ae7e02de0b81" ,
"indicator--5b3b7e79-0498-40d8-b851-ae7e02de0b81" ,
"indicator--5b3b7f41-9ca8-45cb-b4f8-ab8202de0b81" ,
"indicator--5b3b7f41-b204-4a20-a7e2-ab8202de0b81" ,
"indicator--5b3b7f41-cd24-4412-969c-ab8202de0b81" ,
"indicator--5b3b7f42-acc0-4282-98f3-ab8202de0b81" ,
"indicator--5b3b7f42-db68-451e-8a47-ab8202de0b81" ,
"indicator--5b3b7f43-c578-46ca-acbb-ab8202de0b81" ,
"indicator--5b3b7f43-ab28-4653-b8ea-ab8202de0b81" ,
"indicator--5b3b7f44-3a94-4042-ab95-ab8202de0b81" ,
"indicator--5b3b7f44-7518-4f82-a1fb-ab8202de0b81" ,
"indicator--5b3b7f45-c1d8-47e7-b326-ab8202de0b81" ,
"indicator--5b3b8010-54e0-4e3c-85bb-ae8f02de0b81" ,
"indicator--5b3b8010-0738-42da-8b4e-ae8f02de0b81" ,
"indicator--5b3b8011-1f14-4735-9bc2-ae8f02de0b81" ,
"indicator--5b3b8078-ec74-4cff-bfa6-4b9d02de0b81" ,
"indicator--5b3b8078-ad54-4d3b-9cd0-424d02de0b81" ,
"indicator--5b3b8079-b7f4-4277-858a-432902de0b81" ,
"indicator--5b3b8079-8bb0-447f-ae3d-4d3d02de0b81" ,
"x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7" ,
"x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c" ,
"x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3" ,
"x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613" ,
"x-misp-object--25e765d8-e066-4981-a075-0912806c404c" ,
"x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a" ,
"x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59" ,
"x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396" ,
2023-12-14 14:30:15 +00:00
"relationship--25cd6ab2-8947-41ce-ae3f-302baad84cc6" ,
"relationship--6b6f4503-8ac7-41ae-840e-76e9a372299b" ,
"relationship--c7dd7a4c-7068-4293-954e-333ccd5887cf" ,
"relationship--cc2aeb84-6165-4bcd-a4e2-a152e8d1e9a7"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:exploit-kit=\"RIG\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:34:56.000Z" ,
"modified" : "2018-07-03T13:34:56.000Z" ,
"first_observed" : "2018-07-03T13:34:56Z" ,
"last_observed" : "2018-07-03T13:34:56Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81" ,
"value" : "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-recent-exploit-kit-activities/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b3b7ba2-e47c-404d-928f-415002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:35:30.000Z" ,
"modified" : "2018-07-03T13:35:30.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Exploit kits may be down, but they\u00e2\u20ac\u2122re not out. While they\u00e2\u20ac\u2122re still using the same techniques that involve malvertisements or embedding links in spam and malicious or compromised websites, their latest activities are making them significant factors in the threat landscape again. This is the case with Rig and GrandSoft, as well as the private exploit kit Magnitude \u00e2\u20ac\u201d exploit kits we found roping in relatively recent vulnerabilities to deliver cryptocurrency-mining malware, ransomware, botnet loaders, and banking trojans.\r\n\r\nBased on the exploit kits\u00e2\u20ac\u2122 latest activities, it appears they and their users are shifting tactics by joining the bandwagon, like capitalizing on cryptocurrency\u00e2\u20ac\u2122s popularity or using off-the-rack malware. We expect this to be the status quo this year, given the profitability of using cryptocurrency miners and the convenience of using ready-made malware. We also foresee more exploits that work on other software, such as CVE-2018-8174, which can be exploited via Microsoft Word and Internet Explorer."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7e1c-756c-4e5a-aa63-46d002de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:46:04.000Z" ,
"modified" : "2018-07-03T13:46:04.000Z" ,
"description" : "Malicious domains and IP addresses related to GrandSoft exploit kit" ,
"pattern" : "[domain-name:value = 'ethical-buyback.lesbianssahgbrewingqzw.xyz']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:46:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"hostname\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7e1c-a6c0-44b4-b4e7-415f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:46:04.000Z" ,
"modified" : "2018-07-03T13:46:04.000Z" ,
"description" : "Malicious domains and IP addresses related to GrandSoft exploit kit" ,
"pattern" : "[url:value = 'ethical-buyback.lesbianssahgbrewingqzw.xyz/masking_celebration-skies']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:46:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7e1d-bbec-4f67-aef5-40d702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:46:05.000Z" ,
"modified" : "2018-07-03T13:46:05.000Z" ,
"description" : "Malicious domains and IP addresses related to GrandSoft exploit kit" ,
"pattern" : "[url:value = 'papconnecting.net/wp-content/traffic.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:46:05Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7e37-a474-4145-94c3-4b1402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:46:31.000Z" ,
"modified" : "2018-07-03T13:46:31.000Z" ,
"description" : "GandCrab C&C" ,
"pattern" : "[domain-name:value = 'carder.bit']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:46:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7e78-3d10-4fee-842a-ae7e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:47:36.000Z" ,
"modified" : "2018-07-03T13:47:36.000Z" ,
"pattern" : "[url:value = '91.210.104.247/debug.txt']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:47:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7e78-63a8-46d0-b8df-ae7e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:47:36.000Z" ,
"modified" : "2018-07-03T13:47:36.000Z" ,
"description" : "GandCrab Ransomware" ,
"pattern" : "[url:value = '91.210.104.247/putty.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:47:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7e79-0498-40d8-b851-ae7e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:47:37.000Z" ,
"modified" : "2018-07-03T13:47:37.000Z" ,
"description" : "(BlackTDS IP)" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.74.240.219']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:47:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f41-9ca8-45cb-b4f8-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:50:57.000Z" ,
"modified" : "2018-07-03T13:50:57.000Z" ,
"description" : "Magniber Payment Server" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.37.57.152']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:50:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f41-b204-4a20-a7e2-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:50:57.000Z" ,
"modified" : "2018-07-03T13:50:57.000Z" ,
"description" : "Magniber Payment Server" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.188.10.44']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:50:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f41-cd24-4412-969c-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:50:57.000Z" ,
"modified" : "2018-07-03T13:50:57.000Z" ,
"description" : "Magniber Payment Server" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.60.161.51']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:50:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f42-acc0-4282-98f3-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:50:58.000Z" ,
"modified" : "2018-07-03T13:50:58.000Z" ,
"description" : "Magnigate Step 1" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.56.159.203']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:50:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f42-db68-451e-8a47-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:50:58.000Z" ,
"modified" : "2018-07-03T13:50:58.000Z" ,
"description" : "Magnitude EK" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.114.191.124']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:50:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f43-c578-46ca-acbb-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:50:59.000Z" ,
"modified" : "2018-07-03T13:50:59.000Z" ,
"description" : "Magnigate Step 2" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.114.33.110']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:50:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f43-ab28-4653-b8ea-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:50:59.000Z" ,
"modified" : "2018-07-03T13:50:59.000Z" ,
"description" : "Magniber Payment Server" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.244.150.110']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:50:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f44-3a94-4042-ab95-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:51:00.000Z" ,
"modified" : "2018-07-03T13:51:00.000Z" ,
"description" : "Magnigate Step 2" ,
"pattern" : "[domain-name:value = 'fedpart.website']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:51:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f44-7518-4f82-a1fb-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:51:00.000Z" ,
"modified" : "2018-07-03T13:51:00.000Z" ,
"description" : "Magnitude landing page" ,
"pattern" : "[domain-name:value = 'addrole.space']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:51:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b7f45-c1d8-47e7-b326-ab8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:51:01.000Z" ,
"modified" : "2018-07-03T13:51:01.000Z" ,
"description" : "Magnigate Step 1b" ,
"pattern" : "[domain-name:value = 'taxhuge.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:51:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b8010-54e0-4e3c-85bb-ae8f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:54:24.000Z" ,
"modified" : "2018-07-03T13:54:24.000Z" ,
"description" : "Rig EK; also where Kardon Loader was downloaded" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.225.37.242']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:54:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b8010-0738-42da-8b4e-ae8f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:54:24.000Z" ,
"modified" : "2018-07-03T13:54:24.000Z" ,
"description" : "Malicious domains and IP addresses related to Rig exploit kit" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.23.181.154']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:54:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b8011-1f14-4735-9bc2-ae8f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:54:25.000Z" ,
"modified" : "2018-07-03T13:54:25.000Z" ,
"description" : "Malicious domains and IP addresses related to Rig exploit kit" ,
"pattern" : "[url:value = '193.23.181.154/crypto/?placement=198395354']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:54:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b8078-ec74-4cff-bfa6-4b9d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:56:08.000Z" ,
"modified" : "2018-07-03T13:56:08.000Z" ,
"description" : "TROJ_DLOADR.SULQ" ,
"pattern" : "[file:hashes.SHA256 = '69ec63646a589127c573fed9498a11d3e75009751ac5e16a80e7aa684ad66240']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:56:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b8078-ad54-4d3b-9cd0-424d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:56:08.000Z" ,
"modified" : "2018-07-03T13:56:08.000Z" ,
"description" : "TROJ_KARDONLDR.A" ,
"pattern" : "[file:hashes.SHA256 = 'aca8e9ecb7c8797c1bc03202a738a0ad586b00968f6c21ab83b9bb43b5c49243']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:56:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b8079-b7f4-4277-858a-432902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:56:09.000Z" ,
"modified" : "2018-07-03T13:56:09.000Z" ,
"description" : "TROJ_KARIUS.A" ,
"pattern" : "[file:hashes.SHA256 = '5f7d3d7bf2ad424b8552ae78682a4f89080b41fedbcc34edce2b2a2c8baf47d4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:56:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b3b8079-8bb0-447f-ae3d-4d3d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:56:09.000Z" ,
"modified" : "2018-07-03T13:56:09.000Z" ,
"description" : "COINMINER_MALXMR.SM4-WIN32" ,
"pattern" : "[file:hashes.SHA256 = '24d17158531180849f5b0819ac965d796886b8238d8a690e2a7ecb3d7fd3bf2b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-07-03T13:56:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:57:55.000Z" ,
"modified" : "2018-07-03T13:57:55.000Z" ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "file"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:57:53.000Z" ,
"modified" : "2018-07-03T13:57:53.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:57:57.000Z" ,
"modified" : "2018-07-03T13:57:57.000Z" ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "file"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:57:56.000Z" ,
"modified" : "2018-07-03T13:57:56.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--25e765d8-e066-4981-a075-0912806c404c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:58:00.000Z" ,
"modified" : "2018-07-03T13:58:00.000Z" ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "file"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:57:58.000Z" ,
"modified" : "2018-07-03T13:57:58.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:58:02.000Z" ,
"modified" : "2018-07-03T13:58:02.000Z" ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "file"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-07-03T13:58:01.000Z" ,
"modified" : "2018-07-03T13:58:01.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-12-14 14:30:15 +00:00
"id" : "relationship--25cd6ab2-8947-41ce-ae3f-302baad84cc6" ,
2023-04-21 14:44:17 +00:00
"created" : "2018-07-03T13:58:02.000Z" ,
"modified" : "2018-07-03T13:58:02.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7" ,
"target_ref" : "x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-12-14 14:30:15 +00:00
"id" : "relationship--6b6f4503-8ac7-41ae-840e-76e9a372299b" ,
2023-04-21 14:44:17 +00:00
"created" : "2018-07-03T13:58:02.000Z" ,
"modified" : "2018-07-03T13:58:02.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3" ,
"target_ref" : "x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-12-14 14:30:15 +00:00
"id" : "relationship--c7dd7a4c-7068-4293-954e-333ccd5887cf" ,
2023-04-21 14:44:17 +00:00
"created" : "2018-07-03T13:58:02.000Z" ,
"modified" : "2018-07-03T13:58:02.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "x-misp-object--25e765d8-e066-4981-a075-0912806c404c" ,
"target_ref" : "x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-12-14 14:30:15 +00:00
"id" : "relationship--cc2aeb84-6165-4bcd-a4e2-a152e8d1e9a7" ,
2023-04-21 14:44:17 +00:00
"created" : "2018-07-03T13:58:02.000Z" ,
"modified" : "2018-07-03T13:58:02.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59" ,
"target_ref" : "x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}