{
"type": "bundle",
"id": "bundle--a57a8551-4e22-44b9-a72d-fa8345532029",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T12:31:21.000Z",
"modified": "2023-04-19T12:31:21.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--a57a8551-4e22-44b9-a72d-fa8345532029",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T12:31:21.000Z",
"modified": "2023-04-19T12:31:21.000Z",
"name": "HALFRIG - Malware Analysis Report",
"published": "2023-04-19T12:31:38Z",
"object_refs": [
"x-misp-attribute--e7963e75-00ed-4542-8e3d-4d7bc73fee77",
"indicator--da0840d2-552d-4198-9f22-bb212dd53880",
"indicator--2295b11f-5b27-43ea-b152-f2f2b0580e8f",
"indicator--5ef9091e-b65c-4033-8136-878f4ddea0b5",
"indicator--a04f9dd8-a1c0-43d3-9b3b-bcfd9c95747b",
"x-misp-object--9a5c7967-ce23-4e98-956b-f1e09bc6f77b",
"indicator--fee5eb3a-c2dd-40ea-97ff-78d827b5848c",
"indicator--fad6bb9e-862f-428a-9ded-fe90217d1c18",
"indicator--b1dd9581-897d-4ac8-bd2f-98f30d601147",
"indicator--f7585879-72a8-4a51-a414-cdae1aa8947c",
"indicator--fab51584-fda0-4be9-88e2-d301c21dacd8",
"indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"indicator--09833510-9b3b-4e7f-974a-423e25b96e5b",
"x-misp-object--a6b876c3-c517-48a4-9b4e-0ae68492089a",
"x-misp-object--b3ddd480-33ba-462a-a783-98bc0315ba43",
"x-misp-object--6f954c43-b864-43ad-8579-5eda4026a3b7",
"x-misp-object--ad1e8e48-20db-488e-95fd-bb75b6f96293",
"x-misp-object--77bba20a-f103-402c-9fd6-40fd2641f7f9",
"x-misp-object--ca7257d8-9bdc-459e-9f7f-5cdeecbd549d",
"relationship--2c090051-1760-4489-b38e-a0bcdd64c710",
"relationship--a8e3f89f-f14c-44c2-b80a-9e1b0a96b9a3",
"relationship--8e15b11d-9a50-4f27-91f0-0cfab566fafe",
"relationship--3c8d3c7f-93d6-4ab4-b44c-4c71c4c50c08",
"relationship--e5b634cf-3702-42e6-a02e-74b5598613c6",
"relationship--f5d92e32-77ea-4f67-8094-02af9cf9c720",
"relationship--013a4b9a-6008-4d66-a47b-62c8231c7110",
"relationship--5113f038-fb53-4411-ae7f-baa3d669fd0f",
"relationship--361228fb-6d02-4961-9dd8-eb77a733dcae",
"relationship--fe2a37bf-2b24-4260-b471-dc5c768452db",
"relationship--27c18af4-e126-4933-8d60-fc85b7f8cf56",
"relationship--1425e16a-71a1-4bd9-ae36-3c70c0981f19",
"relationship--04e9b735-ce78-4c02-83ef-19f45b91dddc",
"relationship--4e5cb4f5-2624-41a3-ae54-bf92454526ce",
"relationship--cba782a1-ae92-4afc-b610-3d57bba2433a"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"tlp:clear",
"misp-galaxy:tool=\"HALFRIG\"",
"misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
"misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
"misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"",
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
"misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"",
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"",
"admiralty-scale:source-reliability=\"a\"",
"estimative-language:confidence-in-analytic-judgment=\"high\"",
"estimative-language:likelihood-probability=\"almost-certain\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--e7963e75-00ed-4542-8e3d-4d7bc73fee77",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:25:24.000Z",
"modified": "2023-04-19T11:25:24.000Z",
"labels": [
"misp:type=\"pattern-in-traffic\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Network activity",
"x_misp_comment": "Pattern-ENVYSCOUT backend fingerprint collector",
"x_misp_type": "pattern-in-traffic",
"x_misp_value": "sawabfoundation.net/p.php?ip=<IP>&ua=<USER_AGENT>"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--da0840d2-552d-4198-9f22-bb212dd53880",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:18:47.000Z",
"modified": "2023-04-19T11:18:47.000Z",
"description": "ENVYSCOUT",
"pattern": "[url:value = 'sawabfoundation.net/note.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T11:18:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2295b11f-5b27-43ea-b152-f2f2b0580e8f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:18:53.000Z",
"modified": "2023-04-19T11:18:53.000Z",
"description": "compromised hosting used for ENVYSCOUT",
"pattern": "[domain-name:value = 'sawabfoundation.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T11:18:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ef9091e-b65c-4033-8136-878f4ddea0b5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:18:59.000Z",
"modified": "2023-04-19T11:18:59.000Z",
"description": "CobaltStrike redirector",
"pattern": "[domain-name:value = 'communitypowersports.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T11:18:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a04f9dd8-a1c0-43d3-9b3b-bcfd9c95747b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:19:05.000Z",
"modified": "2023-04-19T11:19:05.000Z",
"description": "Actual CobaltStrike C2",
"pattern": "[domain-name:value = 'sanjosemotosport.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T11:19:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9a5c7967-ce23-4e98-956b-f1e09bc6f77b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-18T07:45:44.000Z",
"modified": "2023-04-18T07:45:44.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb",
"category": "External analysis",
"uuid": "c5e93a26-3edb-468d-8231-548ab7518f30"
},
{
"type": "text",
"object_relation": "summary",
"value": "HALFRIG is a stager for CobaltStrike Beacon that was used in an espionage campaign significantly\r\noverlapping with publicly described activity linked to the APT291 and NOBELIUM2 activity sets. HALFRIG\r\nhas significant code overlap with the QUARTERRIG and it is highly probable that it was developed\r\nby the same team.",
"category": "Other",
"uuid": "4433e9c9-7e46-4bd1-a31b-31ec7fd42fe7"
},
{
"type": "text",
"object_relation": "type",
"value": "Report",
"category": "Other",
"uuid": "a2b33d90-ff72-47d1-af81-a90215d00c96"
},
{
"type": "attachment",
"object_relation": "report-file",
"value": "HALFRIG_.pdf",
"category": "External analysis",
"uuid": "acb1b478-874b-4e5d-adbe-54b25f38c80f",
"data": "JVBERi0xLjcNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhlbi1VUykgL1N0cnVjdFRyZWVSb290IDEzNSAwIFIvTWFya0luZm88PC9NYXJrZWQgdHJ1ZT4+L01ldGFkYXRhIDEwNjYgMCBSL1ZpZXdlclByZWZlcmVuY2VzIDEwNjcgMCBSPj4NCmVuZG9iag0KMiAwIG9iag0KPDwvVHlwZS9QYWdlcy9Db3VudCAyMC9LaWRzWyAzIDAgUiAxNSAwIFIgMjQgMCBSIDI2IDAgUiAyOSAwIFIgMzcgMCBSIDQwIDAgUiA0MiAwIFIgNDMgMCBSIDQ1IDAgUiA0NiAwIFIgNDggMCBSIDQ5IDAgUiA1MCAwIFIgNTIgMCBSIDU0IDAgUiA1NyAwIFIgNTggMCBSIDYwIDAgUiAxMzAgMCBSXSA+Pg0KZW5kb2JqDQozIDAgb2JqDQo8PC9UeXBlL1BhZ2UvUGFyZW50IDIgMCBSL1Jlc291cmNlczw8L0ZvbnQ8PC9GMSA1IDAgUi9GMiA5IDAgUi9GMyAxMSAwIFIvRjQgMTMgMCBSPj4vRXh0R1N0YXRlPDwvR1M3IDcgMCBSL0dTOCA4IDAgUj4+L1Byb2NTZXRbL1BERi9UZXh0L0ltYWdlQi9JbWFnZUMvSW1hZ2VJXSA+Pi9NZWRpYUJveFsgMCAwIDU5NS4zMiA4NDEuOTJdIC9Db250ZW50cyA0IDAgUi9Hcm91cDw8L1R5cGUvR3JvdXAvUy9UcmFuc3BhcmVuY3kvQ1MvRGV2aWNlUkdCPj4vVGFicy9TL1N0cnVjdFBhcmVudHMgMD4+DQplbmRvYmoNCjQgMCBvYmoNCjw8L0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggMTA1Nz4+DQpzdHJlYW0NCnicvVhLb9s4EL4L8H/gaSEVMM3hm4uigOumaYsGyMYG9hD0oCaKa8DrpIqbwv++M/KjsiXFj6jrg2CSQ8033wxnRuz18/nkLr2Zs9eve/35PL35lt2y697o/uFLb7R4yHqX6XgyS+eT+1lv+OPrnKY+ZOltlr95w96+G7DvnUhwQT/vHTDBTDBcSeY18CBZnnWif1+xWSd6O+pEvffAALjQbHTXiUhaMGAyOG4dc8HSxtF/KHc+dGz8iK9m42LkV6PzTnQds6Sr8WHLf76w0adOdIY6/ulELWBSILmCMqYCygbBafpQlp1dDBjrXRLhF4OP75hoj0gnuJeaOStoxx7QFSBwGhDJwPBga4FIw709GohsH4iwXB/PiGoPiFKWu8Cstzz4o4Ho1hmx1nGjjwZiTgOingGiA1dH47Dt45Ceh6NxuFNxqFoQxocaEB8SgLifgIk/J6Di9wno+CoBGX+k4fkeiL4liOA9t6EB4j6ewmkgNGqt5QkznFmh4Ma4YjUfl0dXBa6LdPozzTPWn6XTxSOVi0ni4kd2lT3c54mK5y8qHBV40miuzeHw9qbkUnHoLpGBlM6vAaGCbYTTzUQhDV4B0OTW5u2lpUGFMxtUSKw0tqRhS8wqQepw+lsnunu1pvFPo0X6Xg532MA6VFnXHsLBdkgpXEmzEMbanaWVHdwDrXjhV0+KEqkVD6jNeq5DYZHVxYR2XPvixcpT7Te6CDeaMAEnACPPcG0bvfF/WUHR3ZoZTV6SFS+JoMLB0SYsCGVKBmrvrN9dK50OQ20q6wbPHa7h65X/PZyu1wEbR++aPPAHERLlJ0BsYldVzwBYC6dGj3JauoboKWdIQmgMkxgWqMJqwTUWbQt8efyVwthhXdjolEFzI9FGDJzdNFQ1at1HAflTacOdwQZEc+WYxAYtYFBho1jkeXqHoPWflN6J3Oflhyt93+nFlgMJeq50IajQBvAU0r9LyBawUl912O5NAZLbbaZRHF3tjOG22t19up8kXRnPqPCx9PZpWQ9x5hGLYVfFC/a
VRou/K1XxRaA0ekvKJlB7a6BtmRupua1+lFwQAQUZU3oU/+ZpvmCD+x+zRMfzDBuHfEJSBX80nG6Lj7NkuXiTJSZmwyx/KuZx2CqfRgaOeaDBkL18upb5FKHu2+qvdm1W2FLh91ODsr02+3Zttph1RJX6wRm5+4oeIwwDjmFz+bllHgKQ0xsA7PBQS8W6FadWmk4DtwgGHHX1eEAx966zX/SsRCnfOczOnq4d0AJdCCqGNd7qhmwnS13tIXs3VFQvPJBCTwuq5psEVHE91Mez+ICeyCfT5XXRrj9eBoF0Y19ZB4FR7aOyN7q5jqWQqm3VytBlQr31ey9ZoGUneM19TXp/Ak60i5Ztp1ZDNCptOAe/AF5qCdENCmVuZHN0cmVhbQ0KZW5kb2JqDQo1IDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YxL0Jhc2VGb250L0JDREVFRStSYWpkaGFuaS1SZWd1bGFyL0VuY29kaW5nL1dpbkFuc2lFbmNvZGluZy9Gb250RGVzY3JpcHRvciA2IDAgUi9GaXJzdENoYXIgMzIvTGFzdENoYXIgMTIyL1dpZHRocyAxMDQ0IDAgUj4+DQplbmRvYmoNCjYgMCBvYmoNCjw8L1R5cGUvRm9udERlc2NyaXB0b3IvRm9udE5hbWUvQkNERUVFK1JhamRoYW5pLVJlZ3VsYXIvRmxhZ3MgMzIvSXRhbGljQW5nbGUgMC9Bc2NlbnQgOTMwL0Rlc2NlbnQgLTM0Ni9DYXBIZWlnaHQgOTMwL0F2Z1dpZHRoIDQ3Ny9NYXhXaWR0aCAyNDM2L0ZvbnRXZWlnaHQgNDAwL1hIZWlnaHQgMjUwL1N0ZW1WIDQ3L0ZvbnRCQm94WyAtNDE2IC0zNDYgMjAyMCA5MzBdIC9Gb250RmlsZTIgMTA0MiAwIFI+Pg0KZW5kb2JqDQo3IDAgb2JqDQo8PC9UeXBlL0V4dEdTdGF0ZS9CTS9Ob3JtYWwvY2EgMT4+DQplbmRvYmoNCjggMCBvYmoNCjw8L1R5cGUvRXh0R1N0YXRlL0JNL05vcm1hbC9DQSAxPj4NCmVuZG9iag0KOSAwIG9iag0KPDwvVHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GMi9CYXNlRm9udC9CQ0RGRUUrVmVyZGFuYS1Cb2xkL0VuY29kaW5nL1dpbkFuc2lFbmNvZGluZy9Gb250RGVzY3JpcHRvciAxMCAwIFIvRmlyc3RDaGFyIDMyL0xhc3RDaGFyIDMyL1dpZHRocyAxMDQ1IDAgUj4+DQplbmRvYmoNCjEwIDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JDREZFRStWZXJkYW5hLUJvbGQvRmxhZ3MgMzIvSXRhbGljQW5nbGUgMC9Bc2NlbnQgMTAwNS9EZXNjZW50IC0yMDcvQ2FwSGVpZ2h0IDc2NS9BdmdXaWR0aCA1NjgvTWF4V2lkdGggMjI1Ny9Gb250V2VpZ2h0IDcwMC9YSGVpZ2h0IDI1MC9TdGVtViA1Ni9Gb250QkJveFsgLTU1MCAtMjA3IDE3MDcgNzY1XSAvRm9udEZpbGUyIDEwNDYgMCBSPj4NCmVuZG9iag0KMTEgMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL05hbWUvRjMvQmFzZUZvbnQvQkNER0VFK1JhamRoYW5pLVNlbWlCb2xkL0VuY29kaW5nL1dpbkFuc2lFbmNvZGluZy9Gb250RGVzY3JpcHRvciAxMiAwIFIvRmlyc3RDaGFyIDMyL0xhc3RDaGFyIDEyMS9XaWR0aHMgMTA1MCAwIFI+Pg0KZW5kb2JqDQoxMiAwIG9iag0KPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9CQ0RHRUUrUmFqZGhhbmktU2V
taUJvbGQvRmxhZ3MgMzIvSXRhbGljQW5nbGUgMC9Bc2NlbnQgOTMwL0Rlc2NlbnQgLTM0Ni9DYX
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fee5eb3a-c2dd-40ea-97ff-78d827b5848c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-18T13:58:31.000Z",
"modified": "2023-04-18T13:58:31.000Z",
"name": "APT29_HALFRIG_OBFUSCATION",
"description": "A rule that can be used to scan for HALFRIG",
"pattern": "rule APT29_HALFRIG_OBFUSCATION\r\n{\r\nmeta:\r\ndescription = \\\\\"Detects obfuscation patterns used in HALFRIG. This rule wasn\\'t tested against large dataset, it should be used for threat hunting and not on services like VTI.\\\\\"\r\n\r\nstrings:\r\n\r\n// Decryption constants and decryption operation\r\n\r\n$ = {48 BB 0B 91 09 19 4D FD 9B F3 }\r\n\r\n\r\n$ = {4D 8D 40 01 48 8B CA 48 8B C2 48 C1 E9 38 48 83 C9 01 48 C1 E0 08 48 8B D1 48 33 D0}\r\n\r\n\r\n$ = {C7 05 [3] 00 F7 91 4D 01 }\r\n\r\n condition:\r\n\r\nuint16(0) == 0x5A4D\r\n\r\nand\r\n\r\nfilesize < 500KB\r\n\r\nand\r\n\r\nall of them\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2023-04-18T13:58:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_reference": "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fad6bb9e-862f-428a-9ded-fe90217d1c18",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:13:38.000Z",
"modified": "2023-04-19T11:13:38.000Z",
"description": "Legitimate binary used for loading malicious DLL",
"pattern": "[file:hashes.MD5 = '83863beee3502e42ced7e4b6dacb9eac' AND file:hashes.SHA1 = 'd9d40cb3e2fe05cf223dc0b592a592c132340042' AND file:hashes.SHA256 = 'cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27' AND file:name = 'Note.exe' AND file:size = '1597000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T11:13:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b1dd9581-897d-4ac8-bd2f-98f30d601147",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T09:53:01.000Z",
"modified": "2023-04-19T09:53:01.000Z",
"description": "Virtual disc container",
"pattern": "[file:hashes.MD5 = '0e5ed33778ee9c020aa067546384abcb' AND file:hashes.SHA1 = 'fbb482415f5312ed64b3a0ebee7fed5e6610c21a' AND file:hashes.SHA256 = 'd1455c42553fab54e78c874525c812aaefb1f3cc69f9c314649bd6e4e57b9fa9' AND file:name = 'Note.iso' AND file:size = '2688000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T09:53:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f7585879-72a8-4a51-a414-cdae1aa8947c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:13:58.000Z",
"modified": "2023-04-19T11:13:58.000Z",
"description": "1st module",
"pattern": "[file:hashes.MD5 = 'f532c0247b683de8936982e86876093b' AND file:hashes.SHA1 = 'f61e0d09be2fc81d6f325aa7041be6136a747c2d' AND file:hashes.SHA256 = 'ddf218e4e7ccd5e8bd502fb115d1e7fbfaa393fb7e0b3b9001168caebc771c50' AND file:name = 'AppvIsvSubsystems64.dll' AND file:size = '27000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T11:13:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fab51584-fda0-4be9-88e2-d301c21dacd8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:14:12.000Z",
"modified": "2023-04-19T11:14:12.000Z",
"description": "2nd module\r\n",
"pattern": "[file:hashes.MD5 = 'abc87df854f31725dd1d7231f6f07354' AND file:hashes.SHA1 = 'e418d37fdcf4c288884bfe744b416cbdb0243a9e' AND file:hashes.SHA256 = 'efeb7d9d0fabe464a32c4e33fe756d6ef7a9b369c0f1462b3dd573b6b667488e' AND file:name = 'msword.dll' AND file:size = '53000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T11:14:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T11:14:33.000Z",
"modified": "2023-04-19T11:14:33.000Z",
"description": "3rd module",
"pattern": "[file:hashes.MD5 = '2ffaa8cbc7f0d21d03d3dd897d974dba' AND file:hashes.SHA1 = '6dff9a9f13300a5ce72a70d907ff7854599e990a' AND file:hashes.SHA256 = 'cfa65036aff012d7478694ea733e3e882cf8e18f336af5fba3ed2ef29160d45b' AND file:name = 'envsrv.dll' AND file:size = '56000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T11:14:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--09833510-9b3b-4e7f-974a-423e25b96e5b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T09:01:53.000Z",
"modified": "2023-04-19T09:01:53.000Z",
"description": "4 module (shellcode stager)",
"pattern": "[file:hashes.MD5 = '5b6d8a474c556fe327004ed8a33edcdb' AND file:hashes.SHA1 = 'a677b6aa958fe02cac0730d36e8123648e02884f' AND file:hashes.SHA256 = '86edfd6c7a2fab8c50a372494e3d5b08c032cca754396f6e288d5d4c5738cb4c' AND file:name = 'mschost.dll' AND file:size = '391000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-19T09:01:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a6b876c3-c517-48a4-9b4e-0ae68492089a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T09:02:52.000Z",
"modified": "2023-04-19T09:02:52.000Z",
"labels": [
"misp:name=\"process\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": "RunTimeBroker.exe",
"category": "Other",
"uuid": "074efb8b-4300-44e1-b81b-85c33a3f61f8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "process"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b3ddd480-33ba-462a-a783-98bc0315ba43",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T09:03:25.000Z",
"modified": "2023-04-19T09:03:25.000Z",
"labels": [
"misp:name=\"process\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": "TaskHostW.exe",
"category": "Other",
"uuid": "68894fb2-fa01-453b-9af5-015195c38906"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "process"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6f954c43-b864-43ad-8579-5eda4026a3b7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T09:04:02.000Z",
"modified": "2023-04-19T09:04:02.000Z",
"labels": [
"misp:name=\"process\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": "Svchost.exe",
"category": "Other",
"uuid": "8ea48407-6a1b-4233-a836-3d8c6783a85d"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "process"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ad1e8e48-20db-488e-95fd-bb75b6f96293",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T09:05:04.000Z",
"modified": "2023-04-19T09:05:04.000Z",
"labels": [
"misp:name=\"process\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": "IpfHelper.exe",
"category": "Other",
"uuid": "6dccd3a5-bbd3-4d7a-9feb-5938f484bff7"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "process"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--77bba20a-f103-402c-9fd6-40fd2641f7f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T09:05:19.000Z",
"modified": "2023-04-19T09:05:19.000Z",
"labels": [
"misp:name=\"process\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": "SecurityHealthService.exe",
"category": "Other",
"uuid": "8ac9b619-8143-4553-9793-2728db1d3e9a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "process"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ca7257d8-9bdc-459e-9f7f-5cdeecbd549d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-19T09:05:45.000Z",
"modified": "2023-04-19T09:05:45.000Z",
"labels": [
"misp:name=\"process\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "name",
"value": "ApplicationFrameHost.exe",
"category": "Other",
"uuid": "b30ddce2-82a8-46a9-838c-a019c2549d00"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "process"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2c090051-1760-4489-b38e-a0bcdd64c710",
"created": "2023-04-19T11:13:38.000Z",
"modified": "2023-04-19T11:13:38.000Z",
"relationship_type": "followed-by",
"source_ref": "indicator--fad6bb9e-862f-428a-9ded-fe90217d1c18",
"target_ref": "indicator--f7585879-72a8-4a51-a414-cdae1aa8947c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a8e3f89f-f14c-44c2-b80a-9e1b0a96b9a3",
"created": "2023-04-19T09:51:50.000Z",
"modified": "2023-04-19T09:51:50.000Z",
"relationship_type": "contains",
"source_ref": "indicator--b1dd9581-897d-4ac8-bd2f-98f30d601147",
"target_ref": "indicator--fad6bb9e-862f-428a-9ded-fe90217d1c18"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8e15b11d-9a50-4f27-91f0-0cfab566fafe",
"created": "2023-04-19T09:52:12.000Z",
"modified": "2023-04-19T09:52:12.000Z",
"relationship_type": "contains",
"source_ref": "indicator--b1dd9581-897d-4ac8-bd2f-98f30d601147",
"target_ref": "indicator--f7585879-72a8-4a51-a414-cdae1aa8947c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3c8d3c7f-93d6-4ab4-b44c-4c71c4c50c08",
"created": "2023-04-19T09:52:30.000Z",
"modified": "2023-04-19T09:52:30.000Z",
"relationship_type": "contains",
"source_ref": "indicator--b1dd9581-897d-4ac8-bd2f-98f30d601147",
"target_ref": "indicator--fab51584-fda0-4be9-88e2-d301c21dacd8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e5b634cf-3702-42e6-a02e-74b5598613c6",
"created": "2023-04-19T09:52:46.000Z",
"modified": "2023-04-19T09:52:46.000Z",
"relationship_type": "contains",
"source_ref": "indicator--b1dd9581-897d-4ac8-bd2f-98f30d601147",
"target_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f5d92e32-77ea-4f67-8094-02af9cf9c720",
"created": "2023-04-19T09:53:01.000Z",
"modified": "2023-04-19T09:53:01.000Z",
"relationship_type": "contains",
"source_ref": "indicator--b1dd9581-897d-4ac8-bd2f-98f30d601147",
"target_ref": "indicator--09833510-9b3b-4e7f-974a-423e25b96e5b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--013a4b9a-6008-4d66-a47b-62c8231c7110",
"created": "2023-04-19T11:13:58.000Z",
"modified": "2023-04-19T11:13:58.000Z",
"relationship_type": "followed-by",
"source_ref": "indicator--f7585879-72a8-4a51-a414-cdae1aa8947c",
"target_ref": "indicator--fab51584-fda0-4be9-88e2-d301c21dacd8"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5113f038-fb53-4411-ae7f-baa3d669fd0f",
"created": "2023-04-19T11:14:12.000Z",
"modified": "2023-04-19T11:14:12.000Z",
"relationship_type": "followed-by",
"source_ref": "indicator--fab51584-fda0-4be9-88e2-d301c21dacd8",
"target_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--361228fb-6d02-4961-9dd8-eb77a733dcae",
"created": "2023-04-19T09:07:38.000Z",
"modified": "2023-04-19T09:07:38.000Z",
"relationship_type": "injected-into",
"source_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"target_ref": "x-misp-object--a6b876c3-c517-48a4-9b4e-0ae68492089a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fe2a37bf-2b24-4260-b471-dc5c768452db",
"created": "2023-04-19T09:07:48.000Z",
"modified": "2023-04-19T09:07:48.000Z",
"relationship_type": "injected-into",
"source_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"target_ref": "x-misp-object--b3ddd480-33ba-462a-a783-98bc0315ba43"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--27c18af4-e126-4933-8d60-fc85b7f8cf56",
"created": "2023-04-19T09:08:16.000Z",
"modified": "2023-04-19T09:08:16.000Z",
"relationship_type": "injected-into",
"source_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"target_ref": "x-misp-object--6f954c43-b864-43ad-8579-5eda4026a3b7"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1425e16a-71a1-4bd9-ae36-3c70c0981f19",
"created": "2023-04-19T09:08:30.000Z",
"modified": "2023-04-19T09:08:30.000Z",
"relationship_type": "injected-into",
"source_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"target_ref": "x-misp-object--ad1e8e48-20db-488e-95fd-bb75b6f96293"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--04e9b735-ce78-4c02-83ef-19f45b91dddc",
"created": "2023-04-19T09:08:55.000Z",
"modified": "2023-04-19T09:08:55.000Z",
"relationship_type": "injected-into",
"source_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"target_ref": "x-misp-object--77bba20a-f103-402c-9fd6-40fd2641f7f9"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4e5cb4f5-2624-41a3-ae54-bf92454526ce",
"created": "2023-04-19T09:09:03.000Z",
"modified": "2023-04-19T09:09:03.000Z",
"relationship_type": "injected-into",
"source_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"target_ref": "x-misp-object--ca7257d8-9bdc-459e-9f7f-5cdeecbd549d"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--cba782a1-ae92-4afc-b610-3d57bba2433a",
"created": "2023-04-19T11:14:33.000Z",
"modified": "2023-04-19T11:14:33.000Z",
"relationship_type": "followed-by",
"source_ref": "indicator--4e8ebc97-432e-48f6-af54-e6f1f4589a0d",
"target_ref": "indicator--09833510-9b3b-4e7f-974a-423e25b96e5b"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}