{
"type" : "bundle" ,
"id" : "bundle--5a462890-bb44-47c7-ba3b-21bda5fe7088" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T12:15:11.000Z" ,
"modified" : "2017-12-29T12:15:11.000Z" ,
"name" : "Crimeware" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5a462890-bb44-47c7-ba3b-21bda5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T12:15:11.000Z" ,
"modified" : "2017-12-29T12:15:11.000Z" ,
"name" : "Threat Analysis: Malicious Microsoft Word Documents Being Used in Targeted Attack Campaigns" ,
"published" : "2018-04-24T22:38:54Z" ,
"object_refs" : [
"observed-data--5a462b24-9d10-4f02-afce-24b9a5fe7088" ,
"file--5a462b24-9d10-4f02-afce-24b9a5fe7088" ,
"artifact--5a462b24-9d10-4f02-afce-24b9a5fe7088" ,
"observed-data--5a462a87-dd74-4356-be5c-21c0a5fe7088" ,
"url--5a462a87-dd74-4356-be5c-21c0a5fe7088" ,
"observed-data--5a462921-ae28-47ba-b058-24b8a5fe7088" ,
"url--5a462921-ae28-47ba-b058-24b8a5fe7088" ,
"x-misp-attribute--5a46293d-1dd0-4aa8-b2dc-24cea5fe7088" ,
"indicator--5a462a00-89c8-449f-8cee-24c3a5fe7088" ,
"indicator--5a462a01-69f8-4ee8-b0ce-24c3a5fe7088" ,
"indicator--5a462a01-04d0-4bb8-ae2e-24c3a5fe7088" ,
"indicator--5a462a01-f43c-4d17-8f06-24c3a5fe7088" ,
"indicator--5a462a01-40a8-4652-9457-24c3a5fe7088" ,
"indicator--5a462a00-2338-4071-b27e-24c3a5fe7088" ,
"indicator--5a462993-bad8-4de5-bc25-21bea5fe7088" ,
"indicator--5a462a39-a918-4393-9c0f-21c0a5fe7088" ,
"indicator--5a462a39-b014-485d-858b-21c0a5fe7088" ,
"indicator--5a462a39-9690-4c69-96a4-21c0a5fe7088" ,
"indicator--5a462a39-bc88-4dd8-99ef-21c0a5fe7088" ,
"indicator--5a462a39-971c-44eb-8fac-21c0a5fe7088" ,
"indicator--5a462994-0180-478c-950f-21bea5fe7088" ,
"indicator--5a462a39-041c-420e-84fc-21c0a5fe7088" ,
"indicator--5a462994-4a3c-4344-a383-21bea5fe7088" ,
"indicator--5a462a39-9f74-4044-ba5f-21c0a5fe7088" ,
"indicator--5a462a39-c24c-450f-acd2-21c0a5fe7088" ,
"indicator--5a462a39-85fc-4ac2-ad5d-21c0a5fe7088" ,
"indicator--5a462a39-4008-4bbb-85cc-21c0a5fe7088" ,
"indicator--5a462994-4cd4-4f75-b09a-21bea5fe7088" ,
"indicator--5a462a39-905c-4cb6-bb25-21c0a5fe7088" ,
"indicator--5a462a39-99e0-4dd8-bf3d-21c0a5fe7088"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"osint:source-type=\"blog-post\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a462b24-9d10-4f02-afce-24b9a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:46:44.000Z" ,
"modified" : "2017-12-29T11:46:44.000Z" ,
"first_observed" : "2017-12-29T11:46:44Z" ,
"last_observed" : "2017-12-29T11:46:44Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5a462b24-9d10-4f02-afce-24b9a5fe7088" ,
"artifact--5a462b24-9d10-4f02-afce-24b9a5fe7088"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5a462b24-9d10-4f02-afce-24b9a5fe7088" ,
"name" : "Figure_10_fixed_for_release.jpg" ,
"content_ref" : "artifact--5a462b24-9d10-4f02-afce-24b9a5fe7088"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5a462b24-9d10-4f02-afce-24b9a5fe7088" ,
"payload_bin" : " / 9 j / 4 Q A Y R X h p Z g A A S U k q A A g A A A A A A A A A A A A A A P / s A B F E d W N r e Q A B A A Q A A A A 8 A A D / 4 Q M q a H R 0 c D o v L 25 z L m F k b 2 J l L m N v b S 94 Y X A v M S 4 w L w A 8 P 3 h w Y W N r Z X Q g Y m V n a W 49 I u + 7 v y I g a W Q 9 I l c 1 T T B N c E N l a G l I e n J l U 3 p O V G N 6 a 2 M 5 Z C I / P i A 8 e D p 4 b X B t Z X R h I H h t b G 5 z O n g 9 I m F k b 2 J l O m 5 z O m 1 l d G E v I i B 4 O n h t c H R r P S J B Z G 9 i Z S B Y T V A g Q 29 y Z S A 1 L j Y t Y z E 0 M i A 3 O S 4 x N j A 5 M j Q s I D I w M T c v M D c v M T M t M D E 6 M D Y 6 M z k g I C A g I C A g I C I + I D x y Z G Y 6 U k R G I H h t b G 5 z O n J k Z j 0 i a H R 0 c D o v L 3 d 3 d y 53 M y 5 v c m c v M T k 5 O S 8 w M i 8 y M i 1 y Z G Y t c 3 l u d G F 4 L W 5 z I y I + I D x y Z G Y 6 R G V z Y 3 J p c H R p b 24 g c m R m O m F i b 3 V 0 P S I i I H h t b G 5 z O n h t c D 0 i a H R 0 c D o v L 25 z L m F k b 2 J l L m N v b S 94 Y X A v M S 4 w L y I g e G 1 s b n M 6 e G 1 w T U 0 9 I m h 0 d H A 6 L y 9 u c y 5 h Z G 9 i Z S 5 j b 20 v e G F w L z E u M C 9 t b S 8 i I H h t b G 5 z O n N 0 U m V m P S J o d H R w O i 8 v b n M u Y W R v Y m U u Y 29 t L 3 h h c C 8 x L j A v c 1 R 5 c G U v U m V z b 3 V y Y 2 V S Z W Y j I i B 4 b X A 6 Q 3 J l Y X R v c l R v b 2 w 9 I k F k b 2 J l I F B o b 3 R v c 2 h v c C B D Q y A o V 2 l u Z G 93 c y k i I H h t c E 1 N O k l u c 3 R h b m N l S U Q 9 I n h t c C 5 p a W Q 6 R T N B Q k E 4 M D B F N E U z M T F F N 0E3 O D B G N 0 U y Q j U x Q j l B M z U i I H h t c E 1 N O k R v Y 3 V t Z W 50 S U Q 9 I n h t c C 5 k a W Q 6 R T N B Q k E 4 M D F F N E U z M T F F N 0E3 O D B G N 0 U y Q j U x Q j l B M z U i P i A 8 e G 1 w T U 0 6 R G V y a X Z l Z E Z y b 20 g c 3 R S Z W Y 6 a W 5 z d G F u Y 2 V J R D 0 i e G 1 w L m l p Z D p F M 0 F C Q T d G R U U 0 R T M x M U U 3 Q T c 4 M E Y 3 R T J C N T F C O U E z N S I g c 3 R S Z W Y 6 Z G 9 j d W 1 l b n R 
J R D 0 i e G 1 w L m R p Z D p F M 0 F C Q T d G R k U 0 R T M x M U U 3 Q T c 4 M E Y 3 R T J C N T F C O U E z N S I v P i A 8 L 3 J k Z j p E Z X N j c m l w d G l v b j 4 g P C 9 y Z G Y 6 U k R G P i A 8 L 3 g 6 e G 1 w b W V 0 Y T 4 g P D 94 c G F j a 2 V 0 I G V u Z D 0 i c i I / P v / u A A 5 B Z G 9 i Z Q B k w A A A A A H / 2 w C E A A Y E B A Q F B A Y F B Q Y J B g U G C Q s I B g Y I C w w K C g s K C g w Q D A w M D A w M E A w O D x A P D g w T E x Q U E x M c G x s b H B 8 f H x 8 f H x 8 f H x 8 B B w c H D Q w N G B A Q G B o V E R U a H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H x 8 f H 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
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a462a87-dd74-4356-be5c-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:44:07.000Z" ,
"modified" : "2017-12-29T11:44:07.000Z" ,
"first_observed" : "2017-12-29T11:44:07Z" ,
"last_observed" : "2017-12-29T11:44:07Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a462a87-dd74-4356-be5c-21c0a5fe7088"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a462a87-dd74-4356-be5c-21c0a5fe7088" ,
"value" : "https://www.cobaltstrike.com/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a462921-ae28-47ba-b058-24b8a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:38:09.000Z" ,
"modified" : "2017-12-29T11:38:09.000Z" ,
"first_observed" : "2017-12-29T11:38:09Z" ,
"last_observed" : "2017-12-29T11:38:09Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a462921-ae28-47ba-b058-24b8a5fe7088"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a462921-ae28-47ba-b058-24b8a5fe7088" ,
"value" : "https://www.carbonblack.com/2017/12/19/threat-analysis-malicious-microsoft-word-documents-used-targeted-attack-campaigns/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5a46293d-1dd0-4aa8-b2dc-24cea5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:38:37.000Z" ,
"modified" : "2017-12-29T11:38:37.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "A Microsoft Word document (.doc) believed to be malicious was recently submitted to Carbon Black\u2019s Threat Analysis Unit (TAU). The submitting organization did not feel that the document (and subsequent payload) was fully executing in their analysis environment, and questioned whether or not it was actually malicious.\r\n\r\nThe submitted file was part of a targeted attack against an organization, and would not properly run unless the infected system was configured for a domain that matched a hard-coded pattern. The malicious carrier file contained embedded macros which would launch a series of VB scripts. Ultimately the scripts would inject a Cobalt Strike payload into a running process. While researching this variant, TAU discovered numerous other variants (both .doc and .docx formats) which were written in the same manner. Only one instance contained the portion of code to ensure the script would only run at a targeted domain. All of these variants had very low coverage when run through an analysis engine, and as this technique emerges it will continue to be used in targeted attacks and eventually commoditized."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a00-89c8-449f-8cee-24c3a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:41:52.000Z" ,
"modified" : "2017-12-29T11:41:52.000Z" ,
"description" : "Cobalt Strike C2" ,
"pattern" : "[domain-name:value = 'carbon-copy-marketing.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:41:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a01-69f8-4ee8-b0ce-24c3a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:41:53.000Z" ,
"modified" : "2017-12-29T11:41:53.000Z" ,
"description" : "Cobalt Strike C2" ,
"pattern" : "[domain-name:value = 'free-clipart-archive.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:41:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a01-04d0-4bb8-ae2e-24c3a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:41:53.000Z" ,
"modified" : "2017-12-29T11:41:53.000Z" ,
"description" : "Cobalt Strike C2" ,
"pattern" : "[domain-name:value = 'stationmovil.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:41:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a01-f43c-4d17-8f06-24c3a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:41:53.000Z" ,
"modified" : "2017-12-29T11:41:53.000Z" ,
"description" : "Cobalt Strike C2" ,
"pattern" : "[domain-name:value = 'www.bankingandfinanceexpert.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:41:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a01-40a8-4652-9457-24c3a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:41:53.000Z" ,
"modified" : "2017-12-29T11:41:53.000Z" ,
"description" : "Cobalt Strike C2" ,
"pattern" : "[domain-name:value = 'www.themediaeducation.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:41:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a00-2338-4071-b27e-24c3a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:41:52.000Z" ,
"modified" : "2017-12-29T11:41:52.000Z" ,
"description" : "Cobalt Strike C2" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.83.58.231']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:41:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462993-bad8-4de5-bc25-21bea5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:40:03.000Z" ,
"modified" : "2017-12-29T11:40:03.000Z" ,
"description" : "Embedded payload" ,
"pattern" : "[file:name = 'Cobalt_Strike.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:40:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-a918-4393-9c0f-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.MD5 = '3f06c23c4119d720b2a627ab5454a3e0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-b014-485d-858b-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.MD5 = '376396fceb8e52425780459c41ac3ab4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-9690-4c69-96a4-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd79a8e0a9e8c7294351657f7897fd121']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-bc88-4dd8-99ef-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.MD5 = 'c17cfcab0d115732a262da8a58dcf318']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-971c-44eb-8fac-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.MD5 = '81af1f218c0a44ea39aa3eca78f24bc0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462994-0180-478c-950f-21bea5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:40:04.000Z" ,
"modified" : "2017-12-29T11:40:04.000Z" ,
"description" : "Embedded payload" ,
"pattern" : "[file:hashes.MD5 = 'f2f52c78d594c37b546f6c09207cb481']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:40:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-041c-420e-84fc-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.MD5 = 'c916685d48dec5891e92c09e18300381']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462994-4a3c-4344-a383-21bea5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:40:04.000Z" ,
"modified" : "2017-12-29T11:40:04.000Z" ,
"description" : "Embedded payload" ,
"pattern" : "[file:hashes.SHA1 = '12bc1affe86327d9f78684cde46cfff4dee57149']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:40:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-9f74-4044-ba5f-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.SHA256 = '277226cb5f59de6f4493a42e42f7ea575d65da7a033ae343166ad4fa96db8654']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-c24c-450f-acd2-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.SHA256 = '76e2277c63303df6c5b32fdacffcf37c8657ec263070a533eba100d83cade81e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-85fc-4ac2-ad5d-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.SHA256 = '2519e09e54ccc18c7dfc938760b48b559b7e4fb8465e12d8144083d2178789e2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-4008-4bbb-85cc-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'c10ee375a841fd537ede2afa9e68817ddaaaf2e6587a519c267aac6c1fe8d081']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462994-4cd4-4f75-b09a-21bea5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:40:04.000Z" ,
"modified" : "2017-12-29T11:40:04.000Z" ,
"description" : "Embedded payload" ,
"pattern" : "[file:hashes.SHA256 = 'fa405c36d82b264568219b521886d2e7ef589674874983c7db1d67928003489e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:40:04Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-905c-4cb6-bb25-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.SHA256 = '9416893eb0b8b1e7b4afd342887fa358d1ea7dbd56d4a51a25a801715c761356']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a462a39-99e0-4dd8-bf3d-21c0a5fe7088" ,
"created_by_ref" : "identity--569f692d-b290-40cc-ae1a-2c48ff32448e" ,
"created" : "2017-12-29T11:42:49.000Z" ,
"modified" : "2017-12-29T11:42:49.000Z" ,
"pattern" : "[file:hashes.SHA256 = '2a31a24ce994ae3465e77d4ec190882804233209b7f67bd4ef03375bd9b5f9ed']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-12-29T11:42:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}