2083 lines
87 KiB
JSON
2083 lines
87 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--572a1a62-2510-4a7e-b983-4793950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-27T11:59:36.000Z",
|
||
|
"modified": "2016-05-27T11:59:36.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--572a1a62-2510-4a7e-b983-4793950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-27T11:59:36.000Z",
|
||
|
"modified": "2016-05-27T11:59:36.000Z",
|
||
|
"name": "OSINT - Turbo Twist: Two 64-bit Derusbi Strains Converge",
|
||
|
"published": "2017-01-11T20:15:03Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--572a1a71-edb4-4dbf-9e8b-45bf950d210f",
|
||
|
"url--572a1a71-edb4-4dbf-9e8b-45bf950d210f",
|
||
|
"indicator--572a1abb-c7f0-43e3-91dd-4f9f950d210f",
|
||
|
"indicator--572a1abc-51b0-46d5-8898-4af8950d210f",
|
||
|
"indicator--572a1abc-d5c0-45f4-bcdc-48b4950d210f",
|
||
|
"indicator--572a1abd-5a68-4987-92e7-4d2c950d210f",
|
||
|
"indicator--572a1abd-45c8-4bfc-8611-4bcf950d210f",
|
||
|
"indicator--572a1abe-52f0-44b2-9bcd-4959950d210f",
|
||
|
"indicator--572a1abe-8664-4b07-bb34-4e7e950d210f",
|
||
|
"indicator--572a1abe-5d34-4fe1-81f5-41ef950d210f",
|
||
|
"indicator--572a1abf-1ed0-43d7-9896-4421950d210f",
|
||
|
"indicator--572a1abf-d138-4b6e-87ac-44c5950d210f",
|
||
|
"indicator--572a1ac0-5074-43cf-9b55-4aba950d210f",
|
||
|
"indicator--572a1ac0-c2d4-40e8-a3ad-4419950d210f",
|
||
|
"indicator--572a1ac0-0128-4cb3-8d96-4395950d210f",
|
||
|
"indicator--572a1ac1-b93c-4b2e-9ab8-4ce9950d210f",
|
||
|
"indicator--572a1ac1-a47c-4153-a55e-451c950d210f",
|
||
|
"indicator--572a1ac2-555c-4609-9bf1-4cef950d210f",
|
||
|
"indicator--572a1ac2-4b3c-4adc-b4c6-4358950d210f",
|
||
|
"indicator--572a1ac2-ca94-4b6d-9b99-4d60950d210f",
|
||
|
"indicator--572a1ac3-eb08-4629-a85a-4fdc950d210f",
|
||
|
"indicator--572a1ac3-84dc-4075-a1b1-4e7e950d210f",
|
||
|
"indicator--572a1ac4-21d0-4c82-9a1d-4240950d210f",
|
||
|
"indicator--572a1ac4-c738-4f9a-a8a4-4525950d210f",
|
||
|
"indicator--572a1ac4-47e8-4ce8-b070-4daa950d210f",
|
||
|
"indicator--572a1ac5-7a5c-4ab6-9ea8-4ad4950d210f",
|
||
|
"indicator--572a1ac5-760c-4d10-92e8-4546950d210f",
|
||
|
"indicator--572a1ac6-b554-4553-aa6d-4d7c950d210f",
|
||
|
"indicator--572a1ac6-5f58-4255-ba23-41da950d210f",
|
||
|
"indicator--572a1ac7-09b0-4610-bb7e-4e66950d210f",
|
||
|
"indicator--572a1ac7-6eac-4138-8f7d-49ad950d210f",
|
||
|
"indicator--572a1ac7-b4e0-4e7f-aaf5-4164950d210f",
|
||
|
"indicator--572a1ac8-d954-4e9e-ab6b-4a28950d210f",
|
||
|
"indicator--572a1ac8-57f4-4853-a7fe-4d33950d210f",
|
||
|
"indicator--572a1ac9-60d4-407e-a2ae-459d950d210f",
|
||
|
"indicator--572a1ac9-46fc-44df-afd3-4c8f950d210f",
|
||
|
"indicator--572a1ac9-a4a0-48c2-b8f0-4330950d210f",
|
||
|
"indicator--572a1aca-cc24-4464-b5d8-44ed950d210f",
|
||
|
"indicator--572a1aca-02b8-412d-a188-44ea950d210f",
|
||
|
"indicator--572a1acb-e85c-4a33-8e51-4059950d210f",
|
||
|
"indicator--572a1acb-4b5c-46f0-b8c5-4fc2950d210f",
|
||
|
"indicator--572a1acb-f270-4082-8228-4bdf950d210f",
|
||
|
"indicator--572a1acc-748c-47a5-8b2f-4340950d210f",
|
||
|
"indicator--572a1acc-6da0-424a-90b6-4af5950d210f",
|
||
|
"indicator--572a1acd-cd1c-49fb-86e6-48af950d210f",
|
||
|
"indicator--572a1acd-7580-4a9b-94eb-49ea950d210f",
|
||
|
"indicator--572a1acd-6814-4405-8470-4c12950d210f",
|
||
|
"indicator--572a1ace-f670-4710-9011-4747950d210f",
|
||
|
"indicator--572a1ace-07a8-4bdb-a6e6-4117950d210f",
|
||
|
"indicator--572a1acf-780c-4794-8875-47f8950d210f",
|
||
|
"indicator--572a1acf-7264-41e6-81e7-4972950d210f",
|
||
|
"indicator--572a1ad0-2164-4f38-a1e7-425e950d210f",
|
||
|
"indicator--572a1ad0-a6dc-4579-a520-4e6b950d210f",
|
||
|
"indicator--572a1ad0-9fd4-4b18-879c-4846950d210f",
|
||
|
"indicator--572a1ad1-37b4-4bce-9874-45a1950d210f",
|
||
|
"indicator--572a1ad1-a368-4394-b36a-4aa7950d210f",
|
||
|
"indicator--572a1ad2-6b30-4340-a85c-4771950d210f",
|
||
|
"indicator--572a1ad2-bd64-40cd-9370-494b950d210f",
|
||
|
"indicator--572a1ad2-6378-4ca5-912f-4371950d210f",
|
||
|
"indicator--572a1ad3-ac8c-46ba-91eb-4c92950d210f",
|
||
|
"indicator--572a1ad3-9464-4fe1-bbae-453d950d210f",
|
||
|
"indicator--572a1ad4-5a5c-4117-949e-432c950d210f",
|
||
|
"indicator--572a1ad4-48e0-41c4-8f1b-4c72950d210f",
|
||
|
"indicator--572a1ad4-a57c-4b1f-8850-4fcf950d210f",
|
||
|
"indicator--572a1ad5-639c-4368-a027-4790950d210f",
|
||
|
"indicator--572a1ad5-ffa4-4dfb-bd1f-4251950d210f",
|
||
|
"indicator--572a1b21-eb60-4e09-af53-4bdb950d210f",
|
||
|
"indicator--572a1b37-6ca4-45b1-b0f2-412b950d210f",
|
||
|
"indicator--572a1b37-7580-4e22-a644-40e9950d210f",
|
||
|
"indicator--572a1b37-6958-4706-af56-459d950d210f",
|
||
|
"indicator--572a1b68-1380-4d6a-9ab6-4512950d210f",
|
||
|
"indicator--572a1b68-a378-4592-8cef-41e3950d210f",
|
||
|
"indicator--572a1b68-2fa8-4247-91ec-4692950d210f",
|
||
|
"x-misp-attribute--572a1b83-4574-436e-b98b-4802950d210f",
|
||
|
"indicator--572a1bd5-d044-4155-a3fd-40bd02de0b81",
|
||
|
"indicator--572a1bd5-5cb0-4748-bcd9-45a802de0b81",
|
||
|
"observed-data--572a1bd5-3d50-4d7d-b6da-48a502de0b81",
|
||
|
"url--572a1bd5-3d50-4d7d-b6da-48a502de0b81",
|
||
|
"indicator--572a1bd6-ba08-47e0-979f-415902de0b81",
|
||
|
"indicator--572a1bd6-a978-4041-bad2-443b02de0b81",
|
||
|
"observed-data--572a1bd7-6f70-4bca-83e4-4b4002de0b81",
|
||
|
"url--572a1bd7-6f70-4bca-83e4-4b4002de0b81",
|
||
|
"indicator--572a1bd7-fa14-4fe4-9c91-45e602de0b81",
|
||
|
"indicator--572a1bd7-31a4-43e1-b8dd-458b02de0b81",
|
||
|
"observed-data--572a1bd8-15dc-49e0-afa8-43c402de0b81",
|
||
|
"url--572a1bd8-15dc-49e0-afa8-43c402de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT"
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--572a1a71-edb4-4dbf-9e8b-45bf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:51:13.000Z",
|
||
|
"modified": "2016-05-04T15:51:13.000Z",
|
||
|
"first_observed": "2016-05-04T15:51:13Z",
|
||
|
"last_observed": "2016-05-04T15:51:13Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--572a1a71-edb4-4dbf-9e8b-45bf950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--572a1a71-edb4-4dbf-9e8b-45bf950d210f",
|
||
|
"value": "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abb-c7f0-43e3-91dd-4f9f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:27.000Z",
|
||
|
"modified": "2016-05-04T15:52:27.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'asixgroupincmeer.biz']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:27Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abc-51b0-46d5-8898-4af8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:28.000Z",
|
||
|
"modified": "2016-05-04T15:52:28.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'attrcorp.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:28Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abc-d5c0-45f4-bcdc-48b4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:28.000Z",
|
||
|
"modified": "2016-05-04T15:52:28.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'smtp.attrcorp.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:28Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abd-5a68-4987-92e7-4d2c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:29.000Z",
|
||
|
"modified": "2016-05-04T15:52:29.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'office365e.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abd-45c8-4bfc-8611-4bcf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:29.000Z",
|
||
|
"modified": "2016-05-04T15:52:29.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'usapappers.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abe-52f0-44b2-9bcd-4959950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:30.000Z",
|
||
|
"modified": "2016-05-04T15:52:30.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'e.usapappers.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abe-8664-4b07-bb34-4e7e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:30.000Z",
|
||
|
"modified": "2016-05-04T15:52:30.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'bee.usapappers.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abe-5d34-4fe1-81f5-41ef950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:30.000Z",
|
||
|
"modified": "2016-05-04T15:52:30.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'ftp.usapappers.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abf-1ed0-43d7-9896-4421950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:31.000Z",
|
||
|
"modified": "2016-05-04T15:52:31.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'sun.usapappers.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:31Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1abf-d138-4b6e-87ac-44c5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:31.000Z",
|
||
|
"modified": "2016-05-04T15:52:31.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'wow.usapappers.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:31Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac0-5074-43cf-9b55-4aba950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:32.000Z",
|
||
|
"modified": "2016-05-04T15:52:32.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'shot.usapappers.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac0-c2d4-40e8-a3ad-4419950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:32.000Z",
|
||
|
"modified": "2016-05-04T15:52:32.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'email.usapappers.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac0-0128-4cb3-8d96-4395950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:32.000Z",
|
||
|
"modified": "2016-05-04T15:52:32.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac1-b93c-4b2e-9ab8-4ce9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:33.000Z",
|
||
|
"modified": "2016-05-04T15:52:33.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'bbs.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:33Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac1-a47c-4153-a55e-451c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:33.000Z",
|
||
|
"modified": "2016-05-04T15:52:33.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'fok.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:33Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac2-555c-4609-9bf1-4cef950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:34.000Z",
|
||
|
"modified": "2016-05-04T15:52:34.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'back.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac2-4b3c-4adc-b4c6-4358950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:34.000Z",
|
||
|
"modified": "2016-05-04T15:52:34.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'info.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac2-ca94-4b6d-9b99-4d60950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:34.000Z",
|
||
|
"modified": "2016-05-04T15:52:34.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'live.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac3-eb08-4629-a85a-4fdc950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:35.000Z",
|
||
|
"modified": "2016-05-04T15:52:35.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'mail.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac3-84dc-4075-a1b1-4e7e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:35.000Z",
|
||
|
"modified": "2016-05-04T15:52:35.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'news.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac4-21d0-4c82-9a1d-4240950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:36.000Z",
|
||
|
"modified": "2016-05-04T15:52:36.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'serv.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac4-c738-4f9a-a8a4-4525950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:36.000Z",
|
||
|
"modified": "2016-05-04T15:52:36.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'tele.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac4-47e8-4ce8-b070-4daa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:36.000Z",
|
||
|
"modified": "2016-05-04T15:52:36.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'thec.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac5-7a5c-4ab6-9ea8-4ad4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:37.000Z",
|
||
|
"modified": "2016-05-04T15:52:37.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'zero.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac5-760c-4d10-92e8-4546950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:37.000Z",
|
||
|
"modified": "2016-05-04T15:52:37.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'swiss.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac6-b554-4553-aa6d-4d7c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:38.000Z",
|
||
|
"modified": "2016-05-04T15:52:38.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'living.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:38Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac6-5f58-4255-ba23-41da950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:38.000Z",
|
||
|
"modified": "2016-05-04T15:52:38.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'mailsrv.dijlacultus.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:38Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac7-09b0-4610-bb7e-4e66950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:39.000Z",
|
||
|
"modified": "2016-05-04T15:52:39.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'google-dash.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:39Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac7-6eac-4138-8f7d-49ad950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:39.000Z",
|
||
|
"modified": "2016-05-04T15:52:39.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'virtualboxs.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:39Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac7-b4e0-4e7f-aaf5-4164950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:39.000Z",
|
||
|
"modified": "2016-05-04T15:52:39.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'steletracker.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-05-04T15:52:39Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--572a1ac8-d954-4e9e-ab6b-4a28950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-05-04T15:52:40.000Z",
|
||
|
"modified": "2016-05-04T15:52:40.000Z",
|
||
|
"description": "Domains identified from pDNS pivots",
|
||
|
"pattern": "[domain-name:value = 'vmtools.net']",
|
||
|
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ac8-57f4-4853-a7fe-4d33950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:40.000Z",
"modified": "2016-05-04T15:52:40.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'pwc.vmtools.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ac9-60d4-407e-a2ae-459d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:41.000Z",
"modified": "2016-05-04T15:52:41.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'win.winlogon.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ac9-46fc-44df-afd3-4c8f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:41.000Z",
"modified": "2016-05-04T15:52:41.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'asia.winlogon.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ac9-a4a0-48c2-b8f0-4330950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:41.000Z",
"modified": "2016-05-04T15:52:41.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'winner.winlogon.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1aca-cc24-4464-b5d8-44ed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:42.000Z",
"modified": "2016-05-04T15:52:42.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'hawkthorn.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1aca-02b8-412d-a188-44ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:42.000Z",
"modified": "2016-05-04T15:52:42.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'strightspunddeals.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acb-e85c-4a33-8e51-4059950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:43.000Z",
"modified": "2016-05-04T15:52:43.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'northropgruman.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acb-4b5c-46f0-b8c5-4fc2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:43.000Z",
"modified": "2016-05-04T15:52:43.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'owa.northropgruman.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acb-f270-4082-8228-4bdf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:43.000Z",
"modified": "2016-05-04T15:52:43.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'vpn.northropgruman.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acc-748c-47a5-8b2f-4340950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:44.000Z",
"modified": "2016-05-04T15:52:44.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'soft.northropgruman.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acc-6da0-424a-90b6-4af5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:44.000Z",
"modified": "2016-05-04T15:52:44.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'update.northropgruman.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acd-cd1c-49fb-86e6-48af950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:45.000Z",
"modified": "2016-05-04T15:52:45.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'software.northropgruman.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acd-7580-4a9b-94eb-49ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:45.000Z",
"modified": "2016-05-04T15:52:45.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'cegauoqsykgqecqc.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acd-6814-4405-8470-4c12950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:45.000Z",
"modified": "2016-05-04T15:52:45.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'eimqqakugeccgwak.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ace-f670-4710-9011-4747950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:46.000Z",
"modified": "2016-05-04T15:52:46.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'uogwoigiuweyccsw.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ace-07a8-4bdb-a6e6-4117950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:46.000Z",
"modified": "2016-05-04T15:52:46.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'soyy.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acf-780c-4794-8875-47f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:47.000Z",
"modified": "2016-05-04T15:52:47.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'ns1.krimeware.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1acf-7264-41e6-81e7-4972950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:47.000Z",
"modified": "2016-05-04T15:52:47.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'ns2.krimeware.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad0-2164-4f38-a1e7-425e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:48.000Z",
"modified": "2016-05-04T15:52:48.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'tianzhen.co']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad0-a6dc-4579-a520-4e6b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:48.000Z",
"modified": "2016-05-04T15:52:48.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'www.tianzhen.co']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad0-9fd4-4b18-879c-4846950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:48.000Z",
"modified": "2016-05-04T15:52:48.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'monsterlegendsvn.biz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad1-37b4-4bce-9874-45a1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:49.000Z",
"modified": "2016-05-04T15:52:49.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'www.monsterlegendsvn.biz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad1-a368-4394-b36a-4aa7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:49.000Z",
"modified": "2016-05-04T15:52:49.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'nickytoh.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad2-6b30-4340-a85c-4771950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:50.000Z",
"modified": "2016-05-04T15:52:50.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'www.nickytoh.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad2-bd64-40cd-9370-494b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:50.000Z",
"modified": "2016-05-04T15:52:50.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'seratjati.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad2-6378-4ca5-912f-4371950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:50.000Z",
"modified": "2016-05-04T15:52:50.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'aiselamodefactory.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad3-ac8c-46ba-91eb-4c92950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:51.000Z",
"modified": "2016-05-04T15:52:51.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'tasty-and-healthy.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad3-9464-4fe1-bbae-453d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:51.000Z",
"modified": "2016-05-04T15:52:51.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'nickytoh.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad4-5a5c-4117-949e-432c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:52.000Z",
"modified": "2016-05-04T15:52:52.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'www.nickytoh.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad4-48e0-41c4-8f1b-4c72950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:52.000Z",
"modified": "2016-05-04T15:52:52.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'animationmyth.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad4-a57c-4b1f-8850-4fcf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:52.000Z",
"modified": "2016-05-04T15:52:52.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'www.animationmyth.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad5-639c-4368-a027-4790950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:53.000Z",
"modified": "2016-05-04T15:52:53.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'petersenstore.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1ad5-ffa4-4dfb-bd1f-4251950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:52:53.000Z",
"modified": "2016-05-04T15:52:53.000Z",
"description": "Domains identified from pDNS pivots",
"pattern": "[domain-name:value = 'www.petersenstore.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:52:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1b21-eb60-4e09-af53-4bdb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-27T11:59:36.000Z",
"modified": "2016-05-27T11:59:36.000Z",
"pattern": "[rule apt_win32_dll_bergard_pgv_pvid_variant {\r\n meta:\r\n copyright = \"Fidelis Cybersecurity\"\r\n strings:\r\n $ = \"Accept:\"\r\n $ = \"User-Agent: %s\"\r\n $ = \"Host: %s:%d\"\r\n $ = \"Cache-Control: no-cache\"\r\n $ = \"Connection: Keep-Alive\"\r\n $ = \"Cookie: pgv_pvid=\"\r\n $ = \"Content-Type: application/x-octet-stream\"\r\n $ = \"User-Agent: %s\"\r\n $ = \"Host: %s:%d\"\r\n $ = \"Pragma: no-cache\"\r\n $ = \"Connection: Keep-Alive\"\r\n $ = \"HTTP/1.0\"\r\n condition:\r\n (uint16(0) == 0x5A4D) and (all of them)\r\n\r\n}]",
"pattern_type": "yara",
"valid_from": "2016-05-27T11:59:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"yara\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1b37-6ca4-45b1-b0f2-412b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:54:31.000Z",
"modified": "2016-05-04T15:54:31.000Z",
"pattern": "[file:hashes.MD5 = '3e4fbb9190227848af32dacb17e9fd17']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:54:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1b37-7580-4e22-a644-40e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:54:31.000Z",
"modified": "2016-05-04T15:54:31.000Z",
"pattern": "[file:hashes.MD5 = 'b93197e2aa147fe6b70695ae7bb298b0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:54:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1b37-6958-4706-af56-459d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:54:31.000Z",
"modified": "2016-05-04T15:54:31.000Z",
"pattern": "[file:hashes.MD5 = '791295ef196cf8c20913b3cce76af29a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:54:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1b68-1380-4d6a-9ab6-4512950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:55:20.000Z",
"modified": "2016-05-04T15:55:20.000Z",
"pattern": "[file:hashes.IMPHASH = '86fafe21566d0906fecc5dfd939f3e45']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:55:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"imphash\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1b68-a378-4592-8cef-41e3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:55:20.000Z",
"modified": "2016-05-04T15:55:20.000Z",
"pattern": "[file:hashes.IMPHASH = '711a1d4aef8414cf1db45a6945ba3d84']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:55:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"imphash\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1b68-2fa8-4247-91ec-4692950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:55:20.000Z",
"modified": "2016-05-04T15:55:20.000Z",
"pattern": "[file:hashes.IMPHASH = '6752d45fd952c97c969939600acc5748']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:55:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"imphash\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--572a1b83-4574-436e-b98b-4802950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:55:47.000Z",
"modified": "2016-05-04T15:55:47.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "To follow up on the March report on the discovery of a 64-bit Linux variant of Derusbi used in the Turbo campaign, this post covers our analysis of two unique Windows variants of the Derusbi PGV_PVID malware. Derusbi has been widely covered and associated with numerous Chinese cyber espionage actors, including the group known as C0d0s0 Team (aka Sunshop Group) and its watering-hole attacks using Forbes[.]com in 2014.\r\n\r\nWhat made these two variants of interest is that, as of April 28, 2016, there are zero (0) antivirus detections of these variants at VirusTotal. On April 29, our team also scanned these variants with two different local antivirus tools running the latest virus signatures and the APT malware was still undetected. Based on compile times in the variants analyzed, it appears that this variant has been around since at least 2013.\r\n\r\nSome of the strings in these variants have also been observed in variants of the Bergard APT malware. The Derusbi variants were identified and named by Proofpoint earlier this year.\r\n\r\nOur Yara hunting rule that detected these two Derusbi PGV_PVID variants with zero antivirus detections also detected two other variants that are detected by AVs as \u201cDerusbi\u201d. One of the Derusbi PGV_PVID samples that we analyzed shares its command-and-control server with a Rekaf sample identified by Proofpoint, furthering the connection between these families that they established in their post."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1bd5-d044-4155-a3fd-40bd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:09.000Z",
"modified": "2016-05-04T15:57:09.000Z",
"description": "- Xchecked via VT: 791295ef196cf8c20913b3cce76af29a",
"pattern": "[file:hashes.SHA256 = 'ecac0b7abed0c5ca580064839813176a68f75d18176234fc15b2aefd277237aa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:57:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1bd5-5cb0-4748-bcd9-45a802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:09.000Z",
"modified": "2016-05-04T15:57:09.000Z",
"description": "- Xchecked via VT: 791295ef196cf8c20913b3cce76af29a",
"pattern": "[file:hashes.SHA1 = '761cd81c46034c3d186f626d17487b804b24e4a1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:57:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572a1bd5-3d50-4d7d-b6da-48a502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:09.000Z",
"modified": "2016-05-04T15:57:09.000Z",
"first_observed": "2016-05-04T15:57:09Z",
"last_observed": "2016-05-04T15:57:09Z",
"number_observed": 1,
"object_refs": [
"url--572a1bd5-3d50-4d7d-b6da-48a502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572a1bd5-3d50-4d7d-b6da-48a502de0b81",
"value": "https://www.virustotal.com/file/ecac0b7abed0c5ca580064839813176a68f75d18176234fc15b2aefd277237aa/analysis/1457567423/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1bd6-ba08-47e0-979f-415902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:10.000Z",
"modified": "2016-05-04T15:57:10.000Z",
"description": "- Xchecked via VT: b93197e2aa147fe6b70695ae7bb298b0",
"pattern": "[file:hashes.SHA256 = 'c6f1a8f9ea60286b24db87d6022991a4342bea473a520569b996a5883332788c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:57:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1bd6-a978-4041-bad2-443b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:10.000Z",
"modified": "2016-05-04T15:57:10.000Z",
"description": "- Xchecked via VT: b93197e2aa147fe6b70695ae7bb298b0",
"pattern": "[file:hashes.SHA1 = '71c2407eaa08c7093316b62bc1f8eecaa089f775']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:57:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572a1bd7-6f70-4bca-83e4-4b4002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:11.000Z",
"modified": "2016-05-04T15:57:11.000Z",
"first_observed": "2016-05-04T15:57:11Z",
"last_observed": "2016-05-04T15:57:11Z",
"number_observed": 1,
"object_refs": [
"url--572a1bd7-6f70-4bca-83e4-4b4002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572a1bd7-6f70-4bca-83e4-4b4002de0b81",
"value": "https://www.virustotal.com/file/c6f1a8f9ea60286b24db87d6022991a4342bea473a520569b996a5883332788c/analysis/1458611076/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1bd7-fa14-4fe4-9c91-45e602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:11.000Z",
"modified": "2016-05-04T15:57:11.000Z",
"description": "- Xchecked via VT: 3e4fbb9190227848af32dacb17e9fd17",
"pattern": "[file:hashes.SHA256 = '9c4053485b37ebc972c95abd98ea4ee386feb745cc012b9e57dc689469ea064f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:57:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572a1bd7-31a4-43e1-b8dd-458b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:11.000Z",
"modified": "2016-05-04T15:57:11.000Z",
"description": "- Xchecked via VT: 3e4fbb9190227848af32dacb17e9fd17",
"pattern": "[file:hashes.SHA1 = '4a152785c8b092166cfb164688fc767c22dd3932']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-04T15:57:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572a1bd8-15dc-49e0-afa8-43c402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-04T15:57:12.000Z",
"modified": "2016-05-04T15:57:12.000Z",
"first_observed": "2016-05-04T15:57:12Z",
"last_observed": "2016-05-04T15:57:12Z",
"number_observed": 1,
"object_refs": [
"url--572a1bd8-15dc-49e0-afa8-43c402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572a1bd8-15dc-49e0-afa8-43c402de0b81",
"value": "https://www.virustotal.com/file/9c4053485b37ebc972c95abd98ea4ee386feb745cc012b9e57dc689469ea064f/analysis/1461791370/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}