{
"type": "bundle",
"id": "bundle--587e787d-c9f8-4132-9673-4d8402de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:54.000Z",
"modified": "2017-01-17T20:12:54.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--587e787d-c9f8-4132-9673-4d8402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:54.000Z",
"modified": "2017-01-17T20:12:54.000Z",
"name": "OSINT - CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL",
"published": "2017-01-17T20:13:43Z",
"object_refs": [
"x-misp-attribute--587e789e-d278-42a1-aa6a-457e02de0b81",
"observed-data--587e78b8-05ac-41d3-88b0-4a4902de0b81",
"url--587e78b8-05ac-41d3-88b0-4a4902de0b81",
"indicator--587e7a5e-f1e8-4295-b5ce-473102de0b81",
"indicator--587e7a5f-6d14-4a0e-a94e-448802de0b81",
"indicator--587e7a60-99e8-4a1c-afdc-4cc302de0b81",
"indicator--587e7a72-c370-4b7e-853a-41bc02de0b81",
"indicator--587e7a72-963c-4a15-8a07-4c6102de0b81",
"indicator--587e7a73-7e5c-4fb3-b848-4ce002de0b81",
"indicator--587e7a81-f360-40d6-943b-42a502de0b81",
"indicator--587e7a82-9c50-4923-bc1e-460002de0b81",
"indicator--587e7a83-8088-4b4e-a146-43b102de0b81",
"indicator--587e7a90-1318-4655-bfb4-4bcf02de0b81",
"indicator--587e7a91-cfa8-4d57-8ff5-4e5602de0b81",
"indicator--587e7aa0-3a6c-4023-9e36-4c6402de0b81",
"indicator--587e7aa1-f6b4-4b0d-9e3c-400802de0b81",
"indicator--587e7ac6-6f94-4ab2-a39b-4d0802de0b81",
"indicator--587e7ac7-072c-4bb4-8650-46d702de0b81",
"observed-data--587e7ac7-3a78-4e9e-aa27-436a02de0b81",
"url--587e7ac7-3a78-4e9e-aa27-436a02de0b81",
"indicator--587e7ac8-81ac-4b8b-9a34-422c02de0b81",
"indicator--587e7ac9-c1ec-4401-bfc2-4def02de0b81",
"observed-data--587e7aca-6bc4-44dd-b72a-449b02de0b81",
"url--587e7aca-6bc4-44dd-b72a-449b02de0b81",
"indicator--587e7acb-41a4-481b-a177-42b702de0b81",
"indicator--587e7acc-5c98-4e6d-b6f3-4cf302de0b81",
"observed-data--587e7acc-e2d4-4795-abf7-4afb02de0b81",
"url--587e7acc-e2d4-4795-abf7-4afb02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Anunak\"",
"osint:source-type=\"blog-post\"",
"veris:actor:motive=\"Financial\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--587e789e-d278-42a1-aa6a-457e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:03:42.000Z",
"modified": "2017-01-17T20:03:42.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Forcepoint Security Labs\u2122 recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.\r\n\r\nCarbanak (also known as Anunak) are a group of financially motivated criminals first exposed in 2015. The actors typically steal from financial institutions using targeted malware. Recently a new Carbanak attack campaign dubbed \"Digital Plagiarist\" was exposed where the group used weaponized office documents hosted on mirrored domains, in order to distribute malware."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587e78b8-05ac-41d3-88b0-4a4902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:04:08.000Z",
"modified": "2017-01-17T20:04:08.000Z",
"first_observed": "2017-01-17T20:04:08Z",
"last_observed": "2017-01-17T20:04:08Z",
"number_observed": 1,
"object_refs": [
"url--587e78b8-05ac-41d3-88b0-4a4902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587e78b8-05ac-41d3-88b0-4a4902de0b81",
"value": "https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a5e-f1e8-4295-b5ce-473102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:10.000Z",
"modified": "2017-01-17T20:11:10.000Z",
"description": "3-ThompsonDan.rtf",
"pattern": "[file:hashes.SHA1 = '1ec48e5c0b88f4f850facc718bbdec9200e4bd2d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a5f-6d14-4a0e-a94e-448802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:11.000Z",
"modified": "2017-01-17T20:11:11.000Z",
"description": "order.docx",
"pattern": "[file:hashes.SHA1 = '400f02249ba29a19ad261373e6ff3488646e95fb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a60-99e8-4a1c-afdc-4cc302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:12.000Z",
"modified": "2017-01-17T20:11:12.000Z",
"description": "claim.rtf",
"pattern": "[file:hashes.SHA1 = '88f9bf3d6e767f1d324632b998051f4730f011c3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a72-c370-4b7e-853a-41bc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:30.000Z",
"modified": "2017-01-17T20:11:30.000Z",
"description": "Carbanak Google Apps Script C&Cs",
"pattern": "[url:value = 'https://script.google.com/macros/s/AKfycbzuykcvX7j3TlBNyQfxtB1mqii31b4VTON640yiRJT0t6rS4s4/exec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a72-963c-4a15-8a07-4c6102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:30.000Z",
"modified": "2017-01-17T20:11:30.000Z",
"description": "Carbanak Google Apps Script C&Cs",
"pattern": "[url:value = 'https://script.google.com/macros/s/AKfycbxxx5DHr0F8AYhLuDjnp7kGNELq6g27J4c_JWWx1p1nDfZh6InO/exec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a73-7e5c-4fb3-b848-4ce002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:31.000Z",
"modified": "2017-01-17T20:11:31.000Z",
"description": "Carbanak Google Apps Script C&Cs",
"pattern": "[url:value = 'https://script.google.com/macros/s/AKfycbwZHCgg5EsCiPup_mNxDbSX7k7yBMeXWenOVN1BWXHmyBpb8ng/exec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a81-f360-40d6-943b-42a502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:45.000Z",
"modified": "2017-01-17T20:11:45.000Z",
"description": "Carbanak Google Forms C&Cs",
"pattern": "[url:value = 'https://docs.google.com/forms/d/e/1FAIpQLScx9gwNadC7Vjo11mXLbU3aBQRrqVpoWjmNJ1ZneqpjaYLE3g/formResponse']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a82-9c50-4923-bc1e-460002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:46.000Z",
"modified": "2017-01-17T20:11:46.000Z",
"description": "Carbanak Google Forms C&Cs",
"pattern": "[url:value = 'https://docs.google.com/forms/d/e/1FAIpQLSfE9kshYBFSDAfRclW8m9rAdajqoYhzhEYmEAgZexE3LQ-17A/formResponse']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a83-8088-4b4e-a146-43b102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:11:47.000Z",
"modified": "2017-01-17T20:11:47.000Z",
"description": "Carbanak Google Forms C&Cs",
"pattern": "[url:value = 'https://docs.google.com/forms/d/e/1FAIpQLSdcdE7lTEiqV5MW3Up8Hgcy5NGkIKnLKoe0YPFriD4_9qYq9A/formResponse']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:11:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a90-1318-4655-bfb4-4bcf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:00.000Z",
"modified": "2017-01-17T20:12:00.000Z",
"description": "Carbanak C&Cs",
"pattern": "[url:value = 'http://atlantis-bahamas.com/css/informs.jsp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7a91-cfa8-4d57-8ff5-4e5602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:01.000Z",
"modified": "2017-01-17T20:12:01.000Z",
"description": "Carbanak C&Cs",
"pattern": "[url:value = 'http://138.201.44.4/informs.jsp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7aa0-3a6c-4023-9e36-4c6402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:16.000Z",
"modified": "2017-01-17T20:12:16.000Z",
"description": "Carbanak Cobalt Strike / Meterpreter DNS Beacon C&Cs",
"pattern": "[domain-name:value = 'aaa.stage.15594901.en.onokder.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7aa1-f6b4-4b0d-9e3c-400802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:17.000Z",
"modified": "2017-01-17T20:12:17.000Z",
"description": "Carbanak Cobalt Strike / Meterpreter DNS Beacon C&Cs",
"pattern": "[domain-name:value = 'aaa.stage.4710846.ns3.kiposerd.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7ac6-6f94-4ab2-a39b-4d0802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:54.000Z",
"modified": "2017-01-17T20:12:54.000Z",
"description": "3-ThompsonDan.rtf - Xchecked via VT: 1ec48e5c0b88f4f850facc718bbdec9200e4bd2d",
"pattern": "[file:hashes.SHA256 = '7db1b8fd3ca8edbcb25a3849bad0182ea0b840e3cabc53c30b74af070d3ba247']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7ac7-072c-4bb4-8650-46d702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:55.000Z",
"modified": "2017-01-17T20:12:55.000Z",
"description": "3-ThompsonDan.rtf - Xchecked via VT: 1ec48e5c0b88f4f850facc718bbdec9200e4bd2d",
"pattern": "[file:hashes.MD5 = '4b783bd0bd7fcf880ca75359d9fc4da6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587e7ac7-3a78-4e9e-aa27-436a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:55.000Z",
"modified": "2017-01-17T20:12:55.000Z",
"first_observed": "2017-01-17T20:12:55Z",
"last_observed": "2017-01-17T20:12:55Z",
"number_observed": 1,
"object_refs": [
"url--587e7ac7-3a78-4e9e-aa27-436a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587e7ac7-3a78-4e9e-aa27-436a02de0b81",
"value": "https://www.virustotal.com/file/7db1b8fd3ca8edbcb25a3849bad0182ea0b840e3cabc53c30b74af070d3ba247/analysis/1483977881/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7ac8-81ac-4b8b-9a34-422c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:56.000Z",
"modified": "2017-01-17T20:12:56.000Z",
"description": "order.docx - Xchecked via VT: 400f02249ba29a19ad261373e6ff3488646e95fb",
"pattern": "[file:hashes.SHA256 = 'c9f3e017b921c3d90127b25ef2f0c770a7fcbb429177284115ad18569ba4a441']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7ac9-c1ec-4401-bfc2-4def02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:57.000Z",
"modified": "2017-01-17T20:12:57.000Z",
"description": "order.docx - Xchecked via VT: 400f02249ba29a19ad261373e6ff3488646e95fb",
"pattern": "[file:hashes.MD5 = 'ae8404ad422e92b1be7561c418c35fb7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587e7aca-6bc4-44dd-b72a-449b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:58.000Z",
"modified": "2017-01-17T20:12:58.000Z",
"first_observed": "2017-01-17T20:12:58Z",
"last_observed": "2017-01-17T20:12:58Z",
"number_observed": 1,
"object_refs": [
"url--587e7aca-6bc4-44dd-b72a-449b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587e7aca-6bc4-44dd-b72a-449b02de0b81",
"value": "https://www.virustotal.com/file/c9f3e017b921c3d90127b25ef2f0c770a7fcbb429177284115ad18569ba4a441/analysis/1484193729/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7acb-41a4-481b-a177-42b702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:12:59.000Z",
"modified": "2017-01-17T20:12:59.000Z",
"description": "claim.rtf - Xchecked via VT: 88f9bf3d6e767f1d324632b998051f4730f011c3",
"pattern": "[file:hashes.SHA256 = '5c431c3c66b6dde35ffd528edca614b8b00ba7026714f431af8200f13098665f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:12:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--587e7acc-5c98-4e6d-b6f3-4cf302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:13:00.000Z",
"modified": "2017-01-17T20:13:00.000Z",
"description": "claim.rtf - Xchecked via VT: 88f9bf3d6e767f1d324632b998051f4730f011c3",
"pattern": "[file:hashes.MD5 = 'af53db730732aa7db5fdd45ebba34b94']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-17T20:13:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--587e7acc-e2d4-4795-abf7-4afb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-17T20:13:00.000Z",
"modified": "2017-01-17T20:13:00.000Z",
"first_observed": "2017-01-17T20:13:00Z",
"last_observed": "2017-01-17T20:13:00Z",
"number_observed": 1,
"object_refs": [
"url--587e7acc-e2d4-4795-abf7-4afb02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--587e7acc-e2d4-4795-abf7-4afb02de0b81",
"value": "https://www.virustotal.com/file/5c431c3c66b6dde35ffd528edca614b8b00ba7026714f431af8200f13098665f/analysis/1483178982/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}