misp-circl-feed/feeds/circl/stix-2.1/59ac43b3-d8a8-4fcf-9543-4a8f02de0b81.json

432 lines
18 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--59ac43b3-d8a8-4fcf-9543-4a8f02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:52:03.000Z",
"modified": "2017-12-18T10:52:03.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59ac43b3-d8a8-4fcf-9543-4a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:52:03.000Z",
"modified": "2017-12-18T10:52:03.000Z",
"name": "OSINT - Javascript malware hosted on US government site which launches powershell to connect to C2.",
"published": "2017-12-18T10:53:26Z",
"object_refs": [
"observed-data--59ac43e1-dff8-46a7-9514-4f4702de0b81",
"url--59ac43e1-dff8-46a7-9514-4f4702de0b81",
"indicator--59ac43f8-6c28-48c0-99e0-453402de0b81",
"indicator--59ac4419-3df8-4eda-9312-421002de0b81",
"indicator--59ac4419-4af4-416c-aa4f-4cb302de0b81",
"observed-data--59ac4419-ddd0-47d5-a136-4ac002de0b81",
"url--59ac4419-ddd0-47d5-a136-4ac002de0b81",
"indicator--59ac444f-e13c-4f0d-9ff7-aa5c02de0b81",
"observed-data--59ac4475-de90-483c-81a6-492502de0b81",
"url--59ac4475-de90-483c-81a6-492502de0b81",
"indicator--5a3781ac-e49c-4f47-a5c0-47a9950d210f",
"observed-data--5a37820a-a000-466c-bff1-44e1950d210f",
"url--5a37820a-a000-466c-bff1-44e1950d210f",
"indicator--7bbbd45c-82a1-44f6-ab72-7fdf191b8148",
"x-misp-object--8328c6e4-df62-4f8a-b9c4-309693e5d9f9",
"indicator--5e701ff1-51b4-4e2b-aacd-421636d9c852",
"x-misp-object--801bce9a-1810-4811-a6e0-b8338414db9d",
2023-05-19 09:05:37 +00:00
"relationship--16643379-1120-4685-96d6-4982c06a55e8",
"relationship--746bd353-8d29-4a61-8e8c-67259d67cd28"
2023-04-21 14:44:17 +00:00
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"osint:source-type=\"pastie-website\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59ac43e1-dff8-46a7-9514-4f4702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"first_observed": "2017-12-18T10:51:55Z",
"last_observed": "2017-12-18T10:51:55Z",
"number_observed": 1,
"object_refs": [
"url--59ac43e1-dff8-46a7-9514-4f4702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"pastie-website\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59ac43e1-dff8-46a7-9514-4f4702de0b81",
"value": "https://pastebin.com/0eAPV7Lc"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ac43f8-6c28-48c0-99e0-453402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"pattern": "[file:hashes.SHA256 = '1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T10:51:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ac4419-3df8-4eda-9312-421002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"description": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
"pattern": "[file:hashes.SHA1 = '898e4131496d0ae8eb3fd2a742a30830be3989f6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T10:51:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ac4419-4af4-416c-aa4f-4cb302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-03T18:04:09.000Z",
"modified": "2017-09-03T18:04:09.000Z",
"description": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
"pattern": "[file:hashes.MD5 = 'c714ca63fc9fccce002941c171c07e4d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-03T18:04:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59ac4419-ddd0-47d5-a136-4ac002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"first_observed": "2017-12-18T10:51:55Z",
"last_observed": "2017-12-18T10:51:55Z",
"number_observed": 1,
"object_refs": [
"url--59ac4419-ddd0-47d5-a136-4ac002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59ac4419-ddd0-47d5-a136-4ac002de0b81",
"value": "https://www.virustotal.com/file/1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd/analysis/1504118595/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ac444f-e13c-4f0d-9ff7-aa5c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"description": "Javascript malware hosted on US government site which launches powershell to connect to C2.",
"pattern": "[url:value = 'http://dms.nwcg.gov/pipermail/ross-suggestion/attachments/20170304/9ee8a89e/attachment.zip']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T10:51:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59ac4475-de90-483c-81a6-492502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"first_observed": "2017-12-18T10:51:55Z",
"last_observed": "2017-12-18T10:51:55Z",
"number_observed": 1,
"object_refs": [
"url--59ac4475-de90-483c-81a6-492502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"admiralty-scale:source-reliability=\"f\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59ac4475-de90-483c-81a6-492502de0b81",
"value": "https://blog.newskysecurity.com/us-government-site-unwittingly-hosting-malware-f1f4f11b6a1d"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a3781ac-e49c-4f47-a5c0-47a9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T08:54:51.000Z",
"modified": "2017-12-18T08:54:51.000Z",
"description": "Cerber Ransomware",
"pattern": "[file:hashes.SHA256 = '1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T08:54:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"workflow:todo=\"expansion\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a37820a-a000-466c-bff1-44e1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"first_observed": "2017-12-18T10:51:55Z",
"last_observed": "2017-12-18T10:51:55Z",
"number_observed": 1,
"object_refs": [
"url--5a37820a-a000-466c-bff1-44e1950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"pastie-website\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a37820a-a000-466c-bff1-44e1950d210f",
"value": "https://pastebin.com/HAiqH0Wq"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7bbbd45c-82a1-44f6-ab72-7fdf191b8148",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:58.000Z",
"modified": "2017-12-18T10:51:58.000Z",
"pattern": "[file:hashes.MD5 = 'c714ca63fc9fccce002941c171c07e4d' AND file:hashes.SHA1 = '898e4131496d0ae8eb3fd2a742a30830be3989f6' AND file:hashes.SHA256 = '1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T10:51:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--8328c6e4-df62-4f8a-b9c4-309693e5d9f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd/analysis/1504922776/",
"category": "External analysis",
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
"uuid": "5a379dcb-1d74-48e4-8937-48b002de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "36/60",
"category": "Other",
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
"uuid": "5a379dcb-5f38-4007-a029-423d02de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-09-09T02:06:16",
"category": "Other",
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
"uuid": "5a379dcb-d190-49b0-adbe-42a502de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e701ff1-51b4-4e2b-aacd-421636d9c852",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:58.000Z",
"modified": "2017-12-18T10:51:58.000Z",
"pattern": "[file:hashes.MD5 = '61bcd1f3233b857be0aee9ceba6779f3' AND file:hashes.SHA1 = 'f996046fea268074d2edd430e628f23942d7b5b6' AND file:hashes.SHA256 = '1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T10:51:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--801bce9a-1810-4811-a6e0-b8338414db9d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6/analysis/1504623436/",
"category": "External analysis",
"comment": "Cerber Ransomware",
"uuid": "5a379dcb-2534-458c-b5be-40a602de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "51/64",
"category": "Other",
"comment": "Cerber Ransomware",
"uuid": "5a379dcb-1b28-4489-b32e-4db702de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-09-05T14:57:16",
"category": "Other",
"comment": "Cerber Ransomware",
"uuid": "5a379dcb-ab70-4d4e-8fba-4c1c02de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
2023-05-19 09:05:37 +00:00
"id": "relationship--16643379-1120-4685-96d6-4982c06a55e8",
2023-04-21 14:44:17 +00:00
"created": "2017-12-18T10:51:55.000Z",
"modified": "2017-12-18T10:51:55.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--7bbbd45c-82a1-44f6-ab72-7fdf191b8148",
"target_ref": "x-misp-object--8328c6e4-df62-4f8a-b9c4-309693e5d9f9"
},
{
"type": "relationship",
"spec_version": "2.1",
2023-05-19 09:05:37 +00:00
"id": "relationship--746bd353-8d29-4a61-8e8c-67259d67cd28",
2023-04-21 14:44:17 +00:00
"created": "2017-12-18T10:51:56.000Z",
"modified": "2017-12-18T10:51:56.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5e701ff1-51b4-4e2b-aacd-421636d9c852",
"target_ref": "x-misp-object--801bce9a-1810-4811-a6e0-b8338414db9d"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}