{
"type" : "bundle" ,
"id" : "bundle--5a9922cb-9c5c-4979-a78c-4fee950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:46:13.000Z" ,
"modified" : "2018-03-02T10:46:13.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5a9922cb-9c5c-4979-a78c-4fee950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:46:13.000Z" ,
"modified" : "2018-03-02T10:46:13.000Z" ,
"name" : "SMS/iMessage phishes forcing users to install/run scripts and update VPN settings" ,
"published" : "2018-03-02T10:48:18Z" ,
"object_refs" : [
"indicator--5a9922e9-c640-42d2-8428-4808950d210f" ,
"indicator--5a99230c-d524-44ac-a40a-c8e0950d210f" ,
"indicator--5a992340-a754-4006-9526-4892950d210f" ,
"indicator--5a992341-2d9c-4ece-a508-418e950d210f" ,
"indicator--5a992341-8798-47cf-ad4e-490f950d210f" ,
"indicator--5a99236a-56b4-4f76-8928-4d41950d210f" ,
"observed-data--5a99237b-5c80-4ba0-92df-47b0950d210f" ,
"url--5a99237b-5c80-4ba0-92df-47b0950d210f" ,
"indicator--5a9924eb-e468-417f-a0e9-4bce950d210f" ,
"observed-data--5a99258c-a394-4f4b-915a-4a6b950d210f" ,
"url--5a99258c-a394-4f4b-915a-4a6b950d210f" ,
"observed-data--5a992b72-c434-48f1-af1b-43e7950d210f" ,
"url--5a992b72-c434-48f1-af1b-43e7950d210f" ,
"observed-data--5a992b9b-a540-4a1e-8fd0-44a0950d210f" ,
"file--5a992b9b-a540-4a1e-8fd0-44a0950d210f" ,
"artifact--5a992b9b-a540-4a1e-8fd0-44a0950d210f" ,
"indicator--0601169d-401d-466b-99e5-ab32aca720c0" ,
"x-misp-object--37a03acb-9238-44c5-8f31-2ae308034e7b" ,
"indicator--491fb46e-2c0f-4060-a745-a5cf809be441" ,
"x-misp-object--9aaf2bc6-ccc6-4658-9440-d6a54f790a9f" ,
"relationship--77fd3b63-0eff-49bb-804e-e33f1606106c" ,
"relationship--bef7c0b6-ebe1-41dd-9ffa-8d5b0b1fe5e8"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"admiralty-scale:source-reliability=\"c\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a9922e9-c640-42d2-8428-4808950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:41.000Z" ,
"modified" : "2018-03-02T10:23:41.000Z" ,
"pattern" : "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '172.96.173.150']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:23:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"ip-dst\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a99230c-d524-44ac-a40a-c8e0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:41.000Z" ,
"modified" : "2018-03-02T10:23:41.000Z" ,
"pattern" : "[domain-name:value = 'corp-vpn.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:23:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a992340-a754-4006-9526-4892950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:41.000Z" ,
"modified" : "2018-03-02T10:23:41.000Z" ,
"pattern" : "[domain-name:value = 'sso-vpn.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:23:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a992341-2d9c-4ece-a508-418e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:42.000Z" ,
"modified" : "2018-03-02T10:23:42.000Z" ,
"pattern" : "[domain-name:value = 'up-sso.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:23:42Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a992341-8798-47cf-ad4e-490f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:43.000Z" ,
"modified" : "2018-03-02T10:23:43.000Z" ,
"pattern" : "[domain-name:value = 'up-vpn.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:23:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a99236a-56b4-4f76-8928-4d41950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:11:54.000Z" ,
"modified" : "2018-03-02T10:11:54.000Z" ,
"description" : "Phishing used against Apple employees + others, this would be dropped by a script that they are attempting to get piped to bash via an SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch" ,
"pattern" : "[file:hashes.SHA256 = '2ff6b78a4c2b239b2502d4eb7907906ae68275dbb92d3773fa083fb2fbc09a76']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:11:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a99237b-5c80-4ba0-92df-47b0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:43.000Z" ,
"modified" : "2018-03-02T10:23:43.000Z" ,
"first_observed" : "2018-03-02T10:23:43Z" ,
"last_observed" : "2018-03-02T10:23:43Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a99237b-5c80-4ba0-92df-47b0950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a99237b-5c80-4ba0-92df-47b0950d210f" ,
"value" : "https://virustotal.com/en/file/2ff6b78a4c2b239b2502d4eb7907906ae68275dbb92d3773fa083fb2fbc09a76/analysis/1519948184/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5a9924eb-e468-417f-a0e9-4bce950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:18:19.000Z" ,
"modified" : "2018-03-02T10:18:19.000Z" ,
"description" : "Phishing used against Apple employees + others, this would be dropped by a script that they are attempting to get piped to bash via an SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org" ,
"pattern" : "[file:hashes.SHA256 = '1bccbc10642a31b871f5503a52ec5c89598976e6aea0874ed2e396394d8dca00']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:18:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a99258c-a394-4f4b-915a-4a6b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:44.000Z" ,
"modified" : "2018-03-02T10:23:44.000Z" ,
"first_observed" : "2018-03-02T10:23:44Z" ,
"last_observed" : "2018-03-02T10:23:44Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a99258c-a394-4f4b-915a-4a6b950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a99258c-a394-4f4b-915a-4a6b950d210f" ,
"value" : "https://twitter.com/timstrazz/status/969360276423311360"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a992b72-c434-48f1-af1b-43e7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:46:10.000Z" ,
"modified" : "2018-03-02T10:46:10.000Z" ,
"first_observed" : "2018-03-02T10:46:10Z" ,
"last_observed" : "2018-03-02T10:46:10Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5a992b72-c434-48f1-af1b-43e7950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5a992b72-c434-48f1-af1b-43e7950d210f" ,
"value" : "https://twitter.com/dyngnosis/status/969397210860478464"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5a992b9b-a540-4a1e-8fd0-44a0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:46:51.000Z" ,
"modified" : "2018-03-02T10:46:51.000Z" ,
"first_observed" : "2018-03-02T10:46:51Z" ,
"last_observed" : "2018-03-02T10:46:51Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5a992b9b-a540-4a1e-8fd0-44a0950d210f" ,
"artifact--5a992b9b-a540-4a1e-8fd0-44a0950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5a992b9b-a540-4a1e-8fd0-44a0950d210f" ,
"name" : "DXP9dttU0AAGavM.jpg" ,
"content_ref" : "artifact--5a992b9b-a540-4a1e-8fd0-44a0950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5a992b9b-a540-4a1e-8fd0-44a0950d210f" ,
"payload_bin" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 2 w B D A A U D B A Q E A w U E B A Q F B Q U G B w w I B w c H B w 8 L C w k M E Q 8 S E h E P E R E T F h w X E x Q a F R E R G C E Y G h 0 d H x 8 f E x c i J C I e J B w e H x 7 / 2 w B D A Q U F B Q c G B w 4 I C A 4 e F B E U H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 4 e H h 7 / w g A R C A K r B L A D A S I A A h E B A x E B / 8 Q A H A A B A A I D A Q E B A A A A A A A A A A A A A A M E A Q I F B g c I / 8 Q A G g E B A A M B A Q E A A A A A A A A A A A A A A A E C A w Q F B v / a A A w D A Q A C E A M Q A A A B + y g A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A g 1 s g A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A D H B q Y t z W e / 5 P e Y 9 Y K d Q A A A A A A A A A A A A A A A D j w U b c 9 n t e b g m n t W M 0 6 w A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A P H 26 r T h 2 n q d m L d g U 7 A A A A A A A A A A A A A A A A P L 17 E O n D t L V 6 C e 9 u Z 9 g J A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A O W O o 51 M 6 v A t z T n z v T c 7 R P V c 3 a L 9 B w + g X A A A A A A A A A A A A A C u W H M y 
d D z s l 6 a c r v Q 5 R e U 68 a d R y 7 p O A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A D l U P S D g c 72 A 83 c 7 A 87 L 3 R 5 u 91 h x t + s A A A A A A A A A A A A A H J 6 w 4 M H p R 5 D o 94 c D P e H B k 7 Q 8 z 35 w A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 0 3 j J A A A A A A A A A A A A G N C R F k k R g k E a Q a 7 A M G k m m 4 x k R p B G k G m + N C R H g l R Z J G m 4 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A j k j J A A A A A A A G m C R E J d d d j R K I s y D T c A A A A A E c k Z I A A A A A A B H I I 0 g j S C O R G S I x I j E i O Q A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A V b Q h m A A A B r t E Z S C L M g x k A A A A A A A A A A F C + M Z A A A A A A A A A A A A B H I I 0 g j S Y K 1 q O Q A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A o + W 83 z O r D 1 n t / j v r Y f Q B z b g A I p Y i U A A A A A A A A A A A A p o p + V 87 y u z D 6 L 7 H 5 R 6 f K / s x h q A A A A A A A A A A A A A 5 n Q + S a U 9 D t 4 P p d O P 16 f w 3 u e T c K 2 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A / P 9 j 23 A 7 + T k 97 n / Q K z 6 k c X U A A i l i J Q A A A A A A A A A A A O B 38 T H w a p 6 a x 38 l P u e Y + v Z a d A c n Q A A A A A A A A A A A A B V + E / o D 5 f 0 Y + Q 6 H U 5 n R j 3 / p / D 7 n H 0 h n c A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A p 8 Y 9 L z q t Q 7 V z j 1 Z j 0 T y 3 d i b g A E U s R K A A A A A A A A A A A a m z z s R 6 f j 61 E e g l 89 O d p 5 q 0 n t g A A A A A A A A A A A F G F 55 q a V q 5 w b 0 x 2 X n I o n 1 C K U A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 153 R 2 N K X Q E M F z J B J v q b A A R S x E o A A A A A A A A A A A K S 6 I q f R E O l k V Z Z M g A A A A A A A A A A B r q S Q 77 l C e x 
g q b 2 R T l m y Y z i M l A A A A A A A A A A A A A A A A A A A A A A A A A I S Z U w X F b U t q u S y o T F l X F h F o W F W A 6 O l X c l z W k L K s L K G u W p I J w C N J g y i 2 N 4 l Q 6 C p s W V P c s o o C 4 q i 0 q T E q v q W l G Q t K w s o q x e V s F p S t G + E Z i Y A A I p U R K p b l p S 0 O g p a l 9 S 2 L a h u X F G c l 1 p z E y H Q s o h K g k N 1 a U m 2 h m B C Z k y A N G + p t U n j J J K k R 0 F K Q s q k p M r b k y t G X W s B Z U t y 0 q b F l Q m L K v g s q s Z e A A A A A A A A A A A A A A A A A A A R D b X f Y j k A A A A C O T G p u A B j I i 1 n h J k W 5 s A A A A A Y M t M E i M S I x J i O M k l j y M b 5 I 2 s R O i E s e d S T N f J a z V k J l e c y q 5 L K t q W 0 G h a V x Y U 5 C w h m A A G M a m J Q A A A x H K C G Y 10 l G M x 4 J Q A A A A A A A A A A A A A A A A A A A A A A A A A Q 7 V r o A A A A A A A h m p F 0 A A C O S M k 12 E M 1 K 6 A N d q p L n O 5 G k E e d w A A x n B D P T u A A G G R h k Y x s I 0 l E u s j G Q 1 z k Y x s M Y 2 G G R r n I A A a b 1 S a T X Y A A A A A Q T 0 y 4 A C F u I d 9 s k e d s k E m d i P W b B r p N g 3 g s R m u J B F t n Y g k 2 y a a T a m N Z c E g A A A A A A A A A A A A C D y 1 q + w f G v e X r 6 k Z a A A A A A A F O 5 W Q t A A C O S M k A N I b q 1 m J C 0 A A A A A F L y d q + 5 f G v p l 69 k Z a A A A A A E c d Z s C 0 A A A A A A A H C 8 t p T 6 M + W / Q 4 X x S 4 A A A A B i r W b Y t A A A A A A A A A A A A A A A A A A A A A A A A A H h P B + w 8 h 3 c s H o f K + k v X 6 b 1 e L 2 u D q C t g A A A A O b 5 r t + M 8 P 0 f T d H h 9 X W n f H r 8 I C O S M k A I I n y E 3 G s / N + t 3 P S e S 9 b 7 H A H b z g A A A f L f M d v j + h y a + g 8 t 3 k f X p Y Z v P 6 w S A A A A 8 P 6 / 575 P b 3 L n E 6 W G v r B 7 v m g A A A A I 5 I j 4 z x 97 H p c V 31 H j / A E u d / p w 4 e o A A A A B 4313 z 3 z O z q X O H 0 e P o 9 i P f 8 s A A A A A A A A A A A A A A A A A A A A A A A C p 8 u + u N K f K + h 9 D z a A x 0 A A A A G D L X Y g S 7 U m j e w l k 
x a M g R y R k g D G S r H c 2 z t F L j N 6 m E s g A A A 5 H z j 680 p 8 n 9 N 7 H M w G W g A A A B r k z U t 4 r N K 1 J r E 7 G t 67 A A A A A A 8 b 5 j 6 z j X P 5 D 9 L 6 i J D O 4 A A A B g Z r W d a z T s T I k w v X L G Q A A A A A A A A A A A A A A A A A A B 5 D 18 Z 47 H t h 4e56 w j x k f r 7 E T 43 f 16 X k N P Z D y s n p s H l 4 / V Y P J 9 H v j x t 70 g A e P 9 g h 4 v 0 n Q S 8 p L 6 Y e X j 9 Y h y P L f Q E u N 2 Q R y R k n E 7 a H z v u + n S 8 F 6 P t D x t v 0 48 j 2 + m A O B z f Y x Q 8 X v 7 P e X l Y v X j x m f Z D g c 32 I 8 r a 7 k k P F 9 H 0 G 8 v J R + x A D G R 5 T H r B 4 / X 2 Q 5 H I 9 c h x u B 7 h L y n q w A 53 n f Z x n i X u h 5 / i e 7 j P I R e 0 k P I 49 e P E 2 v W D z F T 2 U c P P V v X J e e o + v H j + / 0 Q B 5 j m e 6 H m + R 7 s c b k + v H j J v W o e d 9 E S A A A A A A A A A A I d C y p S F l W F l X j L i t k s K c 5 K g i L i r k s o I i 4 g 1 L K v g s 4 q z k g A A A G i u W w A A A A A A A A I 5 I y Q A A A A A A A G M 1 c l l T k L C s L K O s W Z O Z e J V a Q l Q R l t U 2 L K v G X E G h a Q x l p U t G Q A A A N d o y Q A A A E c l G 8 A A A A A A A A A A A A A A A A A A Y Z G M h j G w w y M M j G Q w y M Z B j I x k N c 5 G N d x j M U o A A B H J F K A A A A A A A A A I 5 I y Q A A A A A A A E M u k h j I A N d o j b c B q Z Z G M 4 G c A Z w Z w D L B l j I Y G W B l g Z i k 1 N 2 M g A A 1 N J d d g A A A A A A A A A A A A A A A A A A A A A A A A A A A A A C O R E S g A a 7 R G + w A A A A A A A A A I 5 I y Q A A A A A A A G m 2 Y y Q A C K T Q k B r V u C t i 0 K m 9 g V 8 W R X 1 t C t t O I o b Y q 5 s i r m y K + l s V s 2 B W l k E U s e 5 k A C O S I l A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A i l p l x H I A I 5 I y Q A A A A A A A A A C O S g X w A A A A A A A I 5 O e d A A E c k c g A A A A A A A A A A A A A i l 550 A A R y R y A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A w Z A A A A A A A A A A A M G X m P P 6 U + j u V 1 a W C J A A A A A A 
A M Z A A A A A A A A A A A A A A A A D G Y B I A A A A A A A A A A A A A A A A A A A A A A A A A A A A
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0601169d-401d-466b-99e5-ab32aca720c0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:47.000Z" ,
"modified" : "2018-03-02T10:23:47.000Z" ,
"pattern" : "[file:hashes.MD5 = 'b97847bcc1a27107888475fd6baeb2d9' AND file:hashes.SHA1 = '5e8784026c3fd64c932e53622d0454c33038976e' AND file:hashes.SHA256 = '2ff6b78a4c2b239b2502d4eb7907906ae68275dbb92d3773fa083fb2fbc09a76']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:23:47Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--37a03acb-9238-44c5-8f31-2ae308034e7b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:46.000Z" ,
"modified" : "2018-03-02T10:23:46.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/2ff6b78a4c2b239b2502d4eb7907906ae68275dbb92d3773fa083fb2fbc09a76/analysis/1519981318/" ,
"category" : "External analysis" ,
"comment" : "Phishing used against Apple employees + others, this would be dropped by a script that they are attempting to get piped to bash via an SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch" ,
"uuid" : "5a992632-874c-409b-a280-437e02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "1/60" ,
"category" : "Other" ,
"comment" : "Phishing used against Apple employees + others, this would be dropped by a script that they are attempting to get piped to bash via an SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch" ,
"uuid" : "5a992633-db0c-4e94-bdf4-4bec02de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-03-02T09:01:58" ,
"category" : "Other" ,
"comment" : "Phishing used against Apple employees + others, this would be dropped by a script that they are attempting to get piped to bash via an SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tipok.gotdns.ch" ,
"uuid" : "5a992633-896c-4657-8f26-471002de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--491fb46e-2c0f-4060-a745-a5cf809be441" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:50.000Z" ,
"modified" : "2018-03-02T10:23:50.000Z" ,
"pattern" : "[file:hashes.MD5 = '35fba2a83659d22eedf5926a3dc680f4' AND file:hashes.SHA1 = '4fb8edfe9694e2cd58ffaae30777bae324ac1558' AND file:hashes.SHA256 = '1bccbc10642a31b871f5503a52ec5c89598976e6aea0874ed2e396394d8dca00']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-03-02T10:23:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--9aaf2bc6-ccc6-4658-9440-d6a54f790a9f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-03-02T10:23:48.000Z" ,
"modified" : "2018-03-02T10:23:48.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/1bccbc10642a31b871f5503a52ec5c89598976e6aea0874ed2e396394d8dca00/analysis/1519980899/" ,
"category" : "External analysis" ,
"comment" : "Phishing used against Apple employees + others, this would be dropped by a script that they are attempting to get piped to bash via an SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org" ,
"uuid" : "5a992635-6d0c-4faf-b632-449e02de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "1/60" ,
"category" : "Other" ,
"comment" : "Phishing used against Apple employees + others, this would be dropped by a script that they are attempting to get piped to bash via an SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org" ,
"uuid" : "5a992635-0854-453f-a479-4c9d02de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-03-02T08:54:59" ,
"category" : "Other" ,
"comment" : "Phishing used against Apple employees + others, this would be dropped by a script that they are attempting to get piped to bash via an SMS/iMessage request. This is just a simple pyinstaller wrapped pupy script which beacons back to tatiano96.zapto.org" ,
"uuid" : "5a992635-d534-48df-ba48-41c302de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--77fd3b63-0eff-49bb-804e-e33f1606106c" ,
"created" : "2018-03-02T10:23:49.000Z" ,
"modified" : "2018-03-02T10:23:49.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--0601169d-401d-466b-99e5-ab32aca720c0" ,
"target_ref" : "x-misp-object--37a03acb-9238-44c5-8f31-2ae308034e7b"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--bef7c0b6-ebe1-41dd-9ffa-8d5b0b1fe5e8" ,
"created" : "2018-03-02T10:23:50.000Z" ,
"modified" : "2018-03-02T10:23:50.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--491fb46e-2c0f-4060-a745-a5cf809be441" ,
"target_ref" : "x-misp-object--9aaf2bc6-ccc6-4658-9440-d6a54f790a9f"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}