adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5cd2770d-27fc-4e41-8bfe-476e950d210f.json

1374 lines
311 KiB
JSON
Raw Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5cd2770d-27fc-4e41-8bfe-476e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T11:23:43.000Z",
"modified": "2019-05-08T11:23:43.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5cd2770d-27fc-4e41-8bfe-476e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T11:23:43.000Z",
"modified": "2019-05-08T11:23:43.000Z",
"name": "OSINT - Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5cd2771f-ddb0-4c67-aec6-4ab5950d210f",
"url--5cd2771f-ddb0-4c67-aec6-4ab5950d210f",
"x-misp-attribute--5cd278cd-95bc-4427-b42b-4da4950d210f",
"observed-data--5cd27965-10d0-45d5-8cf7-414a950d210f",
"file--5cd27965-10d0-45d5-8cf7-414a950d210f",
"artifact--5cd27965-10d0-45d5-8cf7-414a950d210f",
"indicator--5cd28fc2-029c-430e-b467-4874950d210f",
"indicator--5cd28fc2-0b98-4394-9e6e-400e950d210f",
"indicator--5cd28fc2-1c3c-465f-9da1-46a6950d210f",
"indicator--5cd28fc2-040c-4b9d-acbe-4736950d210f",
"indicator--5cd28fc2-e740-41e0-9c43-46fe950d210f",
"indicator--5cd28fc3-80e8-44fb-8a12-4711950d210f",
"indicator--5cd28fc3-7fbc-46ee-a244-4810950d210f",
"indicator--5cd28fc3-e080-4de0-b890-4d46950d210f",
"indicator--5cd28fc3-69ac-43d8-9c6f-4f14950d210f",
"indicator--5cd28fc3-9f68-430d-ad9f-44df950d210f",
"indicator--5cd28fc3-ebac-4ea8-b26e-4fdb950d210f",
"indicator--5cd28fc3-e74c-4a45-8f50-427b950d210f",
"indicator--5cd28fc3-6a70-467d-afad-47ae950d210f",
"indicator--5cd28fc3-d0ac-4022-9a64-441d950d210f",
"indicator--5cd28fc3-f0e8-4849-8ef4-4799950d210f",
"indicator--5cd28fc3-e648-4dfe-8bf1-4a4d950d210f",
"indicator--5cd28fc3-422c-465a-b913-413e950d210f",
"indicator--5cd28fc3-c0b0-4bc1-b45c-4adb950d210f",
"indicator--5cd28fc3-679c-4030-a00e-4676950d210f",
"indicator--5cd28fc3-5b88-41ef-a3cc-4aeb950d210f",
"indicator--5cd28fc3-4bb0-496f-9175-4bd5950d210f",
"indicator--5cd28fc3-70f8-49f1-b17c-48c9950d210f",
"observed-data--5cd290e9-165c-4464-a604-4c13950d210f",
"domain-name--5cd290e9-165c-4464-a604-4c13950d210f",
"indicator--5cd2a7cc-bb0c-4865-a988-451b950d210f",
"indicator--5cd2a7cc-1d60-441b-89ee-439e950d210f",
"indicator--5cd2a7cc-6414-401b-bf87-44b7950d210f",
"indicator--5cd2a7cc-2fbc-4328-856a-403d950d210f",
"indicator--5cd2a7cc-aaf4-4905-b166-4fd9950d210f",
"indicator--5cd2a7cc-641c-4b80-9bc8-42c6950d210f",
"indicator--5cd2ae7d-6724-42a1-9f71-6b3d950d210f",
"indicator--5cd2ae7d-8f94-4724-ad31-6b3d950d210f",
"indicator--5cd27f3c-49f0-4ff5-8fca-40a0950d210f",
"indicator--5cd280c9-a63c-467d-91ec-49c8950d210f",
"indicator--5cd281d0-85c8-4572-b487-45b1950d210f",
"indicator--5cd282dc-a808-4591-b3a3-472f950d210f",
"indicator--5cd28329-c834-4d7c-a1c4-4b38950d210f",
"indicator--5cd2836d-8148-4123-a015-4318950d210f",
"indicator--5cd29268-0a88-4a5b-a417-418c950d210f",
"indicator--5cd2a311-775c-41b7-b6c3-4c2a950d210f",
"indicator--5cd2a46c-bf78-416e-a7ee-6b3e950d210f",
"indicator--5cd2a73d-e1f4-4904-a5fc-6b06950d210f",
"indicator--5cd2a74d-1344-4c51-be2d-6b06950d210f",
"indicator--5cd2a762-6fa8-47af-ac81-499e950d210f",
"indicator--5cd2a776-885c-4236-abe2-6d70950d210f",
"indicator--5cd2ae66-1350-46cc-adb5-4cf9950d210f",
"indicator--5cd2b0f1-5a7c-47d7-b5f8-4380950d210f",
"indicator--5cd2b198-1d2c-4463-99e6-4ef5950d210f",
"indicator--5cd2b1c8-e3bc-47a5-bc20-6b3d950d210f",
"relationship--0dfc4cf4-263a-4cc0-9395-b67820268fbc",
"relationship--ba719784-9df5-4e87-be1f-269e9c3032c7",
"relationship--3b0d0479-6153-492e-a306-059c3618acac",
"relationship--030bbb4d-54d7-4545-ba17-7558267585c1",
"relationship--14b23784-b861-4bad-a7a8-04b271afa0d4",
"relationship--c12665c6-aa22-4f60-9968-c30b56866c88"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"workflow:todo=\"expansion\"",
"enisa:nefarious-activity-abuse=\"spear-phishing-attacks\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd2771f-ddb0-4c67-aec6-4ab5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T06:28:47.000Z",
"modified": "2019-05-08T06:28:47.000Z",
"first_observed": "2019-05-08T06:28:47Z",
"last_observed": "2019-05-08T06:28:47Z",
"number_observed": 1,
"object_refs": [
"url--5cd2771f-ddb0-4c67-aec6-4ab5950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cd2771f-ddb0-4c67-aec6-4ab5950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cd278cd-95bc-4427-b42b-4da4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T06:35:57.000Z",
"modified": "2019-05-08T06:35:57.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to download the second-stage payload from the command and control (C&C) server. The email was received by military departments in Ukraine and included lure content related to the sale of demining machines. \r\n\r\nThis latest activity is a continuation of spear phishing that targeted the Ukrainian Government as early as 2014. The email is linked to activity that previously targeted the Ukrainian Government with RATVERMIN. Infrastructure analysis indicates the actors behind the intrusion activity may be associated with the so-called Luhansk People's Republic (LPR)."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd27965-10d0-45d5-8cf7-414a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T06:38:29.000Z",
"modified": "2019-05-08T06:38:29.000Z",
"first_observed": "2019-05-08T06:38:29Z",
"last_observed": "2019-05-08T06:38:29Z",
"number_observed": 1,
"object_refs": [
"file--5cd27965-10d0-45d5-8cf7-414a950d210f",
"artifact--5cd27965-10d0-45d5-8cf7-414a950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5cd27965-10d0-45d5-8cf7-414a950d210f",
"name": "Picture1.png",
"content_ref": "artifact--5cd27965-10d0-45d5-8cf7-414a950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5cd27965-10d0-45d5-8cf7-414a950d210f",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAAA7wAAAK+CAYAAACB/BKIAAAABGdBTUEAALGPC/xhBQAAIABJREFUeJzsvQmUZMlZ3zsDQttIllmEl2c/np+xecbYBmwwi0CA9DBgI2zOE5Ytg7EsYw/HB4kDGIRYjC3QMtqXETPTo5npvadn7a4la8nKrCWrcqmsqlwq96zc970ys6uqt//7vsi8WVl71tZV3f195/xPZd+8GTduRNzo+N344otHHnnkETz66KN473vfi/Pnz2NtdQ2rK6tYubGCGzduiEQikUgkEolEIpFIdKrF/MocyzxbLBaRSqWQSCTwCAPv+973Ppx94SzKpTJWVlYEdkUikUgkEolEIpFIdF+JOVbj2VKxhGQy2QLej33sYxgfH1dfnnQmRSLRg6P6ch3LtWWlk86LSCQSiUQikejhEHNttVpFJptpAe+FCxfg9/tPPGMikejBUaPeQCFXQCadQS6bU/8+6TyJRCKRSCQSiR4O1et1lCvlFvBazBaUSqV9J9JoNFRCy8vLHfEx1lFkcrv0+d9HnX73NbR/H9U1RKKHUfwMFfIFhEIh+Hw+BAIB5HN59YyddN5EIpFIJBKJRA+HeMJFAa/ft7/ZXXZPZJ/oeDwOn9+HhYUFJbfbjUAwoHyla9XaoTJXrVRVOv6AX6WrXYOvx9fl6x9mxojzl8lkEIvF4PV5O+nz56WlJfXdYe9BJHoYxS+L+BkKh8IqWAC7kqTTafVvPs4wfNJ5FIlEIpFIJBI9+OoAL8/A9PqjSrmCaDSqZmy0mRsexLJ4Noddo71er/pcLBT3PVPKMM2/499zOpwef9auwdfj4/w3lUyp/Own/WazqYJzcVqc9uZ74M98nBUOh9W5/JuTriyR6DSrXC4jnUqrZ3VmeqbzAsnhcHSkHTPPmOFyupCIJ9SLq73Tb6Jeo/QjQcxazJg2mzHv8CGayKFS057NBnLxKGJLYcpDWMF1OBhEOJJAoVJDvdlKi5/laiZO31F/FWyf11aQzk9kiygvNzrXbdJ1l7xuzM5YYTZZYLXNwx9JYbmxvz6hmk8h4l+E3TyDaUrHFYihTB1ws+sclbd0DAs2C2amZmC1LiAYz3Xur5BKqPsLhjbmmxUKhqi/WkK2tEzp7JQPKqNkHIlIBLFkYftzKA+NUhYhfxDJfAmVOpUB9eHFVBSRWB71rvtuNhuoZBMIdJ2r6qpSQMA5D/P0NKx2B1zeEHLl/c3sNxvLSIQWYZuZwQyVPdd3qlDd0i4a9SqificspmnMmOfg8UepDDa/qKT8Uz6XvA4q12mYLfOIpYtYrvdah61yS8VjyHbdR7WQRjzsg8NupXTNmLW7EEtxuo0NeWzWKogHF+FasFPbt8BC+fRH0vtuQ1qZ15crSHA7CERRqtXR2O03zTrq5Twi1LbjmRJq9e76W29vXH7c3gKx3L7zxGm452epvmfo/mZVGo1N96baSj4J1xw9R9Nm2GwO+ILxrue3F3FZlhD2uGCldmGx2LHg8qu2taHNq3vOwUt5mp4ywT6/iEgig+qWPNVRq5RUWYaWNj3TXDZUv4uUxgyXDdWty7u0z3bMz0IJsQDl12qhsrFSG3EiGMt06qxWyCIVi6i+Z/MzHeZnml8SxrLUf7Xy1qC2VKF8BQMR6qeaG/oPVT7VAsKBELKF8oa6bj1TVaTo2Y+Ho+0y29wX8vWC1L9EkKbnub5D+2xQ+ytmU/Sb6DZ54HJdRpbuKRRu98V8H6ylOMrVBhpaX0z9Spn6lWBAu+eQ+v+Dz8sWq7v0YyKRSLQ/LdeX9we8DKM8u8qds+qgw60Zmwh1oprUzA4dZ3Dkf/OAlgPX9JI+n5fNZtXv+Pe7pc/X586R87OfgDg8c6ylrzrXTdfohnftHhiqBXpFop3Fzwy/gOJnOJfLolgqoFQqbhEf5+8ZkDlc/N59T5NgKwL/3AwMhjEYGAQt9HnMiLGxKYKceeRp0NygwatnegpmvR5jegMmjOOYGGt/nrDBS4PrIg/OGnUkvTZMGAyUngFGg7GjsVEDPEsJ5KvUXxFw1YopWCcmYBgZwSSBkokG9FNGI0b1RkzNuOm8WmcgupPUQD8TJiCahHGcNEn5N5swMjqGKYuXBpZlNfjlfBUTQUxNGKE3mggK6F5MkzCMT8EZzqBOnXXENQfrJN+3UeVdP6pXMrTvZZzODWaqnQHl1rzUEZ63YX58HFMme6s8Np9D+Yg7p2HUj8HhTyBTIqBariLmmsG4kcq63LrnZr2GAuWXy9FoWUQyV8IynceDcev4BPRDRlhsVM6UV+MI3eu0Felyo6dBLF9vyWmh347CZLHBNDmFCarXiYlppIrL7ftrokCD5ZDDTHml86yzmKL6nhgz0HXnKd/LnfaTJnBeME/ASN9P83l0vtEwQeCRpoH/3v83cbn5bVY4CFYD6RZ0VzMRmKlOuR0ajVOYpXsdHx6hdMfhDCXaYNwkoMphwTQF4+goJqhcTARq05OtNjQ9R2BSqm6pg91UK2aQDrthoPrRj44jnq9geYcyXS4XkCQg5zY7Ru3E5FxS9afVc3d7myIw5PY2RuXC7W25B+8pTqOcDrfTmKJnZAqW6VYaC8FUJw2uz1zcT8+kAaMj45iZMWNyclLlf8rkRLmxtR1uEcMpQayNn8dhI8xmC7ULep6GqVzpmUoWa6pdNBs15FMxzI5TGQ8ZYJu1Ur3T8zJOUG/3o9oBxyJCTjvmTJQe1YXe4FQvDzgfzeUSyrkY5deIEcqv3T6nynBc32rHmV7aMeW3UkxTPsZhoLqfIsifnjbBxGVFbWRmIYwav0iKB+CaNau+h5/hsdGx1nPN9Utt2Uj92KSN8r3cylshSWOTeZNqd4vx8kZIp/qopYMYp99NUv8U4hcP3c9VLQ87vzCctiBI7bi7L+Trrfcr1M9SHmcdPsRS+S19XJHy4JulNm2cVHlobPq+TlDunhynNj+GcUpvgvrWcXUN7qMsWErm1MuxxnINUepX1P2OGTr9GPfZRuME5heXUOYXOjL2EolEh9S+gJeBj9fkdYNiN4huFn/P6fKsT2+zODfUeexizL/rJX2GXs4P56sXIOVzOHhOL+l330M2kxU3TJFoG/FzwS+pnE6nmrHlfc84It5e4mexUqlgbm6utXygVtv2GW7WK4j4XDAb9RifmYc/HEE8GoHX7cAUDSZ1ujH4afBWp4Gug0DGTIMwy7wbPq8XPg/Pqs1ibGgMM1YXAslSG+gmMTw4jjm7Ex6PF962Ft0eArciKssNVEt5RJw2DF4bhmXWgUCIX4RRn+D3YME6jYFBgmMaUGYru79sa1AnG3POYHhkiqDMqfIfi4ThsJowoBtHIJZBiSNZVwn+6ZiOznN6Q4gshRDyuWGeGMPo1BwKVGbpGA12/ZRPjwcetxsT/X0YGTNjweFu3YPXT4Px+o6DcZ558dM1zEODqtzC2erGwSTB+XKlANvYIPquXcesJ4I0A+Yy1cGcEYP9FuQI0OoEMMVMHHNcDsNTcAcTKFaX6bdZ5GIeDPUNqMFyJB5HgO6BZxDHBkfgCOe3zPxtEYFCOZfAtEGHiWk7gksx6oeDcM/ZYOgfpDwlaPDfoMF7CWHvAp03jEnLAsLROJWNG3aCtgmCB0cgpQChUS3AaZsiKJuEyebAUixB5erCxKAOZrsPnqXsnrDF5bZIcDtLIOdJskdRk+rUgpHhCQKZOXh9QcTiMfgXXTCNDGHC5EIwwrOcyygRgOj7+2GeXYDbG8QSv1QN+TA3bcTAqAlLqRxqPc5kNetlJEIeukcDBgYGcP3aEKLZ8rbA26jkEQt6YDOb1EsTPbUVgy2AbLGm8r+5vanZOKory4RetTcG8Z1enLTUSiNga6Ux5/IjxC+O6d44Df2UXaVRJ6irFLLw03ncVhyuACL0/IYCXswRfI326+FLFnecTezuB4opP3TX+tRsazhC7SLoVzPL+r5BzAczasa+RpAZ8cxhuG8IswsEbIkYvK45Vf9DehOihYqaIQ8uOgg+CZj1ehhGhtE3aCfgXVZtoZpPIhmYR3/fGBYW/UgkktS2FuGY7b0dN+t
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc2-029c-430e-b467-4874950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:54.000Z",
"modified": "2019-05-08T08:13:54.000Z",
"pattern": "[email-message:from_ref.value = 're2a1er1@yandex.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc2-0b98-4394-9e6e-400e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:54.000Z",
"modified": "2019-05-08T08:13:54.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks 24tv.ua, A large news portal in Ukraine",
"pattern": "[domain-name:value = '24ua.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc2-1c3c-465f-9da1-46a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:54.000Z",
"modified": "2019-05-08T08:13:54.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks censor.net.ua, A large news portal in Ukraine",
"pattern": "[domain-name:value = 'censor.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc2-040c-4b9d-acbe-4736950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:54.000Z",
"modified": "2019-05-08T08:13:54.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks fakty.ua, A large news portal in Ukraine",
"pattern": "[domain-name:value = 'fakty.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc2-e740-41e0-9c43-46fe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:54.000Z",
"modified": "2019-05-08T08:13:54.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks Volodymyr Borysovych Groysman ( V. B. Groysman is a politician who has been the Prime Minister of Ukraine since April 14, 2016)",
"pattern": "[domain-name:value = 'groysman.host']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-80e8-44fb-8a12-4711950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks gordonua.com, A large mail service in Ukraine",
"pattern": "[domain-name:value = 'gordon.co.ua']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-7fbc-46ee-a244-4810950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks ukr.net, A large news portal in Ukraine",
"pattern": "[domain-name:value = 'mailukr.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-e080-4de0-b890-4d46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks me.gov.ua, Ukraine's Ministry of Economic Development and Trade",
"pattern": "[domain-name:value = 'me.co.ua']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-69ac-43d8-9c6f-4f14950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks novaposhta.ua, Ukraine's largest logistics services company",
"pattern": "[domain-name:value = 'novaposhta.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-9f68-430d-ad9f-44df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks olx.ua, Ukraine's largest online ad platform",
"pattern": "[domain-name:value = 'olx.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-ebac-4ea8-b26e-4fdb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks online.ua, A large news portal in Ukraine",
"pattern": "[domain-name:value = 'onlineua.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-e74c-4a45-8f50-427b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks rst.ua, One of the largest car sales websites in Ukraine",
"pattern": "[domain-name:value = 'rst.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-6a70-467d-afad-47ae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - TV-related",
"pattern": "[domain-name:value = 'satv.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-d0ac-4022-9a64-441d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks sinoptik.ua, The largest weather website in Ukraine",
"pattern": "[domain-name:value = 'sinoptik.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-f0e8-4849-8ef4-4799950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks spectator.co.uk, A large news portal in the UK",
"pattern": "[domain-name:value = 'spectator.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-e648-4dfe-8bf1-4a4d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - TV-related",
"pattern": "[domain-name:value = 'tv.co.ua']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-422c-465a-b913-413e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks uatoday.news, A large news portal in Ukraine",
"pattern": "[domain-name:value = 'uatoday.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-c0b0-4bc1-b45c-4adb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks ukrposhta.ua, State Post of Ukraine",
"pattern": "[domain-name:value = 'ukrposhta.website']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-679c-4030-a00e-4676950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks unian.net, A large news portal in Ukraine",
"pattern": "[domain-name:value = 'unian.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-5b88-41ef-a3cc-4aeb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:13:55.000Z",
"modified": "2019-05-08T08:13:55.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru",
"pattern": "[domain-name:value = 'vj2.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:13:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-4bb0-496f-9175-4bd5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:21:18.000Z",
"modified": "2019-05-08T08:21:18.000Z",
"description": "Domain Registered by re2a1er1@yandex.ru - possibly mimicks zik.ua, A large news portal in Ukraine",
"pattern": "[domain-name:value = 'z1k.pw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:21:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28fc3-70f8-49f1-b17c-48c9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:21:27.000Z",
"modified": "2019-05-08T08:21:27.000Z",
"description": "Military news",
"pattern": "[domain-name:value = 'milnews.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:21:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd290e9-165c-4464-a604-4c13950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:22:41.000Z",
"modified": "2019-05-08T08:22:41.000Z",
"first_observed": "2019-05-08T08:22:41Z",
"last_observed": "2019-05-08T08:22:41Z",
"number_observed": 1,
"object_refs": [
"domain-name--5cd290e9-165c-4464-a604-4c13950d210f"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5cd290e9-165c-4464-a604-4c13950d210f",
"value": "xn--90adzbis.xn--c1avg"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a7cc-bb0c-4865-a988-451b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:56:28.000Z",
"modified": "2019-05-08T09:56:28.000Z",
"pattern": "[domain-name:value = 'akamainet022.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:56:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a7cc-1d60-441b-89ee-439e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:56:28.000Z",
"modified": "2019-05-08T09:56:28.000Z",
"pattern": "[domain-name:value = 'notifymail.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:56:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a7cc-6414-401b-bf87-44b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:56:28.000Z",
"modified": "2019-05-08T09:56:28.000Z",
"pattern": "[domain-name:value = 'akamainet066.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:56:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a7cc-2fbc-4328-856a-403d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:56:28.000Z",
"modified": "2019-05-08T09:56:28.000Z",
"pattern": "[domain-name:value = 'akamainet024.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:56:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a7cc-aaf4-4905-b166-4fd9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:56:28.000Z",
"modified": "2019-05-08T09:56:28.000Z",
"pattern": "[domain-name:value = 'akamaicdn.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:56:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a7cc-641c-4b80-9bc8-42c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:56:28.000Z",
"modified": "2019-05-08T09:56:28.000Z",
"pattern": "[domain-name:value = 'cdnakamai.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:56:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ae7d-6724-42a1-9f71-6b3d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T10:25:01.000Z",
"modified": "2019-05-08T10:25:01.000Z",
"description": "C&C",
"pattern": "[url:value = 'http://sinoptik.website/OxslV6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T10:25:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ae7d-8f94-4724-ad31-6b3d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T10:25:01.000Z",
"modified": "2019-05-08T10:25:01.000Z",
"description": "C&C",
"pattern": "[url:value = 'http://cdn1186.site/zG4roJ']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T10:25:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd27f3c-49f0-4ff5-8fca-40a0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T07:15:37.000Z",
"modified": "2019-05-08T07:15:37.000Z",
"pattern": "[email-message:body = 'Dear Colleagues,\r\n\r\nPlease accept the best regards from representatives of Armtrac Ltd. which were on the meeting held on 24th May in Astana. My name is Alex Gallil and I\\'m am responsible person from Armtrac Ltd. for cooperation development with Ukrainian partners. \r\nAs part of conversation held between our sides, were discussed joint opportunities in demining activities, development of demining vehicles, ammunition recycling, participation in tenders with further technology transfer and other. Among other were discussed the border surveillance system which is highly interesting for us.\r\n\r\nSincerely,\r\nAlex Gallil\r\nExecutive manager' AND email-message:from_ref.display_name = 'Armtrac' AND email-message:date = '2019-01-22 11:35' AND email-message:subject = 'SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD' AND email-message:body_multipart[0].body_raw_ref.name = 'Armtrac-Commercial.7z' AND email-message:body_multipart[0].content_disposition = 'attachment']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T07:15:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"email\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd280c9-a63c-467d-91ec-49c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T07:16:10.000Z",
"modified": "2019-05-08T07:16:10.000Z",
"pattern": "[file:hashes.MD5 = '982565e80981ce13c48e0147fb271fe5' AND file:name = 'Armtrac-Commercial.7z' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T07:16:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd281d0-85c8-4572-b487-45b1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T07:22:50.000Z",
"modified": "2019-05-08T07:22:50.000Z",
"pattern": "[file:hashes.MD5 = 'e92d01d9b1a783a23477e182914b2454' AND file:name = 'Armtrac-Commercial.zip' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T07:22:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd282dc-a808-4591-b3a3-472f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T07:18:52.000Z",
"modified": "2019-05-08T07:18:52.000Z",
"description": "benign document from the official Armtrac website",
"pattern": "[file:hashes.MD5 = '0d6a46eb0d0148aafb34e287fcafa68f' AND file:name = 'Armtrac-20T-with-Equipment-35078.pdf' AND file:x_misp_state = 'Harmless']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T07:18:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd28329-c834-4d7c-a1c4-4b38950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T07:20:09.000Z",
"modified": "2019-05-08T07:20:09.000Z",
"description": "benign document from the official Armtrac website",
"pattern": "[file:hashes.MD5 = 'bace12f3be3d825c6339247f4bd73115' AND file:name = 'SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf' AND file:x_misp_state = 'Harmless']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T07:20:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2836d-8148-4123-a015-4318950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T07:21:17.000Z",
"modified": "2019-05-08T07:21:17.000Z",
"description": "Malicious LNK file that executes a PowerShell script.\r\nInterestingly, while the LNK file used a forged extension to impersonate a PDF document, the icon was replaced with a Microsoft Word document icon.",
"pattern": "[file:hashes.MD5 = 'ec0fb9d17ec77ad05f9a69879327e2f9' AND file:name = 'SPEC-10T-MK2-000-ISS-4.10-09-2018-STANDARD.pdf.lnk' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T07:21:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd29268-0a88-4a5b-a417-418c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:25:12.000Z",
"modified": "2019-05-08T08:25:12.000Z",
"pattern": "[domain-name:value = 'sinoptik.website' AND domain-name:value = 'www.sinoptik.website' AND domain-name:resolves_to_refs[*].value = '78.140.167.89' AND domain-name:resolves_to_refs[*].value = '78.140.164.221' AND domain-name:resolves_to_refs[*].value = '185.125.46.158' AND domain-name:resolves_to_refs[*].value = '78.140.167.89']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T08:25:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a311-775c-41b7-b6c3-4c2a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:36:17.000Z",
"modified": "2019-05-08T09:36:17.000Z",
"pattern": "[file:hashes.MD5 = '47161360b84388d1c254eb68ad3d6dfa' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:36:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a46c-bf78-416e-a7ee-6b3e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:42:04.000Z",
"modified": "2019-05-08T09:42:04.000Z",
"pattern": "[file:hashes.MD5 = '242f0ab53ac5d194af091296517ec10a' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:42:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a73d-e1f4-4904-a5fc-6b06950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:54:05.000Z",
"modified": "2019-05-08T09:54:05.000Z",
"pattern": "[file:hashes.MD5 = '07633a79d28bb8b4ef8a6283b881be0e' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:54:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a74d-1344-4c51-be2d-6b06950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:54:21.000Z",
"modified": "2019-05-08T09:54:21.000Z",
"pattern": "[file:hashes.MD5 = '5feae6cb9915c6378c4bb68740557d0a' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:54:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a762-6fa8-47af-ac81-499e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:54:42.000Z",
"modified": "2019-05-08T09:54:42.000Z",
"pattern": "[file:hashes.MD5 = 'dc0ab74129a4be18d823b71a54b0cab0' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:54:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2a776-885c-4236-abe2-6d70950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:55:02.000Z",
"modified": "2019-05-08T09:55:02.000Z",
"pattern": "[file:hashes.MD5 = 'bbcce9c91489eef00b48841015bb36c1' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T09:55:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2ae66-1350-46cc-adb5-4cf9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T10:24:38.000Z",
"modified": "2019-05-08T10:24:38.000Z",
"pattern": "[file:hashes.MD5 = 'fe198e90813c5ee1cfd95edce5241e25' AND file:name = '\u0412\u0438\u0441\u043d\u043e\u0432\u043a\u0438. S021000262_1901141812000. Scancopy_0003. HP LaserJet Enterprise 700 M775dn(CC522A).docx.lnk' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T10:24:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2b0f1-5a7c-47d7-b5f8-4380950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T10:35:29.000Z",
"modified": "2019-05-08T10:35:29.000Z",
"description": "ZIP archive containing a malicious LNK file",
"pattern": "[file:hashes.MD5 = 'a5300dc3e19f0f0b919de5cda4aeb71c' AND file:name = '\u041a\u041c\u0423 \u0431\u0430\u0437\u0430 \u0434\u0430\u043d\u0438\u0445.zip' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T10:35:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2b198-1d2c-4463-99e6-4ef5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T10:38:16.000Z",
"modified": "2019-05-08T10:38:16.000Z",
"description": "Benign decoy document",
"pattern": "[file:hashes.MD5 = 'a40fb835a54925aea12ffaa0d76f4ca7' AND file:name = '\u0414\u043e\u0434\u0430\u0442\u043e\u043a.pdf' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T10:38:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd2b1c8-e3bc-47a5-bc20-6b3d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T10:39:04.000Z",
"modified": "2019-05-08T10:39:04.000Z",
"description": "Malicious LNK that executes a PowerShell script",
"pattern": "[file:hashes.MD5 = '4b8aac0649c3a846c24f93dc670bb1ef' AND file:name = '\u041a\u041c\u0423_\u0431\u0430\u0437\u0430_\u0434\u0430\u043d\u0438\u0445_\u043e\u0440\u0433\u0430\u043d\u0438_\u0443\u043f\u0440,_\u0421\u0413_\u041a\u041c\u0423.rtf.lnk' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-08T10:39:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0dfc4cf4-263a-4cc0-9395-b67820268fbc",
"created": "2019-05-08T07:06:58.000Z",
"modified": "2019-05-08T07:06:58.000Z",
"relationship_type": "same-as",
"source_ref": "indicator--5cd27f3c-49f0-4ff5-8fca-40a0950d210f",
"target_ref": "observed-data--5cd27965-10d0-45d5-8cf7-414a950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ba719784-9df5-4e87-be1f-269e9c3032c7",
"created": "2019-05-08T07:15:37.000Z",
"modified": "2019-05-08T07:15:37.000Z",
"relationship_type": "contains",
"source_ref": "indicator--5cd27f3c-49f0-4ff5-8fca-40a0950d210f",
"target_ref": "indicator--5cd280c9-a63c-467d-91ec-49c8950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3b0d0479-6153-492e-a306-059c3618acac",
"created": "2019-05-08T07:16:10.000Z",
"modified": "2019-05-08T07:16:10.000Z",
"relationship_type": "contains",
"source_ref": "indicator--5cd280c9-a63c-467d-91ec-49c8950d210f",
"target_ref": "indicator--5cd281d0-85c8-4572-b487-45b1950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--030bbb4d-54d7-4545-ba17-7558267585c1",
"created": "2019-05-08T07:21:47.000Z",
"modified": "2019-05-08T07:21:47.000Z",
"relationship_type": "contains",
"source_ref": "indicator--5cd281d0-85c8-4572-b487-45b1950d210f",
"target_ref": "indicator--5cd282dc-a808-4591-b3a3-472f950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--14b23784-b861-4bad-a7a8-04b271afa0d4",
"created": "2019-05-08T07:22:14.000Z",
"modified": "2019-05-08T07:22:14.000Z",
"relationship_type": "contains",
"source_ref": "indicator--5cd281d0-85c8-4572-b487-45b1950d210f",
"target_ref": "indicator--5cd28329-c834-4d7c-a1c4-4b38950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c12665c6-aa22-4f60-9968-c30b56866c88",
"created": "2019-05-08T07:22:39.000Z",
"modified": "2019-05-08T07:22:39.000Z",
"relationship_type": "contains",
"source_ref": "indicator--5cd281d0-85c8-4572-b487-45b1950d210f",
"target_ref": "indicator--5cd2836d-8148-4123-a015-4318950d210f"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink