adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5bf290ce-2df0-4d91-9e62-4cb6950d210f.json

413 lines
18 KiB
JSON
Raw Normal View History

chg: [feed] feed updated
2023-06-14 17:31:25 +00:00
{
"type": "bundle",
"id": "bundle--5bf290ce-2df0-4d91-9e62-4cb6950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T14:32:21.000Z",
"modified": "2018-11-19T14:32:21.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5bf290ce-2df0-4d91-9e62-4cb6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T14:32:21.000Z",
"modified": "2018-11-19T14:32:21.000Z",
"name": "OSINT - OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5bf29192-07b0-4f32-bce6-4bca950d210f",
"url--5bf29192-07b0-4f32-bce6-4bca950d210f",
"indicator--5bf2b90a-aba0-4bb8-a5ca-4f70950d210f",
"indicator--5bf29643-27dc-452c-91bc-4c4a950d210f",
"indicator--5bf29a92-4e88-4432-a67c-4b84950d210f",
"indicator--5bf29c1e-4304-40db-bb46-46d3950d210f",
"indicator--5bf29d8f-e558-4af1-a0f3-4653950d210f",
"indicator--5bf29da3-deec-4a6a-9967-408a950d210f",
"indicator--1ad2e243-0418-419a-8300-12ac17adb5f0",
"x-misp-object--48845792-c31e-45a2-ba4b-f60e29e7d371",
"indicator--5ce1579d-18af-4c70-8a05-238a5a7e25bd",
"x-misp-object--11df404f-cd09-4341-9779-b38b73e4d580",
"indicator--6ce66cdf-6c35-4d67-9978-1876aa656790",
"x-misp-object--e6c24ac2-3816-483f-8ca6-7cfdfb17f64f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
"malware_classification:malware-category=\"Trojan\"",
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\"",
"misp-galaxy:threat-actor=\"OilRig\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\"",
"misp-galaxy:mitre-intrusion-set=\"OilRig\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bf29192-07b0-4f32-bce6-4bca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T10:34:17.000Z",
"modified": "2018-11-19T10:34:17.000Z",
"first_observed": "2018-11-19T10:34:17Z",
"last_observed": "2018-11-19T10:34:17Z",
"number_observed": 1,
"object_refs": [
"url--5bf29192-07b0-4f32-bce6-4bca950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5bf29192-07b0-4f32-bce6-4bca950d210f",
"value": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf2b90a-aba0-4bb8-a5ca-4f70950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T13:34:21.000Z",
"modified": "2018-11-19T13:34:21.000Z",
"description": "BONDUPDATER C2",
"pattern": "[domain-name:value = 'withyourface.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T13:34:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf29643-27dc-452c-91bc-4c4a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T13:35:36.000Z",
"modified": "2018-11-19T13:35:36.000Z",
"description": "BONDUPDATER Dropper Docs\r\ncontains a macro that attempted to install a new version of the BONDUPDATER Trojan\r\n",
"pattern": "[file:hashes.SHA256 = '7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00' AND file:name = 'N56.15.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T13:35:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf29a92-4e88-4432-a67c-4b84950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T13:35:58.000Z",
"modified": "2018-11-19T13:35:58.000Z",
"description": "BONDUPDATER Dropper Docs",
"pattern": "[file:hashes.SHA256 = 'c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322' AND file:name = 'AppPool.vbs' AND file:parent_directory_ref.path = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool' AND file:x_misp_state = 'Malicious' AND file:x_misp_fullpath = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\AppPool.vbs']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T13:35:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf29c1e-4304-40db-bb46-46d3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T13:36:28.000Z",
"modified": "2018-11-19T13:36:28.000Z",
"description": "BONDUPDATER Dropper Docs",
"pattern": "[file:hashes.SHA256 = 'd5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7' AND file:name = 'AppPool.ps1' AND file:parent_directory_ref.path = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\' AND file:x_misp_state = 'Malicious' AND file:x_misp_fullpath = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\AppPool.ps1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T13:36:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf29d8f-e558-4af1-a0f3-4653950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T11:25:03.000Z",
"modified": "2018-11-19T11:25:03.000Z",
"pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\lock' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T11:25:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bf29da3-deec-4a6a-9967-408a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T11:25:23.000Z",
"modified": "2018-11-19T11:25:23.000Z",
"pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\WindowsAppPool\\\\quid' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T11:25:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1ad2e243-0418-419a-8300-12ac17adb5f0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T14:26:24.000Z",
"modified": "2018-11-19T14:26:24.000Z",
"pattern": "[file:hashes.MD5 = '52b6e1ef0d079f4c2572705156365c06' AND file:hashes.SHA1 = '5732b44851ec10f16c8e1201af3bec455f724961' AND file:hashes.SHA256 = '7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T14:26:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--48845792-c31e-45a2-ba4b-f60e29e7d371",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T14:26:26.000Z",
"modified": "2018-11-19T14:26:26.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-10-29 01:55:45",
"category": "Other",
"uuid": "37fd897a-6742-48b4-bc55-8ec2ab7d4119"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00/analysis/1540778145/",
"category": "External analysis",
"uuid": "e88f35c0-a05d-44ef-80a8-99d2a29980b4"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "39/58",
"category": "Other",
"uuid": "f2c56cfe-2278-4d43-acec-2b77dc5af11c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ce1579d-18af-4c70-8a05-238a5a7e25bd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T14:26:27.000Z",
"modified": "2018-11-19T14:26:27.000Z",
"pattern": "[file:hashes.MD5 = '88a3636fbae365ac19d7fb68c2cc2fef' AND file:hashes.SHA1 = '64e1751562347134e17a7e1985a8765085302f93' AND file:hashes.SHA256 = 'c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T14:26:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--11df404f-cd09-4341-9779-b38b73e4d580",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T14:26:29.000Z",
"modified": "2018-11-19T14:26:29.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-10-17 23:42:45",
"category": "Other",
"uuid": "d3581511-855c-43c3-858c-4d5f3f489e8b"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322/analysis/1539819765/",
"category": "External analysis",
"uuid": "f7081c18-1de8-4365-bdf8-6dd8a3af9c51"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "26/56",
"category": "Other",
"uuid": "afb88b5f-d777-4892-941d-9a853f4a2cc6"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6ce66cdf-6c35-4d67-9978-1876aa656790",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T14:26:30.000Z",
"modified": "2018-11-19T14:26:30.000Z",
"pattern": "[file:hashes.MD5 = '8c4fa86dcc2fd00933b70cbf239f0636' AND file:hashes.SHA1 = '204855fa620bf1f8b2a781e1e8ecfda4d411ca77' AND file:hashes.SHA256 = 'd5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-19T14:26:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e6c24ac2-3816-483f-8ca6-7cfdfb17f64f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-19T14:26:31.000Z",
"modified": "2018-11-19T14:26:31.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-10-16 23:36:19",
"category": "Other",
"uuid": "9b3fe04c-f077-40e2-ac6e-0318207570d7"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7/analysis/1539732979/",
"category": "External analysis",
"uuid": "31c239f5-61f1-44aa-b098-96391ce6eafa"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "24/57",
"category": "Other",
"uuid": "8fab6ce4-d439-4d29-9307-def6e20c980e"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink