misp-circl-feed/feeds/circl/stix-2.1/1cccd5d8-5d52-4610-b8b7-7bbebd0d6d7b.json

{
"type": "bundle",
"id": "bundle--1cccd5d8-5d52-4610-b8b7-7bbebd0d6d7b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:24:06.000Z",
"modified": "2024-09-26T08:24:06.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--1cccd5d8-5d52-4610-b8b7-7bbebd0d6d7b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:24:06.000Z",
"modified": "2024-09-26T08:24:06.000Z",
"name": "OSINT - Unraveling SloppyLemming\u2019s Operations Across South Asia",
"published": "2024-09-26T09:13:44Z",
"object_refs": [
"x-misp-object--9c30da9f-1d33-4109-a521-6c3ff8a933b6",
"observed-data--7379cb86-69b9-49f1-9af4-1fc9937bc6ea",
"email-message--7379cb86-69b9-49f1-9af4-1fc9937bc6ea",
"malware--8648ab5f-0d70-4f2e-85ae-6e7fad3d15e4",
"indicator--cd3abe6b-bbac-4eb7-8290-3ae767462087",
"indicator--0d8a6a60-0cf9-4592-9981-cf0dcf7fa273",
"indicator--ab1cb60c-869c-448b-b31c-cb0b6b54de90",
"indicator--dd46076c-51fb-4ca7-aa93-4a5b8e665b31",
"indicator--b5db5235-bbcb-4a19-861b-99949f6ab146",
"indicator--2d46fb8b-889b-4619-8b36-92964fdd33ab",
"indicator--7fe7decc-edea-4033-b601-25485885b827",
"indicator--91cc8a82-404c-49d9-83f3-7c5a4632ff19",
"indicator--bf3c1a08-3134-4626-b952-3fbf33204912",
"indicator--b8c24219-c192-4e27-b331-e18520ba47ff",
"indicator--abfd3ace-3fab-4bcf-9c82-a470ac0618bb",
"indicator--91707b81-1568-4b04-bd9c-d35be74d9472",
"indicator--3902fec8-2fce-4672-a281-b5ee6abe5960",
"indicator--a15f5b75-f8df-40c5-af1f-131b35b45aea",
"indicator--8d8a544b-7264-466d-9c63-7b999c9cc0c5",
"indicator--8f11e476-3bfc-4de1-a349-e9f4c524f665",
"indicator--9f901585-951c-4c4d-9a2a-e8a2447c8e18",
"indicator--a1b62d00-9ad4-42fd-ae7f-a977313e842d",
"indicator--abc7200c-1013-4504-b7b2-99de2cf25a33",
"indicator--5751dcfc-4995-45e0-9ccc-7b063436b334",
"indicator--8b1d459a-47d7-4360-a629-0b83a0dda16e",
"indicator--92d42dfb-3631-4847-b77f-ea4fef5112bb",
"indicator--4457f5f1-4941-480b-9284-3d6947359e98",
"indicator--f9a34025-9fdb-4c50-95c2-2ec72a0dc444",
"indicator--532a7f92-2cac-40b1-ac9f-5ecaac3f0dcd",
"indicator--56ee3482-f293-410f-b2bb-7a3611a7261b",
"indicator--70e05653-0108-498c-84f6-cd71341b8a19",
"indicator--d0365184-cc69-4bd6-a2f0-c56db5c541e3",
"indicator--d516eff7-0e15-4458-95ba-d14907200109",
"indicator--38d9a1f2-7588-4db2-884e-a3ac2f95c7a0",
"indicator--09b4ca94-c810-45b3-84f5-fed3a13289ed",
"indicator--acfe32cc-6045-4de3-b57e-b397084ab7c2",
"indicator--de120a14-3e07-464e-bd01-0031c22b324c",
"indicator--d368f5a0-9368-40cc-ba4a-00db7b2a0310",
"indicator--36f77fcf-82fb-4ba3-98a8-985e19261a80",
"indicator--3c5ffe47-81b7-4dc7-bb24-02f29a377cbe",
"indicator--97c4669b-f884-4a7e-9ea2-2b11cfbe44b7",
"indicator--05b0fa1f-beea-4229-8c61-d16f1e44acec",
"indicator--5b00e211-33a4-446a-801b-a03fd7615faa",
"indicator--1059c0d5-a5ac-482b-b1c3-fefaa7c9b37e",
"indicator--aa50f0d2-492e-4ae7-ba05-d0174ff33c01",
"indicator--03be3344-6af2-4c74-a514-91211818caa5",
"indicator--3a5b0840-103a-4efc-b8ac-6a69c33e9722",
"indicator--33b8a83a-1422-4a39-9d16-197aa7020530",
"indicator--c0b9c9f4-076a-4abe-bd21-8637f2a30be0",
"indicator--5b0332bb-3f98-4e42-bad8-f6e4bad60168",
"indicator--19dbb316-000c-49d9-8ae0-b82e942dd9eb",
"indicator--4636b86a-d007-4ff4-93c4-4faefede1a16",
"indicator--9a27cc52-1629-444b-ae13-152e833ae7ca",
"indicator--d9436e4c-0bde-441c-8f2f-d3e521412568",
"indicator--af1fe156-a05b-4c48-9793-313329983b03",
"indicator--5fed89ec-8ec2-47df-999b-0c30ac680846",
"indicator--bfaa9ac7-eb53-497a-a8fa-47e416701a4c",
"indicator--6e75e192-ec76-4cf4-863c-f2d103d1f6a9",
"indicator--8e698eb8-7f70-40f8-bc2a-dc513c715e3c",
"indicator--c99dbc3d-ad39-4970-819c-a3906d71e26e",
"indicator--ef9f34fe-6514-4b75-a9d2-cf3e85018279",
"indicator--9940be2e-387f-4b7e-a392-2cb3ce952b50",
"indicator--505438c1-1e30-453f-8b46-1617950b91c8",
"indicator--4b7cbbf2-8088-40b2-9181-181195768001",
"indicator--01dfde1c-179a-45c3-8757-bdf6ef82bfc8",
"indicator--335a515c-1107-4304-b77f-d7ff1f1eb695",
"indicator--e64162db-e8c6-4349-ba99-9f416dc53e56",
"note--0fc58862-2f2b-441f-aa78-855d230edd28"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"SloppyLemming\"",
"misp-galaxy:country=\"sri lanka\"",
"misp-galaxy:country=\"pakistan\"",
"misp-galaxy:country=\"bangladesh\"",
"misp-galaxy:country=\"china\"",
"misp-galaxy:sector=\"Police - Law enforcement\"",
"misp-galaxy:sector=\"Energy\"",
"misp-galaxy:sector=\"Telecoms\"",
"misp-galaxy:sector=\"Technology\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"tlp:clear"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9c30da9f-1d33-4109-a521-6c3ff8a933b6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:24:06.000Z",
"modified": "2024-09-26T08:24:06.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://blog.cloudflare.com/unraveling-sloppylemming-operations/",
"category": "External analysis",
"uuid": "5e4cd5f4-3f35-4cc5-abb6-be0069582d44"
},
{
"type": "text",
"object_relation": "summary",
"value": "Cloudforce One is publishing the results of an investigation into an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistan, Sri Lanka, Bangladesh, and China. Industries targeted include government, law enforcement, energy, telecommunications, and technology entities. \r\nExecutive Summary\r\n\r\n Between late 2022 and the present, SloppyLemming has routinely used Cloudflare Workers likely as part of a broad espionage campaign targeting South and East Asian countries\r\n\r\n SloppyLemming displays a lack of operational security (OPSEC) allowing Cloudforce One insight into its tooling \r\n\r\n The actor primarily targets Pakistani government, defense, telecommunications, technology, and energy sector organizations; SloppyLemming also targets Bangladesh, Sri Lanka, Nepal, and China.",
"category": "Other",
"uuid": "8c625f1f-97e8-4bec-a802-eeba2be84c83"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "f563152e-cfb0-46e5-b77b-b9c3f6bbb861"
},
{
"type": "attachment",
"object_relation": "report-file",
"value": "capture.zip",
"category": "External analysis",
"uuid": "2160c313-59a5-4e80-9d4a-33535f198e2f",
"data": "UEsDBBQAAAAAANJSOlkbNMlGDAsAAAwLAAApAAAAMjAyNC0wOS0yNlQxMDoyMjozNi4yMjg0ODYvMC5jb29raWVzLmpzb25beyJuYW1lIjogIl9fY2ZfYm0iLCAidmFsdWUiOiAiTkFvRnd6QmhfaG5ROVNwejh0YkVWNkZzeHN5X3VaSzdjQXBWS3NwTl9SZy0xNzI3MzM4ODc3LTEuMC4xLjEtSG9kckRrZFpCeWYua0M4WGE4N0VYd1h5enlTSXI2b1NrcjNIQm43bW95TEJFN1VHdGszVldfX2NWd0tieGNqQTlqc2FxYlpGdzZPRW1Kd1k3dGNJTEEiLCAiZG9tYWluIjogIi5ibG9nLmNsb3VkZmxhcmUuY29tIiwgInBhdGgiOiAiLyIsICJleHBpcmVzIjogMTcyNzM0MDY3Ny4xMTUyNDUsICJodHRwT25seSI6IHRydWUsICJzZWN1cmUiOiB0cnVlLCAic2FtZVNpdGUiOiAiTm9uZSJ9LCB7Im5hbWUiOiAiX19jZl9ibSIsICJ2YWx1ZSI6ICJSb2VkV2J3ajcwSDNxVTBiV2wwRlo2MU1RVUdNcDdxalhQNExaSXJ5UU5FLTE3MjczMzg4NzctMS4wLjEuMS05MVRSd1Q5a3BrdUtkTk1fMmRvck1rLi5WNG11OTgzZEtHWlFSUjVlUmxtRjU3MHptSXRuZGJxRzhjdzZoLndpMFc5Q1Ftb1B1bnZYZWplNUlFQzYzVXVITEtBZF94YlplV0U1X2lSVlBlUSIsICJkb21haW4iOiAiLnd3dy5jbG91ZGZsYXJlLmNvbSIsICJwYXRoIjogIi8iLCAiZXhwaXJlcyI6IDE3MjczNDA2NzcuNDE0NzA4LCAiaHR0cE9ubHkiOiB0cnVlLCAic2VjdXJlIjogdHJ1ZSwgInNhbWVTaXRlIjogIk5vbmUifSwgeyJuYW1lIjogImNmenNfZ29vZ2xlLWFuYWx5dGljc192NCIsICJ2YWx1ZSI6ICIlN0IlMjJuemNyX3BhZ2V2aWV3Q291bnRlciUyMiUzQSU3QiUyMnYlMjIlM0ElMjIxJTIyJTdEJTdEIiwgImRvbWFpbiI6ICIuY2xvdWRmbGFyZS5jb20iLCAicGF0aCI6ICIvIiwgImV4cGlyZXMiOiAtMSwgImh0dHBPbmx5IjogdHJ1ZSwgInNlY3VyZSI6IHRydWUsICJzYW1lU2l0ZSI6ICJMYXgifSwgeyJuYW1lIjogImNmel9nb29nbGUtYW5hbHl0aWNzX3Y0IiwgInZhbHVlIjogIiU3QiUyMm56Y3JfZW5nYWdlbWVudER1cmF0aW9uJTIyJTNBJTdCJTIydiUyMiUzQSUyMjAlMjIlMkMlMjJlJTIyJTNBMTc1ODg3NDg3NzY0MiU3RCUyQyUyMm56Y3JfZW5nYWdlbWVudFN0YXJ0JTIyJTNBJTdCJTIydiUyMiUzQSUyMjE3MjczMzg4Nzc2NDIlMjIlMkMlMjJlJTIyJTNBMTc1ODg3NDg3NzY0MiU3RCUyQyUyMm56Y3JfY291bnRlciUyMiUzQSU3QiUyMnYlMjIlM0ElMjIxJTIyJTJDJTIyZSUyMiUzQTE3NTg4NzQ4Nzc2NDIlN0QlMkMlMjJuemNyX2dhNHNpZCUyMiUzQSU3QiUyMnYlMjIlM0ElMjI3NzU0NzM0NCUyMiUyQyUyMmUlMjIlM0ExNzI3MzQwNjc3NjQyJTdEJTJDJTIybnpjcl9zZXNzaW9uX2NvdW50ZXIlMjIlM0ElN0IlMjJ2JTIyJTNBJTIyMSUyMiUyQyUyMmUlMjIlM0ExNzU4ODc0ODc3NjQyJTdEJTJDJTIybnpjcl9nYTQlMjIlM0ElN0IlMjJ2JTIyJTNBJTIyNGExOWNmZGQtNWVlZC00NzVlLWJmODMtYjAzYjQwZTcyYjRmJTIyJTJDJTIyZSUyMiUzQTE3NTg4NzQ4Nzc
2NDIlN0QlMkMlMjJuemNyX196X2dhX2F1ZGllbmNlcyUyMiUzQSU3QiUyMnYlMjIlM0ElMjI0YTE5Y2ZkZC01ZWVkLTQ3NWUtYmY4My1iMDNiNDBlNzJiNGYlMjIlMkMlMjJlJTIyJTNBMTc1ODg3NDg3NzY0MiU3RCUyQyUyMm56Y3JfbGV0JTIyJTNBJTdCJTIydiUyMiUzQSUyMjE3MjczMzg4Nzc2NDIlMjIlMkMlMjJlJTIyJTNBMTc1ODg3NDg3NzY0MiU3RCU3RCIsICJkb21haW4iOiAiLmNsb3VkZmxhcmUuY29tIiwgInBhdGgiOiAiLyIsICJleHBpcmVzIjogMTc1ODg3NDg3OC42MDY1NzcsICJodHRwT25seSI6IHRydWUsICJzZWN1cmUiOiB0cnVlLCAic2FtZVNpdGUiOiAiTGF4In0sIHsibmFtZSI6ICJfX2NmX2JtIiwgInZhbHVlIjogImFKWklyd3VrWDU5SDBRdm9NWERqdTM1QmloNjYwUEZpcDFESndfdG5OS0UtMTcyNzMzODg3Ny0xLjAuMS4xLXFZVllsUERxV3EwdWxXdWk4a2t6Mm84T0RFUlBydFBPa0JXaXdQcmE2ek90SDBSQjVCVmJ0RzZ1czc5NjdqQjdTbkpXaW14LnRMRG5tamt4d2g4aTdRIiwgImRvbWFpbiI6ICIucmFkYXIuY2xvdWRmbGFyZS5jb20iLCAicGF0aCI6ICIvIiwgImV4cGlyZXMiOiAxNzI3MzQwNjc3Ljg2NTg2NywgImh0dHBPbmx5IjogdHJ1ZSwgInNlY3VyZSI6IHRydWUsICJzYW1lU2l0ZSI6ICJOb25lIn0sIHsibmFtZSI6ICJfbWt0b190cmsiLCAidmFsdWUiOiAiaWQ6NzEzLVhTQy05MTgmdG9rZW46X21jaC1jbG91ZGZsYXJlLmNvbS0xNzI3MzM4ODc3ODM4LTg2MjAwIiwgImRvbWFpbiI6ICIuY2xvdWRmbGFyZS5jb20iLCAicGF0aCI6ICIvIiwgImV4cGlyZXMiOiAxNzYxODk4ODc4LjYxMzYwOSwgImh0dHBPbmx5IjogZmFsc2UsICJzZWN1cmUiOiBmYWxzZSwgInNhbWVTaXRlIjogIkxheCJ9LCB7Im5hbWUiOiAiT3B0YW5vbkNvbnNlbnQiLCAidmFsdWUiOiAiaXNHcGNFbmFibGVkPTAmZGF0ZXN0YW1wPVRodStTZXArMjYrMjAyNCswOCUzQTIxJTNBMTcrR01UJTJCMDAwMCsoQ29vcmRpbmF0ZWQrVW5pdmVyc2FsK1RpbWUpJnZlcnNpb249MjAyNDA3LjIuMCZicm93c2VyR3BjRmxhZz0wJmlzSUFCR2xvYmFsPWZhbHNlJmhvc3RzPSZjb25zZW50SWQ9ZjFhMjlmNDgtN2Y5ZC00YTM2LWI4NWItMzQ0Y2QzODVjZGIwJmludGVyYWN0aW9uQ291bnQ9MCZpc0Fub25Vc2VyPTEmbGFuZGluZ1BhdGg9aHR0cHMlM0ElMkYlMkZibG9nLmNsb3VkZmxhcmUuY29tJTJGdW5yYXZlbGluZy1zbG9wcHlsZW1taW5nLW9wZXJhdGlvbnMlMkYmZ3JvdXBzPUMwMDAxJTNBMSUyQ0MwMDAzJTNBMCUyQ0MwMDAyJTNBMCUyQ0MwMDA0JTNBMCIsICJkb21haW4iOiAiLmNsb3VkZmxhcmUuY29tIiwgInBhdGgiOiAiLyIsICJleHBpcmVzIjogMTc1ODg3NDg3NywgImh0dHBPbmx5IjogZmFsc2UsICJzZWN1cmUiOiBmYWxzZSwgInNhbWVTaXRlIjogIkxheCJ9XVBLAwQUAAAAAADSUjpZ0yeMztQcFQDUHBUAIwAAADIwMjQtMDktMjZUMTA6MjI6MzYuMjI4NDg2LzAuaGFyLmd6H4sICMwZ9WYC/zAuaGFyAOy9iWPbNrI4/K+w2X2
t9CpRJHXL6+Y5vuI2iV1bSdocnwqSkMSYIhWSsqyk/t+/mQF4irJlJ32bt7/uNolI4hgAgzmAOT
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--7379cb86-69b9-49f1-9af4-1fc9937bc6ea",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T06:44:02.000Z",
"modified": "2024-09-26T06:44:02.000Z",
"first_observed": "2024-09-26T06:44:02Z",
"last_observed": "2024-09-26T06:44:02Z",
"number_observed": 1,
"object_refs": [
"email-message--7379cb86-69b9-49f1-9af4-1fc9937bc6ea"
],
"labels": [
"misp:name=\"email\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"False\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--7379cb86-69b9-49f1-9af4-1fc9937bc6ea",
"is_multipart": false,
"x_misp_email_body": "Dear [Officer\u2019s Name],\r\n\r\nAs part of our ongoing efforts to enhance the security of our internal systems, we are rolling out a mandatory update to our secure access protocols. All personnel are required to complete this update within the next 24 hours to ensure continued access to department resources.\r\n\r\nPlease log in to the police department\u2019s IT portal using the link below to initiate the update process:\r\n\r\n[Fake IT Portal Link]\r\n\r\nFailure to complete this update will result in the temporary suspension of your account access.\r\n\r\nThank you for your cooperation.\r\n\r\nBest regards,\r\nIT Department\r\n[Police Department\u2019s Name]"
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--8648ab5f-0d70-4f2e-85ae-6e7fad3d15e4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T06:59:49.000Z",
"modified": "2024-09-26T06:59:49.000Z",
"is_family": false,
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"script\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"False\""
],
"x_misp_script": "# Enter password\r\npassword_input = driver.find_element(By.ID, \"password\")\r\npassword_input.send_keys(password)\r\n\r\n# Click the login button\r\npassword_input.send_keys(Keys.RETURN)\r\n...\r\n# Navigate to the Inbox\r\ninbox_link = driver.find_element(By.CSS_SELECTOR, 'a[href=\"#zv__main_page__main_Mail\"]')\r\ninbox_link.click()\r\n...\r\n# Iterate through each email in the inbox\r\nemails = driver.find_elements(By.CSS_SELECTOR, 'div[class=\"zA zE\"]')\r\n\r\nfor email in emails:\r\n # Click on the email\r\n email.click()\r\n...\r\n # Search for attachments and click on download links\r\n attachments = driver.find_elements(By.CSS_SELECTOR, 'a.AttLink[id^=\"zv__CLV__main_MSGC\"][title=\"Download\"]')\r\n \r\n for attachment in attachments:\r\n attachment.click()\r\n...\r\n # Go back to the Inbox\r\n driver.execute_script(\"window.history.go(-1)\")\r\n...\r\n# Get the subject of the first email\r\nfirst_email_subject = driver.find_element_by_css_selector('.zA span.bqe').text\r\nprint(\"Subject of the first email:\", first_email_subject)\r\n...",
"x_misp_state": "Malicious"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cd3abe6b-bbac-4eb7-8290-3ae767462087",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:27:02.000Z",
"modified": "2024-09-26T07:27:02.000Z",
"pattern": "[file:hashes.SHA256 = '06f82a8d80ec911498e3493ebefa8ad45e102dd887ce2edc11f8f51bafab2e80' AND file:name = 'sspicli.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:27:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0d8a6a60-0cf9-4592-9981-cf0dcf7fa273",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:27:24.000Z",
"modified": "2024-09-26T07:27:24.000Z",
"pattern": "[file:hashes.SHA256 = 'ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d' AND file:name = 'profapi.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:27:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ab1cb60c-869c-448b-b31c-cb0b6b54de90",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:27:39.000Z",
"modified": "2024-09-26T07:27:39.000Z",
"pattern": "[file:hashes.SHA256 = '3dfb8d198de95090e2ad3ffc9d9846af5c3074563acb0ce5b0ef62b20e4bf432' AND file:name = 'profapis.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:27:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dd46076c-51fb-4ca7-aa93-4a5b8e665b31",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:28:01.000Z",
"modified": "2024-09-26T07:28:01.000Z",
"pattern": "[file:hashes.SHA256 = '82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211' AND file:name = 'CRYPTSP.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:28:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b5db5235-bbcb-4a19-861b-99949f6ab146",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:29:56.000Z",
"modified": "2024-09-26T07:29:56.000Z",
"pattern": "[file:hashes.SHA256 = 'b6ae5b714f18ca40a111498d0991e1e30cd95317b4904d2ef0d49937f0552000' AND file:name = 'Outlook.eml' AND file:name = 'NekroWire.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:29:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2d46fb8b-889b-4619-8b36-92964fdd33ab",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:32:11.000Z",
"modified": "2024-09-26T07:32:11.000Z",
"description": "82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = 'e2a32e7d772a9a4eeccee9c71ec3a6d4' AND file:hashes.SHA1 = 'b53de85852479ea2a772bd3407b9e4d38eb1e1e7' AND file:hashes.SHA256 = '82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211' AND file:hashes.SSDEEP = '24576:+9KZsFQmIHwObgHONiDkPpzfH6WH+D/NwR61FM/VIH06iy4aQn652XObZtiNUZ:+9KMJPOcuNbPpzfHjUI6vEIU6iVBVet' AND file:hashes.VHASH = '126056656d15655048z4a3z3oz166z1' AND file:x_misp_tlsh = 't117a56c12ba8a596dc05ac5b493478a326a3174ca0b36bbff05c481353e6abf51f3c75c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:32:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7fe7decc-edea-4033-b601-25485885b827",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:43:39.000Z",
"modified": "2024-09-26T07:43:39.000Z",
"description": "Mitigated SloppyLemming Workers Domains. Note: the pattern joins all 13 workers.dev hostnames with AND inside a single observation expression, so a single network-traffic object can never satisfy it as written; extract each hostname as an independent domain-name indicator (or rewrite the expression with OR) before loading it into detection tooling.",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'mail-na-gov-pk.na-gov-pk.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'storage-e13.sharepoint-e13.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'zoom.osutuga7.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'sharepoint-punjab.sharepoint-e13.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'pitb.gov-pkgov.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'mail-islamabadpolice-gov-pk.ntc-telecommunication-safecity.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'herald-b2a.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'images-11d.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'classifieds.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'dawnnews.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'aurora.dawn-904.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'epaper.dawn-323.workers.dev') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'obituary.workers.dev')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:43:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--91cc8a82-404c-49d9-83f3-7c5a4632ff19",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:44:27.000Z",
"modified": "2024-09-26T07:44:27.000Z",
"description": "ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d: Enriched via the virustotal module",
"pattern": "[file:hashes.MD5 = 'fa40357daaa8ed8e73eeef25f0f478ac' AND file:hashes.SHA1 = 'bc490c61ce87efc0faf93dd4160219ef303e3e1d' AND file:hashes.SHA256 = 'ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d' AND file:hashes.SSDEEP = '3072:mqF9393J1H09rwUyiwtn5V/aSbprpoQ/AxVYo:mqF939Z1HT9Ht5V/zKBx' AND file:hashes.VHASH = '115076655d751510151az11=z6c' AND file:x_misp_tlsh = 't1e3c3d0352ada05f0d8a9e73ce526a1394167b84d5be110f3c5846867e4c12efab70efc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:44:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bf3c1a08-3134-4626-b952-3fbf33204912",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:46:46.000Z",
"modified": "2024-09-26T07:46:46.000Z",
"description": "C2 Address",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'pitb.gov-pkgov.workers.dev')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:46:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b8c24219-c192-4e27-b331-e18520ba47ff",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:47:34.000Z",
"modified": "2024-09-26T07:47:34.000Z",
"description": "C2 Address",
"pattern": "[(network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'redzone.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:47:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--abfd3ace-3fab-4bcf-9c82-a470ac0618bb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:50:57.000Z",
"modified": "2024-09-26T07:50:57.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.83.23.246') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'www.crec-bd.site')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:50:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--91707b81-1568-4b04-bd9c-d35be74d9472",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:51:34.000Z",
"modified": "2024-09-26T07:51:34.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.83.23.246') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'crec-bd.site')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:51:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3902fec8-2fce-4672-a281-b5ee6abe5960",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:51:56.000Z",
"modified": "2024-09-26T07:51:56.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.65.6.251') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'jammycanonicalupdates.cloud')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:51:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a15f5b75-f8df-40c5-af1f-131b35b45aea",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:52:12.000Z",
"modified": "2024-09-26T07:52:12.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.59.109.136') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'locaal.navybd-gov.info')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:52:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8d8a544b-7264-466d-9c63-7b999c9cc0c5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:52:43.000Z",
"modified": "2024-09-26T07:52:43.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.27.41.167') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'maldevfudding.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:52:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8f11e476-3bfc-4de1-a349-e9f4c524f665",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:53:11.000Z",
"modified": "2024-09-26T07:53:11.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.237.105.113') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'openkm.paknavy-pk.org')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:53:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9f901585-951c-4c4d-9a2a-e8a2447c8e18",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:53:30.000Z",
"modified": "2024-09-26T07:53:30.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.249.198.218') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cloud.adobefileshare.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:53:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a1b62d00-9ad4-42fd-ae7f-a977313e842d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:53:46.000Z",
"modified": "2024-09-26T07:53:46.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.249.198.218') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'adobefileshare.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:53:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--abc7200c-1013-4504-b7b2-99de2cf25a33",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:53:58.000Z",
"modified": "2024-09-26T07:53:58.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '8.222.235.145') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'quran-books.store')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:53:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5751dcfc-4995-45e0-9ccc-7b063436b334",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:54:17.000Z",
"modified": "2024-09-26T07:54:17.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '8.219.169.226') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'aljazeerak.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:54:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8b1d459a-47d7-4360-a629-0b83a0dda16e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:54:31.000Z",
"modified": "2024-09-26T07:54:31.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.237.20.135') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'redzone2.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:54:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--92d42dfb-3631-4847-b77f-ea4fef5112bb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:54:49.000Z",
"modified": "2024-09-26T07:54:49.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.237.20.135') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'hurr.zapto.org')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:54:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4457f5f1-4941-480b-9284-3d6947359e98",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:55:06.000Z",
"modified": "2024-09-26T07:55:06.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.245.56.29') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'login.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:55:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f9a34025-9fdb-4c50-95c2-2ec72a0dc444",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:55:19.000Z",
"modified": "2024-09-26T07:55:19.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.237.20.201') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'helpdesk-lab.site')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:55:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--532a7f92-2cac-40b1-ac9f-5ecaac3f0dcd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:55:33.000Z",
"modified": "2024-09-26T07:55:33.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.237.25.198') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'owa-spamcheck.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:55:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56ee3482-f293-410f-b2bb-7a3611a7261b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:55:46.000Z",
"modified": "2024-09-26T07:55:46.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.245.2.77') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'redzone.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:55:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--70e05653-0108-498c-84f6-cd71341b8a19",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:56:08.000Z",
"modified": "2024-09-26T07:56:08.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.237.25.198') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'dawn.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:56:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d0365184-cc69-4bd6-a2f0-c56db5c541e3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:56:20.000Z",
"modified": "2024-09-26T07:56:20.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '208.85.22.252') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'hit-pk.org')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:56:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d516eff7-0e15-4458-95ba-d14907200109",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:56:33.000Z",
"modified": "2024-09-26T07:56:33.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '8.219.114.124') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'blabla.apl-com.icu')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:56:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--38d9a1f2-7588-4db2-884e-a3ac2f95c7a0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:56:50.000Z",
"modified": "2024-09-26T07:56:50.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.236.65.190') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'acrobat.paknavy-pk.org')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:56:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--09b4ca94-c810-45b3-84f5-fed3a13289ed",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:57:05.000Z",
"modified": "2024-09-26T07:57:05.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.236.65.190') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'paknavy-pk.org')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:57:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--acfe32cc-6045-4de3-b57e-b397084ab7c2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:58:04.000Z",
"modified": "2024-09-26T07:58:04.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.245.114.11') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'mail.pakistangov.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:58:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--de120a14-3e07-464e-bd01-0031c22b324c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:58:20.000Z",
"modified": "2024-09-26T07:58:20.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.236.65.190') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'mail.apl-com.icu')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:58:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d368f5a0-9368-40cc-ba4a-00db7b2a0310",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T07:58:39.000Z",
"modified": "2024-09-26T07:58:39.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.76.61.241') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = '168-gov.info')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T07:58:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--36f77fcf-82fb-4ba3-98a8-985e19261a80",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:02:28.000Z",
"modified": "2024-09-26T08:02:28.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.76.61.241') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'www.168-gov.info')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:02:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3c5ffe47-81b7-4dc7-bb24-02f29a377cbe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:02:39.000Z",
"modified": "2024-09-26T08:02:39.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.28.153.250') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'browser.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:02:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--97c4669b-f884-4a7e-9ea2-2b11cfbe44b7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:02:54.000Z",
"modified": "2024-09-26T08:02:54.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.245.42.208') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'docs.apl-com.icu')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:02:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--05b0fa1f-beea-4229-8c61-d16f1e44acec",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:03:07.000Z",
"modified": "2024-09-26T08:03:07.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.74.84.168') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'new.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:03:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b00e211-33a4-446a-801b-a03fd7615faa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:03:19.000Z",
"modified": "2024-09-26T08:03:19.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.74.87.155') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'mozilla.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:03:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1059c0d5-a5ac-482b-b1c3-fefaa7c9b37e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:03:50.000Z",
"modified": "2024-09-26T08:03:50.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.74.87.155') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'mozilla.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:03:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--aa50f0d2-492e-4ae7-ba05-d0174ff33c01",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:04:18.000Z",
"modified": "2024-09-26T08:04:18.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'm.opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:04:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--03be3344-6af2-4c74-a514-91211818caa5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:06:02.000Z",
"modified": "2024-09-26T08:06:02.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'monitor.opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:06:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3a5b0840-103a-4efc-b8ac-6a69c33e9722",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:07:10.000Z",
"modified": "2024-09-26T08:07:10.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'sensors.opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:07:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--33b8a83a-1422-4a39-9d16-197aa7020530",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:07:28.000Z",
"modified": "2024-09-26T08:07:28.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'static.opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:07:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c0b9c9f4-076a-4abe-bd21-8637f2a30be0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:07:43.000Z",
"modified": "2024-09-26T08:07:43.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'bin.opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:07:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b0332bb-3f98-4e42-bad8-f6e4bad60168",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:08:09.000Z",
"modified": "2024-09-26T08:08:09.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'api.opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:08:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--19dbb316-000c-49d9-8ae0-b82e942dd9eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:08:52.000Z",
"modified": "2024-09-26T08:08:52.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'frontend-m.opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:08:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4636b86a-d007-4ff4-93c4-4faefede1a16",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:09:36.000Z",
"modified": "2024-09-26T08:09:36.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'accounts.opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:09:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9a27cc52-1629-444b-ae13-152e833ae7ca",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:09:59.000Z",
"modified": "2024-09-26T08:09:59.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '159.253.120.25') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'opensecurity-legacy.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:09:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d9436e4c-0bde-441c-8f2f-d3e521412568",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:10:38.000Z",
"modified": "2024-09-26T08:10:38.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '207.148.73.145') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'oil.hascolgov.info')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:10:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--af1fe156-a05b-4c48-9793-313329983b03",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:11:09.000Z",
"modified": "2024-09-26T08:11:09.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '207.148.73.145') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'hesco.hascolgov.info')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:11:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5fed89ec-8ec2-47df-999b-0c30ac680846",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:11:24.000Z",
"modified": "2024-09-26T08:11:24.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '207.148.73.145') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'locall.hascolgov.info')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:11:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bfaa9ac7-eb53-497a-a8fa-47e416701a4c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:11:43.000Z",
"modified": "2024-09-26T08:11:43.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.254.229.56') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'itsupport-gov.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:11:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6e75e192-ec76-4cf4-863c-f2d103d1f6a9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:12:07.000Z",
"modified": "2024-09-26T08:12:07.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.76.181.76') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'updpcn.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:12:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8e698eb8-7f70-40f8-bc2a-dc513c715e3c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:12:32.000Z",
"modified": "2024-09-26T08:12:32.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.74.84.168') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'update.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:12:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c99dbc3d-ad39-4970-819c-a3906d71e26e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:12:47.000Z",
"modified": "2024-09-26T08:12:47.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.245.126.218') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'zero-berlin-covenant.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:12:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ef9f34fe-6514-4b75-a9d2-cf3e85018279",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:13:02.000Z",
"modified": "2024-09-26T08:13:02.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '47.74.87.155') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'fonts.apl-org.online')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:13:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9940be2e-387f-4b7e-a392-2cb3ce952b50",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:13:21.000Z",
"modified": "2024-09-26T08:13:21.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '142.93.139.164') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'localhost.apl-com.icu')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:13:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--505438c1-1e30-453f-8b46-1617950b91c8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:13:42.000Z",
"modified": "2024-09-26T08:13:42.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.137.116.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cloud.cflayerprotection.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:13:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4b7cbbf2-8088-40b2-9181-181195768001",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:14:06.000Z",
"modified": "2024-09-26T08:14:06.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.137.116.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'secure.cflayerprotection.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:14:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--01dfde1c-179a-45c3-8757-bdf6ef82bfc8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:14:22.000Z",
"modified": "2024-09-26T08:14:22.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.137.116.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cflayerprotection.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:14:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--335a515c-1107-4304-b77f-d7ff1f1eb695",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:14:38.000Z",
"modified": "2024-09-26T08:14:38.000Z",
"pattern": "[domain-name:value = 'data.cloudlflares.com' AND domain-name:resolves_to_refs[*].value = '45.137.116.8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:14:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e64162db-e8c6-4349-ba99-9f416dc53e56",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:14:54.000Z",
"modified": "2024-09-26T08:14:54.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.137.116.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'cloudlflares.com') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'secure.cloudlflares.com') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'www.cloudlflares.com')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-09-26T08:14:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--0fc58862-2f2b-441f-aa78-855d230edd28",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-09-26T08:20:10.000Z",
"modified": "2024-09-26T08:20:10.000Z",
"abstract": "Report from - https://blog.cloudflare.com/unraveling-sloppylemming-operations/ (1727338512)",
"content": "# Unraveling SloppyLemming Operations Across South Asia\r\n\r\n2024\\-09\\-25\r\n\r\nCloudforce One is publishing the results of an investigation into an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2\\). This actor conducts extensive operations targeting Pakistan, Sri Lanka, Bangladesh, and China. Industries targeted include government, law enforcement, energy, telecommunications, and technology entities.\u00a0\r\n\r\n### Executive Summary\r\n\r\n* Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers likely as part of a broad espionage campaign targeting South and East Asian countries\r\n* SloppyLemming displays a lack of operational security (OPSEC) allowing Cloudforce One insight into its tooling\u00a0\r\n* The actor primarily targets Pakistani government, defense, telecommunications, technology, and energy sector organizations; SloppyLemming also targets Bangladesh, Sri Lanka, Nepal, and China.\r\n\r\n## Who is SloppyLemming?\r\n\r\nSloppyLemming is the cryptonym given by Cloudforce One to this threat actor, which aligns with the adversary OUTRIDER TIGER tracked by CrowdStrike. The actor predominantly relies on open source adversary emulation frameworks, such as Cobalt Strike, Havoc, and others. Based on Cloudflare\u2019s visibility, the actor predominantly targets within Asia. Pakistan is a primary target for SloppyLemming; however, the actor also routinely targets Bangladesh, Indonesia, Sri Lanka, China, and Nepal. Targeted sectors predominantly consist of government entities within Pakistan.\r\n\r\n## SloppyLemming Phishing Activity Focuses on Credential, Token Collection\r\n\r\nSloppyLemming extensively uses credential harvesting as a means to gain access to targeted email accounts within organizations that provide intelligence value to the actor. 
Throughout our research, Cloudforce One has been able to replicate the actor\u2019s credential harvesting chain. Through our unique visibility, we have also obtained actor\\-side tools that help facilitate the creation of malicious Workers used in credential harvesting operations, and a utility to collect emails from compromised accounts.\r\n\r\n### SloppyLemming Credential Harvesting Overview\r\n\r\nFirst, SloppyLemming operators will craft a phishing email that is likely tailor\\-made for the target to ensure a higher degree of success in the user clicking a malicious link. An example draft phishing email obtained by Cloudforce One can be found below:\r\n\r\n\r\n\r\n```\r\nDear [Officer\u2019s Name],\r\n\r\nAs part of our ongoing efforts to enhance the security of our internal systems, we are rolling out a mandatory update to our secure access protocols. All personnel are required to complete this update within the next 24 hours to ensure continued access to department resources.\r\n\r\nPlease log in to the police department\u2019s IT portal using the link below to initiate the update process:\r\n\r\n[Fake IT Portal Link]\r\n\r\nFailure to complete this update will result in the temporary suspension of your account access.\r\n\r\nThank you for your cooperation.\r\n\r\nBest regards,\r\nIT Department\r\n[Police Department\u2019s Name]\r\n```\r\n\r\nNext, the actor uses a custom\\-built tool named CloudPhish to create a malicious Cloudflare Worker to handle the credential logging logic and exfiltration of victim credentials to the threat actor. CloudPhish works in the following manner:\r\n\r\n1. Operator inputs the following parameters:\r\n\r\n\r\n\t1. \u201cMission\u201d name (Generally, the target of the operation)\r\n\t2. \u200b\u200bTarget URL\r\n\t3. Discord Webhook URL\r\n\t4. Redirect URL\r\n\t5. Cloudflare URL\r\n2. 
Scrapes targeted webmail login HTML content\r\n\r\n\r\n\t1. Checks if its a support mail client (i.e. Zimbra, Axigen, or cPanel)\r\n\t2. Replaces
"object_refs": [
"indicator--cd3abe6b-bbac-4eb7-8290-3ae767462087",
"indicator--dd46076c-51fb-4ca7-aa93-4a5b8e665b31",
"indicator--0d8a6a60-0cf9-4592-9981-cf0dcf7fa273",
"indicator--b5db5235-bbcb-4a19-861b-99949f6ab146",
"indicator--ab1cb60c-869c-448b-b31c-cb0b6b54de90"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}