825 lines
35 KiB
JSON
825 lines
35 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5aa670db-6ef0-4d81-8e90-9476950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:45.000Z",
|
||
|
"modified": "2018-03-12T12:28:45.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5aa670db-6ef0-4d81-8e90-9476950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:45.000Z",
|
||
|
"modified": "2018-03-12T12:28:45.000Z",
|
||
|
"name": "OSINT - APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS",
|
||
|
"published": "2018-03-12T12:28:53Z",
|
||
|
"object_refs": [
|
||
|
"indicator--5aa670f5-39b4-4382-9f91-0fa3950d210f",
|
||
|
"indicator--5aa670f6-d5ac-4682-9a04-0fa3950d210f",
|
||
|
"indicator--5aa670f6-d5d4-4202-9a37-0fa3950d210f",
|
||
|
"indicator--5aa670f7-0014-4df2-a56f-0fa3950d210f",
|
||
|
"indicator--5aa670f7-6a48-4bdf-8746-0fa3950d210f",
|
||
|
"indicator--5aa67102-ced4-4a30-b0d7-0fa3950d210f",
|
||
|
"indicator--5aa6710e-52b4-40af-ac3b-0fa3950d210f",
|
||
|
"indicator--5aa6710f-fe88-4d3d-96a7-0fa3950d210f",
|
||
|
"indicator--5aa6710f-50d0-4454-860d-0fa3950d210f",
|
||
|
"indicator--5aa6711b-a1c4-40d1-92b7-0fa3950d210f",
|
||
|
"indicator--5aa6711b-f3b8-4787-b246-0fa3950d210f",
|
||
|
"indicator--5aa67145-28d0-47cb-927a-d9cd950d210f",
|
||
|
"indicator--5aa67145-68d0-4b05-a406-d9cd950d210f",
|
||
|
"indicator--5aa67146-a2d0-4ed0-968e-d9cd950d210f",
|
||
|
"indicator--5aa67146-e6a4-40d8-a37c-d9cd950d210f",
|
||
|
"indicator--5aa67146-1288-4aa0-9671-d9cd950d210f",
|
||
|
"x-misp-attribute--5aa67163-e99c-4bf6-9649-d928950d210f",
|
||
|
"x-misp-attribute--5aa67177-ac60-43db-9bd5-4053950d210f",
|
||
|
"x-misp-attribute--5aa671e4-c8f4-4d39-ad4b-9394950d210f",
|
||
|
"observed-data--5aa67218-06ac-49e7-baa9-d9cd950d210f",
|
||
|
"url--5aa67218-06ac-49e7-baa9-d9cd950d210f",
|
||
|
"indicator--0e812898-7fc4-40f8-ac95-7a23e22438de",
|
||
|
"x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3",
|
||
|
"indicator--06f1e0a0-004c-4356-9f89-380b53274f42",
|
||
|
"x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa",
|
||
|
"indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f",
|
||
|
"x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295",
|
||
|
"indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f",
|
||
|
"x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436",
|
||
|
"relationship--6dd3caba-8041-40f8-8bc3-03ad1f2549e3",
|
||
|
"relationship--f6979c73-bee3-4216-8c81-ed790dc482e8",
|
||
|
"relationship--c4e13b80-8ca5-41f6-877f-c4b8aa4f6e64",
|
||
|
"relationship--207b436e-7d65-4e10-b927-eb213f08be98"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:threat-actor=\"Mirage\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa670f5-39b4-4382-9f91-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:51.000Z",
|
||
|
"modified": "2018-03-12T12:27:51.000Z",
|
||
|
"description": "Possible linked APT15 domains include:",
|
||
|
"pattern": "[domain-name:value = 'micakiz.wikaba.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa670f6-d5ac-4682-9a04-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:51.000Z",
|
||
|
"modified": "2018-03-12T12:27:51.000Z",
|
||
|
"description": "Possible linked APT15 domains include:",
|
||
|
"pattern": "[domain-name:value = 'cavanic9.net']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa670f6-d5d4-4202-9a37-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:52.000Z",
|
||
|
"modified": "2018-03-12T12:27:52.000Z",
|
||
|
"description": "Possible linked APT15 domains include:",
|
||
|
"pattern": "[domain-name:value = 'ridingduck.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa670f7-0014-4df2-a56f-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:52.000Z",
|
||
|
"modified": "2018-03-12T12:27:52.000Z",
|
||
|
"description": "Possible linked APT15 domains include:",
|
||
|
"pattern": "[domain-name:value = 'zipcodeterm.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa670f7-6a48-4bdf-8746-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:52.000Z",
|
||
|
"modified": "2018-03-12T12:27:52.000Z",
|
||
|
"description": "Possible linked APT15 domains include:",
|
||
|
"pattern": "[domain-name:value = 'dnsapp.info']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa67102-ced4-4a30-b0d7-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:53.000Z",
|
||
|
"modified": "2018-03-12T12:27:53.000Z",
|
||
|
"description": "RoyalDNS backdoor was seen communicating to the domain:",
|
||
|
"pattern": "[domain-name:value = 'andspurs.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"domain\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa6710e-52b4-40af-ac3b-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:53.000Z",
|
||
|
"modified": "2018-03-12T12:27:53.000Z",
|
||
|
"description": "The BS2005 backdoor utilised the following domains for C2:",
|
||
|
"pattern": "[domain-name:value = 'run.linodepower.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa6710f-fe88-4d3d-96a7-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:53.000Z",
|
||
|
"modified": "2018-03-12T12:27:53.000Z",
|
||
|
"description": "The BS2005 backdoor utilised the following domains for C2:",
|
||
|
"pattern": "[domain-name:value = 'singa.linodepower.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa6710f-50d0-4454-860d-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:54.000Z",
|
||
|
"modified": "2018-03-12T12:27:54.000Z",
|
||
|
"description": "The BS2005 backdoor utilised the following domains for C2:",
|
||
|
"pattern": "[domain-name:value = 'log.autocount.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa6711b-a1c4-40d1-92b7-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:54.000Z",
|
||
|
"modified": "2018-03-12T12:27:54.000Z",
|
||
|
"description": "The RoyalCli backdoor was attempting to communicate to the following domains:",
|
||
|
"pattern": "[domain-name:value = 'news.memozilla.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa6711b-f3b8-4787-b246-0fa3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:55.000Z",
|
||
|
"modified": "2018-03-12T12:27:55.000Z",
|
||
|
"description": "The RoyalCli backdoor was attempting to communicate to the following domains:",
|
||
|
"pattern": "[domain-name:value = 'video.memozilla.org']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:27:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"hostname\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa67145-28d0-47cb-927a-d9cd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:23:33.000Z",
|
||
|
"modified": "2018-03-12T12:23:33.000Z",
|
||
|
"description": "Royal DNS",
|
||
|
"pattern": "[file:hashes.SHA256 = 'bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:23:33Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa67145-68d0-4b05-a406-d9cd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:23:33.000Z",
|
||
|
"modified": "2018-03-12T12:23:33.000Z",
|
||
|
"description": "BS2005",
|
||
|
"pattern": "[file:hashes.SHA256 = '750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:23:33Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa67146-a2d0-4ed0-968e-d9cd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:23:34.000Z",
|
||
|
"modified": "2018-03-12T12:23:34.000Z",
|
||
|
"description": "BS2005",
|
||
|
"pattern": "[file:hashes.SHA256 = '6ea9cc475d41ca07fa206eb84b10cf2bbd2392366890de5ae67241afa2f4269f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:23:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa67146-e6a4-40d8-a37c-d9cd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:23:34.000Z",
|
||
|
"modified": "2018-03-12T12:23:34.000Z",
|
||
|
"description": "RoyalCli",
|
||
|
"pattern": "[file:hashes.SHA256 = '6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:23:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5aa67146-1288-4aa0-9671-d9cd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:23:34.000Z",
|
||
|
"modified": "2018-03-12T12:23:34.000Z",
|
||
|
"description": "MS Exchange Tool",
|
||
|
"pattern": "[file:hashes.SHA256 = '16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:23:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5aa67163-e99c-4bf6-9649-d928950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:55.000Z",
|
||
|
"modified": "2018-03-12T12:27:55.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"pdb\"",
|
||
|
"misp:category=\"Artifacts dropped\""
|
||
|
],
|
||
|
"x_misp_category": "Artifacts dropped",
|
||
|
"x_misp_type": "pdb",
|
||
|
"x_misp_value": "%USERPROFILE%\\documents\\visual studio 2010\\Projects\\RoyalCli\\Release\\RoyalCli.pdb"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5aa67177-ac60-43db-9bd5-4053950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:56.000Z",
|
||
|
"modified": "2018-03-12T12:27:56.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS\r\nIn May 2017, NCC Group's Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15.\r\n\r\nAPT15 is also known as, Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon.\r\nA number of sensitive documents were stolen by the attackers during the incident and we believe APT15 was targeting information related to UK government departments and military technology."
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5aa671e4-c8f4-4d39-ad4b-9394950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:56.000Z",
|
||
|
"modified": "2018-03-12T12:27:56.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"Other\""
|
||
|
],
|
||
|
"x_misp_category": "Other",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "5aa64b62-8f2c-4081-a6f9-4480950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5aa67218-06ac-49e7-baa9-d9cd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:56.000Z",
|
||
|
"modified": "2018-03-12T12:27:56.000Z",
|
||
|
"first_observed": "2018-03-12T12:27:56Z",
|
||
|
"last_observed": "2018-03-12T12:27:56Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5aa67218-06ac-49e7-baa9-d9cd950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5aa67218-06ac-49e7-baa9-d9cd950d210f",
|
||
|
"value": "https://github.com/nccgroup/Royal_APT"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--0e812898-7fc4-40f8-ac95-7a23e22438de",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:00.000Z",
|
||
|
"modified": "2018-03-12T12:28:00.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'ed21ce2beee56f0a0b1c5a62a80c128b' AND file:hashes.SHA1 = '201e74fd33724a872ab89f8a002a560d1ce73e54' AND file:hashes.SHA256 = '750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:28:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:27:58.000Z",
|
||
|
"modified": "2018-03-12T12:27:58.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b/analysis/1520793006/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "BS2005",
|
||
|
"uuid": "5aa6724e-e14c-4ad9-ad8e-947502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "44/67",
|
||
|
"category": "Other",
|
||
|
"comment": "BS2005",
|
||
|
"uuid": "5aa6724f-fd84-4c88-9a54-947502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-11T18:30:06",
|
||
|
"category": "Other",
|
||
|
"comment": "BS2005",
|
||
|
"uuid": "5aa6724f-d5a8-4efc-b433-947502de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--06f1e0a0-004c-4356-9f89-380b53274f42",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:02.000Z",
|
||
|
"modified": "2018-03-12T12:28:02.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '941a4fc3d2a3289017cf9c56584d1168' AND file:hashes.SHA1 = '3d4ee6cbfaeb7890bb0b2d41547849f8e2d9243f' AND file:hashes.SHA256 = 'bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:28:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:00.000Z",
|
||
|
"modified": "2018-03-12T12:28:00.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d/analysis/1520841997/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "Royal DNS",
|
||
|
"uuid": "5aa67250-7bc8-45a9-b533-947502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "7/65",
|
||
|
"category": "Other",
|
||
|
"comment": "Royal DNS",
|
||
|
"uuid": "5aa67251-59a4-4b15-9b43-947502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-12T08:06:37",
|
||
|
"category": "Other",
|
||
|
"comment": "Royal DNS",
|
||
|
"uuid": "5aa67251-5338-45f7-a3c9-947502de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:04.000Z",
|
||
|
"modified": "2018-03-12T12:28:04.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '5e5c9e6e710f67f4886e4f4169d02b1d' AND file:hashes.SHA1 = 'a35297163ed0efcb71e63069a3115737d2fe2d1d' AND file:hashes.SHA256 = '6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:28:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:03.000Z",
|
||
|
"modified": "2018-03-12T12:28:03.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785/analysis/1520793104/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "RoyalCli",
|
||
|
"uuid": "5aa67253-ffe8-4691-9928-947502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "45/67",
|
||
|
"category": "Other",
|
||
|
"comment": "RoyalCli",
|
||
|
"uuid": "5aa67253-2ca8-410a-914b-947502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-11T18:31:44",
|
||
|
"category": "Other",
|
||
|
"comment": "RoyalCli",
|
||
|
"uuid": "5aa67253-568c-41df-8205-947502de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:07.000Z",
|
||
|
"modified": "2018-03-12T12:28:07.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'd21a7e349e796064ce10f2f6ede31c71' AND file:hashes.SHA1 = '63fbd3feb41c0b6de892b4a70a6241d123ec1e5a' AND file:hashes.SHA256 = '16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-03-12T12:28:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-03-12T12:28:05.000Z",
|
||
|
"modified": "2018-03-12T12:28:05.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce/analysis/1520844201/",
|
||
|
"category": "External analysis",
|
||
|
"comment": "MS Exchange Tool",
|
||
|
"uuid": "5aa67255-56f0-4687-875c-947502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "2/67",
|
||
|
"category": "Other",
|
||
|
"comment": "MS Exchange Tool",
|
||
|
"uuid": "5aa67255-5500-48d8-9364-947502de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-03-12T08:43:21",
|
||
|
"category": "Other",
|
||
|
"comment": "MS Exchange Tool",
|
||
|
"uuid": "5aa67255-bb78-4fff-b7bf-947502de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--6dd3caba-8041-40f8-8bc3-03ad1f2549e3",
|
||
|
"created": "2018-03-12T12:28:06.000Z",
|
||
|
"modified": "2018-03-12T12:28:06.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--0e812898-7fc4-40f8-ac95-7a23e22438de",
|
||
|
"target_ref": "x-misp-object--bf2e6e7d-19c6-4341-94b9-8f15b563b0b3"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--f6979c73-bee3-4216-8c81-ed790dc482e8",
|
||
|
"created": "2018-03-12T12:28:06.000Z",
|
||
|
"modified": "2018-03-12T12:28:06.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--06f1e0a0-004c-4356-9f89-380b53274f42",
|
||
|
"target_ref": "x-misp-object--326d28d2-bc18-4205-945a-2b3ef2cfa9fa"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--c4e13b80-8ca5-41f6-877f-c4b8aa4f6e64",
|
||
|
"created": "2018-03-12T12:28:06.000Z",
|
||
|
"modified": "2018-03-12T12:28:06.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--f1bdc5bc-932a-4efa-9855-e8e3981fbd2f",
|
||
|
"target_ref": "x-misp-object--3d28abc7-0edd-438c-bd55-54bfbf90e295"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--207b436e-7d65-4e10-b927-eb213f08be98",
|
||
|
"created": "2018-03-12T12:28:07.000Z",
|
||
|
"modified": "2018-03-12T12:28:07.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--c752a171-4c3d-403e-bb4a-5dae51f2993f",
|
||
|
"target_ref": "x-misp-object--8840afc4-669d-4a92-8a3e-a104c2994436"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|