{
"type": "bundle",
"id": "bundle--5b4f5308-42c0-434a-a8c5-48ae950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-20T14:02:51.000Z",
"modified": "2018-07-20T14:02:51.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b4f5308-42c0-434a-a8c5-48ae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-20T14:02:51.000Z",
"modified": "2018-07-20T14:02:51.000Z",
"name": "OVH Phishing",
"published": "2018-07-20T14:03:10Z",
"object_refs": [
"indicator--d64b0aa2-2712-440f-ae2d-405b02afe37f",
"indicator--8a483d15-8731-46eb-802a-4dad004e29ad",
"observed-data--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"email-message--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"email-addr--76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"email-addr--334cb4ea-384c-43f2-ab65-de6c244bbe55",
"relationship--dbf75236-db2f-450d-88e3-7422413f7184",
"relationship--c4185ee0-b7a0-4726-8cd9-287483173d76"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d64b0aa2-2712-440f-ae2d-405b02afe37f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-20T14:02:48.000Z",
"modified": "2018-07-20T14:02:48.000Z",
"pattern": "[url:value = 'https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-20T14:02:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8a483d15-8731-46eb-802a-4dad004e29ad",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-18T14:47:40.000Z",
"modified": "2018-07-18T14:47:40.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.144.11.40') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'xyu7564.phpnet.org')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-18T14:47:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-18T14:47:44.000Z",
"modified": "2018-07-18T14:47:44.000Z",
"first_observed": "2018-07-18T14:47:44Z",
"last_observed": "2018-07-18T14:47:44Z",
"number_observed": 1,
"object_refs": [
"email-message--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"email-addr--76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"email-addr--334cb4ea-384c-43f2-ab65-de6c244bbe55"
],
"labels": [
"misp:name=\"email\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"False\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"is_multipart": false,
"from_ref": "email-addr--76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"to_refs": [
"email-addr--334cb4ea-384c-43f2-ab65-de6c244bbe55"
],
"message_id": "<15319105661d91a508966dcc5f602c73b4f97fa392_540455@ovh.com>",
"subject": "[OVH-WEB] Suspension du nom de domaine rafi0t.fr",
"additional_header_fields": {
"Reply-To": "support@ovh.com"
},
"x_misp_email_body": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n<HTML><HEAD><META http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">\n</HEAD>\n<BODY>\n<DIV><FONT size=2 face=Tahoma>SAS OVH - </FONT><A\nhref=\"http://www.ovh.com/\"><FONT size=2\nface=Tahoma>http://www.ovh.com</FONT></A><BR><FONT size=2 face=Tahoma>2 rue\nKellermann<BR>BP 80157<BR>59100 Roubaix</FONT></DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Cher(e) Client(e),</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre nom de domaine rafi0t.fr est actuellement\nenregistr\u00c3\u00a9 chez OVH.<BR>Notre syst\u00c3\u00a8me de facturation a d\u00c3\u00a9tect\u00c3\u00a9 que ce service\nest expir\u00c3\u00a9, non renouvel\u00c3\u00a9.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre nom de domaine rafi0t.fr a donc \u00c3\u00a9t\u00c3\u00a9\nsuspendu.</FONT></DIV>\n<DIV> </DIV>\n<DIV><BR><FONT size=2 face=Tahoma>Pour le r\u00c3\u00a9activer, il vous suffit de vous\nrendre sur notre site, et dutiliser <BR>la commande de renouvellement :\n</FONT></DIV>\n<DIV> </DIV>\n<DIV><A\nhref=\"https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi\"><FONT\nsize=2 face=Tahoma>https://www.ovh.com/fr/cgi-bin/order/renew.cgi</FONT></A>\n</DIV>\n<DIV><BR><FONT size=2 face=Tahoma>Le r\u00c3\u00a8glement peut se faire via l'un des moyens\nde paiement propos\u00c3\u00a9s. 
Mais nous <BR>recommandons de r\u00c3\u00a9gler par Carte Bancaire\npour acc\u00c3\u00a9l\u00c3\u00a9rer le traitement et donc <BR>la r\u00c3\u00a9ouverture de votre\nservice.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>La facture acquitt\u00c3\u00a9e vous parviendra peu apr\u00c3\u00a8s\nvalidation de la commande, confirmant <BR>le renouvellement de votre redevance\npour la p\u00c3\u00a9riode choisie.</FONT></DIV>\n<DIV> </DIV>\n<DIV><BR><FONT size=2 face=Tahoma>IMPORTANT : En cas de non r\u00c3\u00a8glement sous 24 H,\nvotre domaine pourrait \u00c3\u00aatre DEFINITIVEMENT effac\u00c3\u00a9.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Pour toute information compl\u00c3\u00a9mentaire, notre\nsupport reste \u00c3\u00a0 votre disposition.</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Merci de votre compr\u00c3\u00a9hension.</FONT></DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Cordialement,</FONT></DIV>\n<DIV> </DIV>\n<DIV><FONT size=2 face=Tahoma>Votre Service Client OVH<BR>Lun - Vend : 8h - 20h\n| Samedi : 9h \u00c3\u00a0 17h<BR>1007<BR>Num\u00c3\u00a9ro unique gratuit depuis un poste fixe, hors\nsurco\u00c3\u00bbt \u00c3\u00a9ventuel selon op\u00c3\u00a9rateur depuis une ligne\nmobile</FONT></DIV></BODY></HTML>",
"x_misp_eml": "Full email.eml",
"x_misp_return_path": "<support@ovh.com>"
},
{
"type": "email-addr",
"spec_version": "2.1",
"id": "email-addr--76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"value": "\"support@ovh.com\" <support@ovh.com>"
},
{
"type": "email-addr",
"spec_version": "2.1",
"id": "email-addr--334cb4ea-384c-43f2-ab65-de6c244bbe55",
"value": "contact@rafi0t.fr"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--dbf75236-db2f-450d-88e3-7422413f7184",
"created": "2018-07-18T14:47:43.000Z",
"modified": "2018-07-18T14:47:43.000Z",
"relationship_type": "contains",
"source_ref": "observed-data--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"target_ref": "indicator--d64b0aa2-2712-440f-ae2d-405b02afe37f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c4185ee0-b7a0-4726-8cd9-287483173d76",
"created": "2018-07-18T14:47:44.000Z",
"modified": "2018-07-18T14:47:44.000Z",
"relationship_type": "contains",
"source_ref": "observed-data--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"target_ref": "indicator--8a483d15-8731-46eb-802a-4dad004e29ad"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}