{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5a0eb192-bf90-4995-9082-fb44950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-20T13:15:00.000Z",
|
||
|
"modified": "2017-11-20T13:15:00.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "grouping",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "grouping--5a0eb192-bf90-4995-9082-fb44950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-20T13:15:00.000Z",
|
||
|
"modified": "2017-11-20T13:15:00.000Z",
|
||
|
"name": "OSINT - HIDDEN COBRA \u2013 North Korean Trojan: Volgmer",
|
||
|
"context": "suspicious-activity",
|
||
|
"object_refs": [
|
||
|
"observed-data--5a0eb4e4-5314-481d-8402-4e16950d210f",
|
||
|
"file--5a0eb4e4-5314-481d-8402-4e16950d210f",
|
||
|
"artifact--5a0eb4e4-5314-481d-8402-4e16950d210f",
|
||
|
"indicator--5a0eb50d-8bd8-4c02-a27c-436a950d210f",
|
||
|
"indicator--5a0eb50d-7c70-4270-af1e-4497950d210f",
|
||
|
"indicator--5a0eb50d-a028-4792-ac3b-4ce3950d210f",
|
||
|
"indicator--5a0eb50d-28bc-4774-91b1-498f950d210f",
|
||
|
"indicator--5a0eb50d-5ad4-4eff-914f-43d8950d210f",
|
||
|
"indicator--5a0eb50d-2878-4c7a-a077-40d2950d210f",
|
||
|
"indicator--5a0eb708-4190-42d2-9d32-45a2950d210f",
|
||
|
"indicator--5a0eb708-e68c-4c90-8d11-4280950d210f",
|
||
|
"indicator--5a0eb708-2974-479e-883d-4084950d210f",
|
||
|
"indicator--5a0eb708-55f4-44f3-93ae-4a6e950d210f",
|
||
|
"indicator--5a0eb708-fb94-40c5-97bc-4652950d210f",
|
||
|
"indicator--5a0eb708-9980-4711-917a-44c2950d210f",
|
||
|
"indicator--5a0eb708-1208-4b64-ad08-49fd950d210f",
|
||
|
"indicator--5a0eb708-a310-49d5-8e76-4c22950d210f",
|
||
|
"indicator--5a0eb708-b668-4c30-b5d9-427d950d210f",
|
||
|
"indicator--5a0eb708-e6a8-45fe-86fc-4e01950d210f",
|
||
|
"indicator--5a0eb708-2c64-4b18-a42d-4d1d950d210f",
|
||
|
"indicator--5a0eb708-4008-425e-a8f5-4d47950d210f",
|
||
|
"indicator--5a0eb708-bc2c-410f-845b-435b950d210f",
|
||
|
"indicator--5a0eb708-eadc-4887-86e9-455d950d210f",
|
||
|
"indicator--5a0ebc15-f7ac-42f6-b7b8-e7e8950d210f",
|
||
|
"indicator--5a0ebc15-5780-4a1e-815d-e7e8950d210f",
|
||
|
"indicator--5a0ebc15-290c-4ecc-b12b-e7e8950d210f",
|
||
|
"indicator--5a0ebc15-0a4c-4fe7-a54c-e7e8950d210f",
|
||
|
"indicator--5a0ebc15-2368-4646-90c5-e7e8950d210f",
|
||
|
"indicator--5a0ec0a1-1a4c-4c40-9ae0-477f950d210f",
|
||
|
"indicator--5a0ec0a1-7f00-4788-a560-4707950d210f",
|
||
|
"indicator--5a0ec0a1-73c4-4b16-a809-4a52950d210f",
|
||
|
"indicator--5a0ec0a1-0ac8-436c-a568-4e16950d210f",
|
||
|
"indicator--5a0ec0a1-23e0-4c09-903c-4c73950d210f",
|
||
|
"indicator--5a0ec0a1-cc14-4707-a19f-4d87950d210f",
|
||
|
"indicator--5a0ec4f8-5008-4cbf-8e0c-4f33950d210f",
|
||
|
"indicator--5a0ec4f8-d7d8-43c7-ac24-4794950d210f",
|
||
|
"indicator--5a0ec4f8-217c-45f1-864d-4004950d210f",
|
||
|
"indicator--5a0ec4f8-d714-463c-a063-4daa950d210f",
|
||
|
"indicator--5a0ec4f8-1cf4-43dc-8e3c-4fa1950d210f",
|
||
|
"indicator--5a0ec4f8-e484-458f-b830-4364950d210f",
|
||
|
"indicator--5a0ec7f2-dfa0-465c-9c01-40be950d210f",
|
||
|
"indicator--5a0ec7f2-1e00-4949-96dc-460d950d210f",
|
||
|
"indicator--5a0ec7f2-22f8-4198-943b-44ed950d210f",
|
||
|
"indicator--5a0ec7f2-984c-48a1-b294-4988950d210f",
|
||
|
"indicator--5a0ec7f2-7b24-43ec-bea3-4570950d210f",
|
||
|
"indicator--5a0ec929-1b28-42dd-98b3-4448950d210f",
|
||
|
"indicator--5a0ec929-4944-4e52-87e5-476f950d210f",
|
||
|
"indicator--5a0ec929-1324-4cf7-9e4c-4f4b950d210f",
|
||
|
"indicator--5a0ec929-8d38-4bd7-a62a-428d950d210f",
|
||
|
"indicator--5a0ec929-8218-4df0-8586-443a950d210f",
|
||
|
"indicator--5a0ecce8-a26c-4542-ac13-44e0950d210f",
|
||
|
"indicator--5a0ecd3e-bf34-490d-8f47-4acb950d210f",
|
||
|
"indicator--5a0ecd3e-9d5c-4615-9ea7-4cd1950d210f",
|
||
|
"indicator--5a0ecd3e-124c-4b99-8f77-44a0950d210f",
|
||
|
"indicator--5a0ecd3e-bcb0-4bd0-b487-4942950d210f",
|
||
|
"indicator--5a0ecd3e-df88-43fc-bfbc-42d0950d210f",
|
||
|
"indicator--5a0ecd3e-01a0-454a-b0da-4687950d210f",
|
||
|
"indicator--5a0ecd3e-7cac-4748-834d-436e950d210f",
|
||
|
"indicator--5a0ecd3e-930c-4a8b-8a8b-4c8e950d210f",
|
||
|
"indicator--5a0ecd3e-8214-4986-89ab-4d34950d210f",
|
||
|
"indicator--5a0ecd3e-3b6c-419d-b77f-4a88950d210f",
|
||
|
"indicator--5a0ecd3e-9878-46b6-9ebf-4065950d210f",
|
||
|
"indicator--5a0ecd3e-b744-4ee1-9e52-4ddf950d210f",
|
||
|
"indicator--5a0ecd3e-17b0-4e97-91d0-4dec950d210f",
|
||
|
"indicator--5a0ecd3e-78c8-48d2-82e2-482f950d210f",
|
||
|
"indicator--5a0ecd3e-94b4-4c71-a0a6-4b50950d210f",
|
||
|
"indicator--5a0ecd3e-68c0-4f44-a7cb-4e0d950d210f",
|
||
|
"indicator--5a0ecd3e-1348-4eeb-964a-46d3950d210f",
|
||
|
"indicator--5a0ecd3e-3408-46d1-bf94-4f75950d210f",
|
||
|
"indicator--5a0ecd3e-4038-4234-af56-4511950d210f",
|
||
|
"indicator--5a0ecd3e-b68c-4319-adc2-4600950d210f",
|
||
|
"indicator--5a0ecd3e-0540-45a0-b1ef-4c36950d210f",
|
||
|
"indicator--5a0ecd3e-f6c4-49e3-9a38-41ef950d210f",
|
||
|
"indicator--5a0ecd3e-a858-4768-a6cf-456d950d210f",
|
||
|
"indicator--5a0ecd3e-1df0-4885-a64f-491d950d210f",
|
||
|
"indicator--5a0ecd3e-2ed0-4f69-8797-4299950d210f",
|
||
|
"indicator--5a0ecd3e-f188-4829-aa77-427b950d210f",
|
||
|
"indicator--5a0ecd3e-2820-42a6-b14d-4b7b950d210f",
|
||
|
"indicator--5a0ecd3e-81b0-4258-a870-42ae950d210f",
|
||
|
"indicator--5a0ecd3e-fee8-4091-af94-4034950d210f",
|
||
|
"indicator--5a0ecd3e-0130-4173-91cd-4d4e950d210f",
|
||
|
"indicator--5a0ecd3e-8e48-49e0-9113-4a58950d210f",
|
||
|
"indicator--5a0ecd3e-aec8-46c6-ab59-4ef0950d210f",
|
||
|
"indicator--5a0ecd3e-f52c-4711-965c-4c83950d210f",
|
||
|
"indicator--5a0ecd3e-ead0-4a14-b246-4d79950d210f",
|
||
|
"indicator--5a0ecd3e-e018-4356-91e9-4a5d950d210f",
|
||
|
"indicator--5a0ecd3e-3080-4fa2-bdd3-4dbf950d210f",
|
||
|
"indicator--5a0ecd3e-1388-4322-a7d6-45a1950d210f",
|
||
|
"indicator--5a0ecd3e-1f14-4dfd-b535-436d950d210f",
|
||
|
"indicator--5a0ecd3e-bc5c-4037-a912-4571950d210f",
|
||
|
"indicator--5a0ecd3e-f218-45d8-8e0f-4555950d210f",
|
||
|
"indicator--5a0ecd3f-4b30-48e1-8762-465a950d210f",
|
||
|
"indicator--5a0ecd3f-f980-4a4f-b1a2-4ce2950d210f",
|
||
|
"indicator--5a0ecd3f-b22c-4fec-9b1c-4c33950d210f",
|
||
|
"indicator--5a0ecd3f-84a8-4acb-8dc1-46b3950d210f",
|
||
|
"indicator--5a0ecd3f-8d14-40e2-96db-4284950d210f",
|
||
|
"indicator--5a0ecd3f-360c-4b90-aca6-46d4950d210f",
|
||
|
"indicator--5a0ecd3f-d34c-41d2-a5ea-4fcd950d210f",
|
||
|
"indicator--5a0ecd3f-8110-447d-8683-45ab950d210f",
|
||
|
"indicator--5a0ecd3f-4a64-4637-a24e-4b8c950d210f",
|
||
|
"indicator--5a0ecd3f-f500-4458-987e-4a54950d210f",
|
||
|
"indicator--5a0ecd3f-d43c-49de-8ed5-4f56950d210f",
|
||
|
"indicator--5a0ecd3f-e578-4e67-9771-42de950d210f",
|
||
|
"indicator--5a0ecd3f-4260-48d2-9dbe-4480950d210f",
|
||
|
"indicator--5a0ecd3f-4b28-4c6d-abd9-4651950d210f",
|
||
|
"indicator--5a0ecd3f-2448-43b5-8620-4532950d210f",
|
||
|
"indicator--5a0ecd3f-05f8-43c0-ad43-4f10950d210f",
|
||
|
"indicator--5a0ecd3f-07c8-4258-94b6-43e0950d210f",
|
||
|
"indicator--5a0ecd3f-eca0-46c9-a652-4f95950d210f",
|
||
|
"indicator--5a0ecd3f-1c78-4aea-b6ec-4651950d210f",
|
||
|
"indicator--5a0ecd3f-3f10-41ed-a40c-4bcf950d210f",
|
||
|
"indicator--5a0ecd3f-d074-43ac-83a9-4e84950d210f",
|
||
|
"indicator--5a0ecd3f-f090-418e-a77b-44f2950d210f",
|
||
|
"indicator--5a0ecd3f-c6b4-470c-bfb4-4267950d210f",
|
||
|
"indicator--5a0ecd3f-d068-4024-b379-471a950d210f",
|
||
|
"indicator--5a0ecd3f-7638-438e-975d-4fb1950d210f",
|
||
|
"indicator--5a0ecd3f-6adc-4861-9373-44c2950d210f",
|
||
|
"indicator--5a0ecd3f-ac6c-4b5f-bcb9-4028950d210f",
|
||
|
"indicator--5a0ecd3f-cc40-412e-8b64-431e950d210f",
|
||
|
"indicator--5a0ecd3f-e850-40ea-bbf5-4770950d210f",
|
||
|
"indicator--5a0ecd3f-bdec-4dc8-8686-46d4950d210f",
|
||
|
"indicator--5a0ecd3f-cf4c-421d-9bd7-4653950d210f",
|
||
|
"indicator--5a0ecd3f-ae64-4fe0-88fe-4699950d210f",
|
||
|
"indicator--5a0ecd3f-919c-4383-98ee-4fb7950d210f",
|
||
|
"indicator--5a0ecd3f-c11c-430c-b323-4fdd950d210f",
|
||
|
"indicator--5a0ecd3f-a408-4e95-9547-4771950d210f",
|
||
|
"indicator--5a0ecd3f-f760-4b10-ba87-4026950d210f",
|
||
|
"indicator--5a0ecd3f-d750-4bdc-9097-418a950d210f",
|
||
|
"indicator--5a0ecd3f-588c-4540-8700-4588950d210f",
|
||
|
"indicator--5a0ecd3f-2618-4397-bc15-47a4950d210f",
|
||
|
"indicator--5a0ecd3f-4c90-486e-a378-43bf950d210f",
|
||
|
"indicator--5a0ecd3f-6884-41b7-a5ae-46fd950d210f",
|
||
|
"indicator--5a0ecd3f-0b10-42f1-b64e-4fdf950d210f",
|
||
|
"indicator--5a0ecd3f-ad9c-41c2-9bf6-47f6950d210f",
|
||
|
"indicator--5a0ecd3f-50f8-4c30-a601-4538950d210f",
|
||
|
"indicator--5a0ecd3f-1884-4f86-925f-4898950d210f",
|
||
|
"indicator--5a0ecd3f-ed18-422b-befb-45af950d210f",
|
||
|
"indicator--5a0ecd3f-4294-48c7-b924-49b0950d210f",
|
||
|
"indicator--5a0ecd3f-87b8-4158-9d7f-43fe950d210f",
|
||
|
"indicator--5a0ecd3f-558c-4008-ae54-496b950d210f",
|
||
|
"indicator--5a0ecd40-9c78-4f0c-8d93-42d6950d210f",
|
||
|
"indicator--5a0ecd40-05bc-45f4-96ec-4ec0950d210f",
|
||
|
"indicator--5a0ecd40-aec4-48dd-a2e4-4c37950d210f",
|
||
|
"indicator--5a0ecd40-0cdc-47dd-b205-43ab950d210f",
|
||
|
"indicator--5a0ecd40-9a9c-450b-a228-4016950d210f",
|
||
|
"observed-data--5a0ecdd7-2970-4158-b34d-4271950d210f",
|
||
|
"url--5a0ecdd7-2970-4158-b34d-4271950d210f",
|
||
|
"x-misp-attribute--5a0ecde6-fc20-42f6-89b0-4277950d210f",
|
||
|
"indicator--5a0ed722-f28c-4cda-a06a-46f502de0b81",
|
||
|
"observed-data--5a0ed722-13e0-4939-aa75-415b02de0b81",
|
||
|
"url--5a0ed722-13e0-4939-aa75-415b02de0b81",
|
||
|
"indicator--5a0ed722-4694-4bc1-95f2-4a8f02de0b81",
|
||
|
"observed-data--5a0ed722-cf6c-4d89-9a09-4f1402de0b81",
|
||
|
"url--5a0ed722-cf6c-4d89-9a09-4f1402de0b81",
|
||
|
"indicator--5a0ed722-de38-44d2-a650-4f6902de0b81",
|
||
|
"observed-data--5a0ed722-b0c0-4de1-92bb-4f7a02de0b81",
|
||
|
"url--5a0ed722-b0c0-4de1-92bb-4f7a02de0b81",
|
||
|
"indicator--5a0ed722-50bc-43d2-ab1c-449002de0b81",
|
||
|
"observed-data--5a0ed722-6d24-4a5e-828c-461902de0b81",
|
||
|
"url--5a0ed722-6d24-4a5e-828c-461902de0b81",
|
||
|
"indicator--5a0ed722-59f4-4dd4-af44-41f102de0b81",
|
||
|
"observed-data--5a0ed722-73c4-42a3-b4e0-459902de0b81",
|
||
|
"url--5a0ed722-73c4-42a3-b4e0-459902de0b81",
|
||
|
"indicator--5a0ee257-0e58-433e-9f9b-4a20950d210f",
|
||
|
"indicator--5a0ee257-259c-4935-9bab-4672950d210f",
|
||
|
"indicator--5a0ee257-aae0-4b71-8043-4af4950d210f",
|
||
|
"indicator--5a0ee257-626c-42e2-a9c1-4bd7950d210f",
|
||
|
"indicator--5a0ee257-5388-47d0-a9a6-4cf4950d210f",
|
||
|
"indicator--5a0ee257-0368-49aa-8448-4c3f950d210f",
|
||
|
"indicator--5a0ebb4a-6b6c-4af4-a678-46be950d210f",
|
||
|
"indicator--5a0ebfbe-2cd4-4955-a509-48cb950d210f",
|
||
|
"indicator--5a0ec065-a2f4-419e-910c-4628950d210f",
|
||
|
"indicator--5a0ec788-f438-4e69-9059-467c950d210f",
|
||
|
"indicator--5a0ec8d7-2f9c-4dda-b85e-45a6950d210f",
|
||
|
"indicator--5a0ec946-12b8-4ff3-a4fb-49dc950d210f",
|
||
|
"indicator--5a0ec959-0648-44b3-a4ce-4dbd950d210f",
|
||
|
"indicator--5a0ec96c-0bec-4c30-8c70-476c950d210f",
|
||
|
"indicator--5a0ec985-0b00-4eed-98f0-44fd950d210f",
|
||
|
"indicator--5a0ec9a2-f170-4090-aec0-477e950d210f",
|
||
|
"indicator--5a0ec9b7-e7dc-4736-8f3b-44e0950d210f",
|
||
|
"indicator--5a0ec9cd-1168-4baa-805a-463b950d210f",
|
||
|
"indicator--5a0ec9e8-5648-44db-94b9-49d2950d210f",
|
||
|
"indicator--5a0ec9fc-ac2c-4004-ac02-4170950d210f",
|
||
|
"indicator--5a0eca1d-0288-418f-bcfb-456e950d210f",
|
||
|
"indicator--5a0eca34-8828-4475-acc5-40aa950d210f",
|
||
|
"indicator--5a0eca4c-0014-4b58-8cae-4588950d210f",
|
||
|
"indicator--5a0eca81-aed4-4a4d-aa2b-4a9e950d210f",
|
||
|
"indicator--5a0eca93-20e0-4820-9a35-455d950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"osint:source-type=\"technical-report\"",
|
||
|
"misp-galaxy:threat-actor=\"Lazarus Group\"",
|
||
|
"misp-galaxy:tool=\"Volgmer\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5a0eb4e4-5314-481d-8402-4e16950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"first_observed": "2017-11-17T12:33:35Z",
|
||
|
"last_observed": "2017-11-17T12:33:35Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"file--5a0eb4e4-5314-481d-8402-4e16950d210f",
|
||
|
"artifact--5a0eb4e4-5314-481d-8402-4e16950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"attachment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"technical-report\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "file",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "file--5a0eb4e4-5314-481d-8402-4e16950d210f",
|
||
|
"name": "MAR-10135536-D_WHITE_S508C.PDF",
|
||
|
"content_ref": "artifact--5a0eb4e4-5314-481d-8402-4e16950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "artifact",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "artifact--5a0eb4e4-5314-481d-8402-4e16950d210f",
|
||
|
"payload_bin": "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
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb50d-8bd8-4c02-a27c-436a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:08:13.000Z",
|
||
|
"modified": "2017-11-17T10:08:13.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '143cb4f16dcfc16a02812718acd32c8f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:08:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb50d-7c70-4270-af1e-4497950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:08:13.000Z",
|
||
|
"modified": "2017-11-17T10:08:13.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '1ecd83ee7e4cfc8fed7ceb998e75b996']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:08:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb50d-a028-4792-ac3b-4ce3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:08:13.000Z",
|
||
|
"modified": "2017-11-17T10:08:13.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '35f9cfe5110471a82e330d904c97466a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:08:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb50d-28bc-4774-91b1-498f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:08:13.000Z",
|
||
|
"modified": "2017-11-17T10:08:13.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '5dd1ccc8fb2a5615bf5656721339efed']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:08:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb50d-5ad4-4eff-914f-43d8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:08:13.000Z",
|
||
|
"modified": "2017-11-17T10:08:13.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = '81180bf9c7b282c6b8411f8f315bc422']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:08:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb50d-2878-4c7a-a077-40d2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:08:13.000Z",
|
||
|
"modified": "2017-11-17T10:08:13.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'e3d03829cbec1a8cca56c6ae730ba9a8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:08:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-4190-42d2-9d32-45a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.16.223.35']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-e68c-4c90-8d11-4280950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '113.28.244.194']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-2974-479e-883d-4084950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '116.48.145.179']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-55f4-44f3-93ae-4a6e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '186.116.9.20']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-fb94-40c5-97bc-4652950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '186.149.198.172']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-9980-4711-917a-44c2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.28.91.232']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-1208-4b64-ad08-49fd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.97.97.148']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-a310-49d5-8e76-4c22950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '199.15.234.120']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-b668-4c30-b5d9-427d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.42.69.133']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-e6a8-45fe-86fc-4e01950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.131.222.99']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-2c64-4b18-a42d-4d1d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '210.187.87.181']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-4008-425e-a8f5-4d47950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '83.231.204.157']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-bc2c-410f-845b-435b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T10:16:40.000Z",
|
||
|
"modified": "2017-11-17T10:16:40.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '84.232.224.218']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T10:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0eb708-eadc-4887-86e9-455d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.190.188.42']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ebc15-f7ac-42f6-b7b8-e7e8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "(header)",
|
||
|
"pattern": "[file:hashes.MD5 = 'b6214e428fa300398d713f342dd73720']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ebc15-5780-4a1e-815d-e7e8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".text",
|
||
|
"pattern": "[file:hashes.MD5 = 'ccee43451bf78c75c2a487a75245aed2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ebc15-290c-4ecc-b12b-e7e8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".rdata",
|
||
|
"pattern": "[file:hashes.MD5 = '921b3440b4b8a40600f0d733db4fdca8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ebc15-0a4c-4fe7-a54c-e7e8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".data",
|
||
|
"pattern": "[file:hashes.MD5 = '2211eee046bd996c987599e0cbe6e1cc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ebc15-2368-4646-90c5-e7e8950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".rsrc",
|
||
|
"pattern": "[file:hashes.MD5 = 'e12b92a1aeeb53d25ac14b4be573e860']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec0a1-1a4c-4c40-9ae0-477f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "(header)",
|
||
|
"pattern": "[file:hashes.MD5 = '8f4d22d26031119928449f856466da0a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec0a1-7f00-4788-a560-4707950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".text",
|
||
|
"pattern": "[file:hashes.MD5 = '74a2bd172adaf6d5964d238371ba9f4e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec0a1-73c4-4b16-a809-4a52950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".rdata",
|
||
|
"pattern": "[file:hashes.MD5 = '9f849d9f0bb48924b8f04e47a36b59c4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec0a1-0ac8-436c-a568-4e16950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".data",
|
||
|
"pattern": "[file:hashes.MD5 = '07768f7af89f774cbeaa36bf80d68dd9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec0a1-23e0-4c09-903c-4c73950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".rsrc",
|
||
|
"pattern": "[file:hashes.MD5 = '68fe7330ba22a7f4f9a4b7c2582a803a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec0a1-cc14-4707-a19f-4d87950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".reloc",
|
||
|
"pattern": "[file:hashes.MD5 = '74c867b7fa902e50761d82dfe59ee255']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec4f8-5008-4cbf-8e0c-4f33950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "(header)",
|
||
|
"pattern": "[file:hashes.MD5 = 'e1d6628e550c3c99207d85828a6cd932']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec4f8-d7d8-43c7-ac24-4794950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".text",
|
||
|
"pattern": "[file:hashes.MD5 = 'eb005743ac215eb0f146227f3480e6e9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec4f8-217c-45f1-864d-4004950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".rdata",
|
||
|
"pattern": "[file:hashes.MD5 = 'a92c0e7aeced10cc835d04f072c44c5d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec4f8-d714-463c-a063-4daa950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".data",
|
||
|
"pattern": "[file:hashes.MD5 = 'c83f6ab61a65902e9b94f8fa0c93fa07']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec4f8-1cf4-43dc-8e3c-4fa1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".rsrc",
|
||
|
"pattern": "[file:hashes.MD5 = '6e50576388df1a686f37bd49ea0542e4']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec4f8-e484-458f-b830-4364950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".reloc",
|
||
|
"pattern": "[file:hashes.MD5 = '686c6badf362b2716ea522a2357991fd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec7f2-dfa0-465c-9c01-40be950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "(header)",
|
||
|
"pattern": "[file:hashes.MD5 = 'e1b62318f465d0a1e7b5e98574456f62']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec7f2-1e00-4949-96dc-460d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".text",
|
||
|
"pattern": "[file:hashes.MD5 = '12c4003f6526b045c92e9fa4cf3da2f9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec7f2-22f8-4198-943b-44ed950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".rdata",
|
||
|
"pattern": "[file:hashes.MD5 = '6a0443b1df33fdb22fe2068751f9f007']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec7f2-984c-48a1-b294-4988950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".data",
|
||
|
"pattern": "[file:hashes.MD5 = '819f69a104b87fb32f61b9853df8a9be']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec7f2-7b24-43ec-bea3-4570950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".reloc",
|
||
|
"pattern": "[file:hashes.MD5 = '9a6eb9c39222d2a6358f6c2adeabcf87']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec929-1b28-42dd-98b3-4448950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "(header)",
|
||
|
"pattern": "[file:hashes.MD5 = '0c73039cd8388fd8c45b8367398f2ce6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec929-4944-4e52-87e5-476f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".text",
|
||
|
"pattern": "[file:hashes.MD5 = 'a8b3c39fdf381c29d7e2a9f1a46ddfdd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec929-1324-4cf7-9e4c-4f4b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".rdata",
|
||
|
"pattern": "[file:hashes.MD5 = 'a7cf4e7d72c146b5abc2bfb31ad7ccfc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec929-8d38-4bd7-a62a-428d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".data",
|
||
|
"pattern": "[file:hashes.MD5 = '762fc1698ef3b6b4577f8dc8872dcac5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ec929-8218-4df0-8586-443a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": ".reloc",
|
||
|
"pattern": "[file:hashes.MD5 = '4911328ef1c6ec0210fa3b92fe556efe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecce8-a26c-4542-ac13-44e0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "According to a trusted third party, between November 24 and November 30, 2016, Volgmer malware was observed communicating from this IP address over Port 8002.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '199.68.196.125']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-bf34-490d-8f47-4acb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.68.120.179']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-9d5c-4615-9ea7-4cd1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.132.123.50']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-124c-4b99-8f77-44a0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.95.219.72']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-bcb0-4bd0-b487-4942950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.201.64.185']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-df88-43fc-bfbc-42d0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.10.55.35']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-01a0-454a-b0da-4687950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.124.169.36']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-7cac-4748-834d-436e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '222.44.80.138']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-930c-4a8b-8a8b-4c8e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.153.146.207']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-8214-4986-89ab-4d34950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:35.000Z",
|
||
|
"modified": "2017-11-17T12:33:35.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '41.131.164.156']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-3b6c-419d-b77f-4a88950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.129.240.148']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-9878-46b6-9ebf-4065950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '82.201.131.124']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-b744-4ee1-9e52-4ddf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.146.82.22']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-17b0-4e97-91d0-4dec950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure; it is likely a compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.27.164.10']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-78c8-48d2-82e2-482f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.27.164.42']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-94b4-4c71-a0a6-4b50950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '112.133.214.38']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-68c0-4f44-a7cb-4e0d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '114.79.141.59']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-1348-4eeb-964a-46d3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.115.174.67']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-3408-46d1-bf94-4f75950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.178.96.66']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-4038-4234-af56-4511950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.249.29.78']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-b68c-4319-adc2-4600950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.211.164.245']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-0540-45a0-b1ef-4c36950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.218.84.197']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-f6c4-49e3-9a38-41ef950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.239.102.132']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-a858-4768-a6cf-456d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.239.144.203']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-1df0-4885-a64f-491d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.240.190.226']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-2ed0-4f69-8797-4299950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.247.63.127']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-f188-4829-aa77-427b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '117.247.8.239']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-2820-42a6-b14d-4b7b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.67.237.124']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-81b0-4258-a870-42ae950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '125.17.79.35']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-fee8-4091-af94-4034950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '125.18.9.228']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-0130-4173-91cd-4d4e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '14.102.46.3']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-8e48-49e0-9113-4a58950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '14.139.125.214']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-aec8-46c6-ab59-4ef0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '14.141.129.116']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-f52c-4711-965c-4c83950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '180.211.97.186']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-ead0-4a14-b246-4d79950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '182.156.76.122']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-e018-4356-91e9-4a5d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '182.72.113.90']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-3080-4fa2-bdd3-4dbf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '182.73.165.58']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-1388-4322-a7d6-45a1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '182.73.245.46']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-1f14-4dfd-b535-436d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '182.74.42.194']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-bc5c-4037-a912-4571950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '182.77.61.231']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3e-f218-45d8-8e0f-4555950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '183.82.199.174']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-4b30-48e1-8762-465a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '183.82.33.102']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-f980-4a4f-b1a2-4ce2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.110.91.252']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-b22c-4fec-9b1c-4c33950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.196.136.60']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-84a8-4acb-8dc1-46b3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.88.138.79']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-8d14-40e2-96db-4284950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '43.249.216.6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-360c-4b90-aca6-46d4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.118.34.215']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-d34c-41d2-a5ea-4fcd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.255.62.10']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-8110-447d-8683-45ab950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '128.65.184.131']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-4a64-4637-a24e-4b8c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '128.65.187.94']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-f500-4458-987e-4a54950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.248.41.117']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-d43c-49de-8ed5-4f56950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:36.000Z",
|
||
|
"modified": "2017-11-17T12:33:36.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.113.149.239']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-e578-4e67-9771-42de950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.115.164.86']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-4260-48d2-9dbe-4480950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.46.218.77']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-4b28-4c6d-abd9-4651950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.207.209.36']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-2448-43b5-8620-4532950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.218.90.124']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-05f8-43c0-ad43-4f10950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.219.193.158']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-07c8-4258-94b6-43e0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.219.202.199']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-eca0-46c9-a652-4f95950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.235.21.166']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-1c78-4aea-b6ec-4651950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.98.114.90']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-3f10-41ed-a40c-4bcf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '78.38.114.15']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-d074-43ac-83a9-4e84950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '78.38.182.242']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-f090-418e-a77b-44f2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '78.39.125.67']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-c6b4-470c-bfb4-4267950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.191.171.32']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-d068-4024-b379-471a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.185.30.195']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-7638-438e-975d-4fb1950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.9.74.159']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-6adc-4861-9373-44c2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.165.119.105']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-ac6c-4b5f-bcb9-4028950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.106.77.7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-cc40-412e-8b64-431e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.98.112.196']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-e850-40ea-bbf5-4770950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.98.126.92']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-bdec-4dc8-8686-46d4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.98.36.66']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-cf4c-421d-9bd7-4653950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.183.177.90']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-ae64-4fe0-88fe-4699950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.38.16.188']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-919c-4383-98ee-4fb7950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.114.187.37']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-c11c-430c-b323-4fdd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '116.90.226.67']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-a408-4e95-9547-4771950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '113.203.238.98']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-f760-4b10-ba87-4026950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.186.133.195']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-d750-4bdc-9097-418a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '182.176.121.244']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-588c-4540-8700-4588950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '182.187.139.132']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-2618-4397-bc15-47a4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.216.67.155']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-4c90-486e-a378-43bf950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '84.235.85.86']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-11-17T12:33:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5a0ecd3f-6884-41b7-a5ae-46fd950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-11-17T12:33:37.000Z",
|
||
|
"modified": "2017-11-17T12:33:37.000Z",
|
||
|
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
|
||
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.241.106.15']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd3f-0b10-42f1-b64e-4fdf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.118.42.155']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd3f-ad9c-41c2-9bf6-47f6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '58.185.197.210']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd3f-50f8-4c30-a601-4538950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '123.231.112.147']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd3f-1884-4f86-925f-4898950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '222.165.146.86']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd3f-ed18-422b-befb-45af950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.146.157.141']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd3f-4294-48c7-b924-49b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '140.136.205.209']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd3f-87b8-4158-9d7f-43fe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '110.77.137.38']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd3f-558c-4008-ae54-496b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.175.22.10']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd40-9c78-4f0c-8d93-42d6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '125.25.206.15']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd40-05bc-45f4-96ec-4ec0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.147.10.65']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd40-aec4-48dd-a2e4-4c37950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:37.000Z",
"modified": "2017-11-17T12:33:37.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '58.82.155.98']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd40-0cdc-47dd-b205-43ab950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '61.91.47.142']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ecd40-9a9c-450b-a228-4016950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"description": "USG analysis identified this IP address as HIDDEN COBRA infrastructure, which is a likely compromised host.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.134.98.141']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a0ecdd7-2970-4158-b34d-4271950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"first_observed": "2017-11-17T12:33:38Z",
"last_observed": "2017-11-17T12:33:38Z",
"number_observed": 1,
"object_refs": [
"url--5a0ecdd7-2970-4158-b34d-4271950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a0ecdd7-2970-4158-b34d-4271950d210f",
"value": "https://www.us-cert.gov/ncas/alerts/TA17-318B"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a0ecde6-fc20-42f6-89b0-4277950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government\u2014commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\r\n\r\nFBI has high confidence that HIDDEN COBRA actors are using the IP addresses\u2014listed in this report\u2019s IOC files\u2014to maintain a presence on victims\u2019 networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ed722-f28c-4cda-a06a-46f502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"description": "- Xchecked via VT: e3d03829cbec1a8cca56c6ae730ba9a8",
"pattern": "[file:hashes.SHA256 = 'e79bbb45421320be05211a94ed507430cc9f6cf80d607d61a317af255733fcf2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a0ed722-13e0-4939-aa75-415b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"first_observed": "2017-11-17T12:33:38Z",
"last_observed": "2017-11-17T12:33:38Z",
"number_observed": 1,
"object_refs": [
"url--5a0ed722-13e0-4939-aa75-415b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a0ed722-13e0-4939-aa75-415b02de0b81",
"value": "https://www.virustotal.com/file/e79bbb45421320be05211a94ed507430cc9f6cf80d607d61a317af255733fcf2/analysis/1510736372/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ed722-4694-4bc1-95f2-4a8f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"description": "- Xchecked via VT: 5dd1ccc8fb2a5615bf5656721339efed",
"pattern": "[file:hashes.SHA256 = '1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a0ed722-cf6c-4d89-9a09-4f1402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"first_observed": "2017-11-17T12:33:38Z",
"last_observed": "2017-11-17T12:33:38Z",
"number_observed": 1,
"object_refs": [
"url--5a0ed722-cf6c-4d89-9a09-4f1402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a0ed722-cf6c-4d89-9a09-4f1402de0b81",
"value": "https://www.virustotal.com/file/1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d/analysis/1510736339/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ed722-de38-44d2-a650-4f6902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"description": "- Xchecked via VT: 35f9cfe5110471a82e330d904c97466a",
"pattern": "[file:hashes.SHA256 = '6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a0ed722-b0c0-4de1-92bb-4f7a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"first_observed": "2017-11-17T12:33:38Z",
"last_observed": "2017-11-17T12:33:38Z",
"number_observed": 1,
"object_refs": [
"url--5a0ed722-b0c0-4de1-92bb-4f7a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a0ed722-b0c0-4de1-92bb-4f7a02de0b81",
"value": "https://www.virustotal.com/file/6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1/analysis/1510794755/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ed722-50bc-43d2-ab1c-449002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"description": "- Xchecked via VT: 1ecd83ee7e4cfc8fed7ceb998e75b996",
"pattern": "[file:hashes.SHA256 = 'eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a0ed722-6d24-4a5e-828c-461902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"first_observed": "2017-11-17T12:33:38Z",
"last_observed": "2017-11-17T12:33:38Z",
"number_observed": 1,
"object_refs": [
"url--5a0ed722-6d24-4a5e-828c-461902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a0ed722-6d24-4a5e-828c-461902de0b81",
"value": "https://www.virustotal.com/file/eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5/analysis/1510776348/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ed722-59f4-4dd4-af44-41f102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"description": "- Xchecked via VT: 143cb4f16dcfc16a02812718acd32c8f",
"pattern": "[file:hashes.SHA256 = 'ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T12:33:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a0ed722-73c4-42a3-b4e0-459902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T12:33:38.000Z",
"modified": "2017-11-17T12:33:38.000Z",
"first_observed": "2017-11-17T12:33:38Z",
"last_observed": "2017-11-17T12:33:38Z",
"number_observed": 1,
"object_refs": [
"url--5a0ed722-73c4-42a3-b4e0-459902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a0ed722-73c4-42a3-b4e0-459902de0b81",
"value": "https://www.virustotal.com/file/ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd/analysis/1510776360/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ee257-0e58-433e-9f9b-4a20950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T13:21:27.000Z",
"modified": "2017-11-17T13:21:27.000Z",
"pattern": "[file:hashes.MD5 = '9a5fa5c5f3915b2297a1c379be9979f0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T13:21:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ee257-259c-4935-9bab-4672950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T13:21:27.000Z",
"modified": "2017-11-17T13:21:27.000Z",
"pattern": "[file:hashes.MD5 = '2d2b88ae9f7e5b49b728ad7a1d220e84']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T13:21:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ee257-aae0-4b71-8043-4af4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T13:21:27.000Z",
"modified": "2017-11-17T13:21:27.000Z",
"pattern": "[file:hashes.MD5 = 'ba8c717088a00999f08984408d0c5288']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T13:21:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ee257-626c-42e2-a9c1-4bd7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T13:21:27.000Z",
"modified": "2017-11-17T13:21:27.000Z",
"pattern": "[file:hashes.MD5 = '1b8ad5872662a03f4ec08f6750c89abc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T13:21:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ee257-5388-47d0-a9a6-4cf4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T13:21:27.000Z",
"modified": "2017-11-17T13:21:27.000Z",
"pattern": "[file:hashes.MD5 = 'e034ba76beb43b04d2ca6785aa76f007']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T13:21:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ee257-0368-49aa-8448-4c3f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T13:21:27.000Z",
"modified": "2017-11-17T13:21:27.000Z",
"pattern": "[file:hashes.MD5 = 'eb9db98914207815d763e2e5cfbe96b9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T13:21:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ebb4a-6b6c-4af4-a678-46be950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T10:34:50.000Z",
"modified": "2017-11-17T10:34:50.000Z",
"pattern": "[file:hashes.MD5 = '1ecd83ee7e4cfc8fed7ceb998e75b996' AND file:hashes.SHA1 = 'eddb7228e2f8b7a99c4c32a743504ed3c16b5ef3' AND file:hashes.SSDEEP = '3072:Kn13mR+uvEuCBlMclG4te7DFQstzN29ZfyXZM5QVj+XZ4dC:KneZvrRclG4mF5qZfyO2AJWC' AND file:name = '1ecd83ee7e4cfc8fed7ceb998e75b996' AND file:size = '131072' AND file:x_misp_entropy = '7.00782518905']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T10:34:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ebfbe-2cd4-4955-a509-48cb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T10:53:50.000Z",
"modified": "2017-11-17T10:53:50.000Z",
"pattern": "[file:hashes.MD5 = '81180bf9c7b282c6b8411f8f315bc422' AND file:hashes.SHA1 = 'c9b703cbc692977dfa0fe7b82768974f17dbf309' AND file:size = '546' AND file:x_misp_entropy = '1.69870551288' AND file:x_misp_ssdeep = '3:3l/l/0P5BQCfqgFwylTDRv9tWpdYYg11MBMs5v\r\nY6Pw/l/lN:3tlMP5BQCigFwyFDlWzYn1FF6PQ/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T10:53:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec065-a2f4-419e-910c-4628950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T10:56:37.000Z",
"modified": "2017-11-17T10:56:37.000Z",
"pattern": "[file:hashes.MD5 = '5dd1ccc8fb2a5615bf5656721339efed' AND file:hashes.SHA1 = '1b247442e28d9d72cb0c1a6e7dfbcd092829ee6d' AND file:name = '5dd1ccc8fb2a5615bf5656721339efed' AND file:size = '110592' AND file:x_misp_entropy = '6.09092146887' AND file:x_misp_ssdeep = '1536:VWzaaYA98ReypyDfOyzrj5b6T9LN52GoDCK\r\nRRpyJutZTgMJ:gaS98ppkj5b0DBSCscJuthg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T10:56:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec788-f438-4e69-9059-467c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:27:04.000Z",
"modified": "2017-11-17T11:27:04.000Z",
"pattern": "[file:hashes.MD5 = '143cb4f16dcfc16a02812718acd32c8f' AND file:hashes.SHA1 = 'f8397d940a204a2261dba2babd6e0718dd87574c' AND file:name = '143cb4f16dcfc16a02812718acd32c8f' AND file:size = '107008' AND file:x_misp_entropy = '5.74626869405' AND file:x_misp_ssdeep = '1536:GvSjInlBLrYOyzlgZdQ0OTigNDFxu/7zS5o3tRShIYQtl5ye:Gv\r\nSjIPrmgZdQ00NHoKUShctl5ye']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:27:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec8d7-2f9c-4dda-b85e-45a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:32:39.000Z",
"modified": "2017-11-17T11:32:39.000Z",
"pattern": "[file:hashes.MD5 = 'e3d03829cbec1a8cca56c6ae730ba9a8' AND file:hashes.SHA1 = 'ae65ffcd83dab3fdafea3ff6915fce34e1307bce' AND file:hashes.SSDEEP = '3072:+4V0+H9kt2K5aiV6CDDP+LQWOfsJEta8Ql:+35p6wP+X8Q' AND file:name = 'e3d03829cbec1a8cca56c6ae730ba9a8' AND file:size = '139264' AND file:x_misp_entropy = '6.27885773112']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec946-12b8-4ff3-a4fb-49dc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:34:30.000Z",
"modified": "2017-11-17T11:34:30.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.16.223.35') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:34:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec959-0648-44b3-a4ce-4dbd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:34:49.000Z",
"modified": "2017-11-17T11:34:49.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '113.28.244.194') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:34:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec96c-0bec-4c30-8c70-476c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:35:08.000Z",
"modified": "2017-11-17T11:35:08.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '116.48.145.179') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:35:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec985-0b00-4eed-98f0-44fd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:35:33.000Z",
"modified": "2017-11-17T11:35:33.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '186.116.9.20') AND network-traffic:dst_port = '8000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:35:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec9a2-f170-4090-aec0-477e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:36:02.000Z",
"modified": "2017-11-17T11:36:02.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '186.149.198.172') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:36:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec9b7-e7dc-4736-8f3b-44e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:36:23.000Z",
"modified": "2017-11-17T11:36:23.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.28.91.232') AND network-traffic:dst_port = '8088']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:36:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec9cd-1168-4baa-805a-463b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:36:45.000Z",
"modified": "2017-11-17T11:36:45.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.97.97.148') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:36:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec9e8-5648-44db-94b9-49d2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:37:12.000Z",
"modified": "2017-11-17T11:37:12.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '199.15.234.120') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:37:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0ec9fc-ac2c-4004-ac02-4170950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:37:32.000Z",
"modified": "2017-11-17T11:37:32.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.42.69.133') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:37:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0eca1d-0288-418f-bcfb-456e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:38:05.000Z",
"modified": "2017-11-17T11:38:05.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.131.222.99') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:38:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0eca34-8828-4475-acc5-40aa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:38:28.000Z",
"modified": "2017-11-17T11:38:28.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '210.187.87.181') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:38:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0eca4c-0014-4b58-8cae-4588950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:38:52.000Z",
"modified": "2017-11-17T11:38:52.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '83.231.204.157') AND network-traffic:dst_port = '8088']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:38:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0eca81-aed4-4a4d-aa2b-4a9e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:39:45.000Z",
"modified": "2017-11-17T11:39:45.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '84.232.224.218') AND network-traffic:dst_port = '8088']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:39:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a0eca93-20e0-4820-9a35-455d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-17T11:40:03.000Z",
"modified": "2017-11-17T11:40:03.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '84.232.224.218') AND network-traffic:dst_port = '8080']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-11-17T11:40:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}