{
"type": "bundle",
"id": "bundle--5bfd7696-5874-4de3-acf3-4478950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:14.000Z",
"modified": "2018-11-27T17:09:14.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5bfd7696-5874-4de3-acf3-4478950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:14.000Z",
"modified": "2018-11-27T17:09:14.000Z",
"name": "OSINT - DNSpionage Campaign Targets Middle East",
"published": "2018-11-27T17:20:04Z",
"object_refs": [
"x-misp-attribute--5bfd76aa-1978-4706-96ab-4795950d210f",
"observed-data--5bfd76b7-2150-40f1-bcf0-45c1950d210f",
"url--5bfd76b7-2150-40f1-bcf0-45c1950d210f",
"indicator--5bfd77ab-0e54-41cd-9846-4b59950d210f",
"indicator--5bfd77ab-d404-4f61-96d7-465c950d210f",
"indicator--5bfd77ac-07a8-4505-bc1a-42a2950d210f",
"indicator--5bfd77ac-47b4-4aa1-a4ce-4249950d210f",
"indicator--5bfd77ad-c6a0-43e1-933f-4527950d210f",
"indicator--5bfd77ad-64c4-4f18-b372-4bcf950d210f",
"indicator--5bfd77ae-b530-4ddb-93cb-47a8950d210f",
"indicator--5bfd77ae-eccc-4314-a8d4-49d8950d210f",
"indicator--5bfd77af-7364-425f-97d6-40db950d210f",
"indicator--5bfd77af-63ec-4f18-a2fd-4ec4950d210f",
"indicator--5bfd77c7-d470-494a-be58-4980950d210f",
"indicator--5bfd77e0-fbb0-4b89-aa5f-4808950d210f",
"indicator--5bfd77e0-421c-4574-adca-4866950d210f",
"indicator--5bfd77e1-1974-4553-a30a-4cae950d210f",
"indicator--5bfd77fa-7770-4829-8002-4ad0950d210f",
"indicator--5bfd77fb-be64-4578-9d94-432e950d210f",
"indicator--5bfd77fb-6e28-4951-a4b9-40fb950d210f",
"indicator--5bfd7826-b5bc-482e-a28b-40f8950d210f",
"indicator--5bfd7827-4588-4e21-8357-46a3950d210f",
"indicator--5bfd7827-f984-473a-abe0-4fb5950d210f",
"indicator--5bfd783c-daf8-40c2-a92d-4976950d210f",
"indicator--5bfd783d-af70-4573-a50e-4816950d210f",
"observed-data--5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"network-traffic--5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"ipv4-addr--5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"observed-data--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"network-traffic--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"ipv4-addr--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"observed-data--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"network-traffic--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"ipv4-addr--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"observed-data--5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"network-traffic--5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"ipv4-addr--5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"observed-data--5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"network-traffic--5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"ipv4-addr--5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"observed-data--5bfd7bc8-433c-4ebd-91b6-49ee950d210f",
"file--5bfd7bc8-433c-4ebd-91b6-49ee950d210f",
"artifact--5bfd7bc8-433c-4ebd-91b6-49ee950d210f",
"indicator--6e6483af-2f0d-424d-a499-d6a3e6353299",
"x-misp-object--84a65bd8-7fce-49dd-a208-c370fd9b4712",
"indicator--bf245fce-307d-43b4-99a1-1621912adaa1",
"x-misp-object--eefe884e-c9ac-4c89-a933-c7a28b86f3e4",
"indicator--4000505b-9af4-4fce-9268-7be10e3505ad",
"x-misp-object--8287973f-a9fd-4a35-a0e1-7078c2728c2f",
"indicator--825a35c4-4f37-4ab4-99aa-102f48160497",
"x-misp-object--ebaeaa9d-fa51-4c9f-9d88-0496e017318b",
"indicator--d0fd14c2-720a-4bb3-bc6f-f2caa1412a2e",
"x-misp-object--b59e3757-0be0-4ea6-91c2-cf6eb149c993"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"estimative-language:confidence-in-analytic-judgment=\"moderate\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5bfd76aa-1978-4706-96ab-4795950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:06:17.000Z",
"modified": "2018-11-27T17:06:17.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.\r\n\r\nBased on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling \"DNSpionage,\" supports HTTP and DNS communication with the attackers.\r\n\r\nIn a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful.\r\n\r\nIn this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as \"help wanted\" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bfd76b7-2150-40f1-bcf0-45c1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:06:16.000Z",
"modified": "2018-11-27T17:06:16.000Z",
"first_observed": "2018-11-27T17:06:16Z",
"last_observed": "2018-11-27T17:06:16Z",
"number_observed": 1,
"object_refs": [
"url--5bfd76b7-2150-40f1-bcf0-45c1950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5bfd76b7-2150-40f1-bcf0-45c1950d210f",
"value": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77ab-0e54-41cd-9846-4b59950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:19.000Z",
"modified": "2018-11-27T16:58:19.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'memail.mea.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77ab-d404-4f61-96d7-465c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:19.000Z",
"modified": "2018-11-27T16:58:19.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'autodiscover.mea.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77ac-07a8-4505-bc1a-42a2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:20.000Z",
"modified": "2018-11-27T16:58:20.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'owa.mea.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77ac-47b4-4aa1-a4ce-4249950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:20.000Z",
"modified": "2018-11-27T16:58:20.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'www.mea.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77ad-c6a0-43e1-933f-4527950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:21.000Z",
"modified": "2018-11-27T16:58:21.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'autodiscover.mea.aero']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77ad-64c4-4f18-b372-4bcf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:21.000Z",
"modified": "2018-11-27T16:58:21.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'autodiscover.meacorp.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77ae-b530-4ddb-93cb-47a8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:22.000Z",
"modified": "2018-11-27T16:58:22.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'meacorp.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77ae-eccc-4314-a8d4-49d8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:22.000Z",
"modified": "2018-11-27T16:58:22.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'memailr.meacorp.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77af-7364-425f-97d6-40db950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:23.000Z",
"modified": "2018-11-27T16:58:23.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'meoutlook.meacorp.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77af-63ec-4f18-a2fd-4ec4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:23.000Z",
"modified": "2018-11-27T16:58:23.000Z",
"description": "Domains in the MEA certificate (on 185.20.187.8):",
"pattern": "[domain-name:value = 'tmec.mea.com.lb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77c7-d470-494a-be58-4980950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:58:47.000Z",
"modified": "2018-11-27T16:58:47.000Z",
"description": "C2 Server Domain",
"pattern": "[domain-name:value = '0ffice36o.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:58:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77e0-fbb0-4b89-aa5f-4808950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:59:12.000Z",
"modified": "2018-11-27T16:59:12.000Z",
"description": "C2 Server IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.138']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:59:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77e0-421c-4574-adca-4866950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:59:12.000Z",
"modified": "2018-11-27T16:59:12.000Z",
"description": "C2 Server IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.187.8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:59:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77e1-1974-4553-a30a-4cae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:59:13.000Z",
"modified": "2018-11-27T16:59:13.000Z",
"description": "C2 Server IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.161.211.72']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:59:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77fa-7770-4829-8002-4ad0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:59:38.000Z",
"modified": "2018-11-27T16:59:38.000Z",
"description": "DNSpionage sample",
"pattern": "[file:hashes.SHA256 = '2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:59:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77fb-be64-4578-9d94-432e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:59:39.000Z",
"modified": "2018-11-27T16:59:39.000Z",
"description": "DNSpionage sample",
"pattern": "[file:hashes.SHA256 = '82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:59:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd77fb-6e28-4951-a4b9-40fb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T16:59:39.000Z",
"modified": "2018-11-27T16:59:39.000Z",
"description": "DNSpionage sample",
"pattern": "[file:hashes.SHA256 = '45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T16:59:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd7826-b5bc-482e-a28b-40f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:00:22.000Z",
"modified": "2018-11-27T17:00:22.000Z",
"description": "(LB submit)",
"pattern": "[file:hashes.SHA256 = '9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:00:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd7827-4588-4e21-8357-46a3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:00:23.000Z",
"modified": "2018-11-27T17:00:23.000Z",
"description": "(LB submit)",
"pattern": "[file:hashes.SHA256 = '15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:00:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd7827-f984-473a-abe0-4fb5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:00:23.000Z",
"modified": "2018-11-27T17:00:23.000Z",
"description": "(RU submit)",
"pattern": "[file:hashes.SHA256 = 'e279985597af22dddf1217ee35a8cffb17d1418ae1b4bae2d9ea79c0c6963a85']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:00:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd783c-daf8-40c2-a92d-4976950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:00:44.000Z",
"modified": "2018-11-27T17:00:44.000Z",
"description": "Fake job website",
"pattern": "[domain-name:value = 'hr-wipro.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:00:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5bfd783d-af70-4573-a50e-4816950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:00:45.000Z",
"modified": "2018-11-27T17:00:45.000Z",
"description": "Fake job website",
"pattern": "[domain-name:value = 'hr-suncor.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:00:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:07:06.000Z",
"modified": "2018-11-27T17:07:06.000Z",
"first_observed": "2018-11-27T17:07:06Z",
"last_observed": "2018-11-27T17:07:06Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"ipv4-addr--5bfd79ba-9690-4fe1-8117-4976e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"src_ref": "ipv4-addr--5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5bfd79ba-9690-4fe1-8117-4976e387cbd9",
"value": "91.199.39.133"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:07:07.000Z",
"modified": "2018-11-27T17:07:07.000Z",
"first_observed": "2018-11-27T17:07:07Z",
"last_observed": "2018-11-27T17:07:07Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"ipv4-addr--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"src_ref": "ipv4-addr--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5bfd79bb-06c0-4e27-8d8e-4805e387cbd9",
"value": "40.101.8.168"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:07:08.000Z",
"modified": "2018-11-27T17:07:08.000Z",
"first_observed": "2018-11-27T17:07:08Z",
"last_observed": "2018-11-27T17:07:08Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"ipv4-addr--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"src_ref": "ipv4-addr--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5bfd79bc-defc-4d9d-ae52-45e5e387cbd9",
"value": "104.16.1.7"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:07:09.000Z",
"modified": "2018-11-27T17:07:09.000Z",
"first_observed": "2018-11-27T17:07:09Z",
"last_observed": "2018-11-27T17:07:09Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"ipv4-addr--5bfd79bd-01c8-4c91-96f3-4098e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"src_ref": "ipv4-addr--5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5bfd79bd-01c8-4c91-96f3-4098e387cbd9",
"value": "185.20.184.138"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:07:09.000Z",
"modified": "2018-11-27T17:07:09.000Z",
"first_observed": "2018-11-27T17:07:09Z",
"last_observed": "2018-11-27T17:07:09Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"ipv4-addr--5bfd79bd-c714-4d3f-9807-42e5e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"src_ref": "ipv4-addr--5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5bfd79bd-c714-4d3f-9807-42e5e387cbd9",
"value": "185.161.211.79"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5bfd7bc8-433c-4ebd-91b6-49ee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:15:52.000Z",
"modified": "2018-11-27T17:15:52.000Z",
"first_observed": "2018-11-27T17:15:52Z",
"last_observed": "2018-11-27T17:15:52Z",
"number_observed": 1,
"object_refs": [
"file--5bfd7bc8-433c-4ebd-91b6-49ee950d210f",
"artifact--5bfd7bc8-433c-4ebd-91b6-49ee950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5bfd7bc8-433c-4ebd-91b6-49ee950d210f",
"name": "image3.png",
"content_ref": "artifact--5bfd7bc8-433c-4ebd-91b6-49ee950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5bfd7bc8-433c-4ebd-91b6-49ee950d210f",
"payload_bin": "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
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6e6483af-2f0d-424d-a499-d6a3e6353299",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:02.000Z",
"modified": "2018-11-27T17:09:02.000Z",
"pattern": "[file:hashes.MD5 = 'd2052cb9016dab6592c532d5ea47cb7e' AND file:hashes.SHA1 = '1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5' AND file:hashes.SHA256 = '2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:09:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--84a65bd8-7fce-49dd-a208-c370fd9b4712",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:04.000Z",
"modified": "2018-11-27T17:09:04.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-11-27T16:07:22",
"category": "Other",
"uuid": "9c2d143f-d491-4afc-9e0b-6503bd33421e"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/analysis/1543334842/",
"category": "External analysis",
"uuid": "1c5fc483-b964-4969-8b7b-6fb343e6b1a4"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "27/66",
"category": "Other",
"uuid": "861f0fee-95e9-4a77-adc7-7b56fc44bb17"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bf245fce-307d-43b4-99a1-1621912adaa1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:05.000Z",
"modified": "2018-11-27T17:09:05.000Z",
"pattern": "[file:hashes.MD5 = '48320f502811645fa1f2f614bd8a385a' AND file:hashes.SHA1 = '1f007ab17b62cca88a5681f02089ab33adc10eec' AND file:hashes.SHA256 = '15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:09:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--eefe884e-c9ac-4c89-a933-c7a28b86f3e4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:07.000Z",
"modified": "2018-11-27T17:09:07.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-11-27T16:10:08",
"category": "Other",
"uuid": "e87b0956-d6a7-4677-ade1-e88763b6824c"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa/analysis/1543335008/",
"category": "External analysis",
"uuid": "64af8286-4eb6-4fbd-9709-63f829fd7545"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "24/59",
"category": "Other",
"uuid": "65f0de8b-c1b9-436f-b1f0-7cc10e5a132a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4000505b-9af4-4fce-9268-7be10e3505ad",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:08.000Z",
"modified": "2018-11-27T17:09:08.000Z",
"pattern": "[file:hashes.MD5 = 'ba6bd22449d990be6fd9acf7e710c192' AND file:hashes.SHA1 = '14810a41ad9cca0f1028483e0ed3f52591772a61' AND file:hashes.SHA256 = 'e279985597af22dddf1217ee35a8cffb17d1418ae1b4bae2d9ea79c0c6963a85']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:09:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--8287973f-a9fd-4a35-a0e1-7078c2728c2f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:09.000Z",
"modified": "2018-11-27T17:09:09.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-11-27T05:32:45",
"category": "Other",
"uuid": "7d8312d5-277c-41b9-968f-debc2f28976d"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e279985597af22dddf1217ee35a8cffb17d1418ae1b4bae2d9ea79c0c6963a85/analysis/1543296765/",
"category": "External analysis",
"uuid": "744b795b-0f4d-4428-94a2-78bb84392988"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "1/57",
"category": "Other",
"uuid": "0c749f4d-79de-44e6-8b84-af9b9da6c64c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--825a35c4-4f37-4ab4-99aa-102f48160497",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:10.000Z",
"modified": "2018-11-27T17:09:10.000Z",
"pattern": "[file:hashes.MD5 = '807482efce3397ece64a1ded3d436139' AND file:hashes.SHA1 = '9ea865e000e3e15cec15efc466801bb181ba40a1' AND file:hashes.SHA256 = '9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:09:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--ebaeaa9d-fa51-4c9f-9d88-0496e017318b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:12.000Z",
"modified": "2018-11-27T17:09:12.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-11-27T05:31:55",
"category": "Other",
"uuid": "8cd9e418-9e12-481c-bb48-133603686037"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14/analysis/1543296715/",
"category": "External analysis",
"uuid": "19294000-dacb-4a1a-9e30-6aca6211ece9"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "26/58",
"category": "Other",
"uuid": "b9b3772e-c257-45e0-9508-0b0701be1ddc"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d0fd14c2-720a-4bb3-bc6f-f2caa1412a2e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:13.000Z",
"modified": "2018-11-27T17:09:13.000Z",
"pattern": "[file:hashes.MD5 = 'c00c9f6ebf2979292d524acff19dd306' AND file:hashes.SHA1 = '1022620da25db2497dc237adedb53755e6b859e3' AND file:hashes.SHA256 = '45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-11-27T17:09:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--b59e3757-0be0-4ea6-91c2-cf6eb149c993",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-11-27T17:09:14.000Z",
"modified": "2018-11-27T17:09:14.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-11-20T21:56:27",
"category": "Other",
"uuid": "e60e9d16-e737-46fe-b844-903b12497fb5"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff/analysis/1542750987/",
"category": "External analysis",
"uuid": "2b939201-2374-42a8-9c04-2c1bed37ecdc"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "33/67",
"category": "Other",
"uuid": "9eea241b-cd72-4723-aeb3-d7ef52caaa2c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}