{ "type": "bundle", "id": "bundle--54ec3439-7154-48e4-ae1e-4c1c950d210b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-06-15T07:28:02.000Z", "modified": "2015-06-15T07:28:02.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--54ec3439-7154-48e4-ae1e-4c1c950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-06-15T07:28:02.000Z", "modified": "2015-06-15T07:28:02.000Z", "name": "OSINT A deeper look into ScanBox TLP:WHITE report from PWC UK", "published": "2016-02-22T15:15:26Z", "object_refs": [ "observed-data--54ec345f-6524-4783-bc45-41c5950d210b", "url--54ec345f-6524-4783-bc45-41c5950d210b", "observed-data--54ec345f-43d8-4a5a-b214-448c950d210b", "url--54ec345f-43d8-4a5a-b214-448c950d210b", "x-misp-attribute--54ec3477-e1a8-43b2-8731-4047950d210b", "indicator--54ec34c0-ad7c-488c-ab16-42fc950d210b", "indicator--54ec3633-164c-47a9-8693-4dad950d210b", "indicator--54ec36b6-6678-4619-9169-4f79950d210b", "indicator--54ec36d4-caf8-4d3d-83eb-4746950d210b", "indicator--54ec3702-76c4-4368-b35e-4406950d210b", "indicator--54ec3718-c068-4cdc-9cb6-510f950d210b", "indicator--54ec376c-66f4-415a-b8ef-47e5950d210b", "x-misp-attribute--54ec39be-9658-411d-9a63-43c5950d210b", "indicator--54ec39d8-4934-47ac-aa10-479d950d210b", "x-misp-attribute--54ec39ee-9854-4f56-b521-474b950d210b", "indicator--54ec3a18-b9d4-4f76-93e7-4f99950d210b", "indicator--54ec3a2a-0918-435c-a163-4b3e950d210b", "indicator--54ec3b25-8f44-4071-9fdd-65e2950d210b", "indicator--54ec3b25-4bf8-4707-9c47-65e2950d210b", "indicator--54ec3b25-04c8-4824-a61e-65e2950d210b", "indicator--54ec3b25-3ef8-4b3b-806b-65e2950d210b", "indicator--54ec3b25-b1b4-40fd-ac2b-65e2950d210b", "indicator--54ec3b25-1528-4ea9-bf00-65e2950d210b", "indicator--54ec3b65-b04c-483f-8b0d-c5e6950d210b", "indicator--54ec3b65-abc4-4227-8c5c-c5e6950d210b", 
"indicator--54ec3b65-82ac-49a8-b2b2-c5e6950d210b", "indicator--54ec3b65-28c0-4bd8-93e3-c5e6950d210b", "indicator--54ec3b65-3d60-4126-ad34-c5e6950d210b", "indicator--54ec3b95-14c8-409d-a793-48bb950d210b", "indicator--54ec3b95-9fe8-4d24-be71-4665950d210b", "indicator--54ec3b95-7118-461c-ba2c-4cfb950d210b", "indicator--54ec3b95-5820-4cb3-b8dd-4c54950d210b", "indicator--54ec3be3-cb88-4725-8231-41ca950d210b", "indicator--54ec3be3-4954-479c-b579-422f950d210b", "indicator--54ec3be4-7b64-4b7a-aab6-4de2950d210b", "indicator--54ec3be4-2c04-47d0-8172-4e87950d210b", "indicator--54ec4094-59d4-4b92-883c-4c9a950d210b", "indicator--54ec4094-fc8c-4e3f-a701-40f4950d210b", "indicator--54ec4095-baf4-4f93-bd14-430f950d210b", "indicator--54ec40a9-18ac-4e47-a399-4941950d210b", "indicator--54ec40a9-7220-4c16-979d-4913950d210b", "indicator--54ec40bc-e490-4845-a9d6-65e2950d210b", "observed-data--557e7e82-ee90-4a49-b920-3a74950d210b", "url--557e7e82-ee90-4a49-b920-3a74950d210b", "indicator--56c655a3-066c-40d9-847b-59a3950d210f", "indicator--56c655a4-a164-4629-8286-599e950d210f", "indicator--56c655a6-4ed4-4e67-93a4-4e9c950d210f", "indicator--56c655a1-b548-42d5-8f06-c652950d210f", "indicator--56c655a2-ca34-4a49-a2cb-59a1950d210f", "indicator--56c655a4-fdec-4a71-abf7-4d79950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--54ec345f-6524-4783-bc45-41c5950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:20:47.000Z", "modified": "2015-02-24T08:20:47.000Z", "first_observed": "2015-02-24T08:20:47Z", "last_observed": "2015-02-24T08:20:47Z", "number_observed": 1, "object_refs": [ "url--54ec345f-6524-4783-bc45-41c5950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--54ec345f-6524-4783-bc45-41c5950d210b", "value": "http://pwc.blogs.com/cyber_security_updates/2015/02/my-entry.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--54ec345f-43d8-4a5a-b214-448c950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:20:47.000Z", "modified": "2015-02-24T08:20:47.000Z", "first_observed": "2015-02-24T08:20:47Z", "last_observed": "2015-02-24T08:20:47Z", "number_observed": 1, "object_refs": [ "url--54ec345f-43d8-4a5a-b214-448c950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--54ec345f-43d8-4a5a-b214-448c950d210b", "value": "http://pwc.blogs.com/files/2015-02-24--scanbox-ii---tlpwhite.pdf" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--54ec3477-e1a8-43b2-8731-4047950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:21:11.000Z", "modified": "2015-02-24T08:21:11.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "ScanBox" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec34c0-ad7c-488c-ab16-42fc950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:22:24.000Z", "modified": "2015-02-24T08:22:24.000Z", "description": "Malware distribution point", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.80.190.133']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:22:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--54ec3633-164c-47a9-8693-4dad950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:28:35.000Z", "modified": "2015-02-24T08:28:35.000Z", "pattern": "[domain-name:value = 'googlecaches.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:28:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec36b6-6678-4619-9169-4f79950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:30:45.000Z", "modified": "2015-02-24T08:30:45.000Z", "description": "Legitimate (non-attacker-owned) site that was compromised; blocking it may affect benign traffic", "pattern": "[domain-name:value = 'gokbayrak.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:30:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec36d4-caf8-4d3d-83eb-4746950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:31:43.000Z", "modified": "2015-02-24T08:31:43.000Z", "description": "Legitimate (non-attacker-owned) site that was compromised; blocking it may affect benign traffic", "pattern": "[domain-name:value = 'macanna.com.tw']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:31:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3702-76c4-4368-b35e-4406950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": 
"2015-02-24T08:32:02.000Z", "modified": "2015-02-24T08:32:02.000Z", "pattern": "[file:hashes.MD5 = '3b8d7732de3b3c8823d241e7cd3185c4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:32:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3718-c068-4cdc-9cb6-510f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:32:24.000Z", "modified": "2015-02-24T08:32:24.000Z", "pattern": "[domain-name:value = 'happynewyear.dns04.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:32:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec376c-66f4-415a-b8ef-47e5950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:33:48.000Z", "modified": "2015-02-24T08:33:48.000Z", "description": "Resolved IP of happynewyear.dns04.com at the time of the report; it also hosted many other malicious hostnames", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.23.172.151']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:33:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--54ec39be-9658-411d-9a63-43c5950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:43:42.000Z", 
"modified": "2015-02-24T08:43:42.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "TH3Bug" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec39d8-4934-47ac-aa10-479d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:19.000Z", "modified": "2015-02-24T08:52:19.000Z", "description": "Cluster 1", "pattern": "[domain-name:value = 'news.foundationssl.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--54ec39ee-9854-4f56-b521-474b950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:44:30.000Z", "modified": "2015-02-24T08:44:30.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Deep Panda" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3a18-b9d4-4f76-93e7-4f99950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:45:11.000Z", "modified": "2015-02-24T08:45:11.000Z", "pattern": "[domain-name:value = 'qoog1e.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:45:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3a2a-0918-435c-a163-4b3e950d210b", "created_by_ref": 
"identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:45:30.000Z", "modified": "2015-02-24T08:45:30.000Z", "pattern": "[domain-name:value = 'webmailgoogle.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:45:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b25-8f44-4071-9fdd-65e2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:49:41.000Z", "modified": "2015-02-24T08:49:41.000Z", "pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes Content (plugin_pdf_ie())\"; flow:established,from_server; file_data; content:\"plugin_pdf_ie()\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]", "pattern_type": "snort", "pattern_version": "2.1", "valid_from": "2015-02-24T08:49:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b25-4bf8-4707-9c47-65e2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:49:41.000Z", "modified": "2015-02-24T08:49:41.000Z", "pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (.item(0).appendChild(iframe_tag))\"; flow:established,from_server; file_data; content:\".item(0).appendChild(iframe_tag)\"; classtype:trojan-activity; 
reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]", "pattern_type": "snort", "pattern_version": "2.1", "valid_from": "2015-02-24T08:49:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b25-04c8-4824-a61e-65e2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:49:41.000Z", "modified": "2015-02-24T08:49:41.000Z", "pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes Content (var version\\;var ax\\;var e\\;try{axo=new ActiveXObject)\"; flow:established,from_server; file_data; content:\"var version\\;var ax\\;var e\\;try{axo=new ActiveXObject\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]", "pattern_type": "snort", "pattern_version": "2.1", "valid_from": "2015-02-24T08:49:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b25-3ef8-4b3b-806b-65e2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:49:41.000Z", "modified": "2015-02-24T08:49:41.000Z", "pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (document.getElementsByTagName('head').item(0).appendChild(form_tag)\\;)\"; flow:established,from_server; file_data; 
content:\"document.getElementsByTagName('head').item(0).appendChild(form_tag)\\;\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]", "pattern_type": "snort", "pattern_version": "2.1", "valid_from": "2015-02-24T08:49:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b25-b1b4-40fd-ac2b-65e2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:49:41.000Z", "modified": "2015-02-24T08:49:41.000Z", "pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (return ((!a) ? 'x-': a) + Math.floor(Math.random() * 99999)\\;)\"; flow:established,from_server; file_data; content:\"return ((!a) ? 
'x-': a) + Math.floor(Math.random() * 99999)\\;\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]", "pattern_type": "snort", "pattern_version": "2.1", "valid_from": "2015-02-24T08:49:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b25-1528-4ea9-bf00-65e2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:49:41.000Z", "modified": "2015-02-24T08:49:41.000Z", "pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Code (Chr(CInt(ns(i)) Xor n))\"; flow:established,from_server; file_data; content:\"Chr(CInt(ns(i)) Xor n)\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]", "pattern_type": "snort", "pattern_version": "2.1", "valid_from": "2015-02-24T08:49:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"snort\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b65-b04c-483f-8b0d-c5e6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:50:45.000Z", "modified": "2015-02-24T08:50:45.000Z", "description": "Cluster 1", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '1.9.5.38']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:50:45Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b65-abc4-4227-8c5c-c5e6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:50:45.000Z", "modified": "2015-02-24T08:50:45.000Z", "description": "Cluster 1", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.255.61.227']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:50:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b65-82ac-49a8-b2b2-c5e6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:50:45.000Z", "modified": "2015-02-24T08:50:45.000Z", "description": "Cluster 1", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.153.221']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:50:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b65-28c0-4bd8-93e3-c5e6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:50:45.000Z", "modified": "2015-02-24T08:50:45.000Z", "description": "Cluster 1", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.153.227']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2015-02-24T08:50:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b65-3d60-4126-ad34-c5e6950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:50:45.000Z", "modified": "2015-02-24T08:50:45.000Z", "description": "Cluster 1", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.121.122.73']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:50:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b95-14c8-409d-a793-48bb950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:19.000Z", "modified": "2015-02-24T08:52:19.000Z", "description": "Cluster 1", "pattern": "[domain-name:value = 'file.googlecaches.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b95-9fe8-4d24-be71-4665950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:19.000Z", "modified": "2015-02-24T08:52:19.000Z", "description": "Cluster 1", "pattern": "[domain-name:value = 'gtm.googlecaches.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:19Z", "kill_chain_phases": 
[ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b95-7118-461c-ba2c-4cfb950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:19.000Z", "modified": "2015-02-24T08:52:19.000Z", "description": "Cluster 1", "pattern": "[domain-name:value = 'js.googlewebcache.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3b95-5820-4cb3-b8dd-4c54950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:19.000Z", "modified": "2015-02-24T08:52:19.000Z", "description": "Cluster 1", "pattern": "[domain-name:value = 'owa.outlookssl.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3be3-cb88-4725-8231-41ca950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:51.000Z", "modified": "2015-02-24T08:52:51.000Z", "description": "Cluster 1", "pattern": "[file:hashes.SHA256 = '4639c30b3666cb11b3927d5579790a88bff68e8137f18241f4693e0d4539c608']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload 
delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3be3-4954-479c-b579-422f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:51.000Z", "modified": "2015-02-24T08:52:51.000Z", "description": "Cluster 1", "pattern": "[file:hashes.SHA1 = '809959f390d5a49c8999ad6fff27fdc92ff1b2b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3be4-7b64-4b7a-aab6-4de2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:52.000Z", "modified": "2015-02-24T08:52:52.000Z", "description": "Cluster 1", "pattern": "[file:hashes.SHA256 = 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec3be4-2c04-47d0-8172-4e87950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T08:52:52.000Z", "modified": "2015-02-24T08:52:52.000Z", "description": "Cluster 1", "pattern": "[file:hashes.SHA1 = 'e8a8ffe39040fe36e95217b4e4f1316177d675ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T08:52:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec4094-59d4-4b92-883c-4c9a950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T09:14:06.000Z", "modified": "2015-02-24T09:14:06.000Z", "description": "Cluster 4", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.10.10.161']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T09:14:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec4094-fc8c-4e3f-a701-40f4950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T09:14:06.000Z", "modified": "2015-02-24T09:14:06.000Z", "description": "Cluster 4", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '204.152.199.43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T09:14:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec4095-baf4-4f93-bd14-430f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T09:14:06.000Z", "modified": "2015-02-24T09:14:06.000Z", "description": "Cluster 4", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.2.24.211']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T09:14:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec40a9-18ac-4e47-a399-4941950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T09:14:06.000Z", "modified": "2015-02-24T09:14:06.000Z", "description": "Cluster 4", "pattern": "[domain-name:value = 'bak.mailaunch.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T09:14:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec40a9-7220-4c16-979d-4913950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T09:14:06.000Z", "modified": "2015-02-24T09:14:06.000Z", "description": "Cluster 4", "pattern": "[domain-name:value = 'us-mg6.mail.yahoo.mailaunch.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T09:14:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--54ec40bc-e490-4845-a9d6-65e2950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-02-24T09:14:06.000Z", "modified": "2015-02-24T09:14:06.000Z", "description": "Cluster 4", "pattern": "[file:hashes.SHA1 = 'f1890cc9d6dc84021426834063394539414f68d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-02-24T09:14:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload 
delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--557e7e82-ee90-4a49-b920-3a74950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-06-15T07:28:02.000Z", "modified": "2015-06-15T07:28:02.000Z", "first_observed": "2015-06-15T07:28:02Z", "last_observed": "2015-06-15T07:28:02Z", "number_observed": 1, "object_refs": [ "url--557e7e82-ee90-4a49-b920-3a74950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--557e7e82-ee90-4a49-b920-3a74950d210b", "value": "http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c655a3-066c-40d9-847b-59a3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:37:07.000Z", "modified": "2016-02-18T23:37:07.000Z", "description": "Automatically added (via f1890cc9d6dc84021426834063394539414f68d8)", "pattern": "[file:hashes.MD5 = 'be3a3daa7d0d11df2380d3401696624a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:37:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c655a4-a164-4629-8286-599e950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:37:08.000Z", "modified": "2016-02-18T23:37:08.000Z", "description": "Automatically added (via e8a8ffe39040fe36e95217b4e4f1316177d675ed)", "pattern": "[file:hashes.MD5 = 'ef498ea09bf51b002fc7eb3dfd0d19d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:37:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c655a6-4ed4-4e67-93a4-4e9c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:37:10.000Z", "modified": "2016-02-18T23:37:10.000Z", "description": "Automatically added (via 809959f390d5a49c8999ad6fff27fdc92ff1b2b0)", "pattern": "[file:hashes.MD5 = '9cf5523da799277a4d40881199eb8325']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:37:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c655a1-b548-42d5-8f06-c652950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:37:05.000Z", "modified": "2016-02-18T23:37:05.000Z", "description": "Automatically added (via 3b8d7732de3b3c8823d241e7cd3185c4)", "pattern": "[file:hashes.SHA1 = '27a774e6bb82d4575598be00eb2ca44734d9bcf2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:37:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c655a2-ca34-4a49-a2cb-59a1950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:37:06.000Z", "modified": "2016-02-18T23:37:06.000Z", "description": "Automatically added (via 3b8d7732de3b3c8823d241e7cd3185c4)", "pattern": "[file:hashes.SHA256 = '9dc7d24cf0e0426e0e882badd6145de57384206fd6be46dc31fdfc7ea2a072cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:37:06Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56c655a4-fdec-4a71-abf7-4d79950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-02-18T23:37:08.000Z", "modified": "2016-02-18T23:37:08.000Z", "description": "Automatically added (via f1890cc9d6dc84021426834063394539414f68d8)", "pattern": "[file:hashes.SHA256 = '3112420afeb829a575ba46512314c0fab2fc80870c153de35cde4d3140a2dd26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-18T23:37:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }
