{ "type": "bundle", "id": "bundle--5761398f-31d0-46b0-808f-41de950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T14:29:39.000Z", "modified": "2016-06-15T14:29:39.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5761398f-31d0-46b0-808f-41de950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T14:29:39.000Z", "modified": "2016-06-15T14:29:39.000Z", "name": "OSINT Microsoft Office Zero-Day CVE-2015-2424 Leveraged By Tsar Team report by iSight", "published": "2016-06-15T14:37:12Z", "object_refs": [ "observed-data--576139cd-c990-43a1-a4a8-4bf3950d210f", "url--576139cd-c990-43a1-a4a8-4bf3950d210f", "indicator--576139e6-3f30-4918-b364-4153950d210f", "indicator--57613a1d-35ec-44c0-8aec-4b7f950d210f", "indicator--57613a1d-2914-4a97-aa60-44c8950d210f", "indicator--57613a1d-6308-40a1-845c-4a40950d210f", "indicator--57613a1d-13dc-43ee-8402-4e0c950d210f", "x-misp-attribute--57613a36-abb0-413a-abcf-48ea950d210f", "x-misp-attribute--57613a37-0114-48a8-8e8a-4be9950d210f", "x-misp-attribute--57613a37-a08c-4103-874e-403f950d210f", "indicator--57616653-a3f8-4374-9d69-b45602de0b81", "indicator--57616653-8898-4177-ae78-b45602de0b81", "observed-data--57616654-5384-4905-8b97-b45602de0b81", "url--57616654-5384-4905-8b97-b45602de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "OSINT", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--576139cd-c990-43a1-a4a8-4bf3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:19:41.000Z", "modified": "2016-06-15T11:19:41.000Z", "first_observed": "2016-06-15T11:19:41Z", "last_observed": "2016-06-15T11:19:41Z", "number_observed": 1, "object_refs": [ "url--576139cd-c990-43a1-a4a8-4bf3950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--576139cd-c990-43a1-a4a8-4bf3950d210f", "value": "https://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--576139e6-3f30-4918-b364-4153950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:20:06.000Z", "modified": "2016-06-15T11:20:06.000Z", "pattern": "[file:hashes.MD5 = '112c64f7c07a959a1cbff6621850a4ad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-15T11:20:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57613a1d-35ec-44c0-8aec-4b7f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:21:01.000Z", "modified": "2016-06-15T11:21:01.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.172.11.207']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-15T11:21:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57613a1d-2914-4a97-aa60-44c8950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:21:01.000Z", "modified": "2016-06-15T11:21:01.000Z", "pattern": "[domain-name:value = 'wscapi.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-15T11:21:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57613a1d-6308-40a1-845c-4a40950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:21:01.000Z", "modified": "2016-06-15T11:21:01.000Z", "pattern": "[domain-name:value = 'tabsync.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-15T11:21:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57613a1d-13dc-43ee-8402-4e0c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:21:01.000Z", "modified": "2016-06-15T11:21:01.000Z", "pattern": "[domain-name:value = 'storsvc.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-15T11:21:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57613a36-abb0-413a-abcf-48ea950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:21:26.000Z", "modified": "2016-06-15T11:21:26.000Z", "labels": [ "misp:type=\"threat-actor\"", "misp:category=\"Attribution\"" ], "x_misp_category": "Attribution", "x_misp_type": "threat-actor", "x_misp_value": "APT28" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57613a37-0114-48a8-8e8a-4be9950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:21:27.000Z", "modified": "2016-06-15T11:21:27.000Z", "labels": [ "misp:type=\"threat-actor\"", "misp:category=\"Attribution\"" ], "x_misp_category": "Attribution", "x_misp_type": "threat-actor", "x_misp_value": "Sofacy" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57613a37-a08c-4103-874e-403f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T11:21:27.000Z", "modified": "2016-06-15T11:21:27.000Z", "labels": [ "misp:type=\"threat-actor\"", "misp:category=\"Attribution\"" ], "x_misp_category": "Attribution", "x_misp_type": "threat-actor", "x_misp_value": "Tsar Team" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57616653-a3f8-4374-9d69-b45602de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T14:29:39.000Z", "modified": "2016-06-15T14:29:39.000Z", "description": "- Xchecked via VT: 112c64f7c07a959a1cbff6621850a4ad", "pattern": "[file:hashes.SHA256 = '9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-15T14:29:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57616653-8898-4177-ae78-b45602de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T14:29:39.000Z", "modified": "2016-06-15T14:29:39.000Z", "description": "- Xchecked via VT: 112c64f7c07a959a1cbff6621850a4ad", "pattern": "[file:hashes.SHA1 = 'e7f7f6caaede6cc29c2e7e4888019f2d1be37cef']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-15T14:29:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57616654-5384-4905-8b97-b45602de0b81", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-06-15T14:29:40.000Z", "modified": "2016-06-15T14:29:40.000Z", "first_observed": "2016-06-15T14:29:40Z", "last_observed": "2016-06-15T14:29:40Z", "number_observed": 1, "object_refs": [ "url--57616654-5384-4905-8b97-b45602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57616654-5384-4905-8b97-b45602de0b81", "value": "https://www.virustotal.com/file/9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512/analysis/1464765865/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }