{ "type": "bundle", "id": "bundle--5dc42bcc-a46c-42f4-b473-407e950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-08T07:57:27.000Z", "modified": "2019-11-08T07:57:27.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5dc42bcc-a46c-42f4-b473-407e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-08T07:57:27.000Z", "modified": "2019-11-08T07:57:27.000Z", "name": "OSINT - #APT #Bitter", "context": "suspicious-activity", "object_refs": [ "indicator--5dc43359-ff10-4414-a40a-4e83950d210f", "indicator--5dc43359-15ec-40e4-9de2-4245950d210f", "indicator--5dc43359-a3ec-4806-85ec-4976950d210f", "indicator--5dc43359-a998-40d0-89bd-42fa950d210f", "vulnerability--5dc4340a-0144-4e8b-a548-44f4950d210f", "x-misp-object--5dc432ca-bb14-48e1-85f1-4ba9950d210f", "vulnerability--5dc433d5-6b28-4a6f-a24d-4417950d210f", "x-misp-object--5dc43482-808c-494b-a2ca-cb10950d210f", "indicator--5dc51fe7-143c-444d-9a5b-ff54950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "workflow:state=\"incomplete\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc43359-ff10-4414-a40a-4e83950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-07T15:08:09.000Z", "modified": "2019-11-07T15:08:09.000Z", "description": "WN", "pattern": "[file:name = 'record.docx']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-07T15:08:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc43359-15ec-40e4-9de2-4245950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-07T15:08:09.000Z", "modified": "2019-11-07T15:08:09.000Z", "description": "NC", "pattern": "[url:value = 'http://comglobal.com.pk/wp-content/g']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-07T15:08:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc43359-a3ec-4806-85ec-4976950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-07T15:08:09.000Z", "modified": "2019-11-07T15:08:09.000Z", "pattern": "[url:value = 'http://nim.gov.pk/img/g.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-07T15:08:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc43359-a998-40d0-89bd-42fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-07T15:08:09.000Z", "modified": "2019-11-07T15:08:09.000Z", "description": "C2", "pattern": "[domain-name:value = 'tvnservereventlog.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-07T15:08:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5dc4340a-0144-4e8b-a548-44f4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-07T15:11:06.000Z", "modified": "2019-11-07T15:11:06.000Z", "name": "CVE-2017-11882", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"External analysis\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-11882" } ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5dc432ca-bb14-48e1-85f1-4ba9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-07T15:05:46.000Z", "modified": "2019-11-07T15:05:46.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "#APT #Bitter\r\n7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c\r\nWN: E-passport record.docx\r\nNC: http://comglobal[.]com[.]pk/wp-content/g\r\nhttp://nim[.]gov[.]pk/img/g.txt\r\nC2: tvnservereventlog[.]net\r\nAC: TemplateInjection->CVE-2017-11882->EXE", "category": "Other", "uuid": "5dc432ca-6a3c-43c0-bc72-4e56950d210f" }, { "type": "link", "object_relation": "link", "value": "https://mobile.twitter.com/ccxsaber/status/1192326844529422337", "category": "External analysis", "uuid": "5dc432ca-a900-4186-92bf-44b7950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5dc432ca-2b74-46e5-9fcd-4da3950d210f" }, { "type": "text", "object_relation": "hashtag", "value": "#APT", "category": "Other", "uuid": "5dc432ca-8464-4074-91bb-4834950d210f" }, { "type": "text", "object_relation": "hashtag", "value": "#Bitter", "category": "Other", "uuid": "5dc432ca-0038-4424-b855-4737950d210f" }, { "type": "text", "object_relation": "username", "value": "ccxsaber", "category": "Other", "uuid": "5dc432ca-6750-4c32-9c75-41f7950d210f" }, { "type": "text", "object_relation": "state", "value": "Informative", "category": "Other", "uuid": "5dc432ca-08a4-4cf1-98ff-4d46950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "Nov 7, 2019 7:24 AM", "category": "Other", "uuid": "5dc432ca-0200-43ce-b9bd-470f950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5dc433d5-6b28-4a6f-a24d-4417950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-07T15:10:13.000Z", "modified": "2019-11-07T15:10:13.000Z", "name": "CVE-2017-11882", "labels": [ "misp:name=\"vulnerability\"", "misp:meta-category=\"vulnerability\"", "misp:to_ids=\"False\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-11882" } ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5dc43482-808c-494b-a2ca-cb10950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-07T15:13:06.000Z", "modified": "2019-11-07T15:13:06.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "I guess exe is ArtraDownloader", "category": "Other", "uuid": "5dc43482-0f30-4961-af0b-cb10950d210f" }, { "type": "link", "object_relation": "link", "value": "https://mobile.twitter.com/kalki_poison/status/1192339289117360128", "category": "External analysis", "uuid": "5dc43482-7630-4772-a9ba-cb10950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5dc43482-ba5c-4bf4-8c86-cb10950d210f" }, { "type": "text", "object_relation": "username", "value": "kalki_poison", "category": "Other", "uuid": "5dc43482-3204-463c-bfdd-cb10950d210f" }, { "type": "text", "object_relation": "state", "value": "Informative", "category": "Other", "uuid": "5dc43482-817c-4868-a552-cb10950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "Nov 7, 2019 8:13 AM", "category": "Other", "uuid": "5dc43482-a528-4d87-9175-cb10950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc51fe7-143c-444d-9a5b-ff54950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-08T07:57:27.000Z", "modified": "2019-11-08T07:57:27.000Z", "pattern": "[file:hashes.SHA256 = '7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-08T07:57:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }