{ "type": "bundle", "id": "bundle--56580480-2738-4888-98be-b742950d210b", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T08:16:15.000Z", "modified": "2015-11-27T08:16:15.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56580480-2738-4888-98be-b742950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T08:16:15.000Z", "modified": "2015-11-27T08:16:15.000Z", "name": "OSINT Expansion on APT-28 - Evolving Threats: dissection of a Cyber-Espionage attack", "published": "2016-07-11T14:11:38Z", "object_refs": [ "x-misp-attribute--565804a4-6bc8-4dbb-88c4-4b02950d210b", "x-misp-attribute--565804a4-5b60-4e42-a2db-4a6c950d210b", "x-misp-attribute--565804a5-7c14-4b8f-8ad5-40cc950d210b", "indicator--565804d5-38bc-4e6e-9cc0-b791950d210b", "indicator--565804d6-aa04-48b1-99ee-b791950d210b", "indicator--565804d6-f130-4582-8c10-b791950d210b", "indicator--565804d7-4408-4786-b006-b791950d210b", "indicator--565804d7-d8f4-4eba-a35a-b791950d210b", "indicator--565804d8-a4fc-4721-8b3a-b791950d210b", "indicator--565804d8-e720-4012-b480-b791950d210b", "indicator--565804d9-6174-41e1-a430-b791950d210b", "indicator--565804d9-df2c-490e-95fb-b791950d210b", "indicator--565804da-08a8-40f5-9bd1-b791950d210b", "indicator--565804da-f894-4f3d-8fed-b791950d210b", "observed-data--5658050b-9fe8-45be-bf50-b742950d210b", "url--5658050b-9fe8-45be-bf50-b742950d210b", "observed-data--5658050c-3aec-4100-b938-b742950d210b", "url--5658050c-3aec-4100-b938-b742950d210b", "indicator--565805ba-f6fc-43db-90bb-b376950d210b", "indicator--565805bc-f64c-4cc5-b5a3-b376950d210b", "indicator--565805bc-10fc-4f47-a3a9-b376950d210b", "indicator--565805bd-6630-4743-ba10-b376950d210b", "indicator--565805bd-4320-414c-9afd-b376950d210b", "x-misp-attribute--56581095-fba8-4c69-bd27-b376950d210b", "x-misp-attribute--565810e0-b624-4b74-9335-401f950d210b", "indicator--5658114d-bc94-4a40-8080-485d950d210b", "indicator--5658114e-9a4c-4fac-92a3-4868950d210b", "indicator--5658114e-1b48-4304-87ec-4fc9950d210b" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--565804a4-6bc8-4dbb-88c4-4b02950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:22:12.000Z", "modified": "2015-11-27T07:22:12.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "APT28" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--565804a4-5b60-4e42-a2db-4a6c950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:22:12.000Z", "modified": "2015-11-27T07:22:12.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Sednit" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--565804a5-7c14-4b8f-8ad5-40cc950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:22:13.000Z", "modified": "2015-11-27T07:22:13.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Sofacy" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d5-38bc-4e6e-9cc0-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:01.000Z", "modified": "2015-11-27T07:23:01.000Z", "description": "CnC list paragraph", "pattern": "[domain-name:value = 'microsofthelpcenter.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d6-aa04-48b1-99ee-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:02.000Z", "modified": "2015-11-27T07:23:02.000Z", "description": "CnC list paragraph", "pattern": "[domain-name:value = '1oo7.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d6-f130-4582-8c10-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:02.000Z", "modified": "2015-11-27T07:23:02.000Z", "description": "CnC list paragraph", "pattern": "[domain-name:value = 'microsoftdriver.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d7-4408-4786-b006-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:03.000Z", "modified": "2015-11-27T07:23:03.000Z", "description": "CnC list paragraph", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.105.125.74']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d7-d8f4-4eba-a35a-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:03.000Z", "modified": "2015-11-27T07:23:03.000Z", "description": "CnC list paragraph", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '66.172.12.133']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d8-a4fc-4721-8b3a-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:04.000Z", "modified": "2015-11-27T07:23:04.000Z", "description": "CnC list paragraph", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.64.105.23']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d8-e720-4012-b480-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:04.000Z", "modified": "2015-11-27T07:23:04.000Z", "description": "CnC list paragraph", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.112.10']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d9-6174-41e1-a430-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:05.000Z", "modified": "2015-11-27T07:23:05.000Z", "description": "CnC list paragraph", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.96.178']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804d9-df2c-490e-95fb-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:05.000Z", "modified": "2015-11-27T07:23:05.000Z", "description": "CnC list paragraph", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '87.236.215.13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804da-08a8-40f5-9bd1-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:06.000Z", "modified": "2015-11-27T07:23:06.000Z", "description": "CnC list paragraph", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.19.138.66']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565804da-f894-4f3d-8fed-b791950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:06.000Z", "modified": "2015-11-27T07:23:06.000Z", "description": "CnC list paragraph", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.199.171.58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:23:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5658050b-9fe8-45be-bf50-b742950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:55.000Z", "modified": "2015-11-27T07:23:55.000Z", "first_observed": "2015-11-27T07:23:55Z", "last_observed": "2015-11-27T07:23:55Z", "number_observed": 1, "object_refs": [ "url--5658050b-9fe8-45be-bf50-b742950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5658050b-9fe8-45be-bf50-b742950d210b", "value": "http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5658050c-3aec-4100-b938-b742950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:23:56.000Z", "modified": "2015-11-27T07:23:56.000Z", "first_observed": "2015-11-27T07:23:56Z", "last_observed": "2015-11-27T07:23:56Z", "number_observed": 1, "object_refs": [ "url--5658050c-3aec-4100-b938-b742950d210b" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5658050c-3aec-4100-b938-b742950d210b", "value": "https://github.com/gasgas4/APTnotes/blob/master/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565805ba-f6fc-43db-90bb-b376950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:26:50.000Z", "modified": "2015-11-27T07:26:50.000Z", "description": "Combing through screenshots", "pattern": "[domain-name:value = 'militaryexponews.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:26:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565805bc-f64c-4cc5-b5a3-b376950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:26:52.000Z", "modified": "2015-11-27T07:26:52.000Z", "description": "Combing through screenshots", "pattern": "[domain-name:value = 'irwing.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:26:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565805bc-10fc-4f47-a3a9-b376950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:26:52.000Z", "modified": "2015-11-27T07:26:52.000Z", "description": "Combing through screenshots", "pattern": "[domain-name:value = 'eservicesystems.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:26:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565805bd-6630-4743-ba10-b376950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:26:53.000Z", "modified": "2015-11-27T07:26:53.000Z", "description": "Combing through screenshots", "pattern": "[domain-name:value = 'windowsappstore.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:26:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--565805bd-4320-414c-9afd-b376950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T07:26:53.000Z", "modified": "2015-11-27T07:26:53.000Z", "description": "Combing through screenshots", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '131.72.136.10']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T07:26:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56581095-fba8-4c69-bd27-b376950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T08:13:09.000Z", "modified": "2015-11-27T08:13:09.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Additional IOCs found combing through screenshots & using threatCrowd.org" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--565810e0-b624-4b74-9335-401f950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T08:14:24.000Z", "modified": "2015-11-27T08:14:24.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Network activity\"" ], "x_misp_category": "Network activity", "x_misp_type": "comment", "x_misp_value": "GET to URLs containing the follwoing tokens: /find/?itwm= &from= &utm= &oprnd= &from=\r\nPOST to URLs containing the follwoing tokens: /open/?ags= &ags= &oprnd= &channel= &itwm=" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5658114d-bc94-4a40-8080-485d950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T08:16:13.000Z", "modified": "2015-11-27T08:16:13.000Z", "description": "Resolution of domain irwing.org", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '204.12.244.58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T08:16:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5658114e-9a4c-4fac-92a3-4868950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T08:16:14.000Z", "modified": "2015-11-27T08:16:14.000Z", "description": "Resolution of domain irwing.org", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.200.17.202']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T08:16:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5658114e-1b48-4304-87ec-4fc9950d210b", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2015-11-27T08:16:14.000Z", "modified": "2015-11-27T08:16:14.000Z", "description": "Resolution of domain irwing.org", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.200.17.53']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2015-11-27T08:16:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:GREEN", "definition": { "tlp": "green" } } ] }