{ "type": "bundle", "id": "bundle--57a89cb0-1a80-4f24-a85b-43d4950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-04-28T18:17:38.000Z", "modified": "2017-04-28T18:17:38.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57a89cb0-1a80-4f24-a85b-43d4950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2017-04-28T18:17:38.000Z", "modified": "2017-04-28T18:17:38.000Z", "name": "OSINT Massive AdGholas Malvertising Campaigns Use Steganography and File Whitelisting to Hide in Plain Sight by ProofPoint", "published": "2017-04-28T18:57:30Z", "object_refs": [ "observed-data--57a89cda-502c-4c00-872c-4a2e950d210f", "url--57a89cda-502c-4c00-872c-4a2e950d210f", "indicator--57a89d67-90f4-4ecd-94cf-4fe3950d210f", "indicator--57a89d67-a718-4757-9714-4c32950d210f", "indicator--57a89d67-b980-4c96-98cd-49d4950d210f", "indicator--57a89d68-4270-4382-8191-4e03950d210f", "indicator--57a89d68-1038-4f62-8001-4694950d210f", "indicator--57a89d68-da14-49b0-bfd0-4da6950d210f", "indicator--57a89d68-afb0-4700-9591-45aa950d210f", "indicator--57a89d68-6164-4769-81be-4f7f950d210f", "indicator--57a89d69-c0d8-4caf-ba31-4882950d210f", "indicator--57a89d69-e450-46a2-8c02-4741950d210f", "indicator--57a89d69-a9e8-474c-9860-4641950d210f", "indicator--57a89d69-f0f0-43db-9991-44af950d210f", "indicator--57a89d69-6ddc-4e3a-95fa-4616950d210f", "indicator--57a89d78-73b8-4bdf-94c7-4dee950d210f", "indicator--57a89d79-fb18-4d5e-a545-4b5f950d210f", "indicator--57a89d79-ff64-4fc0-8c91-45d3950d210f", "indicator--57a89d8b-d4e8-4e15-a1c0-4cee950d210f", "indicator--57a89d8b-6814-4875-94fb-406b950d210f", "indicator--57a89d8b-12d4-4382-833b-47fb950d210f", "indicator--57a89d8b-3c2c-4a1a-9d96-4b7f950d210f", "indicator--57a89d8b-f15c-4025-9bee-4984950d210f", "indicator--57a89d8c-b1c4-4231-95f3-4255950d210f", "indicator--57a89d8c-8b50-4e83-b456-4dca950d210f", "indicator--57a89d8c-9f10-43b7-8bb8-4e7d950d210f", "indicator--57a89d8c-2560-4076-b500-4bc6950d210f", "indicator--57a89d8c-0480-4e00-9e29-4bd2950d210f", "indicator--57a89d8c-6e94-4bbb-9f0c-4a66950d210f", "indicator--57a89d8d-7dc8-4433-8ed1-41ae950d210f", "indicator--57a89d8d-c7e8-490f-93cf-4646950d210f", "indicator--57a89d8d-4138-4acf-9696-4e09950d210f", "indicator--57a89d8d-abb0-4604-9cc9-4e9e950d210f", "indicator--57a89d8d-74b0-4507-9ea8-4cea950d210f", "indicator--57a89dfd-d4d0-468f-b66b-4181950d210f", "indicator--57a89dfd-0088-4d78-921a-4d6c950d210f", "indicator--57a89dfe-215c-4030-97c0-4f17950d210f", "indicator--57a89dfe-19b0-491a-96ac-4975950d210f", "indicator--57a89dfe-7d38-4e77-a631-4326950d210f", "indicator--57a89dfe-a39c-4b20-98a0-4aff950d210f", "indicator--57a89dff-8c98-43fb-b064-4ce9950d210f", "indicator--57a89dff-2a30-48e7-bbd3-41e2950d210f", "indicator--57a89dff-e68c-4ee7-a7a1-4202950d210f", "indicator--57a89dff-dd6c-4400-87bd-4d32950d210f", "indicator--57a89dff-f750-4895-8537-4f40950d210f", "indicator--57a89e00-cbec-4c22-8682-4751950d210f", "indicator--57a89e19-57ac-45fe-9c0a-403a950d210f", "indicator--57a89e19-5ae0-4597-9a74-4fc1950d210f", "indicator--57a89e19-1964-4253-b0a4-4154950d210f", "indicator--57a89e1a-1a10-451d-9ccf-4c2c950d210f", "indicator--57a89e25-a258-49ba-a36a-4ddf950d210f", "indicator--57a89e25-6a28-4026-8108-4ae1950d210f", "indicator--57a89e26-8b3c-4a3c-a88d-4eaa950d210f", "indicator--57a89e26-5eac-41cb-90fc-4e9d950d210f", "indicator--57a89e26-8f3c-447c-a0f6-40f0950d210f", "indicator--57a89e39-43c4-4c41-ad7e-4943950d210f", "indicator--57a89e39-6d00-4231-8fe4-4ab5950d210f", "indicator--57a89e39-d61c-4e8b-b526-48c0950d210f", "indicator--57a89e3a-021c-4005-bfea-4d4f950d210f", "indicator--57a89e3a-bf48-4851-a137-486d950d210f", "indicator--57a89e3a-44f0-4b61-a213-492a950d210f", "indicator--57a89e3a-9d0c-4a94-881a-4e9d950d210f", "indicator--57a89e3a-2fd0-455c-aedb-45f7950d210f", "indicator--57a89e3b-e718-421b-b049-40ed950d210f", "indicator--57a89e3b-4be0-47b1-ba46-466c950d210f", "indicator--57a89e3b-c38c-4943-817e-414a950d210f", "indicator--57a89e3b-bb78-43bb-b705-42e0950d210f", "indicator--57a89e3c-da8c-49cd-8129-40c1950d210f", "indicator--57a89e3c-7364-4edc-84e9-4dda950d210f", "indicator--57a89e3c-705c-47a0-ad9d-4c67950d210f", "indicator--57a89e3c-6398-46b8-89d8-49ac950d210f", "indicator--57a89e3c-1f7c-4b02-9a37-43b3950d210f", "indicator--57a89e4b-80ec-45f4-9cef-4cfe950d210f", "indicator--57a89e4b-2018-4f65-adc0-48b3950d210f", "indicator--57a89e4b-b734-46dc-b3f6-453a950d210f", "indicator--57a89e4c-60b8-4768-992f-4019950d210f", "indicator--57a89e4c-d3c0-4276-855f-4403950d210f", "indicator--57a89e4c-e0cc-47d1-90b7-4c81950d210f", "indicator--57a89e4c-4194-4bdb-86c6-41f0950d210f", "indicator--57a89e4c-7624-43f7-b5b4-4780950d210f", "indicator--57a89e4c-00c0-46e1-8d8a-47e3950d210f", "indicator--57a89e4d-f93c-470c-9eb1-4ebd950d210f", "indicator--57a89e70-2270-4df0-ad4c-495f950d210f", "indicator--57a89e7c-1090-44a6-8d7e-4be2950d210f", "indicator--57a89e97-d100-4a36-a731-41e6950d210f", "indicator--57a89ea4-0130-4423-bba4-4c31950d210f", "indicator--57a89f26-2de4-4480-8200-4cbf950d210f", "indicator--57a89f28-0cb8-47cc-956b-46c3950d210f", "indicator--57a89f2b-fbe4-4dbe-bd19-4213950d210f", "indicator--57a89f2d-62f8-4437-9b65-4c69950d210f", "indicator--57a89f31-6610-4e18-95f6-4299950d210f", "indicator--57a89f34-3640-4efb-bf6e-4457950d210f", "indicator--57a89f37-a410-4538-9926-4924950d210f", "indicator--57a89f39-9594-4912-a651-4c88950d210f", "indicator--57a89f27-1940-4f9c-9e98-4729950d210f", "indicator--57a89f29-378c-418b-b5a0-458a950d210f", "indicator--57a89f2c-5070-44d4-aed7-41b8950d210f", "indicator--57a89f2e-297c-48df-b8be-437d950d210f", "indicator--57a89f32-0920-44c2-bc0b-4570950d210f", "indicator--57a89f34-ad98-4946-badd-43fe950d210f", "indicator--57a89f37-f7ac-408c-ace5-4609950d210f", "indicator--57a89f3a-58cc-4f61-b95b-446a950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57a89cda-502c-4c00-872c-4a2e950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:53:14.000Z", "modified": "2016-08-08T14:53:14.000Z", "first_observed": "2016-08-08T14:53:14Z", "last_observed": "2016-08-08T14:53:14Z", "number_observed": 1, "object_refs": [ "url--57a89cda-502c-4c00-872c-4a2e950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57a89cda-502c-4c00-872c-4a2e950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d67-90f4-4ecd-94cf-4fe3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:35.000Z", "modified": "2016-08-08T14:55:35.000Z", "pattern": "[domain-name:value = 'brainram.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d67-a718-4757-9714-4c32950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:35.000Z", "modified": "2016-08-08T14:55:35.000Z", "pattern": "[domain-name:value = 'cleanerzoomer.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d67-b980-4c96-98cd-49d4950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:35.000Z", "modified": "2016-08-08T14:55:35.000Z", "pattern": "[domain-name:value = 'cruzame.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d68-4270-4382-8191-4e03950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:36.000Z", "modified": "2016-08-08T14:55:36.000Z", "pattern": "[domain-name:value = 'ec-centre.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d68-1038-4f62-8001-4694950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:36.000Z", "modified": "2016-08-08T14:55:36.000Z", "pattern": "[domain-name:value = 'emaxing.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d68-da14-49b0-bfd0-4da6950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:36.000Z", "modified": "2016-08-08T14:55:36.000Z", "pattern": "[domain-name:value = 'iipus.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d68-afb0-4700-9591-45aa950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:36.000Z", "modified": "2016-08-08T14:55:36.000Z", "pattern": "[domain-name:value = 'mamaniaca.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d68-6164-4769-81be-4f7f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:36.000Z", "modified": "2016-08-08T14:55:36.000Z", "pattern": "[domain-name:value = 'merovinjo.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d69-c0d8-4caf-ba31-4882950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:37.000Z", "modified": "2016-08-08T14:55:37.000Z", "pattern": "[domain-name:value = 'moyeuvelo.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d69-e450-46a2-8c02-4741950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:37.000Z", "modified": "2016-08-08T14:55:37.000Z", "pattern": "[domain-name:value = 'ponteblue.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d69-a9e8-474c-9860-4641950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:37.000Z", "modified": "2016-08-08T14:55:37.000Z", "pattern": "[domain-name:value = 'sensecreator.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d69-f0f0-43db-9991-44af950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:37.000Z", "modified": "2016-08-08T14:55:37.000Z", "pattern": "[domain-name:value = 'tjprofile.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d69-6ddc-4e3a-95fa-4616950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:37.000Z", "modified": "2016-08-08T14:55:37.000Z", "pattern": "[domain-name:value = 'xuwakix.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d78-73b8-4bdf-94c7-4dee950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:52.000Z", "modified": "2016-08-08T14:55:52.000Z", "description": "Domain shadowing", "pattern": "[domain-name:value = 'a.stylefinishdesign.com.au']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d79-fb18-4d5e-a545-4b5f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:53.000Z", "modified": "2016-08-08T14:55:53.000Z", "description": "Domain shadowing", "pattern": "[domain-name:value = 'ads.avodirect.ca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d79-ff64-4fc0-8c91-45d3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:55:53.000Z", "modified": "2016-08-08T14:55:53.000Z", "description": "Domain shadowing", "pattern": "[domain-name:value = 'ads.boxerbuilding.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:55:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8b-d4e8-4e15-a1c0-4cee950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:11.000Z", "modified": "2016-08-08T14:56:11.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '162.247.14.213']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8b-6814-4875-94fb-406b950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:11.000Z", "modified": "2016-08-08T14:56:11.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.43.147.195']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8b-12d4-4382-833b-47fb950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:11.000Z", "modified": "2016-08-08T14:56:11.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '179.43.147.242']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8b-3c2c-4a1a-9d96-4b7f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:11.000Z", "modified": "2016-08-08T14:56:11.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.240.97.164']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8b-f15c-4025-9bee-4984950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:11.000Z", "modified": "2016-08-08T14:56:11.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.109.69.212']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8c-b1c4-4231-95f3-4255950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:12.000Z", "modified": "2016-08-08T14:56:12.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.187.5.206']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8c-8b50-4e83-b456-4dca950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:12.000Z", "modified": "2016-08-08T14:56:12.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.7.124.160']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8c-9f10-43b7-8bb8-4e7d950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:12.000Z", "modified": "2016-08-08T14:56:12.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.7.124.184']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8c-2560-4076-b500-4bc6950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:12.000Z", "modified": "2016-08-08T14:56:12.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.7.124.215']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8c-0480-4e00-9e29-4bd2950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:12.000Z", "modified": "2016-08-08T14:56:12.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.7.143.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8c-6e94-4bbb-9f0c-4a66950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:12.000Z", "modified": "2016-08-08T14:56:12.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.7.143.70']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8d-7dc8-4433-8ed1-41ae950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:13.000Z", "modified": "2016-08-08T14:56:13.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.154.199.135']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8d-c7e8-490f-93cf-4646950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:13.000Z", "modified": "2016-08-08T14:56:13.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.154.199.181']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8d-4138-4acf-9696-4e09950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:13.000Z", "modified": "2016-08-08T14:56:13.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.154.199.182']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8d-abb0-4604-9cc9-4e9e950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:13.000Z", "modified": "2016-08-08T14:56:13.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.154.199.67']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89d8d-74b0-4507-9ea8-4cea950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:56:13.000Z", "modified": "2016-08-08T14:56:13.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.154.199.79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:56:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dfd-d4d0-468f-b66b-4181950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:05.000Z", "modified": "2016-08-08T14:58:05.000Z", "pattern": "[file:hashes.SHA256 = '09ba8463a09bbb430987ac1cbcbb7004c3be6b9bcf72b2db2333e599cc4203eb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dfd-0088-4d78-921a-4d6c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:05.000Z", "modified": "2016-08-08T14:58:05.000Z", "pattern": "[file:hashes.SHA256 = '0ca994d7e06405793f8fc9b9ced5364bd0dd46119031b8b0d09f03e8bbffb85e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dfe-215c-4030-97c0-4f17950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:06.000Z", "modified": "2016-08-08T14:58:06.000Z", "pattern": "[file:hashes.SHA256 = '588fe945aeba2099e0f1743f046ee82cb7b92737fbae8673faeba50faebba847']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dfe-19b0-491a-96ac-4975950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:06.000Z", "modified": "2016-08-08T14:58:06.000Z", "pattern": "[file:hashes.SHA256 = '5962b458a0d3852a6974836951dc072593ecd4407b58dccad4a38eccc39dc54c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dfe-7d38-4e77-a631-4326950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:06.000Z", "modified": "2016-08-08T14:58:06.000Z", "pattern": "[file:hashes.SHA256 = '676ea2b87029e18edf3a1b221e5173cbc7a5dc73da9e48b09644eac65ab544f0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dfe-a39c-4b20-98a0-4aff950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:06.000Z", "modified": "2016-08-08T14:58:06.000Z", "pattern": "[file:hashes.SHA256 = '7ea69328bc3dbaa53db243c3b789f719bb14283c32168f1bc8ea947fedf968f8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dff-8c98-43fb-b064-4ce9950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:07.000Z", "modified": "2016-08-08T14:58:07.000Z", "pattern": "[file:hashes.SHA256 = 'a5881a71d46346224e3d23d49a0577ea898fab3ea619d0e1acc77c982787fca0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dff-2a30-48e7-bbd3-41e2950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:07.000Z", "modified": "2016-08-08T14:58:07.000Z", "pattern": "[file:hashes.SHA256 = 'af4ad3afa72ac39650f508a5f301c6e37b2b5f296563e43cd29eff49b8f25c7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dff-e68c-4ee7-a7a1-4202950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:07.000Z", "modified": "2016-08-08T14:58:07.000Z", "pattern": "[file:hashes.SHA256 = 'b46408cefa56cd09faa2d994271f03fcae9aa27dee279ea2eb71e163a15c3d44']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dff-dd6c-4400-87bd-4d32950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:07.000Z", "modified": "2016-08-08T14:58:07.000Z", "pattern": "[file:hashes.SHA256 = 'd2d8de76afcf1fec3b8a41b1fc41405051c352b38b215666197d7045a79b99a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89dff-f750-4895-8537-4f40950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:07.000Z", "modified": "2016-08-08T14:58:07.000Z", "pattern": "[file:hashes.SHA256 = 'e06b753aa98e1b8fdc7c8ee1cbd07f5d46b2bbf88ebc8d450c8f24c6e79520a4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e00-cbec-4c22-8682-4751950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:08.000Z", "modified": "2016-08-08T14:58:08.000Z", "pattern": "[file:hashes.SHA256 = 'e7febe0cdfa798c3bb78e5ca8fd143b4721b04ff4d81cfea2b4c7b9da039fa19']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e19-57ac-45fe-9c0a-403a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:33.000Z", "modified": "2016-08-08T14:58:33.000Z", "pattern": "[domain-name:value = 'allerager.click']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e19-5ae0-4597-9a74-4fc1950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:33.000Z", "modified": "2016-08-08T14:58:33.000Z", "pattern": "[domain-name:value = 'amyrwsmur.click']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e19-1964-4253-b0a4-4154950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:33.000Z", "modified": "2016-08-08T14:58:33.000Z", "pattern": "[domain-name:value = 'biicqwfvqiec.click']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e1a-1a10-451d-9ccf-4c2c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:34.000Z", "modified": "2016-08-08T14:58:34.000Z", "pattern": "[domain-name:value = 'cmedia.cloud']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e25-a258-49ba-a36a-4ddf950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:45.000Z", "modified": "2016-08-08T14:58:45.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '108.61.103.205']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e25-6a28-4026-8108-4ae1950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:45.000Z", "modified": "2016-08-08T14:58:45.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.62.78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e26-8b3c-4a3c-a88d-4eaa950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:46.000Z", "modified": "2016-08-08T14:58:46.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.105.244.11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e26-5eac-41cb-90fc-4e9d950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:46.000Z", "modified": "2016-08-08T14:58:46.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.32.157.168']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e26-8f3c-447c-a0f6-40f0950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:58:46.000Z", "modified": "2016-08-08T14:58:46.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '93.190.177.179']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:58:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e39-43c4-4c41-ad7e-4943950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:05.000Z", "modified": "2016-08-08T14:59:05.000Z", "pattern": "[domain-name:value = '987034569274692894.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e39-6d00-4231-8fe4-4ab5950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:05.000Z", "modified": "2016-08-08T14:59:05.000Z", "pattern": "[domain-name:value = 'allkindsublidamages.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e39-d61c-4e8b-b526-48c0950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:05.000Z", "modified": "2016-08-08T14:59:05.000Z", "pattern": "[domain-name:value = 'allenia.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3a-021c-4005-bfea-4d4f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:06.000Z", "modified": "2016-08-08T14:59:06.000Z", "pattern": "[domain-name:value = 'fqelkidudcwb.eu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3a-bf48-4851-a137-486d950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:06.000Z", "modified": "2016-08-08T14:59:06.000Z", "pattern": "[domain-name:value = 'genetyoucircuminformed.xyz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3a-44f0-4b61-a213-492a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:06.000Z", "modified": "2016-08-08T14:59:06.000Z", "pattern": "[domain-name:value = 'ionbudeerttsq.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3a-9d0c-4a94-881a-4e9d950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:06.000Z", "modified": "2016-08-08T14:59:06.000Z", "pattern": "[domain-name:value = 'j73gdy64reff625r.cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3a-2fd0-455c-aedb-45f7950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:06.000Z", "modified": "2016-08-08T14:59:06.000Z", "pattern": "[domain-name:value = 'oghtjpo.eu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3b-e718-421b-b049-40ed950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:07.000Z", "modified": "2016-08-08T14:59:07.000Z", "pattern": "[domain-name:value = 'othrebso.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3b-4be0-47b1-ba46-466c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:07.000Z", "modified": "2016-08-08T14:59:07.000Z", "pattern": "[domain-name:value = 'andnetscapeadefective.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3b-c38c-4943-817e-414a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:07.000Z", "modified": "2016-08-08T14:59:07.000Z", "pattern": "[domain-name:value = 'allerapo.eu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3b-bb78-43bb-b705-42e0950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:07.000Z", "modified": "2016-08-08T14:59:07.000Z", "pattern": "[domain-name:value = 'blastercast.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3c-da8c-49cd-8129-40c1950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:08.000Z", "modified": "2016-08-08T14:59:08.000Z", "pattern": "[domain-name:value = 'enwhhdvfolsn.click']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3c-7364-4edc-84e9-4dda950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:08.000Z", "modified": "2016-08-08T14:59:08.000Z", "pattern": "[domain-name:value = 'gegbghtyg.eu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3c-705c-47a0-ad9d-4c67950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:08.000Z", "modified": "2016-08-08T14:59:08.000Z", "pattern": "[domain-name:value = 'heleryjoortusd.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3c-6398-46b8-89d8-49ac950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:08.000Z", "modified": "2016-08-08T14:59:08.000Z", "pattern": "[domain-name:value = 'obesca.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e3c-1f7c-4b02-9a37-43b3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:08.000Z", "modified": "2016-08-08T14:59:08.000Z", "pattern": "[domain-name:value = 'stream.gizdosales.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4b-80ec-45f4-9cef-4cfe950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:23.000Z", "modified": "2016-08-08T14:59:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '112.20.178.110']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4b-2018-4f65-adc0-48b3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:23.000Z", "modified": "2016-08-08T14:59:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.42.116.41']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4b-b734-46dc-b3f6-453a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:23.000Z", "modified": "2016-08-08T14:59:23.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.92.127.39']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4c-60b8-4768-992f-4019950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:24.000Z", "modified": "2016-08-08T14:59:24.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.32.154.141']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4c-d3c0-4276-855f-4403950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:24.000Z", "modified": "2016-08-08T14:59:24.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.32.245.19']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4c-e0cc-47d1-90b7-4c81950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:24.000Z", "modified": "2016-08-08T14:59:24.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.45.169.120']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4c-4194-4bdb-86c6-41f0950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:24.000Z", "modified": "2016-08-08T14:59:24.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.45.169.182']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4c-7624-43f7-b5b4-4780950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:24.000Z", "modified": "2016-08-08T14:59:24.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '87.98.254.64']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4c-00c0-46e1-8d8a-47e3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:24.000Z", "modified": "2016-08-08T14:59:24.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.233.116.174']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e4d-f93c-470c-9eb1-4ebd950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T14:59:25.000Z", "modified": "2016-08-08T14:59:25.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.242.254.51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T14:59:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e70-2270-4df0-ad4c-495f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:00:00.000Z", "modified": "2016-08-08T15:00:00.000Z", "pattern": "[rule AdGholas_mem\r\n{\r\n meta:\r\n malfamily = \"AdGholas\"\r\n\r\n strings:\r\n $a1 = \"(3e8)!=\" ascii wide\r\n $a2 = /href=\\x22\\.\\x22\\+[a-z]+\\,mimeType\\}/ ascii wide\r\n $a3 = /\\+[a-z]+\\([\\x22\\x27]divx[^\\x22\\x27]+torrent[^\\x22\\x27]*[\\x22\\x27]\\.split/ ascii wide\r\n $a4 = \"chls\" nocase ascii wide\r\n $a5 = \"saz\" nocase ascii wide\r\n $a6 = \"flac\" nocase ascii wide\r\n $a7 = \"pcap\" nocase ascii wide\r\n\r\n condition:\r\n all of ($a*)\r\n}]", "pattern_type": "yara", "valid_from": "2016-08-08T15:00:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e7c-1090-44a6-8d7e-4be2950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:00:12.000Z", "modified": "2016-08-08T15:00:12.000Z", "pattern": "[rule AdGholas_mem_MIME\r\n{\r\n meta:\r\n malfamily = \"AdGholas\"\r\n\r\n strings:\r\n $b1=\".300000000\" ascii nocase wide fullword\r\n $b2=\".saz\" ascii nocase wide fullword\r\n $b3=\".py\" ascii nocase wide fullword\r\n $b4=\".pcap\" ascii nocase wide fullword\r\n $b5=\".chls\" ascii nocase wide fullword\r\n\r\n condition:\r\n all of ($b*)\r\n}]", "pattern_type": "yara", "valid_from": "2016-08-08T15:00:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89e97-d100-4a36-a731-41e6950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:00:39.000Z", "modified": "2016-08-08T15:00:39.000Z", "pattern": "[rule AdGholas_mem_antisec_M2\r\n{\r\n meta:\r\n malfamily = \"AdGholas\"\r\n\r\n strings:\r\n $s1 = \"ActiveXObject(\\\"Microsoft.XMLDOM\\\")\" nocase ascii wide\r\n $s2 = \"loadXML\" nocase ascii wide fullword\r\n $s3 = \"parseError.errorCode\" nocase ascii wide\r\n $s4 = /res\\x3a\\x2f\\x2f[\\x27\\x22]\\x2b/ nocase ascii wide\r\n $s5 = /\\x251e3\\x21\\s*\\x3d\\x3d\\s*[a-zA-Z]+\\x3f1\\x3a0/ nocase ascii wide\r\n\r\n condition:\r\n all of ($s*)\r\n}]", "pattern_type": "yara", "valid_from": "2016-08-08T15:00:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89ea4-0130-4423-bba4-4c31950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:00:52.000Z", "modified": "2016-08-08T15:00:52.000Z", "pattern": "[rule AdGholas_mem_MIME_M2\r\n{\r\n meta:\r\n malfamily = \"AdGholas\"\r\n\r\n strings:\r\n $s1 = \"halog\" nocase ascii wide fullword\r\n $s2 = \"pcap\" nocase ascii wide fullword\r\n $s3 = \"saz\" nocase ascii wide fullword\r\n $s4 = \"chls\" nocase ascii wide fullword\r\n $s5 = /return[^\\x3b\\x7d\\n]+href\\s*=\\s*[\\x22\\x27]\\x2e[\\x27\\x22]\\s*\\+\\s*[^\\x3b\\x7d\\n]+\\s*,\\s*[^\\x3b\\x7d\\n]+\\.mimeType/ nocase ascii wide\r\n $s6 = /\\x21==[a-zA-Z]+\\x3f\\x210\\x3a\\x211/ nocase ascii wide\r\n\r\n condition:\r\n all of ($s*)\r\n}]", "pattern_type": "yara", "valid_from": "2016-08-08T15:00:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f26-2de4-4480-8200-4cbf950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:02.000Z", "modified": "2016-08-08T15:03:02.000Z", "description": "Automatically added (via 09ba8463a09bbb430987ac1cbcbb7004c3be6b9bcf72b2db2333e599cc4203eb)", "pattern": "[file:hashes.MD5 = '59e964c3556c3edee5ec46047d22334f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f28-0cb8-47cc-956b-46c3950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:04.000Z", "modified": "2016-08-08T15:03:04.000Z", "description": "Automatically added (via 0ca994d7e06405793f8fc9b9ced5364bd0dd46119031b8b0d09f03e8bbffb85e)", "pattern": "[file:hashes.MD5 = '6ab935d12654160bb9dc2c423330b04c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f2b-fbe4-4dbe-bd19-4213950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:07.000Z", "modified": "2016-08-08T15:03:07.000Z", "description": "Automatically added (via 5962b458a0d3852a6974836951dc072593ecd4407b58dccad4a38eccc39dc54c)", "pattern": "[file:hashes.MD5 = 'f3b3266a92725d42c2bc8a1a6fb49a69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f2d-62f8-4437-9b65-4c69950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:09.000Z", "modified": "2016-08-08T15:03:09.000Z", "description": "Automatically added (via 676ea2b87029e18edf3a1b221e5173cbc7a5dc73da9e48b09644eac65ab544f0)", "pattern": "[file:hashes.MD5 = '9b03a798139e9509322ce95755ac4250']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f31-6610-4e18-95f6-4299950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:13.000Z", "modified": "2016-08-08T15:03:13.000Z", "description": "Automatically added (via a5881a71d46346224e3d23d49a0577ea898fab3ea619d0e1acc77c982787fca0)", "pattern": "[file:hashes.MD5 = 'c8f5b2b6507d0fd7e421c5b59699deb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f34-3640-4efb-bf6e-4457950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:16.000Z", "modified": "2016-08-08T15:03:16.000Z", "description": "Automatically added (via b46408cefa56cd09faa2d994271f03fcae9aa27dee279ea2eb71e163a15c3d44)", "pattern": "[file:hashes.MD5 = 'fd6b65fc06598d473baa02d4c81b26f0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f37-a410-4538-9926-4924950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:19.000Z", "modified": "2016-08-08T15:03:19.000Z", "description": "Automatically added (via e06b753aa98e1b8fdc7c8ee1cbd07f5d46b2bbf88ebc8d450c8f24c6e79520a4)", "pattern": "[file:hashes.MD5 = '92094b6882ce0584feb37de21266d38b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f39-9594-4912-a651-4c88950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:21.000Z", "modified": "2016-08-08T15:03:21.000Z", "description": "Automatically added (via e7febe0cdfa798c3bb78e5ca8fd143b4721b04ff4d81cfea2b4c7b9da039fa19)", "pattern": "[file:hashes.MD5 = '88e1bd67c7bd0554fda176d5621d08dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f27-1940-4f9c-9e98-4729950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:03.000Z", "modified": "2016-08-08T15:03:03.000Z", "description": "Automatically added (via 09ba8463a09bbb430987ac1cbcbb7004c3be6b9bcf72b2db2333e599cc4203eb)", "pattern": "[file:hashes.SHA1 = '997d1ecef80855818be02c2faf8aba21f813c090']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f29-378c-418b-b5a0-458a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:05.000Z", "modified": "2016-08-08T15:03:05.000Z", "description": "Automatically added (via 0ca994d7e06405793f8fc9b9ced5364bd0dd46119031b8b0d09f03e8bbffb85e)", "pattern": "[file:hashes.SHA1 = '5500fbff24ef6d5de69970794ac0a1296099f6bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f2c-5070-44d4-aed7-41b8950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:08.000Z", "modified": "2016-08-08T15:03:08.000Z", "description": "Automatically added (via 5962b458a0d3852a6974836951dc072593ecd4407b58dccad4a38eccc39dc54c)", "pattern": "[file:hashes.SHA1 = 'da9b18ff7f24fb9c80cab35bf93b7269416ed761']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f2e-297c-48df-b8be-437d950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:10.000Z", "modified": "2016-08-08T15:03:10.000Z", "description": "Automatically added (via 676ea2b87029e18edf3a1b221e5173cbc7a5dc73da9e48b09644eac65ab544f0)", "pattern": "[file:hashes.SHA1 = 'ebeef25bc783181cdb52f287c4dea3cc870e7bf2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f32-0920-44c2-bc0b-4570950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:14.000Z", "modified": "2016-08-08T15:03:14.000Z", "description": "Automatically added (via a5881a71d46346224e3d23d49a0577ea898fab3ea619d0e1acc77c982787fca0)", "pattern": "[file:hashes.SHA1 = '5bd373b0c41890881a4e0e6b51452291fb63df62']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f34-ad98-4946-badd-43fe950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:16.000Z", "modified": "2016-08-08T15:03:16.000Z", "description": "Automatically added (via b46408cefa56cd09faa2d994271f03fcae9aa27dee279ea2eb71e163a15c3d44)", "pattern": "[file:hashes.SHA1 = '6da1337d040189ea6d5c869e6aedd7baf5762cd8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f37-f7ac-408c-ace5-4609950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:19.000Z", "modified": "2016-08-08T15:03:19.000Z", "description": "Automatically added (via e06b753aa98e1b8fdc7c8ee1cbd07f5d46b2bbf88ebc8d450c8f24c6e79520a4)", "pattern": "[file:hashes.SHA1 = '63ed0f2fda0005f302b4ca9a810a76011cbe7045']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57a89f3a-58cc-4f61-b95b-446a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-08T15:03:22.000Z", "modified": "2016-08-08T15:03:22.000Z", "description": "Automatically added (via e7febe0cdfa798c3bb78e5ca8fd143b4721b04ff4d81cfea2b4c7b9da039fa19)", "pattern": "[file:hashes.SHA1 = 'e52ecfdca76e20d8fa23957388e0ce3043047c98']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-08T15:03:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }