{ "type": "bundle", "id": "bundle--5a3c2fcd-8328-42bb-a95e-4f4402de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T13:17:25.000Z", "modified": "2017-12-22T13:17:25.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5a3c2fcd-8328-42bb-a95e-4f4402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T13:17:25.000Z", "modified": "2017-12-22T13:17:25.000Z", "name": "OSINT - Sednit update: How Fancy Bear Spent the Year", "context": "suspicious-activity", "object_refs": [ "observed-data--5a3c2fda-78f4-44b7-8366-46da02de0b81", "url--5a3c2fda-78f4-44b7-8366-46da02de0b81", "x-misp-attribute--5a3c2fee-7c8c-438a-8f7f-465402de0b81", "indicator--5a3c3045-ab0c-4d38-8efe-459002de0b81", "indicator--5a3c3045-61dc-495c-ae8a-471e02de0b81", "indicator--5a3c3045-e354-4978-a6b4-49ad02de0b81", "indicator--5a3c3045-968c-4572-9f64-491502de0b81", "indicator--5a3c3045-eb44-433f-a13a-44b902de0b81", "indicator--5a3c3045-6a88-479d-b799-4d3d02de0b81", "indicator--5a3c3045-7480-4831-a5c4-48c802de0b81", "indicator--5a3cd5b6-9568-4342-b2ab-4c62950d210f", "indicator--5a3cd604-e11c-4de5-bbbf-c170950d210f", "indicator--5a3cd693-fd9c-4fcf-b69a-439c950d210f", "indicator--5a3cd6c2-d290-4787-910f-4e6d950d210f", "indicator--5a3cd74e-1504-40ff-9a28-4501950d210f", "indicator--5a3cd775-e4cc-44bb-89b6-4c5a950d210f", "indicator--5a3cd82f-2788-4561-bbeb-5165950d210f", "indicator--5a3cd847-b5a0-42f7-ac4b-5165950d210f", "indicator--5a3cd861-65c0-4b69-9429-4f37950d210f", "indicator--5a3cd87d-f514-4071-a5f7-4ec2950d210f", "indicator--5a3cd896-f6cc-4e52-bcb2-442c950d210f", "indicator--5a3cd8ae-54d0-46bb-adbb-4c5a950d210f", "indicator--5a3cd8bb-a704-4f1d-a235-444e950d210f", "indicator--5a3cd8c9-6568-406a-853c-4862950d210f", "indicator--5a3cd8db-2838-4466-a986-4afb950d210f", 
"indicator--5a3cd8fb-cd14-4b00-9710-430c950d210f", "indicator--5a3cd90e-538c-4b7e-95dc-5276950d210f", "indicator--5a3cd927-e410-489c-abfc-4b63950d210f", "indicator--5a3cd93c-716c-4918-a00f-4671950d210f", "indicator--5a3cda96-85c4-45a1-82ea-c5ed950d210f", "indicator--5a3cdbc7-dbec-4b8c-8ba3-4c5a950d210f", "indicator--5a3cdbf6-f814-491f-9f93-4c59950d210f", "indicator--5a3cdc09-6fbc-4ca1-bfaa-c5ed950d210f", "indicator--5a3cdc21-856c-48bd-a757-4f4b950d210f", "indicator--5a3cdc37-89e8-4a2d-823a-4af8950d210f", "indicator--5a3cdc48-b9a0-4775-a03f-5156950d210f", "indicator--5a3cdc5a-8760-4efa-949a-4c5a950d210f", "indicator--5a3cdc72-1538-4c66-af46-427b950d210f", "indicator--5a3ce3a9-f070-4403-a1f6-4b8c950d210f", "indicator--5a3ce3c3-34b4-4e1f-b238-4399950d210f", "indicator--5a3ce3d4-07bc-4af3-90fc-4798950d210f", "indicator--5a3ce3ea-580c-477c-9b73-4e57950d210f", "indicator--5a3ce404-efc0-4f15-864e-55ea950d210f", "indicator--5a3ce417-7cd4-4c36-8a73-55ea950d210f", "indicator--5a3ce42b-2e0c-4a26-b6c8-47a3950d210f", "indicator--5a3ce43a-5478-4f65-95b2-4e1e950d210f", "indicator--5a3ce44a-ce70-42b7-80b8-c328950d210f", "indicator--5a3ce58a-3198-4cb8-9d51-44e5950d210f", "indicator--5a3ce5f8-3418-4f7b-ae41-4bca950d210f", "indicator--5a3ce60a-6db8-4212-b194-4339950d210f", "indicator--5a3ce61a-c1f0-4c7c-b815-4fa9950d210f", "indicator--5a3ce63e-0240-46f5-b9ed-4759950d210f", "indicator--5a3ce64e-8bf8-4dc6-be49-437f950d210f", "indicator--5a3ce65c-fc40-4585-817e-4ca3950d210f", "indicator--5a3ce66e-70b4-47e7-b965-46f6950d210f", "indicator--5a3ce680-90d4-478d-95db-48a6950d210f", "indicator--5a3ce68d-1940-4ea6-becd-44fe950d210f", "indicator--5a3ce6a1-3f1c-4d5d-bac7-406d950d210f", "indicator--5a3ce6ae-98d8-4270-b88f-47f2950d210f", "relationship--bb972efe-905e-4e27-ae87-e6a9ef1949e5", "relationship--c24bebab-8518-446f-8b8d-59eda908bf93", "relationship--14df0d51-8dfb-4280-adc8-90083c32c8e5", "relationship--39b7fc16-eb97-4590-85db-20aaefd51abf", 
"relationship--44c86514-4c60-452a-b303-ed47fbaf789b", "relationship--f712ad07-5c35-4815-989f-c0f652a3351f", "relationship--a354a0aa-0a47-4c14-8f08-e711d0c8a43f", "relationship--a969b7db-a3c8-4704-9553-64eadefd75f8", "relationship--a6dafa7e-3940-4684-a79d-effc529040d0", "relationship--02f6d3eb-f38d-4d6e-831c-2b2954407029", "relationship--17273fb5-40c9-43c8-974a-474e1da878bd", "relationship--73caebaf-02be-4bb0-8897-d2c352b1bdd4", "relationship--1395dee5-7c69-41bd-8337-03b18bc32e97", "relationship--bfd09e83-7026-49d3-9396-f51a3e12a754", "relationship--8d6a6c8c-dde0-4588-9efc-bcd63135e6c9", "relationship--54dce59f-6019-4ef3-af44-34e9c4641651", "relationship--39ce2c4b-d297-4027-9d10-a0fbf73662e3", "relationship--5a5307cd-ac4e-4f46-978a-9892ef212dff", "relationship--44571124-844a-4ab4-a575-7bed940273be", "relationship--2cc68a24-aa81-486f-b8b4-061ea51b1a9d" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "workflow:state=\"incomplete\"", "workflow:todo=\"create-missing-misp-galaxy-cluster-values\"", "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "misp-galaxy:threat-actor=\"Sofacy\"", "misp-galaxy:exploit-kit=\"Sednit EK\"", "misp-galaxy:tool=\"GAMEFISH\"", "misp-galaxy:mitre-malware=\"JHUHUGIT\"", "misp-galaxy:tool=\"X-Tunnel\"", "misp-galaxy:mitre-malware=\"XTunnel\"", "misp-galaxy:mitre-malware=\"ADVSTORESHELL\"", "misp-galaxy:tool=\"EVILTOSS\"", "misp-galaxy:mitre-malware=\"USBStealer\"", "misp-galaxy:tool=\"X-Agent\"", "misp-galaxy:mitre-malware=\"XAgentOSX\"", "misp-galaxy:mitre-malware=\"CHOPSTICK\"", "misp-galaxy:exploit-kit=\"DealersChoice\"", "misp-galaxy:mitre-malware=\"Downdelph\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a3c2fda-78f4-44b7-8366-46da02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:21.000Z", "modified": "2017-12-21T22:05:21.000Z", 
"first_observed": "2017-12-21T22:05:21Z", "last_observed": "2017-12-21T22:05:21Z", "number_observed": 1, "object_refs": [ "url--5a3c2fda-78f4-44b7-8366-46da02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "osint:certainty=\"93\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a3c2fda-78f4-44b7-8366-46da02de0b81", "value": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a3c2fee-7c8c-438a-8f7f-465402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:21.000Z", "modified": "2017-12-21T22:05:21.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "osint:certainty=\"93\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The Sednit group \u2014 also known as Strontium, APT28, Fancy Bear or Sofacy\u2009\u2014\u2009is a group of attackers operating since 2004, if not earlier, and whose main objective is to steal confidential information from specific targets.\r\n\r\nThis article is a follow-up to ESET\u2019s presentation at BlueHat in November 2017. Late in 2016 we published a white paper covering Sednit activity between 2014 and 2016. Since then, we have continued to actively track Sednit\u2019s operations, and today we are publishing a brief overview of what our tracking uncovered in terms of the group\u2019s activities and updates to their toolset. The first section covers the update of their attack methodology: namely, the ways in which this group tries to compromise their targets\u2019 systems. The second section covers the evolution of their tools, with a particular emphasis on a detailed analysis of a new version of their flagship malware: Xagent." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3c3045-ab0c-4d38-8efe-459002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:57.000Z", "modified": "2017-12-21T22:05:57.000Z", "description": "Xagent Samples", "pattern": "[domain-name:value = 'movieultimate.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-21T22:05:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3c3045-61dc-495c-ae8a-471e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:57.000Z", "modified": "2017-12-21T22:05:57.000Z", "description": "Xagent Samples", "pattern": "[domain-name:value = 'meteost.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-21T22:05:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3c3045-e354-4978-a6b4-49ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:57.000Z", "modified": "2017-12-21T22:05:57.000Z", "description": "Xagent Samples", "pattern": "[domain-name:value = 'faststoragefiles.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-21T22:05:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3c3045-968c-4572-9f64-491502de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:57.000Z", "modified": "2017-12-21T22:05:57.000Z", "description": "Xagent Samples", "pattern": "[domain-name:value = 'nethostnet.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-21T22:05:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3c3045-eb44-433f-a13a-44b902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:57.000Z", "modified": "2017-12-21T22:05:57.000Z", "description": "Xagent Samples", "pattern": "[domain-name:value = 'fsportal.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-21T22:05:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3c3045-6a88-479d-b799-4d3d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:57.000Z", "modified": "2017-12-21T22:05:57.000Z", "description": "Xagent Samples", "pattern": "[domain-name:value = 'fastdataexchange.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-21T22:05:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3c3045-7480-4831-a5c4-48c802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-21T22:05:57.000Z", "modified": 
"2017-12-21T22:05:57.000Z", "description": "Xagent Samples", "pattern": "[domain-name:value = 'newfilmts.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-21T22:05:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd5b6-9568-4342-b2ab-4c62950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T09:51:50.000Z", "modified": "2017-12-22T09:51:50.000Z", "description": "Win32/Sednit.AX", "pattern": "[file:hashes.SHA1 = '68064fc152e23d56e541714af52651cb4ba81aaf' AND file:name = 'Bulletin.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T09:51:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd604-e11c-4de5-bbbf-c170950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T09:53:08.000Z", "modified": "2017-12-22T09:53:08.000Z", "description": "Win32/Exploit.CVE-2016-4117.A", "pattern": "[file:hashes.SHA1 = 'f3805382ae2e23ff1147301d131a06e00e4ff75f' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T09:53:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd693-fd9c-4fcf-b69a-439c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T09:55:31.000Z", 
"modified": "2017-12-22T09:55:31.000Z", "description": "Win32/Exploit.Agent.NUB", "pattern": "[file:hashes.SHA1 = '512bdfe937314ac3f195c462c395feeb36932971' AND file:name = 'OC_PSO_2017.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T09:55:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd6c2-d290-4787-910f-4e6d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T09:56:18.000Z", "modified": "2017-12-22T09:56:18.000Z", "description": "Win32/Exploit.Agent.NTR", "pattern": "[file:hashes.SHA1 = '30b3e8c0f3f3cf200daa21c267ffab3cad64e68b' AND file:name = 'NASAMS.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T09:56:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd74e-1504-40ff-9a28-4501950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T09:58:38.000Z", "modified": "2017-12-22T09:58:38.000Z", "description": "Win32/Exploit.Agent.NTO", "pattern": "[file:hashes.SHA1 = '4173b29a251cd9c1cab135f67cb60acab4ace0c5' AND file:name = 'Programm_Details.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T09:58:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5a3cd775-e4cc-44bb-89b6-4c5a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T09:59:17.000Z", "modified": "2017-12-22T09:59:17.000Z", "description": "Win32/Exploit.Agent.NTR", "pattern": "[file:hashes.SHA1 = '12a37cfdd3f3671074dd5b0f354269cec028fb52' AND file:name = 'Operation_in_Mosul.rtf' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T09:59:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd82f-2788-4561-bbeb-5165950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:02:23.000Z", "modified": "2017-12-22T10:02:23.000Z", "description": "SWF/Agent.L", "pattern": "[file:hashes.SHA1 = '15201766bd964b7c405aeb11db81457220c31e46' AND file:name = 'ARM-NATO_ENGLISH_30_NOV_2016.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:02:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd847-b5a0-42f7-ac4b-5165950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:02:47.000Z", "modified": "2017-12-22T10:02:47.000Z", "description": "Win32/Exploit.Agent.BL", "pattern": "[file:hashes.SHA1 = '8078e411fbe33864dfd8f87ad5105cc1fd26d62e' AND file:name = 'Olympic-Agenda-2020-20-20-Recommendations.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:02:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd861-65c0-4b69-9429-4f37950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:03:13.000Z", "modified": "2017-12-22T10:03:13.000Z", "description": "Win32/Exploit.Agent.NUG", "pattern": "[file:hashes.SHA1 = '33447383379ca99083442b852589111296f0c603' AND file:name = 'Merry_Christmas!.docx' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:03:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd87d-f514-4071-a5f7-4ec2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:03:41.000Z", "modified": "2017-12-22T10:03:41.000Z", "description": "Win32/Exploit.Agent.NWZ", "pattern": "[file:hashes.SHA1 = 'd5235d136cfcadbef431eea7253d80bde414db9d' AND file:name = 'Trump\u2019s_Attack_on_Syria_English.docx' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:03:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd896-f6cc-4e52-bcb2-442c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:04:06.000Z", "modified": "2017-12-22T10:04:06.000Z", "description": "Win32/Sednit.BN", "pattern": "[file:hashes.SHA1 = 'f293a2bfb728060c54efeeb03c5323893b5c80df' AND file:name = 'Hotel_Reservation_Form.doc' AND file:x_misp_state = 
'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:04:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd8ae-54d0-46bb-adbb-4c5a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:04:30.000Z", "modified": "2017-12-22T10:04:30.000Z", "description": "Win32/Sednit.BN", "pattern": "[file:hashes.SHA1 = 'bb10ed5d59672fbc6178e35d0feac0562513e9f0' AND file:name = 'SB_Doc_2017-3_Implementation_of_Key_Taskings_and_Next_Steps.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:04:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd8bb-a704-4f1d-a235-444e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:04:43.000Z", "modified": "2017-12-22T10:04:43.000Z", "pattern": "[file:hashes.SHA1 = '4873bafe44cff06845faa0ce7c270c4ce3c9f7b9' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:04:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd8c9-6568-406a-853c-4862950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:04:57.000Z", "modified": "2017-12-22T10:04:57.000Z", "pattern": "[file:hashes.SHA1 = '169c8f3e3d22e192c108bc95164d362ce5437465' AND 
file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:04:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd8db-2838-4466-a986-4afb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:05:15.000Z", "modified": "2017-12-22T10:05:15.000Z", "description": "Win32/Sednit.BN", "pattern": "[file:hashes.SHA1 = 'cc7607015cd7a1a4452acd3d87adabdd7e005bd7' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:05:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd8fb-cd14-4b00-9710-430c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:05:47.000Z", "modified": "2017-12-22T10:05:47.000Z", "description": "Win32/Exploit.Agent.NTM", "pattern": "[file:hashes.SHA1 = '5d2c7d87995cc5b8184baba2c7a1900a48b2f42d' AND file:name = 'Caucasian_Eagle_ENG.docx' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:05:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd90e-538c-4b7e-95dc-5276950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:06:06.000Z", "modified": "2017-12-22T10:06:06.000Z", "description": "SWF/Exploit.CVE-2017-11292.A", "pattern": 
"[file:hashes.SHA1 = '7aada8bcc0d1ab8ffb1f0fae4757789c6f5546a3' AND file:name = 'World War3.docx' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:06:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd927-e410-489c-abfc-4b63950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:06:31.000Z", "modified": "2017-12-22T10:06:31.000Z", "description": "VBA/DDE.E", "pattern": "[file:hashes.SHA1 = '68c2809560c7623d2307d8797691abf3eafe319a' AND file:name = 'SaberGuardian2017.docx' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:06:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cd93c-716c-4918-a00f-4671950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:06:52.000Z", "modified": "2017-12-22T10:06:52.000Z", "description": "VBA/DDE.L", "pattern": "[file:hashes.SHA1 = '1c6c700ceebfbe799e115582665105caa03c5c9e' AND file:name = 'IsisAttackInNewYork.docx' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:06:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cda96-85c4-45a1-82ea-c5ed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-12-22T10:17:09.000Z", "modified": "2017-12-22T10:17:09.000Z", "description": "Win64/Sednit.Z", "pattern": "[file:hashes.SHA1 = '6f0fc0ebba3e4c8b26a69cdf519edf8d1aa2f4bb' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:17:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cdbc7-dbec-4b8c-8ba3-4c5a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:21:34.000Z", "modified": "2017-12-22T10:21:34.000Z", "description": "Win64/Sednit.Z", "pattern": "[file:hashes.SHA1 = 'e19f753e514f6adec8f81bcdefb9117979e69627' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:21:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cdbf6-f814-491f-9f93-4c59950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:23:33.000Z", "modified": "2017-12-22T10:23:33.000Z", "description": "Win32/Sednit.BO", "pattern": "[file:hashes.SHA1 = '961468ddd3d0fa25beb8210c81ba620f9170ed30' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:23:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cdc09-6fbc-4ca1-bfaa-c5ed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-12-22T10:22:52.000Z", "modified": "2017-12-22T10:22:52.000Z", "description": "Win32/Sednit.BO", "pattern": "[file:hashes.SHA1 = 'a0719b50265505c8432616c0a4e14ed206981e95' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:22:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cdc21-856c-48bd-a757-4f4b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:23:49.000Z", "modified": "2017-12-22T10:23:49.000Z", "description": "Win64/Sednit.Y", "pattern": "[file:hashes.SHA1 = '2cf6436b99d11d9d1e0c488af518e35162ecbc9c' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:23:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cdc37-89e8-4a2d-823a-4af8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:23:13.000Z", "modified": "2017-12-22T10:23:13.000Z", "description": "Win64/Sednit.Y", "pattern": "[file:hashes.SHA1 = 'fec29b4f4dccc59770c65c128dfe4564d7c13d33' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:23:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cdc48-b9a0-4775-a03f-5156950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-12-22T10:22:12.000Z", "modified": "2017-12-22T10:22:12.000Z", "description": "Win64/Sednit.Z", "pattern": "[file:hashes.SHA1 = '57d7f3d31c491f8aef4665ca4dd905c3c8a98795' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:22:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cdc5a-8760-4efa-949a-4c5a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:24:43.000Z", "modified": "2017-12-22T10:24:43.000Z", "description": "Win32/Sednit.BO", "pattern": "[file:hashes.SHA1 = 'a3bf5b5cf5a5ef438a198a6f61f7225c0a4a7138' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:24:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3cdc72-1538-4c66-af46-427b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T10:24:27.000Z", "modified": "2017-12-22T10:24:27.000Z", "description": "Win32/Sednit.BO", "pattern": "[file:hashes.SHA1 = '1958e722afd0dba266576922abc98aa505cf5f9a' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:24:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce3a9-f070-4403-a1f6-4b8c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-12-22T13:17:25.000Z", "modified": "2017-12-22T13:17:25.000Z", "description": "Win32/Sednit.AX", "pattern": "[file:hashes.SHA1 = '9f6bed7d7f4728490117cbc85819c2e6c494251b' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T13:17:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce3c3-34b4-4e1f-b238-4399950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T13:15:38.000Z", "modified": "2017-12-22T13:15:38.000Z", "description": "Win32/Sednit.BS", "pattern": "[file:hashes.SHA1 = '4bc722a9b0492a50bd86a1341f02c74c0d773db7' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T13:15:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce3d4-07bc-4af3-90fc-4798950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T13:16:40.000Z", "modified": "2017-12-22T13:16:40.000Z", "description": "Win32/Sednit.BS", "pattern": "[file:hashes.SHA1 = 'ab354807e687993fbeb1b325eb6e4ab38d428a1e' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T13:16:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce3ea-580c-477c-9b73-4e57950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-12-22T13:17:09.000Z", "modified": "2017-12-22T13:17:09.000Z", "description": "Win32/Sednit.BR", "pattern": "[file:hashes.SHA1 = '9c47ca3883196b3a84d67676a804ff50e22b0a9f' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T13:17:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce404-efc0-4f15-864e-55ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T13:07:56.000Z", "modified": "2017-12-22T13:07:56.000Z", "description": "Win32/Sednit.BN", "pattern": "[file:hashes.SHA1 = '8a68f26d01372114f660e32ac4c9117e5d0577f1' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T13:07:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce417-7cd4-4c36-8a73-55ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T13:15:01.000Z", "modified": "2017-12-22T13:15:01.000Z", "description": "Win32/Sednit.BN", "pattern": "[file:hashes.SHA1 = '476fc1d31722ac26b46154cbf0c631d60268b28a' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T13:15:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce42b-2e0c-4a26-b6c8-47a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-12-22T13:08:51.000Z", "modified": "2017-12-22T13:08:51.000Z", "description": "Win32/Sednit.BN", "pattern": "[file:hashes.SHA1 = 'f9fd3f1d8da4ffd6a494228b934549d09e3c59d1' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T13:08:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce43a-5478-4f65-95b2-4e1e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T13:12:22.000Z", "modified": "2017-12-22T13:12:22.000Z", "description": "Win32/Sednit.BG", "pattern": "[file:hashes.SHA1 = 'e338d49c270baf64363879e5eecb8fa6bdde8ad9' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T13:12:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce44a-ce70-42b7-80b8-c328950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:05:56.000Z", "modified": "2017-12-22T11:05:56.000Z", "description": "Win32/Sednit.BG", "pattern": "[file:hashes.SHA1 = '6e167da3c5d887fa2e58da848a2245d11b6c5ad6' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:05:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce58a-3198-4cb8-9d51-44e5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-12-22T10:59:22.000Z", "modified": "2017-12-22T10:59:22.000Z", "pattern": "[domain-name:value = 'servicecdp.com' AND domain-name:resolves_to_refs[*].value = '87.236.211.182']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T10:59:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce5f8-3418-4f7b-ae41-4bca950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:01:12.000Z", "modified": "2017-12-22T11:01:12.000Z", "pattern": "[domain-name:value = 'wmdmediacodecs.com' AND domain-name:resolves_to_refs[*].value = '95.215.45.43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:01:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce60a-6db8-4212-b194-4339950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:01:30.000Z", "modified": "2017-12-22T11:01:30.000Z", "pattern": "[domain-name:value = 'mvband.net' AND domain-name:resolves_to_refs[*].value = '89.45.67.144']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:01:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce61a-c1f0-4c7c-b815-4fa9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:01:46.000Z", "modified": "2017-12-22T11:01:46.000Z", 
"pattern": "[domain-name:value = 'mvtband.net' AND domain-name:resolves_to_refs[*].value = '89.33.246.117']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:01:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce63e-0240-46f5-b9ed-4759950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:02:22.000Z", "modified": "2017-12-22T11:02:22.000Z", "pattern": "[domain-name:value = 'servicecdp.com' AND domain-name:resolves_to_refs[*].value = '87.236.211.182']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:02:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce64e-8bf8-4dc6-be49-437f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:02:38.000Z", "modified": "2017-12-22T11:02:38.000Z", "pattern": "[domain-name:value = 'runvercheck.com' AND domain-name:resolves_to_refs[*].value = '185.156.173.70']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:02:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce65c-fc40-4585-817e-4ca3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:02:52.000Z", "modified": "2017-12-22T11:02:52.000Z", "pattern": "[domain-name:value = 'remsupport.org' AND 
domain-name:resolves_to_refs[*].value = '191.101.31.96']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:02:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce66e-70b4-47e7-b965-46f6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:03:10.000Z", "modified": "2017-12-22T11:03:10.000Z", "pattern": "[domain-name:value = 'viters.org' AND domain-name:resolves_to_refs[*].value = '89.187.150.44']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:03:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce680-90d4-478d-95db-48a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:03:28.000Z", "modified": "2017-12-22T11:03:28.000Z", "pattern": "[domain-name:value = 'myinvestgroup.com' AND domain-name:resolves_to_refs[*].value = '146.185.253.132']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:03:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce68d-1940-4ea6-becd-44fe950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:03:41.000Z", "modified": "2017-12-22T11:03:41.000Z", "pattern": "[domain-name:value = 'space-delivery.com' AND domain-name:resolves_to_refs[*].value = '86.106.131.141']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:03:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce6a1-3f1c-4d5d-bac7-406d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:04:01.000Z", "modified": "2017-12-22T11:04:01.000Z", "pattern": "[domain-name:value = 'satellitedeluxpanorama.com' AND domain-name:resolves_to_refs[*].value = '89.34.111.160']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:04:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3ce6ae-98d8-4270-b88f-47f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-22T11:04:14.000Z", "modified": "2017-12-22T11:04:14.000Z", "pattern": "[domain-name:value = 'webviewres.net' AND domain-name:resolves_to_refs[*].value = '185.216.35.26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-22T11:04:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bb972efe-905e-4e27-ae87-e6a9ef1949e5", "created": "2017-12-22T10:17:06.000Z", "modified": "2017-12-22T10:17:06.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3cda96-85c4-45a1-82ea-c5ed950d210f", "target_ref": "indicator--5a3c3045-ab0c-4d38-8efe-459002de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": 
"relationship--c24bebab-8518-446f-8b8d-59eda908bf93", "created": "2017-12-22T10:21:31.000Z", "modified": "2017-12-22T10:21:31.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3cdbc7-dbec-4b8c-8ba3-4c5a950d210f", "target_ref": "indicator--5a3c3045-61dc-495c-ae8a-471e02de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--14df0d51-8dfb-4280-adc8-90083c32c8e5", "created": "2017-12-22T10:23:30.000Z", "modified": "2017-12-22T10:23:30.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3cdbf6-f814-491f-9f93-4c59950d210f", "target_ref": "indicator--5a3c3045-e354-4978-a6b4-49ad02de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--39b7fc16-eb97-4590-85db-20aaefd51abf", "created": "2017-12-22T10:22:49.000Z", "modified": "2017-12-22T10:22:49.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3cdc09-6fbc-4ca1-bfaa-c5ed950d210f", "target_ref": "indicator--5a3c3045-968c-4572-9f64-491502de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--44c86514-4c60-452a-b303-ed47fbaf789b", "created": "2017-12-22T10:23:46.000Z", "modified": "2017-12-22T10:23:46.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3cdc21-856c-48bd-a757-4f4b950d210f", "target_ref": "indicator--5a3c3045-e354-4978-a6b4-49ad02de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f712ad07-5c35-4815-989f-c0f652a3351f", "created": "2017-12-22T10:23:09.000Z", "modified": "2017-12-22T10:23:09.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3cdc37-89e8-4a2d-823a-4af8950d210f", "target_ref": "indicator--5a3c3045-eb44-433f-a13a-44b902de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a354a0aa-0a47-4c14-8f08-e711d0c8a43f", "created": "2017-12-22T10:22:09.000Z", "modified": "2017-12-22T10:22:09.000Z", "relationship_type": "communicates-with", "source_ref": 
"indicator--5a3cdc48-b9a0-4775-a03f-5156950d210f", "target_ref": "indicator--5a3c3045-6a88-479d-b799-4d3d02de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a969b7db-a3c8-4704-9553-64eadefd75f8", "created": "2017-12-22T10:24:40.000Z", "modified": "2017-12-22T10:24:40.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3cdc5a-8760-4efa-949a-4c5a950d210f", "target_ref": "indicator--5a3c3045-7480-4831-a5c4-48c802de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a6dafa7e-3940-4684-a79d-effc529040d0", "created": "2017-12-22T10:24:24.000Z", "modified": "2017-12-22T10:24:24.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3cdc72-1538-4c66-af46-427b950d210f", "target_ref": "indicator--5a3c3045-7480-4831-a5c4-48c802de0b81" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--02f6d3eb-f38d-4d6e-831c-2b2954407029", "created": "2017-12-22T12:57:39.000Z", "modified": "2017-12-22T12:57:39.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce3a9-f070-4403-a1f6-4b8c950d210f", "target_ref": "indicator--5a3ce58a-3198-4cb8-9d51-44e5950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--17273fb5-40c9-43c8-974a-474e1da878bd", "created": "2017-12-22T13:15:18.000Z", "modified": "2017-12-22T13:15:18.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce3c3-34b4-4e1f-b238-4399950d210f", "target_ref": "indicator--5a3ce6ae-98d8-4270-b88f-47f2950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--73caebaf-02be-4bb0-8897-d2c352b1bdd4", "created": "2017-12-22T13:15:28.000Z", "modified": "2017-12-22T13:15:28.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce3d4-07bc-4af3-90fc-4798950d210f", "target_ref": "indicator--5a3ce6a1-3f1c-4d5d-bac7-406d950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": 
"relationship--1395dee5-7c69-41bd-8337-03b18bc32e97", "created": "2017-12-22T13:16:54.000Z", "modified": "2017-12-22T13:16:54.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce3ea-580c-477c-9b73-4e57950d210f", "target_ref": "indicator--5a3ce68d-1940-4ea6-becd-44fe950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bfd09e83-7026-49d3-9396-f51a3e12a754", "created": "2017-12-22T13:07:24.000Z", "modified": "2017-12-22T13:07:24.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce404-efc0-4f15-864e-55ea950d210f", "target_ref": "indicator--5a3ce680-90d4-478d-95db-48a6950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8d6a6c8c-dde0-4588-9efc-bcd63135e6c9", "created": "2017-12-22T13:14:43.000Z", "modified": "2017-12-22T13:14:43.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce417-7cd4-4c36-8a73-55ea950d210f", "target_ref": "indicator--5a3ce66e-70b4-47e7-b965-46f6950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--54dce59f-6019-4ef3-af44-34e9c4641651", "created": "2017-12-22T13:08:26.000Z", "modified": "2017-12-22T13:08:26.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce42b-2e0c-4a26-b6c8-47a3950d210f", "target_ref": "indicator--5a3ce60a-6db8-4212-b194-4339950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--39ce2c4b-d297-4027-9d10-a0fbf73662e3", "created": "2017-12-22T13:08:37.000Z", "modified": "2017-12-22T13:08:37.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce42b-2e0c-4a26-b6c8-47a3950d210f", "target_ref": "indicator--5a3ce61a-c1f0-4c7c-b815-4fa9950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5a5307cd-ac4e-4f46-978a-9892ef212dff", "created": "2017-12-22T13:12:00.000Z", "modified": "2017-12-22T13:12:00.000Z", "relationship_type": "communicates-with", "source_ref": 
"indicator--5a3ce43a-5478-4f65-95b2-4e1e950d210f", "target_ref": "indicator--5a3ce5f8-3418-4f7b-ae41-4bca950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--44571124-844a-4ab4-a575-7bed940273be", "created": "2017-12-22T11:05:34.000Z", "modified": "2017-12-22T11:05:34.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce44a-ce70-42b7-80b8-c328950d210f", "target_ref": "indicator--5a3ce64e-8bf8-4dc6-be49-437f950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2cc68a24-aa81-486f-b8b4-061ea51b1a9d", "created": "2017-12-22T11:05:53.000Z", "modified": "2017-12-22T11:05:53.000Z", "relationship_type": "communicates-with", "source_ref": "indicator--5a3ce44a-ce70-42b7-80b8-c328950d210f", "target_ref": "indicator--5a3ce65c-fc40-4585-817e-4ca3950d210f" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }