{ "type": "bundle", "id": "bundle--5c3f3eca-3ce8-4bb0-8f24-43c0950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:37.000Z", "modified": "2019-01-17T11:00:37.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5c3f3eca-3ce8-4bb0-8f24-43c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:37.000Z", "modified": "2019-01-17T11:00:37.000Z", "name": "OSINT - Threat Actor \u201cCold River\u201d: Network Traffic Analysis and a Deep Dive on Agent Drable", "published": "2019-01-17T11:00:57Z", "object_refs": [ "observed-data--5c3f45a3-939c-4161-aced-4586950d210f", "url--5c3f45a3-939c-4161-aced-4586950d210f", "x-misp-attribute--5c3f4698-757c-4466-b3be-4457950d210f", "indicator--5c3f4cdc-9928-4d32-9ed1-82e5950d210f", "indicator--5c4035b9-a0e0-4a00-96c7-4f77950d210f", "indicator--5c4036e7-cde0-4795-b1e7-462c950d210f", "indicator--5c4036ed-7310-48ea-9f64-47e2950d210f", "indicator--5c4036ee-e8b0-470e-81f0-489a950d210f", "indicator--5c4036ee-b920-40ce-9802-4854950d210f", "indicator--5c4036ef-3818-4a57-bd3b-4d04950d210f", "indicator--5c403bbc-4d24-46a6-83eb-4eea950d210f", "indicator--5c403bbd-4f68-4256-bfa6-46e9950d210f", "indicator--5c403bbd-e298-4419-a1cd-4c2b950d210f", "indicator--5c403bbe-3ff8-4da5-b8a2-4604950d210f", "indicator--5c403bbe-99d4-47e6-8cb0-4e86950d210f", "indicator--5c403bbf-f648-4156-85e6-42ce950d210f", "indicator--5c403bbf-b8b0-4e0c-92f0-4757950d210f", "indicator--5c403bc0-dfcc-49a1-850c-48b7950d210f", "indicator--5c403e29-35cc-497d-8e69-4aa7950d210f", "indicator--5c403ed9-c76c-4390-8782-4dc3950d210f", "indicator--5c403ed9-aa4c-4740-b455-464f950d210f", "indicator--5c403eda-9444-4932-a982-43d7950d210f", "indicator--5c403eda-c210-49b8-8d66-4ede950d210f", "indicator--5c403edb-bb74-4ec9-82d6-4f31950d210f", 
"indicator--5c403edb-feb8-401a-93fd-4dbd950d210f", "indicator--5c403edc-6934-4289-a417-4377950d210f", "indicator--5c403edd-93ac-4c08-9d81-4c37950d210f", "indicator--5c403edd-7dac-49a4-81a4-44e0950d210f", "indicator--5c404095-60e0-405d-88e5-4073950d210f", "indicator--5c404096-b05c-4197-8887-4a82950d210f", "indicator--5c404096-1914-44d6-a9fb-4415950d210f", "observed-data--5c404188-ffa8-4fe9-a371-4b3c950d210f", "windows-registry-key--5c404188-ffa8-4fe9-a371-4b3c950d210f", "indicator--5c404189-6988-4169-9f92-466a950d210f", "observed-data--5c404189-0f60-45c0-876e-41e6950d210f", "windows-registry-key--5c404189-0f60-45c0-876e-41e6950d210f", "indicator--5c40418a-91d4-48fb-a083-4180950d210f", "indicator--5c40418a-8778-48f9-a9dd-468e950d210f", "indicator--5c40418b-6908-412b-bb68-4620950d210f", "observed-data--5c40418b-17e8-4969-910d-41a5950d210f", "windows-registry-key--5c40418b-17e8-4969-910d-41a5950d210f", "indicator--5c3f46f9-f208-4ad9-9ce1-4c08950d210f", "indicator--5c3f4980-f148-4b82-bbb4-4fc6950d210f", "x-misp-object--5c402de1-c87c-479a-9aad-45dd950d210f", "indicator--5c402e8c-09f8-42f0-b7a0-4d0c950d210f", "indicator--5c403100-1104-4b24-9e5a-441f950d210f", "indicator--5c40331a-a4c4-44ed-9774-4a0a950d210f", "indicator--5c403585-b7e8-47f2-ad7d-44ee950d210f", "indicator--5c403f9a-39c8-4cad-bac3-452a950d210f", "indicator--3865d658-4ec2-4ccf-8437-2cf9ecdd8dac", "x-misp-object--3c8bf6c1-e76a-4d68-95ec-8f98f353c35f", "indicator--d866b492-3e79-4f62-ae4b-8fcfe1ec0a05", "x-misp-object--28884802-adc0-41dd-85c5-f37b24623600", "indicator--b8c3e2c4-dd23-4d42-8f1e-83832c52602b", "x-misp-object--fa573724-154a-4d4e-84a1-f36c91f5422e", "indicator--e672e426-1d42-42e0-b1d0-fbc9d846b35c", "x-misp-object--553ba70d-9782-43f5-8355-434287122d90", "relationship--ff4d7cdb-997a-46f2-88eb-8f72fb1231d3", "relationship--319172e1-0043-4839-9ce0-262278e8bf25", "relationship--78b856ed-4776-474d-a400-5bb00f25d1cc", "relationship--a6b00c7a-436c-49af-ade3-66d0fd574642" ], "labels": [ "Threat-Report", 
"misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "misp-galaxy:threat-actor=\"Cold River\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c3f45a3-939c-4161-aced-4586950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:59:23.000Z", "modified": "2019-01-17T08:59:23.000Z", "first_observed": "2019-01-17T08:59:23Z", "last_observed": "2019-01-17T08:59:23Z", "number_observed": 1, "object_refs": [ "url--5c3f45a3-939c-4161-aced-4586950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5c3f45a3-939c-4161-aced-4586950d210f", "value": "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c3f4698-757c-4466-b3be-4457950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:59:22.000Z", "modified": "2019-01-17T08:59:22.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "While reviewing some network anomalies, we recently uncovered Cold River, a sophisticated threat actor making malicious use of DNS tunneling for command and control activities. 
We have been able to decode the raw traffic in command and control, find sophisticated lure documents used in the campaign, connect other previously unknown samples, and associate a number of legitimate organizations whose infrastructure is referenced and used in the campaign.\r\n\r\nThe campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates, though, Indian and Canadian companies with interests in those Middle Eastern countries are also targeted. There are new TTPs used in this attack \u2013 for example Agent_Drable is leveraging the Django python framework for command and control infrastructure, the technical details of which are outlined later in the blog." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c3f4cdc-9928-4d32-9ed1-82e5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-16T15:25:16.000Z", "modified": "2019-01-16T15:25:16.000Z", "description": "callback domain", "pattern": "[domain-name:value = '0ffice36o.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-16T15:25:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4035b9-a0e0-4a00-96c7-4f77950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:12:20.000Z", "modified": "2019-01-17T08:12:20.000Z", "description": "Hardcoded HTTP CnC, not used at the time of the analysis.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.161.211.72']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:12:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ 
"misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4036e7-cde0-4795-b1e7-462c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:03:51.000Z", "modified": "2019-01-17T08:03:51.000Z", "description": "DNS queries from different victims", "pattern": "[domain-name:value = 'crzugfdhsmrqgq4hy000.0ffice36o.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:03:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4036ed-7310-48ea-9f64-47e2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:03:57.000Z", "modified": "2019-01-17T08:03:57.000Z", "description": "DNS queries from different victims", "pattern": "[domain-name:value = 'gyc3gfmhomrqgq4hy.0ffice36o.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:03:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4036ee-e8b0-470e-81f0-489a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:03:58.000Z", "modified": "2019-01-17T08:03:58.000Z", "description": "DNS queries from different victims", "pattern": "[domain-name:value = 'svg4gf2ugmrqgq4hy.0ffice36o.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:03:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ 
"misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4036ee-b920-40ce-9802-4854950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:03:58.000Z", "modified": "2019-01-17T08:03:58.000Z", "description": "DNS queries from different victims", "pattern": "[domain-name:value = 'hnahgfmg4mrqgq4hy.0ffice36o.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:03:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4036ef-3818-4a57-bd3b-4d04950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:03:59.000Z", "modified": "2019-01-17T08:03:59.000Z", "description": "DNS queries from different victims", "pattern": "[domain-name:value = '6ghzgf2ugmd4ji2vor2tgvkeutkf.0ffice36o.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:03:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403bbc-4d24-46a6-83eb-4eea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:24:28.000Z", "modified": "2019-01-17T08:24:28.000Z", "description": "Mostly used to generate Let\u2019s Encrypt certificates. Port 443 still answers with memail.mea.com[.]lb. 
Port 444 has a \u201cGlobalSign\u201d certificate of memail.mea.com[.]lb.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.187.8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:24:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403bbd-4f68-4256-bfa6-46e9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:24:29.000Z", "modified": "2019-01-17T08:24:29.000Z", "pattern": "[domain-name:value = 'memail.mea.com.lb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:24:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403bbd-e298-4419-a1cd-4c2b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:24:29.000Z", "modified": "2019-01-17T08:24:29.000Z", "description": "Live HTTP CnC. 
Ports 80 and 443 return interesting Django debug info.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.138']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:24:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403bbe-3ff8-4da5-b8a2-4604950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:24:30.000Z", "modified": "2019-01-17T08:24:30.000Z", "description": "Unknown usage. Basic authentication protected page on port 7070 with https, cert CN is \u201ckerteros\u201d. Port 8083 hosts a webserver, but only returns a blank page.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.157']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:24:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403bbe-99d4-47e6-8cb0-4e86950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:24:30.000Z", "modified": "2019-01-17T08:24:30.000Z", "description": "Hosted the HR phishing domains hr-suncor[.]com and hr-wipro[.]com, now redirect to the legitimate website.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.161.211.79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:24:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], 
"labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403bbf-f648-4156-85e6-42ce950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:24:31.000Z", "modified": "2019-01-17T08:24:31.000Z", "pattern": "[domain-name:value = 'hr-suncor.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:24:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403bbf-b8b0-4e0c-92f0-4757950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:24:31.000Z", "modified": "2019-01-17T08:24:31.000Z", "pattern": "[domain-name:value = 'hr-wipro.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:24:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403bc0-dfcc-49a1-850c-48b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:24:31.000Z", "modified": "2019-01-17T08:24:31.000Z", "description": "Openconnect VPN used to reach the HTTP CnC.", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.9.177.22']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:24:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--5c403e29-35cc-497d-8e69-4aa7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:34:49.000Z", "modified": "2019-01-17T08:34:49.000Z", "pattern": "[domain-name:value = 'files-sender.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:34:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403ed9-c76c-4390-8782-4dc3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:45.000Z", "modified": "2019-01-17T08:37:45.000Z", "pattern": "[url:value = 'https://crt.sh/?id=923463758']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403ed9-aa4c-4740-b455-464f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:45.000Z", "modified": "2019-01-17T08:37:45.000Z", "pattern": "[domain-name:value = 'webmail.finance.gov.lb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403eda-9444-4932-a982-43d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:46.000Z", 
"modified": "2019-01-17T08:37:46.000Z", "pattern": "[url:value = 'https://crt.sh/?id=922787406']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403eda-c210-49b8-8d66-4ede950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:46.000Z", "modified": "2019-01-17T08:37:46.000Z", "pattern": "[domain-name:value = 'mail.apc.gov.ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403edb-bb74-4ec9-82d6-4f31950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:47.000Z", "modified": "2019-01-17T08:37:47.000Z", "pattern": "[url:value = 'https://crt.sh/?id=782678542']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403edb-feb8-401a-93fd-4dbd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:47.000Z", "modified": "2019-01-17T08:37:47.000Z", "pattern": "[domain-name:value = 'mail.mgov.ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:47Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403edc-6934-4289-a417-4377950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:48.000Z", "modified": "2019-01-17T08:37:48.000Z", "pattern": "[url:value = 'https://crt.sh/?id=750443611']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403edd-93ac-4c08-9d81-4c37950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:49.000Z", "modified": "2019-01-17T08:37:49.000Z", "pattern": "[domain-name:value = 'adpvpn.adpolice.gov.ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403edd-7dac-49a4-81a4-44e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:37:49.000Z", "modified": "2019-01-17T08:37:49.000Z", "pattern": "[url:value = 'https://crt.sh/?id=741047630']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:37:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--5c404095-60e0-405d-88e5-4073950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:45:09.000Z", "modified": "2019-01-17T08:45:09.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.15']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:45:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c404096-b05c-4197-8887-4a82950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:45:10.000Z", "modified": "2019-01-17T08:45:10.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.148.109.193']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:45:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c404096-1914-44d6-a9fb-4415950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:45:10.000Z", "modified": "2019-01-17T08:45:10.000Z", "pattern": "[domain-name:value = 'microsoftonedrive.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:45:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c404188-ffa8-4fe9-a371-4b3c950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:49:12.000Z", "modified": "2019-01-17T08:49:12.000Z", "first_observed": "2019-01-17T08:49:12Z", "last_observed": "2019-01-17T08:49:12Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5c404188-ffa8-4fe9-a371-4b3c950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5c404188-ffa8-4fe9-a371-4b3c950d210f", "key": "%userprofile%\\.oracleServices\\Apps\\" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c404189-6988-4169-9f92-466a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:49:13.000Z", "modified": "2019-01-17T08:49:13.000Z", "description": "Filesystem artifacts", "pattern": "[file:name = '\\\\%userprofile\\\\%\\\\.oracleServices\\\\Configure.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:49:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c404189-0f60-45c0-876e-41e6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:49:13.000Z", "modified": "2019-01-17T08:49:13.000Z", "first_observed": "2019-01-17T08:49:13Z", "last_observed": "2019-01-17T08:49:13Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5c404189-0f60-45c0-876e-41e6950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5c404189-0f60-45c0-876e-41e6950d210f", "key": "%userprofile%\\.oracleServices\\Downloads\\" }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--5c40418a-91d4-48fb-a083-4180950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:49:14.000Z", "modified": "2019-01-17T08:49:14.000Z", "description": "Filesystem artifacts", "pattern": "[file:name = '\\\\%userprofile\\\\%\\\\.oracleServices\\\\log.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:49:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c40418a-8778-48f9-a9dd-468e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:49:14.000Z", "modified": "2019-01-17T08:49:14.000Z", "description": "Filesystem artifacts", "pattern": "[file:name = '\\\\%userprofile\\\\%\\\\.oracleServices\\\\svshost_serv.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:49:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c40418b-6908-412b-bb68-4620950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:49:15.000Z", "modified": "2019-01-17T08:49:15.000Z", "description": "Filesystem artifacts", "pattern": "[file:name = '\\\\%userprofile\\\\%\\\\.oracleServices\\\\svshost_serv.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:49:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": 
"observed-data", "spec_version": "2.1", "id": "observed-data--5c40418b-17e8-4969-910d-41a5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:49:15.000Z", "modified": "2019-01-17T08:49:15.000Z", "first_observed": "2019-01-17T08:49:15Z", "last_observed": "2019-01-17T08:49:15Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5c40418b-17e8-4969-910d-41a5950d210f" ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5c40418b-17e8-4969-910d-41a5950d210f", "key": "%userprofile%\\.oracleServices\\Uploads\\" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c3f46f9-f208-4ad9-9ce1-4c08950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-16T15:00:09.000Z", "modified": "2019-01-16T15:00:09.000Z", "description": "weaponized empty document", "pattern": "[file:hashes.SHA1 = '1f007ab17b62cca88a5681f02089ab33adc10eec' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-16T15:00:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c3f4980-f148-4b82-bbb4-4fc6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-16T15:10:56.000Z", "modified": "2019-01-16T15:10:56.000Z", "description": "HR document from Suncor", "pattern": "[file:hashes.SHA1 = '9ea865e000e3e15cec15efc466801bb181ba40a1' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-16T15:10:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", 
"misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5c402de1-c87c-479a-9aad-45dd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T07:25:21.000Z", "modified": "2019-01-17T07:25:21.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "@securitydoggo @James_inthe_box @malwrhunterteam @Malwageddon Possible DNS tunneler/stager with 0ffice36o[.]com C2. Anyone speak Russian? https://www.sendspace.com/file/69a6bc", "category": "Other", "uuid": "5c402de1-116c-4d24-ae84-46d2950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5c402de1-8bf8-4b46-8284-4149950d210f" }, { "type": "url", "object_relation": "url", "value": "https://twitter.com/KorbenD_Intel/status/1053037793012781061", "category": "Network activity", "to_ids": true, "uuid": "5c402de1-8c20-4156-a2ca-441c950d210f" }, { "type": "text", "object_relation": "username-quoted", "value": "@securitydoggo", "category": "Other", "uuid": "5c402de2-b470-4625-899a-42d8950d210f" }, { "type": "text", "object_relation": "username-quoted", "value": "@James_inthe_box", "category": "Other", "uuid": "5c402de2-6b7c-4f2b-9ab6-438e950d210f" }, { "type": "text", "object_relation": "username-quoted", "value": "@Malwageddon", "category": "Other", "uuid": "5c402de3-a27c-4dc8-9dd9-42e3950d210f" }, { "type": "text", "object_relation": "username-quoted", "value": "@malwrhunterteam", "category": "Other", "uuid": "5c402de3-aad8-4803-bf02-415a950d210f" }, { "type": "url", "object_relation": "link", "value": "https://www.sendspace.com/file/69a6bc", "category": "Network activity", "to_ids": true, "uuid": "5c402de4-8fc0-4cc4-a3f9-496d950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "2018-10-18T14:39:00", "category": "Other", "uuid": 
"5c402de4-3e70-478a-b932-442e950d210f" }, { "type": "text", "object_relation": "username", "value": "@KorbenD_Intel", "category": "Other", "uuid": "5c402de5-0364-4a8d-a8e7-45ff950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c402e8c-09f8-42f0-b7a0-4d0c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T07:28:12.000Z", "modified": "2019-01-17T07:28:12.000Z", "description": "Empty doc", "pattern": "[file:hashes.SHA1 = '1f007ab17b62cca88a5681f02089ab33adc10eec' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T07:28:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403100-1104-4b24-9e5a-441f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T07:38:40.000Z", "modified": "2019-01-17T07:38:40.000Z", "description": "Suncor decoy", "pattern": "[file:hashes.SHA1 = '9ea865e000e3e15cec15efc466801bb181ba40a1' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T07:38:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c40331a-a4c4-44ed-9774-4a0a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T07:47:38.000Z", "modified": "2019-01-17T07:47:38.000Z", "description": "Payload with logs information", "pattern": "[file:hashes.SHA1 = '1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5' AND file:x_misp_state = 'Malicious']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T07:47:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403585-b7e8-47f2-ad7d-44ee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T07:57:57.000Z", "modified": "2019-01-17T07:57:57.000Z", "description": "Payload without logs information", "pattern": "[file:hashes.SHA1 = '1022620da25db2497dc237adedb53755e6b859e3' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T07:57:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c403f9a-39c8-4cad-bac3-452a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T08:40:58.000Z", "modified": "2019-01-17T08:40:58.000Z", "description": "Dropper (maldoc)", "pattern": "[file:hashes.SHA1 = '678ea06ebf058f33fffa1237d40b89b47f0e45e1' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T08:40:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3865d658-4ec2-4ccf-8437-2cf9ecdd8dac", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:09.000Z", "modified": "2019-01-17T11:00:09.000Z", "pattern": "[file:hashes.MD5 = '48320f502811645fa1f2f614bd8a385a' AND file:hashes.SHA1 = '1f007ab17b62cca88a5681f02089ab33adc10eec' 
AND file:hashes.SHA256 = '15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T11:00:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3c8bf6c1-e76a-4d68-95ec-8f98f353c35f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:11.000Z", "modified": "2019-01-17T11:00:11.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-15T07:47:18", "category": "Other", "uuid": "98d5929e-dcfd-441b-bfda-7b38ea435eec" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa/analysis/1547538438/", "category": "External analysis", "uuid": "4fc92056-064b-472c-b77b-3f30cf915fca" }, { "type": "text", "object_relation": "detection-ratio", "value": "37/58", "category": "Other", "uuid": "a49850e2-6174-403b-8eac-8cad60a6e895" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d866b492-3e79-4f62-ae4b-8fcfe1ec0a05", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:12.000Z", "modified": "2019-01-17T11:00:12.000Z", "pattern": "[file:hashes.MD5 = 'c00c9f6ebf2979292d524acff19dd306' AND file:hashes.SHA1 = '1022620da25db2497dc237adedb53755e6b859e3' AND file:hashes.SHA256 = '45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T11:00:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--28884802-adc0-41dd-85c5-f37b24623600", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:14.000Z", "modified": "2019-01-17T11:00:14.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-12-21T08:26:31", "category": "Other", "uuid": "d2f9d666-d4b2-4ed5-b123-0ca8a51144cc" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff/analysis/1545380791/", "category": "External analysis", "uuid": "0180ce7c-4d8f-4dc2-a1c1-d69f89da88bb" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/70", "category": "Other", "uuid": "be1bde68-c09d-49b2-bc65-75b1771d2b48" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b8c3e2c4-dd23-4d42-8f1e-83832c52602b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:15.000Z", "modified": "2019-01-17T11:00:15.000Z", "pattern": "[file:hashes.MD5 = '807482efce3397ece64a1ded3d436139' AND file:hashes.SHA1 = '9ea865e000e3e15cec15efc466801bb181ba40a1' AND file:hashes.SHA256 = '9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T11:00:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--fa573724-154a-4d4e-84a1-f36c91f5422e", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:17.000Z", "modified": "2019-01-17T11:00:17.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-12-22T03:41:06", "category": "Other", "uuid": "b4ba042e-d5d3-47db-8839-1b8701adc6a0" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14/analysis/1545450066/", "category": "External analysis", "uuid": "0d61fdfd-883b-46d6-ad89-d1efb20fb53d" }, { "type": "text", "object_relation": "detection-ratio", "value": "36/60", "category": "Other", "uuid": "97e10fc5-576b-4edc-b0f6-0e18effdcf0c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e672e426-1d42-42e0-b1d0-fbc9d846b35c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:18.000Z", "modified": "2019-01-17T11:00:18.000Z", "pattern": "[file:hashes.MD5 = 'd2052cb9016dab6592c532d5ea47cb7e' AND file:hashes.SHA1 = '1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5' AND file:hashes.SHA256 = '2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-17T11:00:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--553ba70d-9782-43f5-8355-434287122d90", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-17T11:00:21.000Z", "modified": "2019-01-17T11:00:21.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": 
"datetime", "object_relation": "last-submission", "value": "2018-12-21T08:26:28", "category": "Other", "uuid": "39d91f37-902a-4939-be62-c55c26d410f1" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/analysis/1545380788/", "category": "External analysis", "uuid": "bcc36707-9559-4949-8ac7-baa0bb6078b2" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/69", "category": "Other", "uuid": "88168f7f-ef6b-466d-a831-053c528c2343" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ff4d7cdb-997a-46f2-88eb-8f72fb1231d3", "created": "2019-01-17T11:00:22.000Z", "modified": "2019-01-17T11:00:22.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--3865d658-4ec2-4ccf-8437-2cf9ecdd8dac", "target_ref": "x-misp-object--3c8bf6c1-e76a-4d68-95ec-8f98f353c35f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--319172e1-0043-4839-9ce0-262278e8bf25", "created": "2019-01-17T11:00:23.000Z", "modified": "2019-01-17T11:00:23.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d866b492-3e79-4f62-ae4b-8fcfe1ec0a05", "target_ref": "x-misp-object--28884802-adc0-41dd-85c5-f37b24623600" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--78b856ed-4776-474d-a400-5bb00f25d1cc", "created": "2019-01-17T11:00:23.000Z", "modified": "2019-01-17T11:00:23.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b8c3e2c4-dd23-4d42-8f1e-83832c52602b", "target_ref": "x-misp-object--fa573724-154a-4d4e-84a1-f36c91f5422e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a6b00c7a-436c-49af-ade3-66d0fd574642", "created": "2019-01-17T11:00:23.000Z", "modified": "2019-01-17T11:00:23.000Z", "relationship_type": "analysed-with", "source_ref": 
"indicator--e672e426-1d42-42e0-b1d0-fbc9d846b35c", "target_ref": "x-misp-object--553ba70d-9782-43f5-8355-434287122d90" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }