{ "type": "bundle", "id": "bundle--5a29b981-af60-4e6f-af70-480b950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:11:11.000Z", "modified": "2018-10-26T10:11:11.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5a29b981-af60-4e6f-af70-480b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:11:11.000Z", "modified": "2018-10-26T10:11:11.000Z", "name": "OSINT - THE SHADOWS OF GHOSTS INSIDE THE RESPONSE OF A UNIQUE CARBANAK INTRUSION", "context": "suspicious-activity", "object_refs": [ "observed-data--5a29b997-3ed0-4604-bfc8-4dcd950d210f", "url--5a29b997-3ed0-4604-bfc8-4dcd950d210f", "indicator--5a2fa0b0-1dac-4180-866f-4933950d210f", "indicator--5a2fa0b1-bab4-4930-8497-4933950d210f", "indicator--5a2fa0b2-14b4-4773-ac02-4933950d210f", "indicator--5a2fa0b2-6704-405c-94d4-4933950d210f", "indicator--5a2fa0b2-b574-43d4-8765-4933950d210f", "indicator--5a2fa0b2-10f8-4461-9ea5-4933950d210f", "indicator--5a2fad90-0854-4508-9b1a-4889950d210f", "indicator--5a2fad91-5048-4a72-934e-471e950d210f", "indicator--5a2fad92-1bf0-4fc7-8825-409b950d210f", "indicator--5a2fad93-02fc-46f3-a23e-4bb5950d210f", "indicator--5a2fad93-bba0-45ef-a648-45e9950d210f", "indicator--5a2fad94-2034-4a1a-a49e-4826950d210f", "indicator--5a2fad95-d9d0-4aab-b427-4177950d210f", "indicator--5a2fad95-7e60-4860-b6fe-42b9950d210f", "indicator--5a2fad96-5484-48ce-b77e-47b3950d210f", "indicator--5a2fb05d-c778-4fbe-b043-4e56950d210f", "indicator--5a2fb05d-35b8-4ab7-a7f0-42e3950d210f", "indicator--5a2fb05e-ff64-4760-8516-43bc950d210f", "indicator--5a2fb05f-6cd0-45a2-99b2-4ff8950d210f", "indicator--5a2fb05f-6338-4c73-9185-4dcc950d210f", "indicator--5a2fb060-05d0-4bf6-a42d-4598950d210f", "indicator--5a2fb061-92fc-400e-a558-410a950d210f", "indicator--5a2fb061-28e4-4908-8d24-4c41950d210f", "indicator--5a310fac-7af4-44fd-b616-da3b02de0b81", "indicator--5a310fac-a020-462a-8ac7-da3b02de0b81", "observed-data--5a310fac-4260-4700-8a51-da3b02de0b81", "url--5a310fac-4260-4700-8a51-da3b02de0b81", "x-misp-attribute--5bd2e2ab-7b04-4327-acbb-4d71950d210f", "indicator--5a2f8bf2-f160-4b0f-9e7a-493e950d210f", "indicator--5a2f8c82-07a8-45b4-9457-4200950d210f", "indicator--5a2f8d2a-dec0-4067-b077-4e7d950d210f", "indicator--5a2f8d6f-5e3c-43b1-a21b-4f5b950d210f", "indicator--5a2f8dca-2278-4017-835c-4e9b950d210f", "indicator--5a2f8e07-cd40-4b64-9b3f-4cc0950d210f", "indicator--5a2f8e44-5d50-48a8-be17-4d0a950d210f", "indicator--5a2f950e-862c-4a2b-a94e-45a3950d210f", "indicator--5a2f9576-3c3c-4790-9339-397e950d210f", "indicator--5a2f95ab-28d4-49bf-ac64-1e00950d210f", "indicator--5a2f95f0-4c64-4b47-a395-4a58950d210f", "indicator--5a2f9643-08a8-4902-b7f4-4843950d210f", "indicator--5a2f99b1-a784-4add-bcf7-4933950d210f", "indicator--5a2f99dc-c454-41e9-a090-458d950d210f", "indicator--5a2f9a7d-1ccc-48f4-a0d0-1d7a950d210f", "indicator--5a2f9e7f-cbd0-4050-845b-4a58950d210f", "indicator--5a2f9e9a-48a0-4ed3-91fe-825f950d210f", "indicator--5a2f9f45-8874-4ec0-9e5f-7e7d950d210f", "indicator--5a2fa096-2e10-4212-81a1-4a63950d210f", "indicator--5a2fa0d4-3fd4-450d-9d4c-7e7b950d210f", "indicator--89923362-01fd-4462-9078-fa8ec72fb5d9", "x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095", "indicator--9bb176f2-bd20-46fc-b023-173cc70ca916", "x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043", "indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9", "x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5", "indicator--b542464d-5ee4-4028-8de3-db54d17c64ce", "x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b", "indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b", "x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367", "indicator--d7de718f-c607-49dd-8c9e-563927bb5164", "x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226", "x-misp-object--c9a1352e-1cf8-4120-a36a-0ba1412edb36", "x-misp-object--f1c24a94-020b-4842-bd00-554487f85e0c", "x-misp-object--799449bf-c6a1-444f-9361-c8b81002729a", "x-misp-object--d3b462b9-f076-47dd-996e-7b92f83a871d", "x-misp-object--de299626-d70b-4856-8577-71a19b22be1c", "indicator--9bd18f1d-456c-4ba3-b22f-3ac0da8caacf", "x-misp-object--de2cafef-52b7-46ec-b981-f9a5dea89f65", "relationship--88ffb271-2a11-42e9-97c7-f802dae9480c", "relationship--47154b20-320c-4c8a-9ef0-d1af00d507de", "relationship--2493dc34-e7a9-40bc-8d07-6d3e114acf6a", "relationship--55133a6c-3372-49f4-88e8-722b7464e6d2", "relationship--5e671fe2-7c11-42e9-a511-705b781669b2", "relationship--8ae97c2d-9cef-4c83-9690-803e334e6450" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "workflow:state=\"incomplete\"", "workflow:todo=\"review-for-false-positive\"", "misp-galaxy:mitre-intrusion-set=\"Carbanak\"", "type:OSINT", "misp-galaxy:tool=\"SSHDoor\"", "misp-galaxy:malpedia=\"SSHDoor\"", "misp-galaxy:malpedia=\"MimiKatz\"", "misp-galaxy:tool=\"Mimikatz\"", "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a29b997-3ed0-4604-bfc8-4dcd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:39.000Z", "modified": "2017-12-13T17:22:39.000Z", "first_observed": "2017-12-13T17:22:39Z", "last_observed": "2017-12-13T17:22:39Z", "number_observed": 1, "object_refs": [ "url--5a29b997-3ed0-4604-bfc8-4dcd950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a29b997-3ed0-4604-bfc8-4dcd950d210f", "value": "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fa0b0-1dac-4180-866f-4933950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.117.88.97']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fa0b1-bab4-4930-8497-4933950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.45.116']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fa0b2-14b4-4773-ac02-4933950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.46.116']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fa0b2-6704-405c-94d4-4933950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.61.148.96']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fa0b2-b574-43d4-8765-4933950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.61.148.145']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fa0b2-10f8-4461-9ea5-4933950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.86.151.174']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad90-0854-4508-9b1a-4889950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[domain-name:value = 'slpar.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad91-5048-4a72-934e-471e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[domain-name:value = 'centos-repo.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad92-1bf0-4fc7-8825-409b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.165.29.26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad93-02fc-46f3-a23e-4bb5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.165.29.27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad93-bba0-45ef-a648-45e9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.45.179.173']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad94-2034-4a1a-a49e-4826950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.47.122']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad95-d9d0-4aab-b427-4177950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.99.14.211']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad95-7e60-4860-b6fe-42b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.61.192']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fad96-5484-48ce-b77e-47b3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Network Indicators", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.44.129']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fb05d-c778-4fbe-b043-4e56950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T11:31:56.000Z", "modified": "2017-12-13T11:31:56.000Z", "description": "Host Indicators", "pattern": "[file:hashes.MD5 = '1bd7d0c3023c55b5df0201cc5d7bbce1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T11:31:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fb05d-35b8-4ab7-a7f0-42e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T11:31:56.000Z", "modified": "2017-12-13T11:31:56.000Z", "description": "Host Indicators", "pattern": "[file:hashes.MD5 = 'c01fd758abb423c8336ee1bd5035a6c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T11:31:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fb05e-ff64-4760-8516-43bc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T11:31:56.000Z", "modified": "2017-12-13T11:31:56.000Z", "description": "Host Indicators", "pattern": "[file:hashes.MD5 = '0810d239169a13fc0e2e53fc72d2e5f0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T11:31:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fb05f-6cd0-45a2-99b2-4ff8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T11:31:56.000Z", "modified": "2017-12-13T11:31:56.000Z", "description": "Host Indicators", "pattern": "[file:hashes.MD5 = 'd66e31794836dfd2c344d0be435c6d12']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T11:31:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fb05f-6338-4c73-9185-4dcc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T11:31:56.000Z", "modified": "2017-12-13T11:31:56.000Z", "description": "Host Indicators", "pattern": "[file:hashes.MD5 = 'e3c061fa0450056e30285fd44a74cd2a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T11:31:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fb060-05d0-4bf6-a42d-4598950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T11:31:56.000Z", "modified": "2017-12-13T11:31:56.000Z", "description": "Host Indicators", "pattern": "[file:hashes.MD5 = '90d4cc6d4b81b8c462f5aa7166fee6fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T11:31:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fb061-92fc-400e-a558-410a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T11:31:56.000Z", "modified": "2017-12-13T11:31:56.000Z", "description": "Host Indicators", "pattern": "[file:hashes.MD5 = 'eb87856732236e1ac7e168fe264f1b43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T11:31:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fb061-28e4-4908-8d24-4c41950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T11:31:56.000Z", "modified": "2017-12-13T11:31:56.000Z", "description": "Host Indicators", "pattern": "[file:hashes.MD5 = '209bc26396e838e4b665fe3d1ccf7787']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T11:31:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a310fac-7af4-44fd-b616-da3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a", "pattern": "[file:hashes.SHA256 = 'e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a310fac-a020-462a-8ac7-da3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "description": "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a", "pattern": "[file:hashes.SHA1 = '8c7659e6ee9fe5ead17cae2969d3148730be509b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a310fac-4260-4700-8a51-da3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "first_observed": "2017-12-13T17:22:40Z", "last_observed": "2017-12-13T17:22:40Z", "number_observed": 1, "object_refs": [ "url--5a310fac-4260-4700-8a51-da3b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a310fac-4260-4700-8a51-da3b02de0b81", "value": "https://www.virustotal.com/file/e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa/analysis/1513123824/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5bd2e2ab-7b04-4327-acbb-4d71950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T09:47:23.000Z", "modified": "2018-10-26T09:47:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "This report shares actionable threat intelligence and proven threat hunting and incident response methods used by the RSA Incident Response (IR) Team to successfully respond to an intrusion in early-to-mid 2017 by the threat actor group known as CARBANAK, also known as FIN7. The methodology discussed in this report is designed, and has been tested, to be effective on several currently available security technologies. While the majority of examples shown in this document use the RSA NetWitness\u00ae Suite in their illustrations, the methodology, query logic, and behavioral indicators discussed can be used effectively with any security product providing the necessary visibility. The intrusion and response described in this paper highlight key behavioral tactics, techniques, and procedures (TTP) unique to this engagement, giving significant insight into the thought processes, preparation, and adaptive nature of actors within the CARBANAK threat actor group. This paper also illustrates the RSA Incident Response Team\u2019s Incident Response and Threat Hunting Methodology: an unorthodox, adaptive and highly effective methodology used to successfully detect, investigate, scope, track, contain, and ultimately expel these and many other advanced adversaries." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f8bf2-f160-4b0f-9e7a-493e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T07:57:38.000Z", "modified": "2017-12-12T07:57:38.000Z", "pattern": "[file:hashes.MD5 = 'a365fd9076af4d841c84accd58287801' AND file:hashes.SHA1 = 'ba2f90f85cada4be24d925cbff0c2efea6e7f3a8' AND file:name = 'ssh' AND file:size = '1180521']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T07:57:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f8c82-07a8-45b4-9457-4200950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:00:02.000Z", "modified": "2017-12-12T08:00:02.000Z", "pattern": "[file:hashes.MD5 = '9e2e4df27698615df92822646dc9e16b' AND file:hashes.SHA1 = '96e56c39f38b4ef5ac4196ca12742127f286c6fa' AND file:name = 'sshd' AND file:size = '1614437']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:00:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f8d2a-dec0-4067-b077-4e7d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:35.000Z", "modified": "2018-10-26T10:07:35.000Z", "pattern": "[file:hashes.MD5 = 'b57dc2bc16dfdb3de55923aef9a98401' AND file:hashes.SHA1 = '1d3501b30183ba213fb4c22a00d89db6fd50cc34' AND file:name = 'auditd' AND file:size = '21616']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T10:07:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f8d6f-5e3c-43b1-a21b-4f5b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:03:59.000Z", "modified": "2017-12-12T08:03:59.000Z", "pattern": "[file:hashes.MD5 = 'edce844a219c7534e6a1e7c77c3cb020' AND file:hashes.SHA1 = '286bf53934aa33ddf220d61c394af79221a152f1' AND file:name = 'winexe' AND file:size = '8126714']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:03:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f8dca-2278-4017-835c-4e9b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:05:30.000Z", "modified": "2017-12-12T08:05:30.000Z", "pattern": "[file:hashes.MD5 = '771fa63231fb42ee97aa17818a53f432' AND file:hashes.SHA1 = '149a9270d9160120229b7c088975c2754e3b5333' AND file:name = 'l' AND file:size = '16333']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:05:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f8e07-cd40-4b64-9b3f-4cc0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:06:31.000Z", "modified": "2017-12-12T08:06:31.000Z", "pattern": "[file:hashes.MD5 = '0f1c4a2a795fb58bd3c5724af6f1f71a' AND file:hashes.SHA1 = '039f814cdd4ac6f675c908067d5be1d6f9acc31f' AND file:name = 'pscan' AND file:size = '10340']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:06:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f8e44-5d50-48a8-be17-4d0a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:36.000Z", "modified": "2018-10-26T10:07:36.000Z", "pattern": "[file:hashes.MD5 = '370d420948672e04ba8eac10bfe6fc9c' AND file:hashes.SHA1 = '450605b6761ff8dd025978f44724b11e0c5eadcc' AND file:name = 'ctlmon.exe' AND file:size = '4392448']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T10:07:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f950e-862c-4a2b-a94e-45a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:36:30.000Z", "modified": "2017-12-12T08:36:30.000Z", "pattern": "[file:hashes.MD5 = '5ddf9683692154986494ca9dd74b588f' AND file:hashes.SHA1 = '08f527bef45cb001150ef12ad9ab91d1822bb9c7' AND file:name = 'ctlmon_v2.exe' AND file:size = '4047691']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:36:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f9576-3c3c-4790-9339-397e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:38:14.000Z", "modified": "2017-12-12T08:38:14.000Z", "pattern": "[file:hashes.MD5 = 'f9766140642c24d422e19e9cf35f2827' AND file:hashes.SHA1 = '7b27771de1a2540008758e9894bfe168f26bffa0' AND file:name = 'ctlmon_v3.exe' AND file:size = '4063744']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:38:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f95ab-28d4-49bf-ac64-1e00950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:39:07.000Z", "modified": "2017-12-12T08:39:07.000Z", "pattern": "[file:hashes.MD5 = '8b3a91038ecb2f57de5bbd29848b6dc4' AND file:hashes.SHA1 = '54074b3934955d4121d1a01fe2ed5493c3f7f16d' AND file:name = 'svcmd.exe' AND file:size = '47104']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:39:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f95f0-4c64-4b47-a395-4a58950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:40:16.000Z", "modified": "2017-12-12T08:40:16.000Z", "pattern": "[file:hashes.MD5 = '7393cb0f409f8f51b7745981ac30b8b6' AND file:hashes.SHA1 = '6c17113f66efa5115111a9e67c6ddd026ba9b55d' AND file:name = 'TINYP2.bin' AND file:size = '277504']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:40:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f9643-08a8-4902-b7f4-4843950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:41:39.000Z", "modified": "2017-12-12T08:41:39.000Z", "pattern": "[file:hashes.MD5 = 'c4d746b8e5e8e12a50a18c9d61e01864' AND file:hashes.SHA1 = 'c020f8939f136b4785dda7b2e4b80ced96e23663' AND file:name = 'ps.exe' AND file:size = '234496']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:41:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f99b1-a784-4add-bcf7-4933950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:36.000Z", "modified": "2018-10-26T10:07:36.000Z", "pattern": "[file:hashes.MD5 = 'bd126a7b59d5d1f97ba89a3e71425731' AND file:hashes.SHA1 = '457b1cd985ed07baffd8c66ff40e9c1b6da93753' AND file:name = 'UIAutomationCore.dll.bin' AND file:size = '401408']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T10:07:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f99dc-c454-41e9-a090-458d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:36.000Z", "modified": "2018-10-26T10:07:36.000Z", "pattern": "[file:hashes.MD5 = 'b3135736bcfdab27f891dbe4009a8c80' AND file:hashes.SHA1 = '9240e1744e7272e59e482f68a10f126fdf501be0' AND file:name = 'pscp.bin' AND file:size = '359336']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T10:07:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f9a7d-1ccc-48f4-a0d0-1d7a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T08:59:41.000Z", "modified": "2017-12-12T08:59:41.000Z", "pattern": "[file:hashes.MD5 = '6499863d47b68030f0c5ffafaffb1344' AND file:hashes.SHA1 = '2197e35f14ff9960985c982ed6d16d5bd5366062' AND file:name = 'xxx32.exe' AND file:size = '528896']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T08:59:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f9e7f-cbd0-4050-845b-4a58950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T09:16:47.000Z", "modified": "2017-12-12T09:16:47.000Z", "pattern": "[file:hashes.MD5 = '752d245f1026482a967a763dae184569' AND file:hashes.SHA1 = '355603b1922886044884afbdfa9c9a6626b6669a' AND file:name = 'xxx64.exe' AND file:size = '589312']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T09:16:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f9e9a-48a0-4ed3-91fe-825f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T09:17:14.000Z", "modified": "2017-12-12T09:17:14.000Z", "pattern": "[file:hashes.MD5 = 'd406e037f034b89c85758af1a98110be' AND file:hashes.SHA1 = '6bc46528da6cd224fa5e58ccd9df5b05c46c673d' AND file:name = 'ccs.bmp' AND file:size = '82944']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T09:17:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2f9f45-8874-4ec0-9e5f-7e7d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:36.000Z", "modified": "2018-10-26T10:07:36.000Z", "pattern": "[file:hashes.MD5 = 'ab8bed25f9ff64a4b07be5d3bc34f26b' AND file:hashes.SHA1 = '42ce9c2bd246a0243fa91309938042e434b39876' AND file:name = 'infos.bmp' AND file:size = '494080']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T10:07:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fa096-2e10-4212-81a1-4a63950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T09:25:42.000Z", "modified": "2017-12-12T09:25:42.000Z", "pattern": "[file:hashes.MD5 = 'd825fbd90087d2350e89cbf205a1b71c' AND file:hashes.SHA1 = 'ca5e195692399dca99a4d8299dc9ff816168a6dc' AND file:name = 'pscan.bmp' AND file:size = '65024']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T09:25:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a2fa0d4-3fd4-450d-9d4c-7e7b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-12T09:26:44.000Z", "modified": "2017-12-12T09:26:44.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.181.246.146') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-12T09:26:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--89923362-01fd-4462-9078-fa8ec72fb5d9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:43.000Z", "modified": "2017-12-13T17:22:43.000Z", "pattern": "[file:hashes.MD5 = 'e3c061fa0450056e30285fd44a74cd2a' AND file:hashes.SHA1 = '8c7659e6ee9fe5ead17cae2969d3148730be509b' AND file:hashes.SHA256 = 'e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa/analysis/1513180609/", "category": "External analysis", "comment": "Host Indicators", "uuid": "5a3161e0-7518-48ff-8668-464302de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/67", "category": "Other", "comment": "Host Indicators", "uuid": "5a3161e0-4a20-406c-8f4e-432702de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-13 15:56:49", "category": "Other", "comment": "Host Indicators", "uuid": "5a3161e0-2548-4a4e-a11f-461402de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9bb176f2-bd20-46fc-b023-173cc70ca916", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:43.000Z", "modified": "2017-12-13T17:22:43.000Z", "pattern": "[file:hashes.MD5 = 'ab8bed25f9ff64a4b07be5d3bc34f26b' AND file:hashes.SHA1 = '42ce9c2bd246a0243fa91309938042e434b39876' AND file:hashes.SHA256 = '91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:40.000Z", "modified": "2017-12-13T17:22:40.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81/analysis/1512663932/", "category": "External analysis", "uuid": "5a3161e0-b6a4-44ba-9bc7-4a7002de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/67", "category": "Other", "uuid": "5a3161e0-2ffc-4265-a867-4c3202de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-07 16:25:32", "category": "Other", "uuid": "5a3161e0-3b04-46b9-a02c-4cf402de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:43.000Z", "modified": "2017-12-13T17:22:43.000Z", "pattern": "[file:hashes.MD5 = 'b57dc2bc16dfdb3de55923aef9a98401' AND file:hashes.SHA1 = '1d3501b30183ba213fb4c22a00d89db6fd50cc34' AND file:hashes.SHA256 = '3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:41.000Z", "modified": "2017-12-13T17:22:41.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523/analysis/1512654000/", "category": "External analysis", "uuid": "5a3161e1-b860-4724-ae56-4d9802de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "15/59", "category": "Other", "uuid": "5a3161e1-6e0c-4549-af43-450602de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-07 13:40:00", "category": "Other", "uuid": "5a3161e1-618c-4f11-bdac-4c7e02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b542464d-5ee4-4028-8de3-db54d17c64ce", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:44.000Z", "modified": "2017-12-13T17:22:44.000Z", "pattern": "[file:hashes.MD5 = 'b3135736bcfdab27f891dbe4009a8c80' AND file:hashes.SHA1 = '9240e1744e7272e59e482f68a10f126fdf501be0' AND file:hashes.SHA256 = 'b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:41.000Z", "modified": "2017-12-13T17:22:41.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e/analysis/1512431431/", "category": "External analysis", "uuid": "5a3161e2-673c-4d02-b7f1-460902de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/67", "category": "Other", "uuid": "5a3161e2-4c44-4f90-9448-461502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-04 23:50:31", "category": "Other", "uuid": "5a3161e2-7180-4ce2-9e15-4f0d02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:45.000Z", "modified": "2017-12-13T17:22:45.000Z", "pattern": "[file:hashes.MD5 = 'bd126a7b59d5d1f97ba89a3e71425731' AND file:hashes.SHA1 = '457b1cd985ed07baffd8c66ff40e9c1b6da93753' AND file:hashes.SHA256 = 'a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:42.000Z", "modified": "2017-12-13T17:22:42.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599/analysis/1513176180/", "category": "External analysis", "uuid": "5a3161e2-ba9c-4b83-b774-4ee902de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "2/67", "category": "Other", "uuid": "5a3161e2-1ddc-4e37-a6e5-4a1d02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-13 14:43:00", "category": "Other", "uuid": "5a3161e2-6204-4d87-bca0-4b1402de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d7de718f-c607-49dd-8c9e-563927bb5164", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:45.000Z", "modified": "2017-12-13T17:22:45.000Z", "pattern": "[file:hashes.MD5 = '370d420948672e04ba8eac10bfe6fc9c' AND file:hashes.SHA1 = '450605b6761ff8dd025978f44724b11e0c5eadcc' AND file:hashes.SHA256 = '9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-13T17:22:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-13T17:22:42.000Z", "modified": "2017-12-13T17:22:42.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765/analysis/1512431431/", "category": "External analysis", "uuid": "5a3161e2-152c-4e9c-8885-4ae402de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "33/68", "category": "Other", "uuid": "5a3161e2-8d84-4fbd-8c38-490602de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-04 23:50:31", "category": "Other", "uuid": "5a3161e2-3fc8-4bbb-811c-478302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c9a1352e-1cf8-4120-a36a-0ba1412edb36", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:36.000Z", "modified": "2018-10-26T10:07:36.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-26 09:45:28", "category": "Other", "uuid": "aec805a5-83b1-4d39-add2-491096984907" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e/analysis/1540547128/", "category": "External analysis", "uuid": "74184839-2f88-4a23-b69d-0d13d8c62102" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/67", "category": "Other", "uuid": "4f0e29fc-09d6-4152-9243-651af8bfb108" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f1c24a94-020b-4842-bd00-554487f85e0c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:38.000Z", "modified": "2018-10-26T10:07:38.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-07 13:40:00", "category": "Other", "uuid": "a16db00e-858c-4e85-8cdd-3935eafb0e32" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523/analysis/1512654000/", "category": "External analysis", "uuid": "eb41cadf-ee59-43e8-9759-9579024141ff" }, { "type": "text", "object_relation": "detection-ratio", "value": "15/59", "category": "Other", "uuid": "967b51b7-7183-4d8c-8416-c4dd3f4a383c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--799449bf-c6a1-444f-9361-c8b81002729a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:39.000Z", "modified": "2018-10-26T10:07:39.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-26 06:34:45", "category": "Other", "uuid": "1eca75fd-0135-4438-9b98-108913702714" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599/analysis/1540535685/", "category": "External analysis", "uuid": "0184c0bd-362e-47d3-87d3-392a1a875865" }, { "type": "text", "object_relation": "detection-ratio", "value": "1/65", "category": "Other", "uuid": "9b2ff29b-3590-4f10-973d-896279089abf" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d3b462b9-f076-47dd-996e-7b92f83a871d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:40.000Z", "modified": "2018-10-26T10:07:40.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-06-18 00:06:58", "category": "Other", "uuid": "fe2d043e-f81e-41c8-94d5-780c68b08520" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765/analysis/1529280418/", "category": "External analysis", "uuid": "d7b94bd9-d044-4ba3-92d9-09fcf121b98f" }, { "type": "text", "object_relation": "detection-ratio", "value": "36/68", "category": "Other", "uuid": "63f46b9d-5d23-416f-bba8-76c30370b049" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--de299626-d70b-4856-8577-71a19b22be1c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:48.000Z", "modified": "2018-10-26T10:07:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-07 16:25:32", "category": "Other", "uuid": "c49a7d33-16db-499d-a52e-147a32818bbf" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81/analysis/1512663932/", "category": "External analysis", "uuid": "07006736-b056-47cb-9f62-b5fc0da977cf" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/67", "category": "Other", "uuid": "5e3c1df6-c79f-4d33-a8fc-0343fe4e14fb" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9bd18f1d-456c-4ba3-b22f-3ac0da8caacf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:53.000Z", "modified": "2018-10-26T10:07:53.000Z", "pattern": "[file:hashes.MD5 = '7393cb0f409f8f51b7745981ac30b8b6' AND file:hashes.SHA1 = '6c17113f66efa5115111a9e67c6ddd026ba9b55d' AND file:hashes.SHA256 = 'a1d3fa684d406f82a2d93f4617c5b2dba5b70336db7e7a83b5a2822afe56fb0b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-26T10:07:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--de2cafef-52b7-46ec-b981-f9a5dea89f65", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-26T10:07:55.000Z", "modified": "2018-10-26T10:07:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-19 12:25:03", "category": "Other", "uuid": "5f0cc7ad-b6e0-408c-9006-8ae86e66228c" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/a1d3fa684d406f82a2d93f4617c5b2dba5b70336db7e7a83b5a2822afe56fb0b/analysis/1532003103/", "category": "External analysis", "uuid": "e35f9d09-6da2-4827-9556-c49ee43ef0bf" }, { "type": "text", "object_relation": "detection-ratio", "value": "21/67", "category": "Other", "uuid": "4406a5d5-7d31-43c6-bd2d-9ccad5886875" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--88ffb271-2a11-42e9-97c7-f802dae9480c", "created": "2017-12-13T17:22:42.000Z", "modified": "2017-12-13T17:22:42.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--89923362-01fd-4462-9078-fa8ec72fb5d9", "target_ref": "x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--47154b20-320c-4c8a-9ef0-d1af00d507de", "created": "2017-12-13T17:22:42.000Z", "modified": "2017-12-13T17:22:42.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9bb176f2-bd20-46fc-b023-173cc70ca916", "target_ref": "x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2493dc34-e7a9-40bc-8d07-6d3e114acf6a", "created": "2017-12-13T17:22:42.000Z", "modified": "2017-12-13T17:22:42.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9", "target_ref": "x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--55133a6c-3372-49f4-88e8-722b7464e6d2", "created": "2017-12-13T17:22:42.000Z", "modified": "2017-12-13T17:22:42.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b542464d-5ee4-4028-8de3-db54d17c64ce", "target_ref": "x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5e671fe2-7c11-42e9-a511-705b781669b2", "created": "2017-12-13T17:22:42.000Z", "modified": "2017-12-13T17:22:42.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b", "target_ref": "x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8ae97c2d-9cef-4c83-9690-803e334e6450", "created": "2017-12-13T17:22:42.000Z", "modified": "2017-12-13T17:22:42.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d7de718f-c607-49dd-8c9e-563927bb5164", "target_ref": "x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }