{ "type": "bundle", "id": "bundle--5cc209b3-82e0-4d0e-980d-4a6002de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:32:04.000Z", "modified": "2019-04-25T19:32:04.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5cc209b3-82e0-4d0e-980d-4a6002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:32:04.000Z", "modified": "2019-04-25T19:32:04.000Z", "name": "OSINT - Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware", "published": "2019-04-25T19:34:52Z", "object_refs": [ "indicator--5cc20a1e-8ef4-4468-bd53-48ca02de0b81", "indicator--5cc20a1e-20b0-4f51-a8f5-45cc02de0b81", "indicator--5cc20a1e-1184-4ed9-9d66-409a02de0b81", "indicator--5cc20a1e-0bb8-401f-9cbd-45a002de0b81", "indicator--5cc20a1e-35f8-49e0-b7d2-49a302de0b81", "indicator--5cc20a1e-7e0c-40f1-b9dd-429c02de0b81", "indicator--5cc20a1e-cfe4-459a-8837-4ce702de0b81", "indicator--5cc20a1e-0e98-4860-acf2-48e602de0b81", "observed-data--5cc20a2e-6408-4271-a41f-41da02de0b81", "url--5cc20a2e-6408-4271-a41f-41da02de0b81", "x-misp-attribute--5cc20a3f-8e84-4d6c-b3b0-47d702de0b81", "observed-data--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9", "network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9", "ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9", "indicator--2f52d11d-5df6-44ca-8934-12cce8d33395", "x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a", "indicator--60c23628-c767-4b08-9cb4-0d55c6432479", "x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072", "indicator--b278e19f-e981-47bc-be90-072138554a61", "x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c", "indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87", "x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd", "relationship--01212a6b-1c8e-431d-ae35-4f1ff584d3e3", "relationship--47ac67a2-058c-41b6-8bef-c5da6dde60c1", "relationship--e6761101-128c-4f37-8476-30fcf7f38f4c", "relationship--4cda8e46-04b4-41c3-98e7-5c0ecd98a0ee" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:threat-actor=\"TA505\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc20a1e-8ef4-4468-bd53-48ca02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:26.000Z", "modified": "2019-04-25T19:27:26.000Z", "description": "011042019.xls", "pattern": "[file:hashes.SHA1 = '880b383532534e32f3fa49692d676d9488aabac1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc20a1e-20b0-4f51-a8f5-45cc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:26.000Z", "modified": "2019-04-25T19:27:26.000Z", "pattern": "[file:hashes.SHA1 = '63aeb16b5d001cbd94b636e9f557fe97b8467c8d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc20a1e-1184-4ed9-9d66-409a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:26.000Z", "modified": "2019-04-25T19:27:26.000Z", "description": "msie988.tmp", "pattern": "[file:hashes.SHA1 = 'ad35fa0b3799562931b4bfa3abd057214b8721ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc20a1e-0bb8-401f-9cbd-45a002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:26.000Z", "modified": "2019-04-25T19:27:26.000Z", "description": "pegas.dll", "pattern": "[file:hashes.SHA1 = '06f232210e507f09f01155e7d0cb5389b8a31042']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc20a1e-35f8-49e0-b7d2-49a302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:26.000Z", "modified": "2019-04-25T19:27:26.000Z", "description": "First C2", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '79.141.171.160']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc20a1e-7e0c-40f1-b9dd-429c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:26.000Z", "modified": "2019-04-25T19:27:26.000Z", "description": "Second C2", "pattern": "[domain-name:value = 'aasdkkkdsa3442.icu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc20a1e-cfe4-459a-8837-4ce702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:26.000Z", "modified": "2019-04-25T19:27:26.000Z", "description": "Second C2", "pattern": "[domain-name:value = 'joisf333.icu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cc20a1e-0e98-4860-acf2-48e602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:26.000Z", "modified": "2019-04-25T19:27:26.000Z", "description": "Second C2", "pattern": "[domain-name:value = 'zxskjkkjsk3232.pw']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cc20a2e-6408-4271-a41f-41da02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:42.000Z", "modified": "2019-04-25T19:27:42.000Z", "first_observed": "2019-04-25T19:27:42Z", "last_observed": "2019-04-25T19:27:42Z", "number_observed": 1, "object_refs": [ "url--5cc20a2e-6408-4271-a41f-41da02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cc20a2e-6408-4271-a41f-41da02de0b81", "value": "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5cc20a3f-8e84-4d6c-b3b0-47d702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:27:59.000Z", "modified": "2019-04-25T19:27:59.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The cybersecurity community has long known that any information technology tool that is used for legitimate purposes can also be manipulated by attackers to enhance their malware. Recently, however, many native Windows OS processes are being used for malicious purposes as well. \r\n\r\nIn this research, we introduce a meticulously planned, malicious operation against a financial institution in April of 2019. This advanced operation combines a targeted phishing attack with advanced tools that gather intel on the environment. The operation chooses whether or not to create persistence and installs a sophisticated backdoor called ServHelper used to take over the network.\r\nKey Aspects of TA505\u00e2\u20ac\u2122s Operation\r\n\r\n Highly targeted phishing campaign to a small number of specific accounts within the company.\r\n Signed and verified malicious code. This is an extra percussion taken to avoid detection.\r\n A deliberate timeline, indicated by the timing of the phishing attack and signing of the malicious code.\r\n A selective persistence mechanism and self destruct commands based on autonomous reconnaissance.\r\n Large emphasis on removal of evidence using self destruct commands and deleting scripts.\r\n Multiple C2 domains, in the event of blacklisting or inability to connect for another reason.\r\n The operation integrates four different LOLBins, which indicates the attackers continued, advanced attempts to avoid detection." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:34:31.000Z", "modified": "2019-04-25T19:34:31.000Z", "first_observed": "2019-04-25T19:34:31Z", "last_observed": "2019-04-25T19:34:31Z", "number_observed": 1, "object_refs": [ "network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9", "ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9", "src_ref": "ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5cc20bc7-c4f8-4085-925e-4bc0e387cbd9", "value": "195.123.227.79" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2f52d11d-5df6-44ca-8934-12cce8d33395", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:28:25.000Z", "modified": "2019-04-25T19:28:25.000Z", "pattern": "[file:hashes.MD5 = '4ca90e372982c864b8eae6d95161a213' AND file:hashes.SHA1 = 'ad35fa0b3799562931b4bfa3abd057214b8721ff' AND file:hashes.SHA256 = '843578299d9e60e52f781ca487aa83f5df4c5f4ca71d3a941a8ea249476c5c3c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:28:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:28:25.000Z", "modified": "2019-04-25T19:28:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-22T09:26:21", "category": "Other", "comment": "msie988.tmp", "uuid": "39e083d0-2e54-439d-92e0-bd5ceb8a6603" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/843578299d9e60e52f781ca487aa83f5df4c5f4ca71d3a941a8ea249476c5c3c/analysis/1555925181/", "category": "Payload delivery", "comment": "msie988.tmp", "uuid": "a83aa4df-1f72-4b3a-bdb2-cef656e4a0dc" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/70", "category": "Payload delivery", "comment": "msie988.tmp", "uuid": "cebb4a53-f987-4755-b609-f65fc6721b4f" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--60c23628-c767-4b08-9cb4-0d55c6432479", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:28:25.000Z", "modified": "2019-04-25T19:28:25.000Z", "pattern": "[file:hashes.MD5 = '4acd155b901884134f01b383eb035c23' AND file:hashes.SHA1 = '63aeb16b5d001cbd94b636e9f557fe97b8467c8d' AND file:hashes.SHA256 = 'cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:28:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:28:25.000Z", "modified": "2019-04-25T19:28:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-25T13:10:17", "category": "Other", "uuid": "e018eb15-af9b-422d-8d19-cfb07e16b0c6" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/cd7bb7396f21c88742fefb278e6e7c9a564dfe109b434494d159518175739c40/analysis/1556197817/", "category": "Payload delivery", "uuid": "0097e14c-21ec-49da-b18d-d24ad3cb346c" }, { "type": "text", "object_relation": "detection-ratio", "value": "37/60", "category": "Payload delivery", "uuid": "3087c659-8379-415a-9da4-23b7eb460be2" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b278e19f-e981-47bc-be90-072138554a61", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:28:25.000Z", "modified": "2019-04-25T19:28:25.000Z", "pattern": "[file:hashes.MD5 = '2d3238185537429ea693a81a1c6ca4c0' AND file:hashes.SHA1 = '880b383532534e32f3fa49692d676d9488aabac1' AND file:hashes.SHA256 = 'c0bcd76c486a8c8994fc005d83d64716ed3604c8559463867412c446e5364169']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:28:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:28:25.000Z", "modified": "2019-04-25T19:28:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-25T16:23:40", "category": "Other", "comment": "011042019.xls", "uuid": "6cdfbbe1-b251-4207-84c5-870c9d1369ca" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c0bcd76c486a8c8994fc005d83d64716ed3604c8559463867412c446e5364169/analysis/1556209420/", "category": "Payload delivery", "comment": "011042019.xls", "uuid": "202d31f1-719e-4245-a692-bdab4419e08e" }, { "type": "text", "object_relation": "detection-ratio", "value": "28/59", "category": "Payload delivery", "comment": "011042019.xls", "uuid": "4c3e9b5e-41d5-4fa6-8ed3-38a17934b789" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:28:25.000Z", "modified": "2019-04-25T19:28:25.000Z", "pattern": "[file:hashes.MD5 = '4a8198fca604a78dd210803aebd5cbba' AND file:hashes.SHA1 = '06f232210e507f09f01155e7d0cb5389b8a31042' AND file:hashes.SHA256 = '9dc1381816b8b18aead256bdc05486171968abbc6ff01766088fbfe7badd194e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-04-25T19:28:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-04-25T19:28:25.000Z", "modified": "2019-04-25T19:28:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-22T13:10:47", "category": "Other", "comment": "pegas.dll", "uuid": "f0b9cbb0-ecd0-4c07-8d12-8d57a3086e89" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/9dc1381816b8b18aead256bdc05486171968abbc6ff01766088fbfe7badd194e/analysis/1555938647/", "category": "Payload delivery", "comment": "pegas.dll", "uuid": "ebbf25ae-2093-4f10-a4fe-742ed2f9c82f" }, { "type": "text", "object_relation": "detection-ratio", "value": "39/66", "category": "Payload delivery", "comment": "pegas.dll", "uuid": "30c4a904-f9c8-489f-ac44-b89617fd734b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--01212a6b-1c8e-431d-ae35-4f1ff584d3e3", "created": "2019-04-25T19:28:26.000Z", "modified": "2019-04-25T19:28:26.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--2f52d11d-5df6-44ca-8934-12cce8d33395", "target_ref": "x-misp-object--5ea2997f-c82f-4ea7-88b8-c468ba4f136a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--47ac67a2-058c-41b6-8bef-c5da6dde60c1", "created": "2019-04-25T19:28:26.000Z", "modified": "2019-04-25T19:28:26.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--60c23628-c767-4b08-9cb4-0d55c6432479", "target_ref": "x-misp-object--9ad338a8-5f89-44f4-becf-21bc9b8fb072" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e6761101-128c-4f37-8476-30fcf7f38f4c", "created": "2019-04-25T19:28:26.000Z", "modified": "2019-04-25T19:28:26.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b278e19f-e981-47bc-be90-072138554a61", "target_ref": "x-misp-object--7f6c6430-6be4-4b8a-907e-8e71dcedb01c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4cda8e46-04b4-41c3-98e7-5c0ecd98a0ee", "created": "2019-04-25T19:28:26.000Z", "modified": "2019-04-25T19:28:26.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--e4b67b34-d84d-4e77-8453-814d9fa42d87", "target_ref": "x-misp-object--a6d17903-91e1-4a0c-9cf3-48ff6f7b22cd" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }