{ "type": "bundle", "id": "bundle--5b6c44c2-e8cc-4c56-8eb9-4f0a950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T20:23:22.000Z", "modified": "2018-09-17T20:23:22.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b6c44c2-e8cc-4c56-8eb9-4f0a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T20:23:22.000Z", "modified": "2018-09-17T20:23:22.000Z", "name": "OSINT - Familiar Feeling A Malware Campaign Targeting the Tibetan Diaspora Resurfaces", "published": "2018-09-17T20:24:35Z", "object_refs": [ "observed-data--5b6c44d2-6094-4926-a919-48a3950d210f", "url--5b6c44d2-6094-4926-a919-48a3950d210f", "indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f", "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f", "indicator--5b9f6c0c-f6c8-466a-b35f-d8a3950d210f", "indicator--5b9f6c0d-265c-4879-8048-d8a3950d210f", "indicator--5b9f6c0d-3360-4aae-a319-d8a3950d210f", "indicator--5b9f6c0e-5760-4610-8e19-d8a3950d210f", "indicator--5b9f71f3-d42c-46dc-a8df-d052950d210f", "indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f", "indicator--5b9f71f4-96d4-4c41-843c-d052950d210f", "indicator--5b9f7ca7-2330-438c-a9ba-43f1950d210f", "indicator--5b9f7caa-aa08-47db-af9c-479f950d210f", "indicator--5b9f7cae-9a30-4928-a17a-4f2d950d210f", "x-misp-attribute--5b9fa4dd-15a8-44c8-87a8-489f950d210f", "indicator--5b9fac2a-3ad4-456c-910f-408a950d210f", "indicator--5b9fac2a-60e0-4df7-b188-4000950d210f", "indicator--5b9fac2b-0454-4ae0-abe4-4f2a950d210f", "indicator--5b9fac2c-a7a8-400d-bee5-49fd950d210f", "indicator--5b9fac2d-32b8-451b-ad3d-4c50950d210f", "indicator--5b9fac2d-43a0-4cbd-bdd2-44ee950d210f", "indicator--5b9fac2e-2c38-4491-b0bd-471a950d210f", "indicator--5b9fac2f-ce44-4c61-8f50-427a950d210f", "indicator--5b9fac30-3800-4895-b7da-4795950d210f", "indicator--5b9fac31-4418-4328-9f94-4c82950d210f", "indicator--5b9fac32-3fa8-469e-82b7-4a14950d210f", "indicator--5b9fac33-2688-4056-b9a2-42bd950d210f", "indicator--5b9fac33-b9cc-492f-9271-4c9c950d210f", "indicator--5b9fac34-9494-4180-97f4-494a950d210f", "indicator--5b9f6007-36ec-49cc-b7cc-e30b950d210f", "vulnerability--5b9f6302-18e0-4459-a463-e6f4950d210f", "vulnerability--5b9f6b94-f650-4701-be1d-e6f5950d210f", "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f", "indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f", "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f", "indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f", "indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f", "indicator--5b9f8086-5f30-4482-891d-475b950d210f", "indicator--5b9f8098-16dc-4483-8b05-d04e950d210f", "indicator--5b9faa1d-28a8-4957-b2ab-4b2b950d210f", "indicator--5b9fb486-9674-4e70-9077-4614950d210f", "indicator--5b9fbb80-f010-4a72-a7ab-4f41950d210f", "indicator--5b9fbb96-36dc-47c1-a0b3-4173950d210f", "indicator--5b9fbbab-e5b8-4120-99fd-40b2950d210f", "indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000", "x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b", "relationship--d08b5a8b-ab01-40bb-8ad0-65c741b8b5d7", "relationship--a87b6340-397a-472b-a08d-208221dcf23f", "relationship--04759adf-df54-4cdb-9dbf-6f81338e5990", "relationship--803df4d4-fb7c-4b34-be01-f1aa4fa3ba1d", "relationship--327a6877-11c6-4bd0-8391-94060860843a", "relationship--d20d513a-e61d-49dd-af0b-f23a54cee975", "relationship--7a088f64-82db-4225-9a56-2160e3f06160", "relationship--96224934-05f7-48c8-8a21-f2653827fbc1", "relationship--542ead70-c784-4e5f-9db5-8ba380f4893e" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:incident-classification=\"malware\"", "osint:source-type=\"blog-post\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell - T1086\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b6c44d2-6094-4926-a919-48a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T12:57:56.000Z", "modified": "2018-09-17T12:57:56.000Z", "first_observed": "2018-09-17T12:57:56Z", "last_observed": "2018-09-17T12:57:56Z", "number_observed": 1, "object_refs": [ "url--5b6c44d2-6094-4926-a919-48a3950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b6c44d2-6094-4926-a919-48a3950d210f", "value": "https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:55:39.000Z", "modified": "2018-09-17T08:55:39.000Z", "pattern": "[domain-name:value = 'commail.co']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T08:55:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:55:40.000Z", "modified": "2018-09-17T08:55:40.000Z", "pattern": "[domain-name:value = 'tibetnews.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T08:55:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f6c0c-f6c8-466a-b35f-d8a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:55:40.000Z", "modified": "2018-09-17T08:55:40.000Z", "pattern": "[domain-name:value = 'comemails.email']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T08:55:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f6c0d-265c-4879-8048-d8a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:55:41.000Z", "modified": "2018-09-17T08:55:41.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T08:55:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f6c0d-3360-4aae-a319-d8a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:55:41.000Z", "modified": "2018-09-17T08:55:41.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T08:55:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f6c0e-5760-4610-8e19-d8a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:55:42.000Z", "modified": "2018-09-17T08:55:42.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T08:55:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f71f3-d42c-46dc-a8df-d052950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T09:20:51.000Z", "modified": "2018-09-17T09:20:51.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T09:20:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T09:20:52.000Z", "modified": "2018-09-17T09:20:52.000Z", "pattern": "[domain-name:value = 'tibetnews.today']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T09:20:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f71f4-96d4-4c41-843c-d052950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T09:20:52.000Z", "modified": "2018-09-17T09:20:52.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.126.86.151']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T09:20:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f7ca7-2330-438c-a9ba-43f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T10:06:31.000Z", "modified": "2018-09-17T10:06:31.000Z", "pattern": "[domain-name:value = 'tibethouse.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T10:06:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f7caa-aa08-47db-af9c-479f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T10:06:34.000Z", "modified": "2018-09-17T10:06:34.000Z", "pattern": "[domain-name:value = 'daynew.today']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T10:06:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f7cae-9a30-4928-a17a-4f2d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T10:06:38.000Z", "modified": "2018-09-17T10:06:38.000Z", "pattern": "[domain-name:value = 'daynews.today']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T10:06:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b9fa4dd-15a8-44c8-87a8-489f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T12:58:25.000Z", "modified": "2018-09-17T12:58:25.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "In January 2018, a Tibetan activist received a mundane-looking email purporting to be program updates from a human rights NGO. Attached to the message were a PowerPoint presentation and a document. The activist, like many in the Tibetan diaspora, had grown wary of unsolicited emails with attachments, and instead of opening the documents, shared the files with Citizen Lab researchers.\r\n\r\nThe suspicion was warranted: the attachments were malicious. If clicked, the files would run recent exploits to infect Windows computers with custom malware. This email was the start of a malware campaign active between January to March 2018 that targeted Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration. We worked closely with the targeted groups to collect the malicious messages, and also engaged in incident response with a compromised organization. This collaboration enabled us to gain further insights into the tactics, techniques, and procedures used by the operators.\r\n\r\nThe campaign used social engineering to trick targets into opening exploit-laden PowerPoint (CVE-2017-0199) and Microsoft Rich Text Format (RTF) documents (CVE-2017-11882) attached to e-mail messages. The malware includes a PowerShell payload we call DMShell++, a backdoor known as TSSL, and a post-compromise tool we call DSNGInstaller.\r\n\r\nWe call this recent campaign the \u00e2\u20ac\u0153Resurfaced Campaign\u00e2\u20ac\u009d because of connections to a 2016 campaign that targeted Tibetan Parliamentarians (which we refer to as the \u00e2\u20ac\u0153Parliamentary Campaign\u00e2\u20ac\u009d). These connections suggest that the same group may be involved or tools and infrastructure are being shared between multiple groups." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac2a-3ad4-456c-910f-408a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:14.000Z", "modified": "2018-09-17T13:29:14.000Z", "pattern": "[url:value = 'commail.co:5453/qqqzqa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac2a-60e0-4df7-b188-4000950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:14.000Z", "modified": "2018-09-17T13:29:14.000Z", "description": "On port 6001", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6001']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac2b-0454-4ae0-abe4-4f2a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:15.000Z", "modified": "2018-09-17T13:29:15.000Z", "description": "On port 6002", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6002']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac2c-a7a8-400d-bee5-49fd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:16.000Z", "modified": "2018-09-17T13:29:16.000Z", "description": "On port 6003", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6003']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac2d-32b8-451b-ad3d-4c50950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:17.000Z", "modified": "2018-09-17T13:29:17.000Z", "pattern": "[url:value = 'tibetnews.info:8026/qqqzqa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac2d-43a0-4cbd-bdd2-44ee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:17.000Z", "modified": "2018-09-17T13:29:17.000Z", "description": "On port 80", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196' AND network-traffic:dst_port = '80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac2e-2c38-4491-b0bd-471a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:18.000Z", "modified": "2018-09-17T13:29:18.000Z", "description": "On port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196' AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac2f-ce44-4c61-8f50-427a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:19.000Z", "modified": "2018-09-17T13:29:19.000Z", "description": "On port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222' AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac30-3800-4895-b7da-4795950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:20.000Z", "modified": "2018-09-17T13:29:20.000Z", "description": "On port 80", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac31-4418-4328-9f94-4c82950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:21.000Z", "modified": "2018-09-17T13:29:21.000Z", "description": "On port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac32-3fa8-469e-82b7-4a14950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:22.000Z", "modified": "2018-09-17T13:29:22.000Z", "description": "On port 8080", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '8080']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac33-2688-4056-b9a2-42bd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:23.000Z", "modified": "2018-09-17T13:29:23.000Z", "pattern": "[url:value = 'comemails.email:1234/hgf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac33-b9cc-492f-9271-4c9c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:23.000Z", "modified": "2018-09-17T13:29:23.000Z", "description": "On port 80", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207' AND network-traffic:dst_port = '80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fac34-9494-4180-97f4-494a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:29:24.000Z", "modified": "2018-09-17T13:29:24.000Z", "description": "On port 443", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207' AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:29:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f6007-36ec-49cc-b7cc-e30b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:04:23.000Z", "modified": "2018-09-17T08:04:23.000Z", "pattern": "[file:hashes.MD5 = '11e0f3e1c7d8855ed7f1dcfce4b7702a' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T08:04:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5b9f6302-18e0-4459-a463-e6f4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:18:33.000Z", "modified": "2018-09-17T08:18:33.000Z", "name": "CVE-2017-11882", "description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \\\\\"Microsoft Office Memory Corruption Vulnerability\\\\\". This CVE ID is unique from CVE-2017-11884.", "labels": [ "misp:name=\"vulnerability\"", "misp:meta-category=\"vulnerability\"", "misp:to_ids=\"False\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-11882" }, { "source_name": "url", "url": "http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882" }, { "source_name": "url", "url": "http://www.securityfocus.com/bid/101757" }, { "source_name": "url", "url": "http://www.securitytracker.com/id/1039783" }, { "source_name": "url", "url": "https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html" }, { "source_name": "url", "url": "https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html" } ], "x_misp_cvss_score": "9.3", "x_misp_modified": "2017-12-30T21:29:00", "x_misp_published": "2017-11-14T22:29:00", "x_misp_state": "Published", "x_misp_vulnerable_configuration": [ "Microsoft Office 2007 Service Pack 3", "cpe:2.3:a:microsoft:office:2010:sp2", "Microsoft Office 2013 SP1", "Microsoft Office 2016" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5b9f6b94-f650-4701-be1d-e6f5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T08:53:40.000Z", "modified": "2018-09-17T08:53:40.000Z", "name": "CVE-2017-0199", "description": "Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \\\\\"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.", "labels": [ "misp:name=\"vulnerability\"", "misp:meta-category=\"vulnerability\"", "misp:to_ids=\"False\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-0199" }, { "source_name": "url", "url": "http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.html" }, { "source_name": "url", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02" }, { "source_name": "url", "url": "https://www.exploit-db.com/exploits/41934/" }, { "source_name": "url", "url": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html" }, { "source_name": "url", "url": "https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/" }, { "source_name": "url", "url": "http://www.securitytracker.com/id/1038224" }, { "source_name": "url", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199" }, { "source_name": "url", "url": "http://www.securityfocus.com/bid/97498" }, { "source_name": "url", "url": "https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/" }, { "source_name": "url", "url": "https://www.exploit-db.com/exploits/42995/" }, { "source_name": "url", "url": "https://www.exploit-db.com/exploits/41894/" } ], "x_misp_cvss_score": "9.3", "x_misp_modified": "2018-03-27T21:29:00", "x_misp_published": "2017-12-04T10:59:00", "x_misp_state": "Published", "x_misp_vulnerable_configuration": [ "cpe:2.3:a:microsoft:office:2010:sp2", "Microsoft Office 2007 Service Pack 3", "Microsoft Windows Server 2008 Service Pack 2", "Microsoft Office 2016", "cpe:2.3:o:microsoft:windows_7:-:sp1", "Microsoft Windows Vista Service Pack 2", "Microsoft Windows Server 2008 R2 Service Pack 1", "Microsoft Office 2013 SP1", "Microsoft Windows Server 2012" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T09:53:59.000Z", "modified": "2018-09-17T09:53:59.000Z", "labels": [ "misp:name=\"whois\"", "misp:meta-category=\"network\"" ], "x_misp_attributes": [ { "type": "whois-registrant-email", "object_relation": "registrant-email", "value": "bqfkdrmnhh0623[@]gmail.com", "category": "Attribution", "uuid": "5b9f78e4-e480-487c-a060-e3a7950d210f" }, { "type": "whois-registrant-name", "object_relation": "registrant-name", "value": "huang ning", "category": "Attribution", "uuid": "5b9f78e6-19b8-4185-969d-e3a7950d210f" }, { "type": "whois-registrant-phone", "object_relation": "registrant-phone", "value": "8677687877", "category": "Attribution", "uuid": "5b9f78e9-0aa4-4e65-91e3-e3a7950d210f" } ], "x_misp_meta_category": "network", "x_misp_name": "whois" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T10:12:47.000Z", "modified": "2018-09-17T10:12:47.000Z", "pattern": "[domain-name:value = 'google.comemails.email' AND domain-name:resolves_to_refs[*].value = '115.126.86.29']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T10:12:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T10:13:27.000Z", "modified": "2018-09-17T10:13:27.000Z", "pattern": "[domain-name:value = 'mail.google.commail.co' AND domain-name:resolves_to_refs[*].value = '115.126.98.78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T10:13:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T10:14:21.000Z", "modified": "2018-09-17T10:14:21.000Z", "pattern": "[domain-name:value = 'google.comemail.email' AND domain-name:resolves_to_refs[*].value = '118.99.59.214']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T10:14:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T12:46:24.000Z", "modified": "2018-09-17T12:46:24.000Z", "pattern": "[file:hashes.SHA1 = '6a4690f454c91fdc559a223d43f0a77d40b59b2a' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T12:46:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f8086-5f30-4482-891d-475b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T12:33:09.000Z", "modified": "2018-09-17T12:33:09.000Z", "pattern": "[file:hashes.SHA1 = 'e55cea25ecc118fd798f84eb5395be0678bdbc51' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T12:33:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9f8098-16dc-4483-8b05-d04e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T12:26:45.000Z", "modified": "2018-09-17T12:26:45.000Z", "pattern": "[file:hashes.SHA1 = 'cdd2fd64a4996b7d901d4a899d660cc5ff118e73' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T12:26:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9faa1d-28a8-4957-b2ab-4b2b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T13:20:29.000Z", "modified": "2018-09-17T13:20:29.000Z", "pattern": "[email-message:from_ref.value = 'tibetanparliarnent@yahoo.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T13:20:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"email\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fb486-9674-4e70-9077-4614950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T14:04:54.000Z", "modified": "2018-09-17T14:04:54.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222') AND network-traffic:dst_port = '6001' AND network-traffic:dst_port = '6002' AND network-traffic:dst_port = '6003' AND network-traffic:dst_port = '80' AND network-traffic:dst_port = '8080' AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T14:04:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fbb80-f010-4a72-a7ab-4f41950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T14:34:40.000Z", "modified": "2018-09-17T14:34:40.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196') AND network-traffic:dst_port = '443' AND network-traffic:dst_port = '80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T14:34:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fbb96-36dc-47c1-a0b3-4173950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T14:35:02.000Z", "modified": "2018-09-17T14:35:02.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T14:35:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9fbbab-e5b8-4120-99fd-40b2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T14:35:23.000Z", "modified": "2018-09-17T14:35:23.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207') AND network-traffic:dst_port = '443' AND network-traffic:dst_port = '80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T14:35:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T20:22:39.000Z", "modified": "2018-09-17T20:22:39.000Z", "pattern": "[file:hashes.MD5 = '11e0f3e1c7d8855ed7f1dcfce4b7702a' AND file:hashes.SHA1 = '9bb47262664b10b60a853002eace4db083ee10af' AND file:hashes.SHA256 = '1b156c7d2cc651d0a58c8dac1353332614b489e4d21e51ca7a0a929295e6ad40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-17T20:22:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-17T20:22:45.000Z", "modified": "2018-09-17T20:22:45.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-10T08:33:52", "category": "Other", "uuid": "87f7f5c5-40a4-465d-ba91-e82e4595f4e7" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/1b156c7d2cc651d0a58c8dac1353332614b489e4d21e51ca7a0a929295e6ad40/analysis/1533890032/", "category": "External analysis", "uuid": "2236a126-0d1a-4f18-b8b4-87d5424a7b7b" }, { "type": "text", "object_relation": "detection-ratio", "value": "24/67", "category": "Other", "uuid": "4e295ad5-8545-422f-8c7d-683e1a2de6f4" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d08b5a8b-ab01-40bb-8ad0-65c741b8b5d7", "created": "2018-09-17T09:53:14.000Z", "modified": "2018-09-17T09:53:14.000Z", "relationship_type": "uses", "source_ref": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f", "target_ref": "indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a87b6340-397a-472b-a08d-208221dcf23f", "created": "2018-09-17T09:53:39.000Z", "modified": "2018-09-17T09:53:39.000Z", "relationship_type": "derived-from", "source_ref": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f", "target_ref": "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--04759adf-df54-4cdb-9dbf-6f81338e5990", "created": "2018-09-17T09:53:49.000Z", "modified": "2018-09-17T09:53:49.000Z", "relationship_type": "uses", "source_ref": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f", "target_ref": "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--803df4d4-fb7c-4b34-be01-f1aa4fa3ba1d", "created": "2018-09-17T09:53:56.000Z", "modified": "2018-09-17T09:53:56.000Z", "relationship_type": "uses", "source_ref": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f", "target_ref": "indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--327a6877-11c6-4bd0-8391-94060860843a", "created": "2018-09-17T12:46:20.000Z", "modified": "2018-09-17T12:46:20.000Z", "relationship_type": "related-to", "source_ref": "indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f", "target_ref": "indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d20d513a-e61d-49dd-af0b-f23a54cee975", "created": "2018-09-17T12:33:06.000Z", "modified": "2018-09-17T12:33:06.000Z", "relationship_type": "derived-from", "source_ref": "indicator--5b9f8086-5f30-4482-891d-475b950d210f", "target_ref": "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7a088f64-82db-4225-9a56-2160e3f06160", "created": "2018-09-17T12:32:59.000Z", "modified": "2018-09-17T12:32:59.000Z", "relationship_type": "related-to", "source_ref": "indicator--5b9f8086-5f30-4482-891d-475b950d210f", "target_ref": "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--96224934-05f7-48c8-8a21-f2653827fbc1", "created": "2018-09-17T12:26:42.000Z", "modified": "2018-09-17T12:26:42.000Z", "relationship_type": "related-to", "source_ref": "indicator--5b9f8098-16dc-4483-8b05-d04e950d210f", "target_ref": "indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--542ead70-c784-4e5f-9db5-8ba380f4893e", "created": "2018-09-17T20:22:52.000Z", "modified": "2018-09-17T20:22:52.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000", "target_ref": "x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }