{ "type": "bundle", "id": "bundle--588a6de9-e2f4-4fbc-b09d-427f02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:25.000Z", "modified": "2017-01-26T21:54:25.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--588a6de9-e2f4-4fbc-b09d-427f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:25.000Z", "modified": "2017-01-26T21:54:25.000Z", "name": "OSINT - EITest Nabbing Chrome Users with a \u201cChrome Font\u201d Social Engineering Scheme", "published": "2017-01-26T21:57:34Z", "object_refs": [ "x-misp-attribute--588a6dfd-19b8-44c8-b297-4f2002de0b81", "observed-data--588a6e0b-3338-442b-8f7f-4c5802de0b81", "url--588a6e0b-3338-442b-8f7f-4c5802de0b81", "indicator--588a6e2f-3b0c-4d91-a1fe-4e9002de0b81", "indicator--588a6e30-685c-41ed-9ec3-454802de0b81", "indicator--588a6e31-83cc-43f7-8097-4dc702de0b81", "indicator--588a6e31-fff8-407a-bc77-448e02de0b81", "indicator--588a6e3c-f8cc-4b96-97e0-4dd802de0b81", "indicator--588a6e74-1650-4d05-9d6c-425502de0b81", "indicator--588a6e8d-6b48-4294-9a19-43b202de0b81", "indicator--588a6e9a-75e8-4fbf-bd55-427202de0b81", "indicator--588a6ebb-28e4-481f-9e5b-496602de0b81", "indicator--588a6ebc-2270-4929-9c16-42d102de0b81", "indicator--588a6ebc-9c9c-4d54-b445-40d702de0b81", "indicator--588a6ebd-1900-4657-8b7a-481802de0b81", "indicator--588a6edb-e2ec-49c0-8ea7-215902de0b81", "indicator--588a6edc-657c-46f4-90de-215902de0b81", "indicator--588a6edd-0234-472b-b99e-215902de0b81", "indicator--588a6edd-d158-4416-98c6-215902de0b81", "observed-data--588a6f1c-3404-4dc5-afc0-6dcc02de0b81", "domain-name--588a6f1c-3404-4dc5-afc0-6dcc02de0b81", "observed-data--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", "network-traffic--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", "ipv4-addr--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", 
"observed-data--588a6f1e-0260-4424-b74c-6dcc02de0b81", "domain-name--588a6f1e-0260-4424-b74c-6dcc02de0b81", "observed-data--588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "network-traffic--588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "ipv4-addr--588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "observed-data--588a6f20-1df4-4b3b-90a8-6dcc02de0b81", "domain-name--588a6f20-1df4-4b3b-90a8-6dcc02de0b81", "observed-data--588a6f20-1810-4702-a053-6dcc02de0b81", "network-traffic--588a6f20-1810-4702-a053-6dcc02de0b81", "ipv4-addr--588a6f20-1810-4702-a053-6dcc02de0b81", "observed-data--588a6f21-37d4-481d-b427-6dcc02de0b81", "domain-name--588a6f21-37d4-481d-b427-6dcc02de0b81", "observed-data--588a6f22-11d0-4190-ae0a-6dcc02de0b81", "network-traffic--588a6f22-11d0-4190-ae0a-6dcc02de0b81", "ipv4-addr--588a6f22-11d0-4190-ae0a-6dcc02de0b81", "observed-data--588a6f23-4e18-48b4-abd1-6dcc02de0b81", "domain-name--588a6f23-4e18-48b4-abd1-6dcc02de0b81", "observed-data--588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "network-traffic--588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "ipv4-addr--588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "indicator--588a6f39-4c88-464d-8774-471002de0b81", "indicator--588a6f3a-a320-4e32-9621-46c102de0b81", "indicator--588a6f3b-45c4-40ae-b38e-428502de0b81", "indicator--588a6f3b-7134-464a-861f-450902de0b81", "indicator--588a6f3c-9764-4977-8e02-456f02de0b81", "indicator--588a6f3d-8528-42b0-9af6-450802de0b81", "indicator--588a7011-c36c-48ed-9abc-40e502de0b81", "indicator--588a7011-31fc-4d7b-a442-473702de0b81", "observed-data--588a7012-f1e8-4f25-a7c8-455602de0b81", "url--588a7012-f1e8-4f25-a7c8-455602de0b81", "indicator--588a7013-f6b4-487c-a1ae-4fc602de0b81", "indicator--588a7013-e0d0-431e-ace0-4fc002de0b81", "observed-data--588a7014-6648-4d5b-ae8e-4b7b02de0b81", "url--588a7014-6648-4d5b-ae8e-4b7b02de0b81", "indicator--588a7015-72d4-4d87-b1f3-4c9b02de0b81", "indicator--588a7016-1130-4783-8732-421502de0b81", "observed-data--588a7016-1bdc-4229-a0fa-414c02de0b81", "url--588a7016-1bdc-4229-a0fa-414c02de0b81", 
"indicator--588a7017-ae5c-4778-8d55-422702de0b81", "indicator--588a7018-94e0-438b-bf8f-4b3d02de0b81", "observed-data--588a7018-60ec-4202-a54f-4a9e02de0b81", "url--588a7018-60ec-4202-a54f-4a9e02de0b81", "indicator--588a7019-96d0-4507-81b2-4fbf02de0b81", "indicator--588a701a-9664-423c-85d8-435102de0b81", "observed-data--588a701a-9ff8-4e32-bea2-4bdf02de0b81", "url--588a701a-9ff8-4e32-bea2-4bdf02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "estimative-language:likelihood-probability=\"very-likely\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--588a6dfd-19b8-44c8-b297-4f2002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:52:12.000Z", "modified": "2017-01-26T21:52:12.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "\u201cEITest\u201d is a well-documented infection chain that generally relies on compromised websites to direct users to exploit kit (EK) landing pages. EITest has been involved in the delivery of a variety of ransomware, information stealers, and other malware, with clear evidence of its use dating back to 2014. Elements of EITest may be much older, though, with hints pointing to EITest being an evolution of the \u201cGlazunov\u201d infection chain from 2011 [1]. The first server side documentation of this evolution came from Sucuri in July 2014 [2] associated with waves of Wordpress exploitation via the MailPoet plugin vulnerability. KahuSecurity recently analyzed the server side script in October 2016 [3]." 
}, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6e0b-3338-442b-8f7f-4c5802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:52:03.000Z", "modified": "2017-01-26T21:52:03.000Z", "first_observed": "2017-01-26T21:52:03Z", "last_observed": "2017-01-26T21:52:03Z", "number_observed": 1, "object_refs": [ "url--588a6e0b-3338-442b-8f7f-4c5802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588a6e0b-3338-442b-8f7f-4c5802de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6e2f-3b0c-4d91-a1fe-4e9002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:46:23.000Z", "modified": "2017-01-26T21:46:23.000Z", "description": "Fleercivet C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.37.112.248']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:46:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6e30-685c-41ed-9ec3-454802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:46:24.000Z", "modified": "2017-01-26T21:46:24.000Z", "description": "Server initiating Fleercivet Fraud Scheme (potentially legitimate)", "pattern": "[file:name = 'searchtopresults.com|209.126.122.139']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:46:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6e31-83cc-43f7-8097-4dc702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:46:25.000Z", "modified": "2017-01-26T21:46:25.000Z", "description": "Initial Call before Fleercivet clickfraud", "pattern": "[url:value = 'searchtopresults.com/search.php?aff=8320']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:46:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6e31-fff8-407a-bc77-448e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:46:25.000Z", "modified": "2017-01-26T21:46:25.000Z", "description": "Later Call tied to Fleercivet activity", "pattern": "[url:value = 'searchtopresults.com/search.php?aff=8170&saff=1203']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:46:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6e3c-f8cc-4b96-97e0-4dd802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:46:36.000Z", "modified": "2017-01-26T21:46:36.000Z", "description": "Fiddler capture (index and post)", "pattern": "[file:hashes.SHA256 = '7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:46:36Z", "kill_chain_phases": [ 
{ "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6e74-1650-4d05-9d6c-425502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:47:32.000Z", "modified": "2017-01-26T21:47:32.000Z", "description": "2014-07-14 - Early \u201cflash redirecting\u201d EITest Domain", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '48.251.102.176']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6e8d-6b48-4294-9a19-43b202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:47:57.000Z", "modified": "2017-01-26T21:47:57.000Z", "description": "2014-07-14 - Early \u201cflash redirecting\u201d EITest Domain", "pattern": "[domain-name:value = 'vidvi.cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:47:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6e9a-75e8-4fbf-bd55-427202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:48:10.000Z", "modified": "2017-01-26T21:48:10.000Z", "description": "EITest node replying to Compromised Server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND 
network-traffic:dst_ref.value = '31.184.192.163']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:48:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6ebb-28e4-481f-9e5b-496602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:48:43.000Z", "modified": "2017-01-26T21:48:43.000Z", "description": "EITest node replying to Compromised Server", "pattern": "[domain-name:value = '54dfa1cb.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:48:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6ebc-2270-4929-9c16-42d102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:48:44.000Z", "modified": "2017-01-26T21:48:44.000Z", "description": "EITest node replying to Compromised Server", "pattern": "[domain-name:value = 'e5b57288.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:48:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6ebc-9c9c-4d54-b445-40d702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:48:44.000Z", "modified": "2017-01-26T21:48:44.000Z", "description": "EITest node replying to Compromised Server", "pattern": "[domain-name:value = 
'33db9538.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:48:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6ebd-1900-4657-8b7a-481802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:48:45.000Z", "modified": "2017-01-26T21:48:45.000Z", "description": "EITest node replying to Compromised Server", "pattern": "[domain-name:value = '9507c4e8.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:48:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6edb-e2ec-49c0-8ea7-215902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:49:15.000Z", "modified": "2017-01-26T21:49:15.000Z", "description": "FleerCivet 2017-01-15", "pattern": "[file:hashes.SHA256 = '7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:49:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6edc-657c-46f4-90de-215902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:49:16.000Z", "modified": "2017-01-26T21:49:16.000Z", "description": "FleerCivet 2017-01-15", "pattern": "[file:hashes.SHA256 = 
'7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:49:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6edd-0234-472b-b99e-215902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:49:17.000Z", "modified": "2017-01-26T21:49:17.000Z", "description": "FleerCivet 2017-01-16", "pattern": "[file:hashes.SHA256 = '9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:49:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6edd-d158-4416-98c6-215902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:49:17.000Z", "modified": "2017-01-26T21:49:17.000Z", "description": "FleerCivet 2017-01-17", "pattern": "[file:hashes.SHA256 = 'ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:49:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6f1c-3404-4dc5-afc0-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:20.000Z", "modified": "2017-01-26T21:50:20.000Z", 
"first_observed": "2017-01-26T21:50:20Z", "last_observed": "2017-01-26T21:50:20Z", "number_observed": 1, "object_refs": [ "domain-name--588a6f1c-3404-4dc5-afc0-6dcc02de0b81" ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--588a6f1c-3404-4dc5-afc0-6dcc02de0b81", "value": "starrer.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:21.000Z", "modified": "2017-01-26T21:50:21.000Z", "first_observed": "2017-01-26T21:50:21Z", "last_observed": "2017-01-26T21:50:21Z", "number_observed": 1, "object_refs": [ "network-traffic--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", "ipv4-addr--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", "dst_ref": "ipv4-addr--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--588a6f1d-ccfc-4512-aa8a-6dcc02de0b81", "value": "209.126.118.146" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6f1e-0260-4424-b74c-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:22.000Z", "modified": "2017-01-26T21:50:22.000Z", "first_observed": "2017-01-26T21:50:22Z", "last_observed": "2017-01-26T21:50:22Z", "number_observed": 1, "object_refs": [ "domain-name--588a6f1e-0260-4424-b74c-6dcc02de0b81" ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--588a6f1e-0260-4424-b74c-6dcc02de0b81", "value": "askcom.me" }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:23.000Z", "modified": "2017-01-26T21:50:23.000Z", "first_observed": "2017-01-26T21:50:23Z", "last_observed": "2017-01-26T21:50:23Z", "number_observed": 1, "object_refs": [ "network-traffic--588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "ipv4-addr--588a6f1f-b9e0-4c96-9721-6dcc02de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "dst_ref": "ipv4-addr--588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--588a6f1f-b9e0-4c96-9721-6dcc02de0b81", "value": "209.126.123.39" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6f20-1df4-4b3b-90a8-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:24.000Z", "modified": "2017-01-26T21:50:24.000Z", "first_observed": "2017-01-26T21:50:24Z", "last_observed": "2017-01-26T21:50:24Z", "number_observed": 1, "object_refs": [ "domain-name--588a6f20-1df4-4b3b-90a8-6dcc02de0b81" ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--588a6f20-1df4-4b3b-90a8-6dcc02de0b81", "value": "twittertravels.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6f20-1810-4702-a053-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:24.000Z", "modified": "2017-01-26T21:50:24.000Z", "first_observed": "2017-01-26T21:50:24Z", "last_observed": "2017-01-26T21:50:24Z", "number_observed": 1, "object_refs": [ "network-traffic--588a6f20-1810-4702-a053-6dcc02de0b81", "ipv4-addr--588a6f20-1810-4702-a053-6dcc02de0b81" ], "labels": 
[ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--588a6f20-1810-4702-a053-6dcc02de0b81", "dst_ref": "ipv4-addr--588a6f20-1810-4702-a053-6dcc02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--588a6f20-1810-4702-a053-6dcc02de0b81", "value": "173.224.124.110" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6f21-37d4-481d-b427-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:25.000Z", "modified": "2017-01-26T21:50:25.000Z", "first_observed": "2017-01-26T21:50:25Z", "last_observed": "2017-01-26T21:50:25Z", "number_observed": 1, "object_refs": [ "domain-name--588a6f21-37d4-481d-b427-6dcc02de0b81" ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--588a6f21-37d4-481d-b427-6dcc02de0b81", "value": "shareyourfashion.net" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6f22-11d0-4190-ae0a-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:26.000Z", "modified": "2017-01-26T21:50:26.000Z", "first_observed": "2017-01-26T21:50:26Z", "last_observed": "2017-01-26T21:50:26Z", "number_observed": 1, "object_refs": [ "network-traffic--588a6f22-11d0-4190-ae0a-6dcc02de0b81", "ipv4-addr--588a6f22-11d0-4190-ae0a-6dcc02de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--588a6f22-11d0-4190-ae0a-6dcc02de0b81", "dst_ref": "ipv4-addr--588a6f22-11d0-4190-ae0a-6dcc02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--588a6f22-11d0-4190-ae0a-6dcc02de0b81", "value": "209.126.103.104" }, { "type": "observed-data", 
"spec_version": "2.1", "id": "observed-data--588a6f23-4e18-48b4-abd1-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:27.000Z", "modified": "2017-01-26T21:50:27.000Z", "first_observed": "2017-01-26T21:50:27Z", "last_observed": "2017-01-26T21:50:27Z", "number_observed": 1, "object_refs": [ "domain-name--588a6f23-4e18-48b4-abd1-6dcc02de0b81" ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--588a6f23-4e18-48b4-abd1-6dcc02de0b81", "value": "techgnews.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:50:27.000Z", "modified": "2017-01-26T21:50:27.000Z", "first_observed": "2017-01-26T21:50:27Z", "last_observed": "2017-01-26T21:50:27Z", "number_observed": 1, "object_refs": [ "network-traffic--588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "ipv4-addr--588a6f23-05c4-4c29-a4b4-6dcc02de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "dst_ref": "ipv4-addr--588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--588a6f23-05c4-4c29-a4b4-6dcc02de0b81", "value": "209.239.115.50" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6f39-4c88-464d-8774-471002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:52:30.000Z", "modified": "2017-01-26T21:52:30.000Z", "description": "Exemple of EITest compromised Website acting as download server (POST request with MZ as reply)", "pattern": "[url:value = 'kyle.dark7.org/download.php']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-01-26T21:52:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6f3a-a320-4e32-9621-46c102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:52:41.000Z", "modified": "2017-01-26T21:52:41.000Z", "description": "Exemple of EITest compromised Website acting as download server (POST request with MZ as reply)", "pattern": "[url:value = 'oblubienica.odnowa.org/download.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:52:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6f3b-45c4-40ae-b38e-428502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:53:00.000Z", "modified": "2017-01-26T21:53:00.000Z", "description": "Exemple of EITest compromised Website acting as download server (POST request with MZ as reply)", "pattern": "[url:value = 'sriswamidikshananda.org/download.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:53:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6f3b-7134-464a-861f-450902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2017-01-26T21:53:13.000Z", "modified": "2017-01-26T21:53:13.000Z", "description": "Exemple of EITest compromised Website acting as download server (POST request with MZ as reply)", "pattern": "[url:value = 'demo.signgo.com/help.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:53:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6f3c-9764-4977-8e02-456f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:53:23.000Z", "modified": "2017-01-26T21:53:23.000Z", "description": "Exemple of EITest compromised Website acting as download server (POST request with MZ as reply)", "pattern": "[url:value = 'retail.uvapoint.com/help.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:53:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a6f3d-8528-42b0-9af6-450802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:53:37.000Z", "modified": "2017-01-26T21:53:37.000Z", "description": "Exemple of EITest compromised Website acting as download server (POST request with MZ as reply)", "pattern": "[url:value = 'chovek5.lozenetz.org/download.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:53:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", 
"misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-status=\"compromised\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7011-c36c-48ed-9abc-40e502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:25.000Z", "modified": "2017-01-26T21:54:25.000Z", "description": "FleerCivet 2017-01-17 - Xchecked via VT: ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167", "pattern": "[file:hashes.SHA1 = '35c7f51fcf445ac0a2be0dfc81ec653e3eec6068']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7011-31fc-4d7b-a442-473702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:25.000Z", "modified": "2017-01-26T21:54:25.000Z", "description": "FleerCivet 2017-01-17 - Xchecked via VT: ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167", "pattern": "[file:hashes.MD5 = '62cfd5f9a600809c9e53ea089920d988']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a7012-f1e8-4f25-a7c8-455602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:26.000Z", "modified": "2017-01-26T21:54:26.000Z", "first_observed": "2017-01-26T21:54:26Z", "last_observed": "2017-01-26T21:54:26Z", "number_observed": 1, "object_refs": [ 
"url--588a7012-f1e8-4f25-a7c8-455602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588a7012-f1e8-4f25-a7c8-455602de0b81", "value": "https://www.virustotal.com/file/ebeaaef3323331e7ea0e47eac6437dcf5548d9fd759943d2e5c1f3d1fb786167/analysis/1484834402/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7013-f6b4-487c-a1ae-4fc602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:27.000Z", "modified": "2017-01-26T21:54:27.000Z", "description": "FleerCivet 2017-01-16 - Xchecked via VT: 9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63", "pattern": "[file:hashes.SHA1 = '0779fa9caa48b4fd978bf732f8450668eea13f39']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7013-e0d0-431e-ace0-4fc002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:27.000Z", "modified": "2017-01-26T21:54:27.000Z", "description": "FleerCivet 2017-01-16 - Xchecked via VT: 9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63", "pattern": "[file:hashes.MD5 = '7b9aae9a506fc9e19cc127b5c74bfba1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a7014-6648-4d5b-ae8e-4b7b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2017-01-26T21:54:28.000Z", "modified": "2017-01-26T21:54:28.000Z", "first_observed": "2017-01-26T21:54:28Z", "last_observed": "2017-01-26T21:54:28Z", "number_observed": 1, "object_refs": [ "url--588a7014-6648-4d5b-ae8e-4b7b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588a7014-6648-4d5b-ae8e-4b7b02de0b81", "value": "https://www.virustotal.com/file/9190c865c214cf2b1c602edcfe4ab8858806298ca4b6de16bfbd0377385ffe63/analysis/1484886904/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7015-72d4-4d87-b1f3-4c9b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:29.000Z", "modified": "2017-01-26T21:54:29.000Z", "description": "FleerCivet 2017-01-15 - Xchecked via VT: 7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc", "pattern": "[file:hashes.SHA1 = '5a95dc982879b78fc44ca6e3d473aab2eafa5012']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7016-1130-4783-8732-421502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:30.000Z", "modified": "2017-01-26T21:54:30.000Z", "description": "FleerCivet 2017-01-15 - Xchecked via VT: 7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc", "pattern": "[file:hashes.MD5 = 'f9e1f0083e0e42833c5dfa7faa4a0281']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a7016-1bdc-4229-a0fa-414c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:30.000Z", "modified": "2017-01-26T21:54:30.000Z", "first_observed": "2017-01-26T21:54:30Z", "last_observed": "2017-01-26T21:54:30Z", "number_observed": 1, "object_refs": [ "url--588a7016-1bdc-4229-a0fa-414c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588a7016-1bdc-4229-a0fa-414c02de0b81", "value": "https://www.virustotal.com/file/7bb7848270e76aa1fcb9d11acb46c8421b86c7d528c108d8f179ec829ff977fc/analysis/1484541299/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7017-ae5c-4778-8d55-422702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:31.000Z", "modified": "2017-01-26T21:54:31.000Z", "description": "FleerCivet 2017-01-15 - Xchecked via VT: 7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a", "pattern": "[file:hashes.SHA1 = 'a13b63b53ffd8bf90665f6109b7f6294f6219dd7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7018-94e0-438b-bf8f-4b3d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:32.000Z", "modified": "2017-01-26T21:54:32.000Z", "description": "FleerCivet 2017-01-15 - Xchecked via VT: 7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a", "pattern": "[file:hashes.MD5 = 'b9ec73f2406d87f69a6c8dfc46ed3a28']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-01-26T21:54:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a7018-60ec-4202-a54f-4a9e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:32.000Z", "modified": "2017-01-26T21:54:32.000Z", "first_observed": "2017-01-26T21:54:32Z", "last_observed": "2017-01-26T21:54:32Z", "number_observed": 1, "object_refs": [ "url--588a7018-60ec-4202-a54f-4a9e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588a7018-60ec-4202-a54f-4a9e02de0b81", "value": "https://www.virustotal.com/file/7fc9721cc648de138a61ec3452d63a83fc76ef527d41f4a7aba78f52df13338a/analysis/1485239703/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a7019-96d0-4507-81b2-4fbf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:33.000Z", "modified": "2017-01-26T21:54:33.000Z", "description": "Fiddler capture (index and post) - Xchecked via VT: 7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74", "pattern": "[file:hashes.SHA1 = 'b38e12e5346fb02d41e18574d10fbf96f085a7c0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588a701a-9664-423c-85d8-435102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:34.000Z", "modified": "2017-01-26T21:54:34.000Z", "description": "Fiddler capture 
(index and post) - Xchecked via VT: 7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74", "pattern": "[file:hashes.MD5 = 'e8a36364b057d2ca6ea79061188591c0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-26T21:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588a701a-9ff8-4e32-bea2-4bdf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-26T21:54:34.000Z", "modified": "2017-01-26T21:54:34.000Z", "first_observed": "2017-01-26T21:54:34Z", "last_observed": "2017-01-26T21:54:34Z", "number_observed": 1, "object_refs": [ "url--588a701a-9ff8-4e32-bea2-4bdf02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588a701a-9ff8-4e32-bea2-4bdf02de0b81", "value": "https://www.virustotal.com/file/7a444891c642ec17459471be40bcc1ea9eef6aeb478318a679908f94bf1e7e74/analysis/1484822761/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }