{ "type": "bundle", "id": "bundle--5cd14624-0b24-4386-85f5-4e5e950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T09:38:46.000Z", "modified": "2019-05-08T09:38:46.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5cd14624-0b24-4386-85f5-4e5e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T09:38:46.000Z", "modified": "2019-05-08T09:38:46.000Z", "name": "OSINT - CARBANAK Week - Fire Eye", "published": "2019-05-08T11:22:43Z", "object_refs": [ "observed-data--5cd1464b-5c38-40b2-bab2-44a3950d210f", "url--5cd1464b-5c38-40b2-bab2-44a3950d210f", "observed-data--5cd1464b-f590-4342-96f5-4204950d210f", "url--5cd1464b-f590-4342-96f5-4204950d210f", "observed-data--5cd1464b-6008-4101-a704-4016950d210f", "url--5cd1464b-6008-4101-a704-4016950d210f", "observed-data--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f", "url--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f", "indicator--5cd18a3a-c808-4674-8acc-41f8950d210f", "indicator--5cd18a3a-3210-4ab0-9d58-4e65950d210f", "indicator--5cd18a3a-9b74-4426-838f-44e7950d210f", "indicator--5cd18a3a-8f68-448a-83bf-40c8950d210f", "indicator--5cd18a3a-6860-4dc8-a3f9-42c3950d210f", "indicator--5cd18a3a-8a48-4dbf-886f-4ee9950d210f", "indicator--5cd18a3a-e23c-4ee0-b712-465d950d210f", "indicator--5cd18a3a-78d4-45fd-b116-411e950d210f", "indicator--5cd18a3a-f414-49d6-b595-44b3950d210f", "x-misp-attribute--5cd27588-6cbc-4373-a9d7-4e5d950d210f", "observed-data--5cd28d32-4770-466b-b8c6-4655e387cbd9", "network-traffic--5cd28d32-4770-466b-b8c6-4655e387cbd9", "ipv4-addr--5cd28d32-4770-466b-b8c6-4655e387cbd9", "observed-data--5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "network-traffic--5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "ipv4-addr--5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "indicator--5cd14a64-a478-4a1d-bcaa-4af8950d210f", "indicator--5cd14f02-6a40-4948-8120-41b7950d210f", "indicator--5cd14f7c-ed6c-4396-a8b8-48e9950d210f", "indicator--5cd14fc8-cc7c-46e2-8498-456e950d210f", "indicator--5cd15297-7048-4712-9572-4258950d210f", "indicator--5cd152e1-b8a0-4bcf-9ea3-4ca4950d210f", "indicator--5cd15d47-ed54-49b9-aeaa-4471950d210f", "indicator--5cd15d6a-b964-4779-8f3a-43b5950d210f", "indicator--5cd1837d-0694-4391-8cb9-364f950d210f", "indicator--5cd18724-ce4c-410f-95db-b3d7950d210f", "observed-data--5cd18771-bac0-47c3-9a8c-a966950d210f", "network-traffic--5cd18771-bac0-47c3-9a8c-a966950d210f", "ipv4-addr--5cd18771-9f18-4005-a613-a966950d210f", "observed-data--5cd187b5-1eb8-474a-ae22-a97c950d210f", "network-traffic--5cd187b5-1eb8-474a-ae22-a97c950d210f", "ipv4-addr--5cd187b5-d93c-4c9a-9658-a97c950d210f", "indicator--5cd189c9-dd18-4b41-9ad4-b3d7950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:malpedia=\"Carbanak\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Carbanak - G0008\"", "misp-galaxy:mitre-enterprise-attack-malware=\"Carbanak - S0030\"", "misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 uses Carbanak\"", "misp-galaxy:mitre-intrusion-set=\"Carbanak - G0008\"", "misp-galaxy:mitre-malware=\"Carbanak - S0030\"", "misp-galaxy:threat-actor=\"Anunak\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7 - G0046\"", "misp-galaxy:mitre-intrusion-set=\"FIN7\"", "misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"", "ecsirt:intrusions=\"backdoor\"", "veris:action:malware:variety=\"Backdoor\"", "ms-caro-malware:malware-type=\"Backdoor\"", "ms-caro-malware-full:malware-type=\"Backdoor\"", "circl:incident-classification=\"malware\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd1464b-5c38-40b2-bab2-44a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T08:48:11.000Z", "modified": "2019-05-07T08:48:11.000Z", "first_observed": "2019-05-07T08:48:11Z", "last_observed": "2019-05-07T08:48:11Z", "number_observed": 1, "object_refs": [ "url--5cd1464b-5c38-40b2-bab2-44a3950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cd1464b-5c38-40b2-bab2-44a3950d210f", "value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd1464b-f590-4342-96f5-4204950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T08:48:11.000Z", "modified": "2019-05-07T08:48:11.000Z", "first_observed": "2019-05-07T08:48:11Z", "last_observed": "2019-05-07T08:48:11Z", "number_observed": 1, "object_refs": [ "url--5cd1464b-f590-4342-96f5-4204950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cd1464b-f590-4342-96f5-4204950d210f", "value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd1464b-6008-4101-a704-4016950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T08:48:11.000Z", "modified": "2019-05-07T08:48:11.000Z", "first_observed": "2019-05-07T08:48:11Z", "last_observed": "2019-05-07T08:48:11Z", "number_observed": 1, "object_refs": [ "url--5cd1464b-6008-4101-a704-4016950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cd1464b-6008-4101-a704-4016950d210f", "value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T08:48:11.000Z", "modified": "2019-05-07T08:48:11.000Z", "first_observed": "2019-05-07T08:48:11Z", "last_observed": "2019-05-07T08:48:11Z", "number_observed": 1, "object_refs": [ "url--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f", "value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-c808-4674-8acc-41f8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity", "pattern": "[domain-name:value = 'comixed.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-3210-4ab0-9d58-4e65950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.146.180.40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-9b74-4426-838f-44e7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Active", "pattern": "[domain-name:value = 'aaaabbbbccccc.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-8f68-448a-83bf-40c8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Commented out - Threat Group Association: FIN7", "pattern": "[domain-name:value = 'stats10-google.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-6860-4dc8-a3f9-42c3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Commented out", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.25.84.223']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-8a48-4dbf-886f-4ee9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Active", "pattern": "[domain-name:value = 'qwqreererwere.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-e23c-4ee0-b712-465d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity", "pattern": "[domain-name:value = 'akamai-technologies.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-78d4-45fd-b116-411e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Compiled", "pattern": "[domain-name:value = 'hhklhlkhkjhjkjk.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18a3a-f414-49d6-b595-44b3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:38:02.000Z", "modified": "2019-05-07T13:38:02.000Z", "description": "Status: Compiled - Threat Group Association: DNS infrastructure overlap with later FIN7 associated POWERSOURCE activity", "pattern": "[domain-name:value = 'aaa.stage.4463714.news.meteonovosti.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5cd27588-6cbc-4373-a9d7-4e5d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T06:22:00.000Z", "modified": "2019-05-08T06:22:00.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "CARBANAK is one of the most full-featured backdoors around. It was used to perpetrate millions of dollars in financial crimes, largely by the group we track as FIN7. In 2017, Tom Bennett and Barry Vengerik published Behind the CARBANAK Backdoor, which was the product of a deep and broad analysis of CARBANAK samples and FIN7 activity across several years. On the heels of that publication, our colleague Nick Carr uncovered a pair of RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie)." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd28d32-4770-466b-b8c6-4655e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T08:02:58.000Z", "modified": "2019-05-08T08:02:58.000Z", "first_observed": "2019-05-08T08:02:58Z", "last_observed": "2019-05-08T08:02:58Z", "number_observed": 1, "object_refs": [ "network-traffic--5cd28d32-4770-466b-b8c6-4655e387cbd9", "ipv4-addr--5cd28d32-4770-466b-b8c6-4655e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5cd28d32-4770-466b-b8c6-4655e387cbd9", "src_ref": "ipv4-addr--5cd28d32-4770-466b-b8c6-4655e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5cd28d32-4770-466b-b8c6-4655e387cbd9", "value": "107.181.155.151" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T08:03:01.000Z", "modified": "2019-05-08T08:03:01.000Z", "first_observed": "2019-05-08T08:03:01Z", "last_observed": "2019-05-08T08:03:01Z", "number_observed": 1, "object_refs": [ "network-traffic--5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "ipv4-addr--5cd28d35-7a48-4b05-b933-4fd2e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "src_ref": "ipv4-addr--5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5cd28d35-7a48-4b05-b933-4fd2e387cbd9", "value": "23.253.126.58" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd14a64-a478-4a1d-bcaa-4af8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T09:05:40.000Z", "modified": "2019-05-07T09:05:40.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.193.252.151') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'vds2.system-host.net') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-26T14:49:12']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T09:05:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd14f02-6a40-4948-8120-41b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T09:25:22.000Z", "modified": "2019-05-07T09:25:22.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.180.196.35') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'customer.clientshostname.com') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-24T07:44:30']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T09:25:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd14f7c-ed6c-4396-a8b8-48e9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T09:27:24.000Z", "modified": "2019-05-07T09:27:24.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.227.155.8') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-24T04:33:52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T09:27:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd14fc8-cc7c-46e2-8498-456e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T09:28:40.000Z", "modified": "2019-05-07T09:28:40.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.156.133.69') AND network-traffic:dst_port = '443' AND network-traffic:end = '2018-11-15T10:27:07']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T09:28:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd15297-7048-4712-9572-4258950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T09:40:39.000Z", "modified": "2019-05-07T09:40:39.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.172.241') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-27T13:24:36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T09:40:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd152e1-b8a0-4bcf-9ea3-4ca4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T09:41:53.000Z", "modified": "2019-05-07T09:41:53.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.230.199.227') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-27T13:24:36']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T09:41:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd15d47-ed54-49b9-aeaa-4471950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T10:26:15.000Z", "modified": "2019-05-07T10:26:15.000Z", "description": "Status: Commented out", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.1.212.100') AND network-traffic:dst_port = '700']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T10:26:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd15d6a-b964-4779-8f3a-43b5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T10:26:50.000Z", "modified": "2019-05-07T10:26:50.000Z", "description": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.138.98.105') AND network-traffic:dst_port = '710']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T10:26:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd1837d-0694-4391-8cb9-364f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:09:17.000Z", "modified": "2019-05-07T13:09:17.000Z", "description": "Status: Commented out", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.84.49.50') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:09:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd18724-ce4c-410f-95db-b3d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:24:52.000Z", "modified": "2019-05-07T13:24:52.000Z", "description": "Status: Commented out", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '52.11.125.44') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:24:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd18771-bac0-47c3-9a8c-a966950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:26:09.000Z", "modified": "2019-05-07T13:26:09.000Z", "first_observed": "2019-05-07T13:26:09Z", "last_observed": "2019-05-07T13:26:09Z", "number_observed": 1, "object_refs": [ "network-traffic--5cd18771-bac0-47c3-9a8c-a966950d210f", "ipv4-addr--5cd18771-9f18-4005-a613-a966950d210f" ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"False\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5cd18771-bac0-47c3-9a8c-a966950d210f", "dst_ref": "ipv4-addr--5cd18771-9f18-4005-a613-a966950d210f", "dst_port": 700, "protocols": [ "ipv4" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5cd18771-9f18-4005-a613-a966950d210f", "value": "192.168.0.100" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd187b5-1eb8-474a-ae22-a97c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:27:17.000Z", "modified": "2019-05-07T13:27:17.000Z", "first_observed": "2019-05-07T13:27:17Z", "last_observed": "2019-05-07T13:27:17Z", "number_observed": 1, "object_refs": [ "network-traffic--5cd187b5-1eb8-474a-ae22-a97c950d210f", "ipv4-addr--5cd187b5-d93c-4c9a-9658-a97c950d210f" ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"False\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5cd187b5-1eb8-474a-ae22-a97c950d210f", "dst_ref": "ipv4-addr--5cd187b5-d93c-4c9a-9658-a97c950d210f", "dst_port": 700, "protocols": [ "ipv4" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5cd187b5-d93c-4c9a-9658-a97c950d210f", "value": "192.168.0.100" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd189c9-dd18-4b41-9ad4-b3d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-07T13:36:09.000Z", "modified": "2019-05-07T13:36:09.000Z", "description": "Status: Active - Threat Group Association: Earlier CARBANAK activity", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.203.48.23') AND network-traffic:dst_port = '800']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-07T13:36:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }