{ "type": "bundle", "id": "bundle--5d9b5933-964c-433c-b84f-4c680a2fe004", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2021-05-24T10:03:35.000Z", "modified": "2021-05-24T10:03:35.000Z", "name": "MiSOC", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5d9b5933-964c-433c-b84f-4c680a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2021-05-24T10:03:35.000Z", "modified": "2021-05-24T10:03:35.000Z", "name": "Emotet in Depth TTP 10-07-19", "published": "2020-06-17T01:40:12Z", "object_refs": [ "indicator--5d9b5bdf-36e8-494f-9bda-4522a63f8736", "indicator--5d9b5bdf-b5ac-4550-8ee8-4491a63f8736", "indicator--5d9b5bdf-b0a8-4c75-a2b0-49b4a63f8736", "indicator--5d9b5bdf-b654-4401-9164-4f6ba63f8736", "indicator--5d9b5bdf-9bf0-4a3f-8387-404ca63f8736", "indicator--5da79ead-879c-49ef-846b-315974656a8a", "indicator--5da79ead-325c-4d0b-a401-315974656a8a", "indicator--5da79ead-7ae4-4276-abff-315974656a8a", "indicator--5da79ead-90e4-4122-9476-315974656a8a", "indicator--5da79ead-f444-4981-917b-315974656a8a", "indicator--5da79ead-558c-4548-a83c-315974656a8a", "indicator--5da79ead-3d98-416c-9ff5-315974656a8a", "indicator--5da79ead-94f8-4ae2-9a3b-315974656a8a", "indicator--5da79ead-4208-483c-badc-315974656a8a", "indicator--5da79ead-e7d4-4ece-94ac-315974656a8a", "indicator--5da79ead-3188-4a7f-8e13-315974656a8a", "indicator--5da79ead-9f88-43a2-9b73-315974656a8a", "indicator--5da79ead-5b0c-49d0-802a-315974656a8a", "indicator--5da79ead-4e48-4b7d-ba67-315974656a8a", "indicator--5da79ead-47a0-4480-a429-315974656a8a", "indicator--5da79ead-6acc-48a8-abba-315974656a8a", "indicator--5da79ead-04f8-46df-bf49-315974656a8a", "indicator--5da79ead-cb88-445a-8eaa-315974656a8a", "indicator--5da79ead-3910-4501-8065-315974656a8a", "indicator--5da79ead-4910-4e43-9939-315974656a8a", "indicator--5da79ead-55f8-4fd0-807a-315974656a8a", "indicator--5da79ead-24e0-4062-9bba-315974656a8a", "indicator--5da79ead-560c-4070-b46f-315974656a8a", "indicator--5da79ead-dec8-4574-9ced-315974656a8a", "indicator--5da79ead-048c-4da7-92c0-315974656a8a", "observed-data--5df8d9e5-f7a0-45b8-87c3-45ea950d210f", "url--5df8d9e5-f7a0-45b8-87c3-45ea950d210f", "indicator--5d9b5a7c-7204-4384-9512-48970a2fe004", "indicator--5d9b5aa8-9a10-4649-bfd4-4dff0a2fe004", "indicator--5d9b6d2a-f048-4333-a71b-4f830a2fe004", "indicator--5d9b80b5-67ac-4570-8958-4ea90a2fe004", "indicator--5d9b8142-6bd0-484e-8a8f-43410a2fe004", "indicator--5d9b8162-9658-45ba-897f-4cdd0a2fe004", "indicator--5d9b817a-8320-4f3b-afee-43650a2fe004", "indicator--5d9b8302-b1ec-49b1-8c31-46d50a2fe004", "indicator--5d9b8343-9d98-442f-b331-4a9a0a2fe004" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "Emotet", "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", "misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"", "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"", "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"", "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"", "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"", "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"", "misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"", "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"", "misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"", "misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"", "misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"", "misp-galaxy:mitre-tool=\"Empire - S0363\"", "misp-galaxy:tool=\"Emotet\"", "misp-galaxy:mitre-tool=\"Cobalt Strike - S0154\"", "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"", "misp-galaxy:mitre-attack-pattern=\"New Service - T1050\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b5bdf-36e8-494f-9bda-4522a63f8736", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T15:38:07.000Z", "modified": "2019-10-07T15:38:07.000Z", "description": "Maldoc 1st stage Download URL's", "pattern": "[url:value = 'http://dulich.goasiatravel.com/calendar/u8hsm_46c4yi-6024747470/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T15:38:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b5bdf-b5ac-4550-8ee8-4491a63f8736", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T15:38:07.000Z", "modified": "2019-10-07T15:38:07.000Z", "description": "Maldoc 1st stage Download URL's", "pattern": "[url:value = 'https://drewnianazagroda.pl/c0nm/PtlOoIWOzs/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T15:38:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b5bdf-b0a8-4c75-a2b0-49b4a63f8736", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T15:38:07.000Z", "modified": "2019-10-07T15:38:07.000Z", "description": "Maldoc 1st stage Download URL's", "pattern": "[url:value = 'http://latestgovernment.com/pramodchoudhary.examqualify.com/CKBOIhWtjs/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T15:38:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b5bdf-b654-4401-9164-4f6ba63f8736", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T15:38:07.000Z", "modified": "2019-10-07T15:38:07.000Z", "description": "Maldoc 1st stage Download URL's", "pattern": "[url:value = 'https://kurumsalinternetsitesi.com/wp-content/wgSCKDClY/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T15:38:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b5bdf-9bf0-4a3f-8387-404ca63f8736", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T15:38:07.000Z", "modified": "2019-10-07T15:38:07.000Z", "description": "Maldoc 1st stage Download URL's", "pattern": "[url:value = 'https://edealsadvisor.com/wp-includes/ZqLAroEkK/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T15:38:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-879c-49ef-846b-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://201.184.105.242/ban/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-325c-4d0b-a401-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://201.184.105.242/cone/dma/arizona/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-7ae4-4276-abff-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://201.184.105.242/health/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-90e4-4122-9476-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://201.184.105.242/iplk/enable/loadan/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-f444-4981-917b-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://201.184.105.242/loadan/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-558c-4548-a83c-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://201.184.105.242/sess/pnp/ringin/merge/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-3d98-416c-9ff5-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://201.184.105.242/site/vermont/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-94f8-4ae2-9a3b-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://201.184.105.242/symbols/schema/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-4208-483c-badc-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://45.123.3.54/badge/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-e7d4-4ece-94ac-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://45.123.3.54/publish/acquire/enabled/merge/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-3188-4a7f-8e13-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://45.123.3.54/site/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-9f88-43a2-9b73-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://80.79.23.144/free/schema/scripts/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-5b0c-49d0-802a-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://80.79.23.144/results/cone/window/merge/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-4e48-4b7d-ba67-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://80.79.23.144/splash/prov/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-47a0-4480-a429-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://104.131.11.150/cookies/usbccid/enabled/merge/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-6acc-48a8-abba-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://104.131.11.150/dma/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-04f8-46df-bf49-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://104.131.11.150/img/enabled/scripts/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-cb88-445a-8eaa-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://142.44.162.209/pnp/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-3910-4501-8065-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://142.44.162.209/report/chunk/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-4910-4e43-9939-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://142.44.162.209/results/glitch/merge/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-55f8-4fd0-807a-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://178.254.6.27/site/results/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-24e0-4062-9bba-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://178.254.6.27/stubs/pnp/window/merge/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-560c-4070-b46f-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://178.254.6.27/taskbar/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-dec8-4574-9ced-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://192.254.173.31/child/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5da79ead-048c-4da7-92c0-315974656a8a", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-16T22:50:21.000Z", "modified": "2019-10-16T22:50:21.000Z", "pattern": "[url:value = 'http://192.254.173.31/json/add/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-16T22:50:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5df8d9e5-f7a0-45b8-87c3-45ea950d210f", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-12-17T13:36:37.000Z", "modified": "2019-12-17T13:36:37.000Z", "first_observed": "2019-12-17T13:36:37Z", "last_observed": "2019-12-17T13:36:37Z", "number_observed": 1, "object_refs": [ "url--5df8d9e5-f7a0-45b8-87c3-45ea950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5df8d9e5-f7a0-45b8-87c3-45ea950d210f", "value": "https://github.com/Hestat/intel-sharing/blob/master/powershell-empire-12-16-19/misp.event.7941.json" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b5a7c-7204-4384-9512-48970a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T15:32:12.000Z", "modified": "2019-10-07T15:32:12.000Z", "description": "Selected Malware Document for sandbox run", "pattern": "[file:hashes.MD5 = '9ce5126ffcbc936ad6c0155763898f19' AND file:hashes.SHA1 = '284534ae3c3ca467f098115d07cd7e14cbec9583' AND file:hashes.SHA256 = 'dd007df90f91857a9efe65008cf015f7955ff05a5b243017e4931087f5742355' AND file:name = 'SCAN_10079460983_IB_1007.doc' AND file:size = '175104' AND (file:content_ref.x_misp_filename = 'SCAN_10079460983_IB_1007.doc' AND file:content_ref.hashes.MD5 = '9ce5126ffcbc936ad6c0155763898f19' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T15:32:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b5aa8-9a10-4649-bfd4-4dff0a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T15:32:56.000Z", "modified": "2019-10-07T15:32:56.000Z", "description": "Cobalt strike payload called by powershell", "pattern": "[file:hashes.MD5 = '26017e97acce09276f3b4c6800dec256' AND file:hashes.SHA1 = 'b49b6719495f8398f72e18c0e9450feacb0f9bd9' AND file:hashes.SHA256 = '3306d41a09840db2e94e7497c911e8d61d15776b44346f02bbb6a88f5bd51caa' AND file:name = 'ikillyou.txt' AND file:size = '2789' AND (file:content_ref.x_misp_filename = 'ikillyou.txt' AND file:content_ref.hashes.MD5 = '26017e97acce09276f3b4c6800dec256' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T15:32:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b6d2a-f048-4333-a71b-4f830a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T16:51:54.000Z", "modified": "2019-10-07T16:51:54.000Z", "pattern": "[(file:content_ref.x_misp_filename = '26017e97acce09276f3b4c6800dec256_unzipped_decoded.zip' AND file:content_ref.hashes.MD5 = '0e8c5174646dcd87ac893271b80c9633' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T16:51:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b80b5-67ac-4570-8958-4ea90a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T18:15:17.000Z", "modified": "2019-10-07T18:15:17.000Z", "description": "Emotet Exe", "pattern": "[file:hashes.MD5 = '9afcbf6f4f13a40791d368df767b4304' AND file:hashes.SHA1 = '019a178ee95b34980a2f07ee624528de5f4eae44' AND file:hashes.SHA256 = '16d007d650d117c68da005747378f16cebe820e75a2565be70602fad2cb6e1fe' AND file:name = 'pixelproc.exe' AND file:size = '221184' AND (file:content_ref.x_misp_filename = 'pixelproc.exe' AND file:content_ref.hashes.MD5 = '9afcbf6f4f13a40791d368df767b4304' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T18:15:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"", "misp-galaxy:tool=\"Emotet\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b8142-6bd0-484e-8a8f-43410a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T18:17:38.000Z", "modified": "2019-10-07T18:17:38.000Z", "description": "Trickbot Exe", "pattern": "[file:hashes.MD5 = '9240845226d22642cbe5e0d39205d869' AND file:hashes.SHA1 = '10dae0bced984456d3d7a2b059cd71a4762f1c5b' AND file:hashes.SHA256 = '4cbe34dc9928a6b93786a69bea92b3df0e04fd67d116fc1746d817496314de9e' AND file:name = '.exe' AND file:size = '393309' AND (file:content_ref.x_misp_filename = '.exe' AND file:content_ref.hashes.MD5 = '9240845226d22642cbe5e0d39205d869' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T18:17:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b8162-9658-45ba-897f-4cdd0a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T18:18:10.000Z", "modified": "2019-10-07T18:18:10.000Z", "description": "Trickbot artifact", "pattern": "[file:hashes.MD5 = '03dfc482ccecbbbc16c5c208ae55d49a' AND file:hashes.SHA1 = '46b1ad83e2bbf22b08462656e979bca53afff6ba' AND file:hashes.SHA256 = 'e23033b26e459f6987fb65b9dd8a975a14c2ea9d903a720d4a67a32d43bff293' AND file:name = 'settings.ini' AND file:size = '63950' AND (file:content_ref.x_misp_filename = 'settings.ini' AND file:content_ref.hashes.MD5 = '03dfc482ccecbbbc16c5c208ae55d49a' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T18:18:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b817a-8320-4f3b-afee-43650a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T18:18:34.000Z", "modified": "2019-10-07T18:18:34.000Z", "description": "Exchange DB file from trickbot", "pattern": "[file:hashes.MD5 = 'b65e8c666af6ff39c67552e0c98f55d5' AND file:hashes.SHA1 = '844ce6691b66a81237a592ec6bd2c59c8dbd52a0' AND file:hashes.SHA256 = '2826263cc5a3199167970f988c628c177ec45cee60618ae40e9fe84ec9167b73' AND file:name = 'grabber_temp.INTEG.RAW' AND file:size = '138246' AND (file:content_ref.x_misp_filename = 'grabber_temp.INTEG.RAW' AND file:content_ref.hashes.MD5 = 'b65e8c666af6ff39c67552e0c98f55d5' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T18:18:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b8302-b1ec-49b1-8c31-46d50a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T18:25:06.000Z", "modified": "2019-10-07T18:25:06.000Z", "description": "Cobalt Strike C2 Server", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '144.202.75.93') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T18:25:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d9b8343-9d98-442f-b331-4a9a0a2fe004", "created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45", "created": "2019-10-07T18:26:11.000Z", "modified": "2019-10-07T18:26:11.000Z", "description": "Powershell Empire C2", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.200.102.245') AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-10-07T18:26:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }