{
|
|
"type": "bundle",
|
|
"id": "bundle--55014970-d82c-4b60-ba8e-0958950d210b",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T09:10:31.000Z",
|
|
"modified": "2015-03-12T09:10:31.000Z",
|
|
"name": "CthulhuSPRL.be",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--55014970-d82c-4b60-ba8e-0958950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T09:10:31.000Z",
|
|
"modified": "2015-03-12T09:10:31.000Z",
|
|
"name": "OSINT Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware by Citizen Lab",
|
|
"published": "2015-03-12T10:27:51Z",
|
|
"object_refs": [
|
|
"observed-data--5501497e-f5b4-4d6b-92bf-0ff5950d210b",
|
|
"url--5501497e-f5b4-4d6b-92bf-0ff5950d210b",
|
|
"x-misp-attribute--55014987-3a78-406d-aa41-9778950d210b",
|
|
"observed-data--55014abc-9460-4b8b-a820-42d2950d210b",
|
|
"email-message--55014abc-9460-4b8b-a820-42d2950d210b",
|
|
"file--55014abc-9460-4b8b-a820-42d2950d210b",
|
|
"indicator--55014ad9-d5b8-4fe7-bf8a-1c3d950d210b",
|
|
"indicator--55014ad9-e458-4f10-b3ac-1c3d950d210b",
|
|
"indicator--55014ad9-a528-4287-a16c-1c3d950d210b",
|
|
"indicator--55014af5-d320-4de2-b480-0958950d210b",
|
|
"indicator--55014af5-5ea8-43de-8acb-0958950d210b",
|
|
"indicator--55014af5-d6f4-4664-96ed-0958950d210b",
|
|
"x-misp-attribute--55014b5b-1f84-4f2c-be35-4822950d210b",
|
|
"x-misp-attribute--55014b8b-151c-42a3-a79f-0ff5950d210b",
|
|
"x-misp-attribute--55014b8b-d5dc-499f-9195-0ff5950d210b",
|
|
"indicator--55014bbd-ba10-4461-adaf-094a950d210b",
|
|
"indicator--55014bbd-ead8-48e6-bc6b-094a950d210b",
|
|
"indicator--55014c70-ccec-4df0-aef8-1c3d950d210b",
|
|
"indicator--55014c70-a0ec-449f-a810-1c3d950d210b",
|
|
"indicator--55014c8e-3628-4ee7-88df-0959950d210b",
|
|
"indicator--55014cb9-e1b0-4579-8dac-9778950d210b",
|
|
"indicator--55014cd5-a430-42d2-a64a-0958950d210b",
|
|
"indicator--55014ce9-1a58-4546-8f32-0ff5950d210b",
|
|
"indicator--55014d39-e548-4875-8c18-9778950d210b",
|
|
"indicator--55014d39-d250-462a-ac15-9778950d210b",
|
|
"indicator--55014d61-8b34-4970-879e-0958950d210b",
|
|
"indicator--55014d61-80e0-4a38-96f4-0958950d210b",
|
|
"indicator--55014d61-edf4-4c05-99e9-0958950d210b",
|
|
"indicator--55014d7e-02e4-48a2-9e51-9778950d210b",
|
|
"indicator--55014d7e-1624-4baf-8040-9778950d210b",
|
|
"indicator--55014d7e-7a88-4f1e-af39-9778950d210b",
|
|
"indicator--55014da1-60c4-4a27-8eba-2983950d210b",
|
|
"indicator--55014da1-c904-4a5f-8b8d-2983950d210b",
|
|
"indicator--55014da2-1340-4185-a32c-2983950d210b"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5501497e-f5b4-4d6b-92bf-0ff5950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:08:30.000Z",
|
|
"modified": "2015-03-12T08:08:30.000Z",
|
|
"first_observed": "2015-03-12T08:08:30Z",
|
|
"last_observed": "2015-03-12T08:08:30Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5501497e-f5b4-4d6b-92bf-0ff5950d210b"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5501497e-f5b4-4d6b-92bf-0ff5950d210b",
|
|
"value": "https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--55014987-3a78-406d-aa41-9778950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:08:39.000Z",
|
|
"modified": "2015-03-12T08:08:39.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Hacking Team"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--55014abc-9460-4b8b-a820-42d2950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:13:48.000Z",
|
|
"modified": "2015-03-12T08:13:48.000Z",
|
|
"first_observed": "2015-03-12T08:13:48Z",
|
|
"last_observed": "2015-03-12T08:13:48Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"email-message--55014abc-9460-4b8b-a820-42d2950d210b",
|
|
"file--55014abc-9460-4b8b-a820-42d2950d210b"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\""
|
|
]
|
|
},
|
|
{
|
|
"type": "email-message",
|
|
"spec_version": "2.1",
|
|
"id": "email-message--55014abc-9460-4b8b-a820-42d2950d210b",
|
|
"is_multipart": true,
|
|
"body_multipart": [
|
|
{
|
|
"body_raw_ref": "file--55014abc-9460-4b8b-a820-42d2950d210b",
|
|
"content_disposition": "attachment; filename='u121Du122Du132B 2007.doc'"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "file",
|
|
"spec_version": "2.1",
|
|
"id": "file--55014abc-9460-4b8b-a820-42d2950d210b",
|
|
"name": "u121Du122Du132B 2007.doc"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014ad9-d5b8-4fe7-bf8a-1c3d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:14:17.000Z",
|
|
"modified": "2015-03-12T08:14:17.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'b2683b3a214cda3f741fe5ff0850e69420d94174852a194ce9fc5f0db05c1633']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:14:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014ad9-e458-4f10-b3ac-1c3d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:14:17.000Z",
|
|
"modified": "2015-03-12T08:14:17.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '03ae6619c2e6dc93d1d3cd218db337aa797b480a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:14:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014ad9-a528-4287-a16c-1c3d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:14:17.000Z",
|
|
"modified": "2015-03-12T08:14:17.000Z",
|
|
"pattern": "[file:hashes.MD5 = '91961aad912dc790943a1cb23b6e8297']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:14:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014af5-d320-4de2-b480-0958950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:14:45.000Z",
|
|
"modified": "2015-03-12T08:14:45.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '5509462906e832350ea48f37e2e399669214c90b18023c94949036b254f7a681']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:14:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014af5-5ea8-43de-8acb-0958950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:14:45.000Z",
|
|
"modified": "2015-03-12T08:14:45.000Z",
|
|
"pattern": "[file:hashes.SHA1 = 'f9bebcc72bf7bb51e3e3cbd002bf7f8eea398f2c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:14:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014af5-d6f4-4664-96ed-0958950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:14:45.000Z",
|
|
"modified": "2015-03-12T08:14:45.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'f6a793a177447e3cab4108a707db65cd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:14:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--55014b5b-1f84-4f2c-be35-4822950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:16:27.000Z",
|
|
"modified": "2015-03-12T08:16:27.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "The payload is signed by the following code signing certificate:\r\n\r\nSerial Number: 4fc13d6220c629043a26f81b1cad72d8\r\n\r\nIssuer\r\nCN = Certum Level III CA\r\nOU = Certum Certification Authority\r\nO = Unizeto Technologies S.A.\r\nC = PL\r\n\r\nSubject\r\nE = meicunge@gmail.com\r\nCN = Open Source Developer, meicun ge\r\nO = Meicun Ge\r\nC = CN"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--55014b8b-151c-42a3-a79f-0ff5950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:17:15.000Z",
|
|
"modified": "2015-03-12T08:17:15.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"Attribution\""
|
|
],
|
|
"x_misp_category": "Attribution",
|
|
"x_misp_comment": "Code signing certificate subject email",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "meicunge@gmail.com"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--55014b8b-d5dc-499f-9195-0ff5950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:17:33.000Z",
|
|
"modified": "2015-03-12T08:17:33.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"Attribution\""
|
|
],
|
|
"x_misp_category": "Attribution",
|
|
"x_misp_comment": "Code signing certificate serial number",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "4fc13d6220c629043a26f81b1cad72d8"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014bbd-ba10-4461-adaf-094a950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:18:05.000Z",
|
|
"modified": "2015-03-12T08:18:05.000Z",
|
|
"description": "Samples on VT signed with same certificate",
|
|
"pattern": "[file:hashes.SHA256 = 'e5cc130dbea95c78cf88807852fad7dcca3a1d6bd7ec86488b6157ba3451a0c9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:18:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014bbd-ead8-48e6-bc6b-094a950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:18:05.000Z",
|
|
"modified": "2015-03-12T08:18:05.000Z",
|
|
"description": "Samples on VT signed with same certificate",
|
|
"pattern": "[file:hashes.SHA256 = '299f1f25c268d814a85b37fb36e83b891b094baee95c8b739c04b5c134db84c8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:18:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014c70-ccec-4df0-aef8-1c3d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:21:04.000Z",
|
|
"modified": "2015-03-12T08:21:04.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.74.178.202']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:21:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014c70-a0ec-449f-a810-1c3d950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:21:04.000Z",
|
|
"modified": "2015-03-12T08:21:04.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.74.178.203']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:21:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014c8e-3628-4ee7-88df-0959950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:21:34.000Z",
|
|
"modified": "2015-03-12T08:21:34.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.4.69.25']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:21:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014cb9-e1b0-4579-8dac-9778950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:22:17.000Z",
|
|
"modified": "2015-03-12T08:22:17.000Z",
|
|
"pattern": "[email-message:from_ref.value = 'fretar19@yahoo.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:22:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014cd5-a430-42d2-a64a-0958950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:22:45.000Z",
|
|
"modified": "2015-03-12T08:22:45.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '197.156.68.130']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:22:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014ce9-1a58-4546-8f32-0ff5950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:23:05.000Z",
|
|
"modified": "2015-03-12T08:23:05.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '216.118.233.250']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:23:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014d39-e548-4875-8c18-9778950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:24:25.000Z",
|
|
"modified": "2015-03-12T08:24:25.000Z",
|
|
"pattern": "[email-message:body_multipart[*].body_raw_ref.name = 'Seminar Anti G7 Movement.doc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:24:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014d39-d250-462a-ac15-9778950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:24:25.000Z",
|
|
"modified": "2015-03-12T08:24:25.000Z",
|
|
"pattern": "[email-message:body_multipart[*].body_raw_ref.name = 'Please save our dad from execution.doc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:24:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-attachment\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014d61-8b34-4970-879e-0958950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:25:05.000Z",
|
|
"modified": "2015-03-12T08:25:05.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '47f9a2daa161eeb0f7c88af92d3b346ee140ffbb0c310d0e6fbc7c91d42faace']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:25:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014d61-80e0-4a38-96f4-0958950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:25:05.000Z",
|
|
"modified": "2015-03-12T08:25:05.000Z",
|
|
"pattern": "[file:hashes.SHA1 = 'b39dcf93c88d202a582ab4a589cacae3e5d6650c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:25:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014d61-edf4-4c05-99e9-0958950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:25:05.000Z",
|
|
"modified": "2015-03-12T08:25:05.000Z",
|
|
"pattern": "[file:hashes.MD5 = '4faeaed1065815e40bc7c4d9b943f439']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:25:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014d7e-02e4-48a2-9e51-9778950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:25:34.000Z",
|
|
"modified": "2015-03-12T08:25:34.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'af6137a1fe785cc865ea5ba2310cb81b4c6996f224dda2425d0c5b6995983e3d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:25:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014d7e-1624-4baf-8040-9778950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:25:34.000Z",
|
|
"modified": "2015-03-12T08:25:34.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '519bb2b2c3d0c7e67be735c4d384d832fcc89d67']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:25:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014d7e-7a88-4f1e-af39-9778950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:25:34.000Z",
|
|
"modified": "2015-03-12T08:25:34.000Z",
|
|
"pattern": "[file:hashes.MD5 = '3a7ef9a8c216bcdbbfecef934196d9c1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:25:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014da1-60c4-4a27-8eba-2983950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:26:09.000Z",
|
|
"modified": "2015-03-12T08:26:09.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '84f87c6d85211fe7c7f7fb1321e7f4db917bc6a7f2e51b7a8357fb4351b5a58d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:26:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014da1-c904-4a5f-8b8d-2983950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:26:09.000Z",
|
|
"modified": "2015-03-12T08:26:09.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '669246636ec6e3422a81ee2cb77c78c8420f9006']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:26:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--55014da2-1340-4185-a32c-2983950d210b",
|
|
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
|
|
"created": "2015-03-12T08:26:10.000Z",
|
|
"modified": "2015-03-12T08:26:10.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b7f54924450ae0675ce67c5edad1f243']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2015-03-12T08:26:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Artifacts dropped"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Artifacts dropped\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:GREEN",
|
|
"definition": {
|
|
"tlp": "green"
|
|
}
|
|
}
|
|
]
|
|
} |