adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/552e76b6-3b44-410e-a0a9-4fec950d210b.json

1157 lines
No EOL
48 KiB
JSON
Raw Permalink Blame History

{
"type": "bundle",
"id": "bundle--552e76b6-3b44-410e-a0a9-4fec950d210b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T15:12:41.000Z",
"modified": "2015-04-15T15:12:41.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--552e76b6-3b44-410e-a0a9-4fec950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T15:12:41.000Z",
"modified": "2015-04-15T15:12:41.000Z",
"name": "OSINT Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets by Palo Alto Unit42",
"published": "2017-11-20T14:59:37Z",
"object_refs": [
"observed-data--552e76cd-5a6c-4b3f-aec9-47d1950d210b",
"url--552e76cd-5a6c-4b3f-aec9-47d1950d210b",
"x-misp-attribute--552e76db-3ebc-4327-9550-494a950d210b",
"observed-data--552e76fb-e018-49be-97dc-4cd9950d210b",
"url--552e76fb-e018-49be-97dc-4cd9950d210b",
"indicator--552e79a3-0ea4-4d0b-8d76-44b8950d210b",
"indicator--552e79a3-0e0c-4f40-a40c-4b59950d210b",
"indicator--552e79a3-3b78-4e06-bae5-4a96950d210b",
"indicator--552e79a3-c120-47fa-83d8-450d950d210b",
"indicator--552e7b3c-c450-426d-9943-4cce950d210b",
"x-misp-attribute--552e7b51-39a0-48d3-ad1f-4a62950d210b",
"indicator--552e7b5f-957c-4e45-8481-1539950d210b",
"indicator--552e7b94-e1dc-4594-9221-4592950d210b",
"indicator--552e7b94-2958-4692-a665-452f950d210b",
"indicator--552e7b95-0a3c-4522-8850-4805950d210b",
"indicator--552e7b95-f2cc-4a4e-8f4b-45c1950d210b",
"indicator--552e7bb2-d774-42b7-94b6-47d6950d210b",
"indicator--552e7bc6-5210-4bc3-9c59-4cf4950d210b",
"indicator--552e7bdb-eb54-485d-aee5-1534950d210b",
"indicator--552e7bfa-c7f8-4207-92dd-4cb1950d210b",
"indicator--552e7c0d-8e70-4165-85a4-4fb8950d210b",
"indicator--552e7c55-d884-4920-8b49-4843950d210b",
"indicator--552e7c71-9a24-4abe-aef2-1534950d210b",
"indicator--552e7c9e-207c-4efc-bf4a-403c950d210b",
"indicator--552e7cae-34e8-4e05-9cee-4b50950d210b",
"indicator--552e7cc6-2928-42c4-ab4a-468c950d210b",
"indicator--552e7d5d-cdec-4afb-a0ae-484b950d210b",
"indicator--552e7fe9-4294-4638-954e-2d3d950d210b",
"indicator--56c65a7c-1364-4f10-a9c9-c652950d210f",
"indicator--56c65a7e-ca60-48d9-a6a1-5f51950d210f",
"indicator--56c65a80-01d8-42ca-b19d-599e950d210f",
"indicator--56c65a7d-8344-42ac-8777-c651950d210f",
"indicator--56c65a7f-25cc-4ced-b707-599f950d210f",
"indicator--56c65a81-0c80-4738-8bfa-c650950d210f",
"indicator--59b15050-20b4-4439-bab6-4cd5950d210f",
"indicator--59b14f9f-34e0-4d67-a264-429c950d210f",
"indicator--59b14f3d-6e74-4d60-bbf6-fc46950d210f",
"indicator--59b14d83-618c-4a64-925a-43ad950d210f",
"x-misp-attribute--59b15148-7220-4e76-a29d-4638950d210f",
"indicator--59b151ae-6c70-461a-8aa1-430f950d210f",
"x-misp-attribute--59b151eb-c048-4ae7-af03-4e28950d210f",
"indicator--59b1521b-a8d4-4a9c-a26e-4fac950d210f",
"x-misp-attribute--59b155bb-9a94-4af4-baba-4472950d210f",
"x-misp-attribute--59b15546-37f4-4980-bd47-4976950d210f",
"x-misp-attribute--59b1537d-79c4-456b-bec4-4f9b950d210f",
"indicator--59b1530e-77e4-4484-9645-4972950d210f",
"indicator--59b1529d-2ab0-429b-a8ae-45e8950d210f",
"x-misp-attribute--59b15578-0c2c-445f-a3de-4d1a950d210f",
"indicator--59b1529d-6e80-4824-991b-4be5950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"APT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--552e76cd-5a6c-4b3f-aec9-47d1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:33:49.000Z",
"modified": "2015-04-15T14:33:49.000Z",
"first_observed": "2015-04-15T14:33:49Z",
"last_observed": "2015-04-15T14:33:49Z",
"number_observed": 1,
"object_refs": [
"url--552e76cd-5a6c-4b3f-aec9-47d1950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--552e76cd-5a6c-4b3f-aec9-47d1950d210b",
"value": "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--552e76db-3ebc-4327-9550-494a950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:34:03.000Z",
"modified": "2015-04-15T14:34:03.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "DragonOK"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--552e76fb-e018-49be-97dc-4cd9950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:34:35.000Z",
"modified": "2015-04-15T14:34:35.000Z",
"first_observed": "2015-04-15T14:34:35Z",
"last_observed": "2015-04-15T14:34:35Z",
"number_observed": 1,
"object_refs": [
"url--552e76fb-e018-49be-97dc-4cd9950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--552e76fb-e018-49be-97dc-4cd9950d210b",
"value": "https://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-entanglement.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e79a3-0ea4-4d0b-8d76-44b8950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:45:55.000Z",
"modified": "2015-04-15T14:45:55.000Z",
"pattern": "[url:value = '/news/STravel.asp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:45:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e79a3-0e0c-4f40-a40c-4b59950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:45:55.000Z",
"modified": "2015-04-15T14:45:55.000Z",
"pattern": "[url:value = '/news/SJobs.asp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:45:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e79a3-3b78-4e06-bae5-4a96950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:45:55.000Z",
"modified": "2015-04-15T14:45:55.000Z",
"pattern": "[url:value = '/news/SSports.asp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:45:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e79a3-c120-47fa-83d8-450d950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:45:55.000Z",
"modified": "2015-04-15T14:45:55.000Z",
"pattern": "[url:value = '/news/SWeather.asp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:45:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7b3c-c450-426d-9943-4cce950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:52:44.000Z",
"modified": "2015-04-15T14:52:44.000Z",
"description": "Sysget/HelloBridge",
"pattern": "[domain-name:value = 'biosnews.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:52:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--552e7b51-39a0-48d3-ad1f-4a62950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:53:48.000Z",
"modified": "2015-04-15T14:53:48.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Attribution\""
],
"x_misp_category": "Attribution",
"x_misp_comment": "Debug symbols Sysget/HelloBridge",
"x_misp_type": "text",
"x_misp_value": "D:\\Work\\1021WinInetGEnc1\\Release\\WinInetG.pdb"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7b5f-957c-4e45-8481-1539950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:53:34.000Z",
"modified": "2015-04-15T14:53:34.000Z",
"description": "Sysget/HelloBridge",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.229.234.160']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:53:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7b94-e1dc-4594-9221-4592950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:54:12.000Z",
"modified": "2015-04-15T14:54:12.000Z",
"description": "Sysget/HelloBridge",
"pattern": "[file:hashes.SHA256 = '227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:54:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7b94-2958-4692-a665-452f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:54:12.000Z",
"modified": "2015-04-15T14:54:12.000Z",
"description": "Sysget/HelloBridge",
"pattern": "[file:hashes.SHA256 = '35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:54:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7b95-0a3c-4522-8850-4805950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:54:12.000Z",
"modified": "2015-04-15T14:54:12.000Z",
"description": "Sysget/HelloBridge",
"pattern": "[file:hashes.SHA256 = '0b97ced3fabb14dbffa641d9bd1cc9dd8c97eab9cb6160d43202ee078e017989']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:54:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7b95-f2cc-4a4e-8f4b-45c1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:54:13.000Z",
"modified": "2015-04-15T14:54:13.000Z",
"description": "Sysget/HelloBridge",
"pattern": "[file:hashes.SHA256 = '287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:54:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7bb2-d774-42b7-94b6-47d6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:54:42.000Z",
"modified": "2015-04-15T14:54:42.000Z",
"description": "PlugX",
"pattern": "[file:hashes.SHA256 = '70ac649d31db748c4396a9a3f7a9c619c8d09e6400492ab3447520fb726083c4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:54:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7bc6-5210-4bc3-9c59-4cf4950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:55:02.000Z",
"modified": "2015-04-15T14:55:02.000Z",
"description": "PlugX",
"pattern": "[domain-name:value = 'http.tourecord.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:55:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7bdb-eb54-485d-aee5-1534950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:58:08.000Z",
"modified": "2015-04-15T14:58:08.000Z",
"description": "PlugX & Poison Ivy & FirstFormerRAT",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.20.193.62']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:58:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7bfa-c7f8-4207-92dd-4cb1950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:55:54.000Z",
"modified": "2015-04-15T14:55:54.000Z",
"description": "PoisonIvy",
"pattern": "[file:hashes.SHA256 = '6e95215a52e1cbf4a58cb24c91750151170ea3d59fa9dbfe566e33a2ffc04f4c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:55:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7c0d-8e70-4165-85a4-4fb8950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:56:13.000Z",
"modified": "2015-04-15T14:56:13.000Z",
"description": "Poison Ivy",
"pattern": "[domain-name:value = 'bbs.reweblink.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:56:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7c55-d884-4920-8b49-4843950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:57:35.000Z",
"modified": "2015-04-15T14:57:35.000Z",
"description": "FirstFormerRAT",
"pattern": "[file:name = 'RpcRtRemote.dll' AND file:hashes.SHA256 = 'e68b70eaaf45fa43e726a29ce956f0e6ea26ece51165a1989e22597aebba244f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:57:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7c71-9a24-4abe-aef2-1534950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:57:53.000Z",
"modified": "2015-04-15T14:57:53.000Z",
"pattern": "[domain-name:value = 'https.reweblink.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:57:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7c9e-207c-4efc-bf4a-403c950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:58:38.000Z",
"modified": "2015-04-15T14:58:38.000Z",
"description": "Nflog",
"pattern": "[file:hashes.SHA256 = '64cbcb1f5b8a9d98b3543e3bf342e8c799e0f74f582a5eb0dc383abac7692f63']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:58:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7cae-34e8-4e05-9cee-4b50950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:58:54.000Z",
"modified": "2015-04-15T14:58:54.000Z",
"description": "Nflog",
"pattern": "[domain-name:value = 'new.hotpmsn.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:58:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7cc6-2928-42c4-ab4a-468c950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T14:59:18.000Z",
"modified": "2015-04-15T14:59:18.000Z",
"description": "Nflog",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '58.64.156.140']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T14:59:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7d5d-cdec-4afb-a0ae-484b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T15:01:49.000Z",
"modified": "2015-04-15T15:01:49.000Z",
"description": "NewCT",
"pattern": "[domain-name:value = 'bbs.jpaols.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T15:01:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--552e7fe9-4294-4638-954e-2d3d950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-04-15T15:12:41.000Z",
"modified": "2015-04-15T15:12:41.000Z",
"pattern": "[domain-name:value = 'jpaols.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-04-15T15:12:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65a7c-1364-4f10-a9c9-c652950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:57:48.000Z",
"modified": "2016-02-18T23:57:48.000Z",
"description": "Automatically added (via 227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968)",
"pattern": "[file:hashes.MD5 = '5a656afcd99ffac80db0b256e150e69c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:57:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65a7e-ca60-48d9-a6a1-5f51950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:57:50.000Z",
"modified": "2016-02-18T23:57:50.000Z",
"description": "Automatically added (via 35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae)",
"pattern": "[file:hashes.MD5 = 'da1d2288aab04a4f97d594d8dd2b8249']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:57:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65a80-01d8-42ca-b19d-599e950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:57:52.000Z",
"modified": "2016-02-18T23:57:52.000Z",
"description": "Automatically added (via 287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e)",
"pattern": "[file:hashes.MD5 = '9d10cc1cb4a0fd8d94c02fc5d7ba8bd1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:57:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65a7d-8344-42ac-8777-c651950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:57:49.000Z",
"modified": "2016-02-18T23:57:49.000Z",
"description": "Automatically added (via 227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968)",
"pattern": "[file:hashes.SHA1 = 'd698174f2bee6665edda571865d2d6ce4c9995df']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:57:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65a7f-25cc-4ced-b707-599f950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:57:51.000Z",
"modified": "2016-02-18T23:57:51.000Z",
"description": "Automatically added (via 35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae)",
"pattern": "[file:hashes.SHA1 = '4f405b7d13748327d1d1737c0b050b104a39fba4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:57:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c65a81-0c80-4738-8bfa-c650950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:57:53.000Z",
"modified": "2016-02-18T23:57:53.000Z",
"description": "Automatically added (via 287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e)",
"pattern": "[file:hashes.SHA1 = 'd2e1b0e27d0f134b4bab6bf9437067fdf6a16618']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:57:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b15050-20b4-4439-bab6-4cd5950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T13:57:36.000Z",
"modified": "2017-09-07T13:57:36.000Z",
"description": "Sysget/HelloBrige HTTP GET request in response from a getinto command from the C2 server to download a file",
"pattern": "[url:value = 'http://biosnews.info//index.php?fn=s3&file=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T13:57:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b14f9f-34e0-4d67-a264-429c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T13:54:39.000Z",
"modified": "2017-09-07T13:54:39.000Z",
"description": "Sysget/HelloBridge HTTP POST request in response to a file upload response received from the C2 server",
"pattern": "[url:value = 'http://biosnews.info//index.php?fn=s2&item=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T13:54:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b14f3d-6e74-4d60-bbf6-fc46950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T13:53:01.000Z",
"modified": "2017-09-07T13:53:01.000Z",
"description": "Sysget/HelloBridge Inital dropper HTTP GET request to C2 server",
"pattern": "[url:value = 'http://biosnews.info/index.php?fn=s4&name=']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T13:53:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b14d83-618c-4a64-925a-43ad950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T13:45:39.000Z",
"modified": "2017-09-07T13:45:39.000Z",
"description": "Sysget/HelloBridge configuration file",
"pattern": "[file:name = '\\\\%temp\\\\%\\\\ibmCon6.tmp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T13:45:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59b15148-7220-4e76-a29d-4638950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:01:44.000Z",
"modified": "2017-09-07T14:01:44.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "PlugX - windows-service-displayname",
"x_misp_type": "other",
"x_misp_value": "RasTls"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b151ae-6c70-461a-8aa1-430f950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:03:26.000Z",
"modified": "2017-09-07T14:03:26.000Z",
"description": "PlugX - persistence mechanism",
"pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\RasTls' AND windows-registry-key:values.data = '\\\\%windir\\\\%\\\\system32\\\\svchost.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T14:03:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59b151eb-c048-4ae7-af03-4e28950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:04:27.000Z",
"modified": "2017-09-07T14:04:27.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "Sysget/HelloBridge - event object name",
"x_misp_type": "other",
"x_misp_value": "mcsong[]"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b1521b-a8d4-4a9c-a26e-4fac950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:05:15.000Z",
"modified": "2017-09-07T14:05:15.000Z",
"description": "Sysget/HelloBrisge - persistence mechanism",
"pattern": "[windows-registry-key:key = 'HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run' AND windows-registry-key:values.data = '\\\\%temp\\\\%\\\\notilv.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T14:05:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59b155bb-9a94-4af4-baba-4472950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:20:43.000Z",
"modified": "2017-09-07T14:20:43.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "FormerFirstRAT - hostname|port",
"x_misp_type": "other",
"x_misp_value": "https.reweblink.com|443"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59b15546-37f4-4980-bd47-4976950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:18:46.000Z",
"modified": "2017-09-07T14:18:46.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "FormerFirstRAT - AES-128 encryption key",
"x_misp_type": "other",
"x_misp_value": "tucwatkins"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59b1537d-79c4-456b-bec4-4f9b950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:11:09.000Z",
"modified": "2017-09-07T14:11:09.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "NFlog - event object name",
"x_misp_type": "other",
"x_misp_value": "GoogleZCM"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b1530e-77e4-4484-9645-4972950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:09:18.000Z",
"modified": "2017-09-07T14:09:18.000Z",
"description": "NFlog - persistence mechanism",
"pattern": "[windows-registry-key:key = 'HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\update']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T14:09:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b1529d-2ab0-429b-a8ae-45e8950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:07:25.000Z",
"modified": "2017-09-07T14:07:25.000Z",
"description": "FormerFirstRAT - persistence mechanism",
"pattern": "[windows-registry-key:key = 'HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\WmdmPmSp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T14:07:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59b15578-0c2c-445f-a3de-4d1a950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:19:36.000Z",
"modified": "2017-09-07T14:19:36.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "External analysis",
"x_misp_comment": "FormerFirstRAT - protocol|port for protocol anomaly detection",
"x_misp_type": "other",
"x_misp_value": "HTTP|443"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b1529d-6e80-4824-991b-4be5950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2017-09-07T14:07:25.000Z",
"modified": "2017-09-07T14:07:25.000Z",
"description": "FormerFirstRAT - persistence mechanism",
"pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\WmdmPmSp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-07T14:07:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"regkey\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink