misp-circl-feed/feeds/circl/stix-2.1/56f58bcc-96e4-49d2-bc8b-faf7950d210f.json

312 lines
No EOL
13 KiB
JSON

{
"type": "bundle",
"id": "bundle--56f58bcc-96e4-49d2-bc8b-faf7950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:07:51.000Z",
"modified": "2016-03-25T19:07:51.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--56f58bcc-96e4-49d2-bc8b-faf7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:07:51.000Z",
"modified": "2016-03-25T19:07:51.000Z",
"name": "OSINT - SURGE IN SPAM CAMPAIGN DELIVERING LOCKY RANSOMWARE DOWNLOADERS",
"published": "2016-03-25T19:08:07Z",
"object_refs": [
"observed-data--56f58bf1-3870-4b38-b851-faf0950d210f",
"url--56f58bf1-3870-4b38-b851-faf0950d210f",
"x-misp-attribute--56f58c05-770c-4455-9aaa-46d2950d210f",
"indicator--56f58c18-9e90-4c3c-8985-faf7950d210f",
"indicator--56f58c19-5bf8-4657-b19b-faf7950d210f",
"indicator--56f58c19-5dd4-4fc0-ac9d-faf7950d210f",
"indicator--56f58c19-bd84-4fee-a4d8-faf7950d210f",
"indicator--56f58c3b-4968-4f48-9cbf-faf1950d210f",
"indicator--56f58c5c-e06c-4aab-9e08-faee950d210f",
"indicator--56f58c87-0e18-4b86-96be-4fc502de0b81",
"indicator--56f58c88-2e54-4f15-87dc-43f802de0b81",
"observed-data--56f58c88-b490-4c7f-ae54-469c02de0b81",
"url--56f58c88-b490-4c7f-ae54-469c02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f58bf1-3870-4b38-b851-faf0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:05:21.000Z",
"modified": "2016-03-25T19:05:21.000Z",
"first_observed": "2016-03-25T19:05:21Z",
"last_observed": "2016-03-25T19:05:21Z",
"number_observed": 1,
"object_refs": [
"url--56f58bf1-3870-4b38-b851-faf0950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f58bf1-3870-4b38-b851-faf0950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2016/03/surge_in_spam_campai.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56f58c05-770c-4455-9aaa-46d2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:05:41.000Z",
"modified": "2016-03-25T19:05:41.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f58c18-9e90-4c3c-8985-faf7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:06:00.000Z",
"modified": "2016-03-25T19:06:00.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.138.88.184']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-25T19:06:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f58c19-5bf8-4657-b19b-faf7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:06:01.000Z",
"modified": "2016-03-25T19:06:01.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.41.47.37']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-25T19:06:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f58c19-5dd4-4fc0-ac9d-faf7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:06:01.000Z",
"modified": "2016-03-25T19:06:01.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.34.183.136']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-25T19:06:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f58c19-bd84-4fee-a4d8-faf7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:06:01.000Z",
"modified": "2016-03-25T19:06:01.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.121.97.170']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-25T19:06:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f58c3b-4968-4f48-9cbf-faf1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:06:35.000Z",
"modified": "2016-03-25T19:06:35.000Z",
"pattern": "[file:hashes.MD5 = '3f118d0b888430ab9f58fc2589207988']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-25T19:06:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f58c5c-e06c-4aab-9e08-faee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:07:08.000Z",
"modified": "2016-03-25T19:07:08.000Z",
"pattern": "[windows-registry-key:key = 'HKCU\\\\Control Panel\\\\Desktop\\\\Wallpaper' AND windows-registry-key:values.data = '\\\\%CSIDL_DESKTOPDIRECTORY\\\\%\\\\_Locky_recover_instructions.bmp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-25T19:07:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f58c87-0e18-4b86-96be-4fc502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:07:51.000Z",
"modified": "2016-03-25T19:07:51.000Z",
"description": "- Xchecked via VT: 3f118d0b888430ab9f58fc2589207988",
"pattern": "[file:hashes.SHA256 = 'f927efd7cd2da3a052d857632f78ccf04b673e2774f6ce9a075e654dfd77d940']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-25T19:07:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f58c88-2e54-4f15-87dc-43f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:07:52.000Z",
"modified": "2016-03-25T19:07:52.000Z",
"description": "- Xchecked via VT: 3f118d0b888430ab9f58fc2589207988",
"pattern": "[file:hashes.SHA1 = '1231e4a00c3da3ae8001a0620bae1242ef95d095']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-25T19:07:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f58c88-b490-4c7f-ae54-469c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-25T19:07:52.000Z",
"modified": "2016-03-25T19:07:52.000Z",
"first_observed": "2016-03-25T19:07:52Z",
"last_observed": "2016-03-25T19:07:52Z",
"number_observed": 1,
"object_refs": [
"url--56f58c88-b490-4c7f-ae54-469c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f58c88-b490-4c7f-ae54-469c02de0b81",
"value": "https://www.virustotal.com/file/f927efd7cd2da3a052d857632f78ccf04b673e2774f6ce9a075e654dfd77d940/analysis/1458838562/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}