adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/571a7cdc-c078-482d-98dc-4e42950d210f.json

182 lines
No EOL
7.7 KiB
JSON
Raw Permalink Blame History

{
"type": "bundle",
"id": "bundle--571a7cdc-c078-482d-98dc-4e42950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T19:40:43.000Z",
"modified": "2016-04-22T19:40:43.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--571a7cdc-c078-482d-98dc-4e42950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T19:40:43.000Z",
"modified": "2016-04-22T19:40:43.000Z",
"name": "OSINT - powershell used for spreading trojan.laziok through google docs",
"published": "2016-04-22T19:41:39Z",
"object_refs": [
"observed-data--571a7d1a-3c00-4f54-b5b6-4782950d210f",
"url--571a7d1a-3c00-4f54-b5b6-4782950d210f",
"x-misp-attribute--571a7d2e-e64c-4deb-9edd-4c34950d210f",
"indicator--571a7ddc-f4c4-4bf6-a50d-41a9950d210f",
"vulnerability--571a7df4-0acc-4202-a834-4ef6950d210f",
"indicator--571a7e30-257c-42e3-a297-4bb0950d210f",
"indicator--571a7e3b-75d0-4c6b-b9cc-433b950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a7d1a-3c00-4f54-b5b6-4782950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T19:35:54.000Z",
"modified": "2016-04-22T19:35:54.000Z",
"first_observed": "2016-04-22T19:35:54Z",
"last_observed": "2016-04-22T19:35:54Z",
"number_observed": 1,
"object_refs": [
"url--571a7d1a-3c00-4f54-b5b6-4782950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a7d1a-3c00-4f54-b5b6-4782950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--571a7d2e-e64c-4deb-9edd-4c34950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T19:36:14.000Z",
"modified": "2016-04-22T19:36:14.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a7ddc-f4c4-4bf6-a50d-41a9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T19:39:08.000Z",
"modified": "2016-04-22T19:39:08.000Z",
"description": "the first stage initiates the attack by running obfuscated JavaScript from",
"pattern": "[url:value = 'www.younglean.cba.pl/lean/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T19:39:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--571a7df4-0acc-4202-a834-4ef6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T19:39:32.000Z",
"modified": "2016-04-22T19:39:32.000Z",
"name": "CVE-2014-6332",
"labels": [
"misp:type=\"vulnerability\"",
"misp:category=\"Payload delivery\""
],
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2014-6332"
}
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a7e30-257c-42e3-a297-4bb0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T19:40:32.000Z",
"modified": "2016-04-22T19:40:32.000Z",
"description": "The payload attempts to call back to a known bad Polish server",
"pattern": "[url:value = 'http://193.189.117.36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T19:40:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a7e3b-75d0-4c6b-b9cc-433b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T19:40:43.000Z",
"modified": "2016-04-22T19:40:43.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.189.117.36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T19:40:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink