537 lines
No EOL
24 KiB
JSON
537 lines
No EOL
24 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--58d39c29-8244-4fcf-a48b-40db950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--58d39c29-8244-4fcf-a48b-40db950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"name": "OSINT - Hunt Case Study: Hunting Campaign Indicators on Privacy Protected Attack Infrastructure",
|
|
"published": "2017-03-23T10:02:09Z",
|
|
"object_refs": [
|
|
"observed-data--58d39c3d-8908-4925-8b24-418c950d210f",
|
|
"url--58d39c3d-8908-4925-8b24-418c950d210f",
|
|
"x-misp-attribute--58d39c4e-1eec-4a83-96da-474c950d210f",
|
|
"indicator--58d39c5f-bb60-44f1-a30f-42f8950d210f",
|
|
"indicator--58d39c60-3e70-4d30-8732-41e4950d210f",
|
|
"indicator--58d39c7e-32e0-4558-911b-4358950d210f",
|
|
"indicator--58d39c80-c7b4-44e7-9a70-4d03950d210f",
|
|
"indicator--58d39c80-26d8-4afd-a1fa-444c950d210f",
|
|
"indicator--58d39c81-8f4c-443e-b5b8-4624950d210f",
|
|
"indicator--58d39ca6-c634-4226-82c4-494e950d210f",
|
|
"indicator--58d39ca7-64c0-4cae-8562-45e9950d210f",
|
|
"indicator--58d39cb8-c2c8-4923-9ef1-4507950d210f",
|
|
"indicator--58d39cf9-44d0-4837-847e-4bb402de0b81",
|
|
"indicator--58d39cfa-8a84-40f4-8652-40d002de0b81",
|
|
"observed-data--58d39cfb-e1fc-4ef3-8864-45e002de0b81",
|
|
"url--58d39cfb-e1fc-4ef3-8864-45e002de0b81",
|
|
"indicator--58d39cfc-62b8-493e-bac9-450e02de0b81",
|
|
"indicator--58d39cfd-4738-4014-ac84-413302de0b81",
|
|
"observed-data--58d39cfe-7a60-4250-b08d-480602de0b81",
|
|
"url--58d39cfe-7a60-4250-b08d-480602de0b81",
|
|
"indicator--58d39cff-dbec-4aef-8012-4bd502de0b81",
|
|
"indicator--58d39d00-7e14-464a-9970-455f02de0b81",
|
|
"observed-data--58d39d02-b5d8-437e-9cf0-4ddc02de0b81",
|
|
"url--58d39d02-b5d8-437e-9cf0-4ddc02de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58d39c3d-8908-4925-8b24-418c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"first_observed": "2017-03-23T10:01:17Z",
|
|
"last_observed": "2017-03-23T10:01:17Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58d39c3d-8908-4925-8b24-418c950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58d39c3d-8908-4925-8b24-418c950d210f",
|
|
"value": "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--58d39c4e-1eec-4a83-96da-474c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "As a researcher, when I find an attacker working, one of the first places I start to pivot is the command and control infrastructure. I do this because I want to see if I can find additional binaries, indicators of attack, or additional infrastructure being used by an adversary.\r\n\r\nWhen looking at attacker infrastructure, one of the things that annoys analysts the most is attackers using Whois protection services for registering domains that are used as attack infrastructure. At first glance, many analysts will abandon an investigation when finding privacy protected domains. So, in this blog, I intend to show just how you can pivot on a privacy protected indicator of attack infrastructure, and ultimately find good intelligence data.\r\n\r\nPlease keep in mind, in this blog I will not be attributing this activity to any specific nation state. We have indicators that point to a specific actor group, but nation-state attribution is a tricky and near impossible endeavor, therefore we shy away from making any nation-state attribution claims."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39c5f-bb60-44f1-a30f-42f8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.199.61.51']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39c60-3e70-4d30-8732-41e4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '86.105.18.5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39c7e-32e0-4558-911b-4358950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"pattern": "[domain-name:value = 'primeminister-goverment-techcenter.tech']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39c80-c7b4-44e7-9a70-4d03950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"pattern": "[url:value = 'http://ssl.pmo.gov.il-dana-naauthurl1-welcome.cgi.primeminister-goverment-techcenter.tech']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39c80-26d8-4afd-a1fa-444c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"pattern": "[domain-name:value = 'static.dyn-usr.f-login-me.c19.a23.akamaitechnology.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39c81-8f4c-443e-b5b8-4624950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"pattern": "[domain-name:value = '212.199.61.51.static.012.net.il']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39ca6-c634-4226-82c4-494e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"description": "Annual Survey.docx and/or \u00d7\u00a1\u00d7\u00a7\u00d7\u00a8\u00d7\u00a9\u00d7\u00a0\u00d7\u00aa\u00d7\u2122.docx",
|
|
"pattern": "[file:hashes.SHA256 = '5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39ca7-64c0-4cae-8562-45e9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"description": "PDFOPENER_CONSOLE.exe",
|
|
"pattern": "[file:hashes.SHA256 = '4d657793ddc9c49abe7e4afcf9abb43626e91a18a925223555070c53fd672b59']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39cb8-c2c8-4923-9ef1-4507950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:17.000Z",
|
|
"modified": "2017-03-23T10:01:17.000Z",
|
|
"description": "oleObject1.bin",
|
|
"pattern": "[file:hashes.SHA256 = '7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39cf9-44d0-4837-847e-4bb402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:29.000Z",
|
|
"modified": "2017-03-23T10:01:29.000Z",
|
|
"description": "oleObject1.bin - Xchecked via VT: 7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6",
|
|
"pattern": "[file:hashes.SHA1 = '59c448abaa6cd20ce7af33d6c0ae27e4a853d2bd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39cfa-8a84-40f4-8652-40d002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:30.000Z",
|
|
"modified": "2017-03-23T10:01:30.000Z",
|
|
"description": "oleObject1.bin - Xchecked via VT: 7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6",
|
|
"pattern": "[file:hashes.MD5 = 'b34721e53599286a1093c90a9dd0b789']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58d39cfb-e1fc-4ef3-8864-45e002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:31.000Z",
|
|
"modified": "2017-03-23T10:01:31.000Z",
|
|
"first_observed": "2017-03-23T10:01:31Z",
|
|
"last_observed": "2017-03-23T10:01:31Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58d39cfb-e1fc-4ef3-8864-45e002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58d39cfb-e1fc-4ef3-8864-45e002de0b81",
|
|
"value": "https://www.virustotal.com/file/7651f0d886e1c1054eb716352468ec6aedab06ed61e1eebd02bca4efbb974fb6/analysis/1480095398/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39cfc-62b8-493e-bac9-450e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:32.000Z",
|
|
"modified": "2017-03-23T10:01:32.000Z",
|
|
"description": "PDFOPENER_CONSOLE.exe - Xchecked via VT: 4d657793ddc9c49abe7e4afcf9abb43626e91a18a925223555070c53fd672b59",
|
|
"pattern": "[file:hashes.SHA1 = '15cac8196cc1cec4d3909698fc5d8a5250d826b5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39cfd-4738-4014-ac84-413302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:33.000Z",
|
|
"modified": "2017-03-23T10:01:33.000Z",
|
|
"description": "PDFOPENER_CONSOLE.exe - Xchecked via VT: 4d657793ddc9c49abe7e4afcf9abb43626e91a18a925223555070c53fd672b59",
|
|
"pattern": "[file:hashes.MD5 = '62f8f45c5f10647af0040f965a3ea96d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:33Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58d39cfe-7a60-4250-b08d-480602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:34.000Z",
|
|
"modified": "2017-03-23T10:01:34.000Z",
|
|
"first_observed": "2017-03-23T10:01:34Z",
|
|
"last_observed": "2017-03-23T10:01:34Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58d39cfe-7a60-4250-b08d-480602de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58d39cfe-7a60-4250-b08d-480602de0b81",
|
|
"value": "https://www.virustotal.com/file/4d657793ddc9c49abe7e4afcf9abb43626e91a18a925223555070c53fd672b59/analysis/1480095399/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39cff-dbec-4aef-8012-4bd502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:35.000Z",
|
|
"modified": "2017-03-23T10:01:35.000Z",
|
|
"description": "Annual Survey.docx and/or \u00d7\u00a1\u00d7\u00a7\u00d7\u00a8\u00d7\u00a9\u00d7\u00a0\u00d7\u00aa\u00d7\u2122.docx - Xchecked via VT: 5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902",
|
|
"pattern": "[file:hashes.SHA1 = '341c920ec47efa4fd1bfcd1859a7fb98945f9d85']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58d39d00-7e14-464a-9970-455f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:36.000Z",
|
|
"modified": "2017-03-23T10:01:36.000Z",
|
|
"description": "Annual Survey.docx and/or \u00d7\u00a1\u00d7\u00a7\u00d7\u00a8\u00d7\u00a9\u00d7\u00a0\u00d7\u00aa\u00d7\u2122.docx - Xchecked via VT: 5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902",
|
|
"pattern": "[file:hashes.MD5 = '871efc9ecd8a446a7aa06351604a9bf4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-03-23T10:01:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58d39d02-b5d8-437e-9cf0-4ddc02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-03-23T10:01:38.000Z",
|
|
"modified": "2017-03-23T10:01:38.000Z",
|
|
"first_observed": "2017-03-23T10:01:38Z",
|
|
"last_observed": "2017-03-23T10:01:38Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58d39d02-b5d8-437e-9cf0-4ddc02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58d39d02-b5d8-437e-9cf0-4ddc02de0b81",
|
|
"value": "https://www.virustotal.com/file/5fe0e156a308b48fb2f9577ed3e3b09768976fdd99f6b2d2db5658b138676902/analysis/1486642481/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |