{
|
|
"type": "bundle",
|
|
"id": "bundle--59f049c0-aae0-47d2-a888-4021950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-11-22T21:19:47.000Z",
|
|
"modified": "2017-11-22T21:19:47.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--59f049c0-aae0-47d2-a888-4021950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-11-22T21:19:47.000Z",
|
|
"modified": "2017-11-22T21:19:47.000Z",
|
|
"name": "OSINT - Bad Rabbit: Not-Petya is back with improved ransomware",
|
|
"published": "2017-12-28T13:20:54Z",
|
|
"object_refs": [
|
|
"observed-data--59f049cf-329c-4504-a63c-4974950d210f",
|
|
"url--59f049cf-329c-4504-a63c-4974950d210f",
|
|
"indicator--59f04b31-f73c-4d20-95b5-4edf950d210f",
|
|
"x-misp-attribute--59f04b48-223c-4642-a5cf-412c950d210f",
|
|
"indicator--59f04b70-32f4-4c4b-bd74-4775950d210f",
|
|
"indicator--59f04b70-a00c-47a5-903e-44f2950d210f",
|
|
"indicator--59f04c8f-fba0-4775-913a-4a4f950d210f",
|
|
"indicator--59f04c8f-046c-41dc-a600-4306950d210f",
|
|
"indicator--59f04d24-9424-49ec-86bc-403c950d210f",
|
|
"indicator--59f04d24-f6a4-4278-b3b5-406d950d210f",
|
|
"indicator--59f04d24-0348-4b41-8e40-4887950d210f",
|
|
"indicator--59f04ddf-4f04-4174-a93d-4c9d950d210f",
|
|
"indicator--59f04ddf-3e78-47fc-ad92-4866950d210f",
|
|
"indicator--59f04ddf-9890-46f0-b252-4884950d210f",
|
|
"indicator--59f04ddf-de28-4f39-a955-43c6950d210f",
|
|
"indicator--59f04ddf-7564-446e-80f5-4717950d210f",
|
|
"indicator--59f04ddf-d780-4e3e-a215-44b3950d210f",
|
|
"indicator--59f04ddf-bcc0-415d-9588-4111950d210f",
|
|
"indicator--59f04ddf-4838-45fc-b75c-48b9950d210f",
|
|
"indicator--59f04ddf-4dc8-470d-9268-45bd950d210f",
|
|
"indicator--59f04ddf-0600-4c83-8d3a-41ae950d210f",
|
|
"indicator--59f04ddf-7eb8-4933-a170-4c3e950d210f",
|
|
"indicator--59f04ddf-7b94-4be1-a497-42c2950d210f",
|
|
"indicator--59f04ddf-fe88-4850-b260-4b7d950d210f",
|
|
"indicator--59f04ddf-8294-4d84-862f-46d7950d210f",
|
|
"indicator--59f04ddf-3198-4485-8eae-4833950d210f",
|
|
"indicator--59f04ddf-9858-4feb-ad80-4183950d210f",
|
|
"indicator--59f04ddf-7448-4f85-b71a-48d7950d210f",
|
|
"indicator--59f04ddf-7d48-426d-9d85-4d32950d210f",
|
|
"indicator--59f04ddf-fc80-4ddf-822f-47b2950d210f",
|
|
"indicator--59f04ddf-c6e8-4de1-a60a-42c8950d210f",
|
|
"indicator--59f04ddf-b9c0-485f-b2c3-42cb950d210f",
|
|
"indicator--59f04ddf-4fc4-4b03-927f-4c92950d210f",
|
|
"indicator--59f04ddf-e83c-4d61-b9ab-43ea950d210f",
|
|
"indicator--59f0514a-7310-4dad-b3b1-490002de0b81",
|
|
"indicator--59f0514a-df70-416c-bfae-445f02de0b81",
|
|
"observed-data--59f0514a-7f84-4846-ba38-449302de0b81",
|
|
"url--59f0514a-7f84-4846-ba38-449302de0b81",
|
|
"indicator--59f0514a-b3d0-4191-a490-440802de0b81",
|
|
"indicator--59f0514a-1be4-4e5c-8fff-48cc02de0b81",
|
|
"observed-data--59f0514a-f0d8-4972-9b45-40cb02de0b81",
|
|
"url--59f0514a-f0d8-4972-9b45-40cb02de0b81",
|
|
"indicator--59f04c50-0864-406b-b9fd-4797950d210f",
|
|
"indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f",
|
|
"indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f",
|
|
"indicator--59f04cf4-0f54-4525-8d29-453f950d210f",
|
|
"relationship--8f61cc0f-e736-4a5e-b732-9a1dc5fdf25c",
|
|
"relationship--7e9f0d94-e9a1-4bf0-929b-90fdcde3de81",
|
|
"relationship--52e9375e-b591-43d6-9439-cddfb4b154a1"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:ransomware=\"Bad Rabbit\"",
|
|
"type:OSINT",
|
|
"malware_classification:malware-category=\"Ransomware\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"misp-galaxy:preventive-measure=\"Backup and Restore Process\"",
|
|
"misp-galaxy:preventive-measure=\"Restrict Workstation Communication\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59f049cf-329c-4504-a63c-4974950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:33.000Z",
|
|
"modified": "2017-10-25T08:54:33.000Z",
|
|
"first_observed": "2017-10-25T08:54:33Z",
|
|
"last_observed": "2017-10-25T08:54:33Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59f049cf-329c-4504-a63c-4974950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59f049cf-329c-4504-a63c-4974950d210f",
|
|
"value": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04b31-f73c-4d20-95b5-4edf950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.149.120.3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--59f04b48-223c-4642-a5cf-412c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "A new ransomware outbreak today has hit some major infrastructure in Ukraine, including the Kiev metro."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04b70-32f4-4c4b-bd74-4775950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"pattern": "[domain-name:value = '1dnscontrol.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04b70-a00c-47a5-903e-44f2950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:29:36.000Z",
|
|
"modified": "2017-10-25T08:29:36.000Z",
|
|
"pattern": "[file:name = 'install_flash_player.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:29:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04c8f-fba0-4775-913a-4a4f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "Mimikatz (32-bits)",
|
|
"pattern": "[file:hashes.SHA1 = '413eba3973a15c1a6429d9f170f3e8287f98c21c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04c8f-046c-41dc-a600-4306950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "Mimikatz (64-bits)",
|
|
"pattern": "[file:hashes.SHA1 = '16605a4a29a101208457c47ebfde788487be788d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04d24-9424-49ec-86bc-403c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"pattern": "[url:value = 'http://caforssztxqzf2nm.onion']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04d24-f6a4-4278-b3b5-406d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"pattern": "[url:value = 'http://185.149.120.3/scholargoogle/']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04d24-0348-4b41-8e40-4887950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"pattern": "[url:value = 'http://1dnscontrol.com/flash_install.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-4f04-4174-a93d-4c9d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://argumentiru.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-3e78-47fc-ad92-4866950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.fontanka.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-9890-46f0-b252-4884950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://grupovo.bg']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-de28-4f39-a955-43c6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.sinematurk.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-7564-446e-80f5-4717950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.aica.co.jp']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-d780-4e3e-a215-44b3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://spbvoditel.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-bcc0-415d-9588-4111950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://argumenti.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-4838-45fc-b75c-48b9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.mediaport.ua']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-4dc8-470d-9268-45bd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://blog.fontanka.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-0600-4c83-8d3a-41ae950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://an-crimea.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-7eb8-4933-a170-4c3e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.t.ks.ua']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-7b94-4be1-a497-42c2950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://most-dnepr.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-fe88-4850-b260-4b7d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://osvitaportal.com.ua']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-8294-4d84-862f-46d7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.otbrana.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-3198-4485-8eae-4833950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://calendar.fontanka.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-9858-4feb-ad80-4183950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.grupovo.bg']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-7448-4f85-b71a-48d7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.pensionhotel.cz']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-7d48-426d-9d85-4d32950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.online812.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-fc80-4ddf-822f-47b2950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://www.imer.ro']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-c6e8-4de1-a60a-42c8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://novayagazeta.spb.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-b9c0-485f-b2c3-42cb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://i24.com.ua']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-4fc4-4b03-927f-4c92950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://bg.pensionhotel.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f04ddf-e83c-4d61-b9ab-43ea950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "compromised site",
|
|
"pattern": "[url:value = 'http://ankerch-crimea.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f0514a-7310-4dad-b3b1-490002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d",
|
|
"pattern": "[file:hashes.SHA256 = '2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f0514a-df70-416c-bfae-445f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d",
|
|
"pattern": "[file:hashes.MD5 = '37945c44a897aa42a66adcab68f560e0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59f0514a-7f84-4846-ba38-449302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"first_observed": "2017-10-25T08:54:34Z",
|
|
"last_observed": "2017-10-25T08:54:34Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--59f0514a-7f84-4846-ba38-449302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--59f0514a-7f84-4846-ba38-449302de0b81",
|
|
"value": "https://www.virustotal.com/file/2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035/analysis/1508915760/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f0514a-b3d0-4191-a490-440802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c",
|
|
"pattern": "[file:hashes.SHA256 = '301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--59f0514a-1be4-4e5c-8fff-48cc02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-10-25T08:54:34.000Z",
|
|
"modified": "2017-10-25T08:54:34.000Z",
|
|
"description": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c",
|
|
"pattern": "[file:hashes.MD5 = '347ac3b6b791054de3e5720a7144a977']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-10-25T08:54:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--59f0514a-f0d8-4972-9b45-40cb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"first_observed": "2017-10-25T08:54:34Z",
"last_observed": "2017-10-25T08:54:34Z",
"number_observed": 1,
"object_refs": [
"url--59f0514a-f0d8-4972-9b45-40cb02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f0514a-f0d8-4972-9b45-40cb02de0b81",
"value": "https://www.virustotal.com/file/301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c/analysis/1508918790/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04c50-0864-406b-b9fd-4797950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:57:41.000Z",
"modified": "2017-10-25T08:57:41.000Z",
"description": "Diskcoder",
"pattern": "[file:hashes.SHA1 = '79116fe99f2b421c52ef64097f0f39b815b20907' AND file:name = 'infpub.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:57:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:59:32.000Z",
"modified": "2017-10-25T08:59:32.000Z",
"description": "Lockscreen",
"pattern": "[file:hashes.SHA1 = 'afeee8b4acff87bc469a6f0364a81ae5d60a2add' AND file:name = 'dispci.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:59:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:57:23.000Z",
"modified": "2017-10-25T08:57:23.000Z",
"description": "Dropper",
"pattern": "[file:hashes.SHA1 = 'de5c8d858e6e41da715dca1c019df0bfb92d32c0' AND file:name = 'install_flash_player.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:57:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04cf4-0f54-4525-8d29-453f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:36:04.000Z",
"modified": "2017-10-25T08:36:04.000Z",
"description": "JavaScript on compromised sites",
"pattern": "[file:hashes.SHA1 = '4f61e154230a64902ae035434690bf2b96b4e018' AND file:name = 'page-main.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:36:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8f61cc0f-e736-4a5e-b732-9a1dc5fdf25c",
"created": "2017-10-25T08:57:38.000Z",
"modified": "2017-10-25T08:57:38.000Z",
"relationship_type": "dropped-by",
"source_ref": "indicator--59f04c50-0864-406b-b9fd-4797950d210f",
"target_ref": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7e9f0d94-e9a1-4bf0-929b-90fdcde3de81",
"created": "2017-10-25T08:59:29.000Z",
"modified": "2017-10-25T08:59:29.000Z",
"relationship_type": "dropped-by",
"source_ref": "indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f",
"target_ref": "indicator--59f04c50-0864-406b-b9fd-4797950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--52e9375e-b591-43d6-9439-cddfb4b154a1",
"created": "2017-10-25T08:57:20.000Z",
"modified": "2017-10-25T08:57:20.000Z",
"relationship_type": "dropped-by",
"source_ref": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f",
"target_ref": "indicator--59f04cf4-0f54-4525-8d29-453f950d210f"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
} |