{
"type": "bundle",
"id": "bundle--5a37ccac-13e4-4703-9487-4070950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T20:47:36.000Z",
"modified": "2017-12-18T20:47:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5a37ccac-13e4-4703-9487-4070950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T20:47:36.000Z",
"modified": "2017-12-18T20:47:36.000Z",
"name": "OSINT - Graftor - But I Never Asked for This\u2026",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5a37ccc2-b818-4ea8-951f-4e6f950d210f",
"url--5a37ccc2-b818-4ea8-951f-4e6f950d210f",
"indicator--5a37cf9b-0f4c-41d8-bd86-4fec950d210f",
"indicator--5a37cf9b-0ac8-4fb2-aa7d-4f44950d210f",
"indicator--5a37cf9c-0980-4f21-b32c-478f950d210f",
"indicator--5a37cf9c-57b8-4fda-8d1d-4bf6950d210f",
"indicator--5a37cf9c-df28-41b5-b61a-4783950d210f",
"indicator--5a37d08d-4b94-4832-a1c2-4e00950d210f",
"indicator--5a37d146-e344-482b-9b62-416f950d210f",
"indicator--5a37d162-6368-40e2-8542-4c9b950d210f",
"observed-data--5a37d162-19a0-412b-b81d-40c3950d210f",
"domain-name--5a37d162-19a0-412b-b81d-40c3950d210f",
"observed-data--5a37d162-a1fc-4218-8a59-45ac950d210f",
"domain-name--5a37d162-a1fc-4218-8a59-45ac950d210f",
"indicator--5a37d162-54ac-4906-851c-4110950d210f",
"indicator--5a37d162-43cc-45b5-bdda-4ea7950d210f",
"indicator--5a37d162-5b44-4686-bbf2-4983950d210f",
"indicator--5a37d162-a7dc-4d9f-b7da-477a950d210f",
"indicator--5a37d162-e218-417a-85d7-46d2950d210f",
"indicator--5a37d162-14a0-49d3-9b41-4453950d210f",
"indicator--5a37d162-27a8-44bb-a11d-47b9950d210f",
"indicator--5a37d162-18b4-45c1-85f4-449e950d210f",
"indicator--5a37d162-c1e8-4a7f-ba5e-4ec6950d210f",
"indicator--5a37d162-e460-4ed8-bc65-4369950d210f",
"indicator--5a37d162-f288-4ae4-a01c-4ad7950d210f",
"indicator--5a37d162-0178-43d0-a643-4b31950d210f",
"indicator--5a37cfe7-03a8-43cf-91d9-4b46950d210f",
"indicator--5a37d02b-66d0-4d32-a418-4ae4950d210f",
"indicator--5a37d070-e818-4ed7-ab3b-4a9c950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Aumlib\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"workflow:todo=\"expansion\"",
"workflow:todo=\"review-for-false-positive\"",
"workflow:todo=\"review-before-publication\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a37ccc2-b818-4ea8-951f-4e6f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:16:07.000Z",
"modified": "2017-12-18T14:16:07.000Z",
"first_observed": "2017-12-18T14:16:07Z",
"last_observed": "2017-12-18T14:16:07Z",
"number_observed": 1,
"object_refs": [
"url--5a37ccc2-b818-4ea8-951f-4e6f950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a37ccc2-b818-4ea8-951f-4e6f950d210f",
"value": "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37cf9b-0f4c-41d8-bd86-4fec950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:24:27.000Z",
"modified": "2017-12-18T14:24:27.000Z",
"description": "Alternate Data Streams(ADS)",
"pattern": "[file:name = 'C:UsersdexAppDataLocalTemp2263387661.exe:Zone.Identifier']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:24:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37cf9b-0ac8-4fb2-aa7d-4f44950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:24:27.000Z",
"modified": "2017-12-18T14:24:27.000Z",
"description": "Alternate Data Streams(ADS)",
"pattern": "[file:name = 'C:UsersdexAppDataLocalTempQBPO5ppcuhJG.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:24:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37cf9c-0980-4f21-b32c-478f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:24:28.000Z",
"modified": "2017-12-18T14:24:28.000Z",
"description": "Alternate Data Streams(ADS)",
"pattern": "[file:name = 'C:UsersdexAppDataLocalTemp2263387661.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:24:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37cf9c-57b8-4fda-8d1d-4bf6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:24:28.000Z",
"modified": "2017-12-18T14:24:28.000Z",
"description": "Alternate Data Streams(ADS)",
"pattern": "[file:name = 'C:UsersdexAppDataLocalTempAyWdp7tHPIeU.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:24:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37cf9c-df28-41b5-b61a-4783950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:24:28.000Z",
"modified": "2017-12-18T14:24:28.000Z",
"description": "Alternate Data Streams(ADS)",
"pattern": "[file:name = 'C:WindowsSystem32regsvr32.exe:Zone.Identifier']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:24:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d08d-4b94-4832-a1c2-4e00950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:28:29.000Z",
"modified": "2017-12-18T14:28:29.000Z",
"description": "Command and Control Server GET Request",
"pattern": "[url:value = 'http://kskmasdqsjuzom.regularfood.gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZybmQ9ZTY5NjM5ZjJjYTdlNWNiNDU2ZmYwMDUyN2M2ODBlNDMxMTY0YmFhZGJlZWI3MTI5YjIwZGYzM2M3YzIzNTc1YQ']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:28:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d146-e344-482b-9b62-416f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:31:34.000Z",
"modified": "2017-12-18T14:31:34.000Z",
"description": "Command and Control Server POST Request",
"pattern": "[url:value = 'http://kskmasdqsjuzom.regularfood.gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZybmQ9ZTY5NjM5ZjJjYTdlNWNiNDU2ZmYwMDUyN2M2ODBlNDMxMTY0YmFhZGJlZWI3MTI5YjIwZGYzM2M3YzIzNTc1YSZkZWxheT0zODk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:31:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-6368-40e2-8542-4c9b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'arolina.torchpound.gdn']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a37d162-19a0-412b-b81d-40c3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T20:47:00.000Z",
"modified": "2017-12-18T20:47:00.000Z",
"first_observed": "2017-12-18T20:47:00Z",
"last_observed": "2017-12-18T20:47:00Z",
"number_observed": 1,
"object_refs": [
"domain-name--5a37d162-19a0-412b-b81d-40c3950d210f"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5a37d162-19a0-412b-b81d-40c3950d210f",
"value": "binupdate.mail.ru"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a37d162-a1fc-4218-8a59-45ac950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T20:46:52.000Z",
"modified": "2017-12-18T20:46:52.000Z",
"first_observed": "2017-12-18T20:46:52Z",
"last_observed": "2017-12-18T20:46:52Z",
"number_observed": 1,
"object_refs": [
"domain-name--5a37d162-a1fc-4218-8a59-45ac950d210f"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5a37d162-a1fc-4218-8a59-45ac950d210f",
"value": "crl.microsoft.com"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-54ac-4906-851c-4110950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'dreple.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-43cc-45b5-bdda-4ea7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'gambling577.xyz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-5b44-4686-bbf2-4983950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'jvusdtufhlreari.twiceprint.gdn']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-a7dc-4d9f-b7da-477a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'kskmasdqsjuzom.regularfood.gdn']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-e218-417a-85d7-46d2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'mentalaware.gdn']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-14a0-49d3-9b41-4453950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'mrds.mail.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-27a8-44bb-a11d-47b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'nottotrack.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-18b4-45c1-85f4-449e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'plugpackdownload.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-c1e8-4a7f-ba5e-4ec6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 's2.symcb.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-e460-4ed8-bc65-4369950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'sputnikmailru.cdnmail.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-f288-4ae4-a01c-4ad7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'ss.symcd.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d162-0178-43d0-a643-4b31950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:32:02.000Z",
"modified": "2017-12-18T14:32:02.000Z",
"description": "Domains from sandbox run",
"pattern": "[domain-name:value = 'xml.binupdate.mail.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37cfe7-03a8-43cf-91d9-4b46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:25:43.000Z",
"modified": "2017-12-18T14:25:43.000Z",
"description": "Graftor Dropper",
"pattern": "[file:hashes.MD5 = '9b9ce661a764d84a4636812e1dfcb03b' AND file:hashes.SHA1 = 'fd3ccf65eab21a77d2e440bd23c59d52e96a03a4' AND file:hashes.SHA256 = '41474cd23ff0a861625ec1304f882891826829ed26ed1662aae2e7ebbe3605f2' AND file:name = '2263387661.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:25:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d02b-66d0-4d32-a418-4ae4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:26:51.000Z",
"modified": "2017-12-18T14:26:51.000Z",
"description": "Dumped 2nd stage",
"pattern": "[file:hashes.MD5 = '40bde09fc059f205f67b181c34de666b' AND file:hashes.SHA1 = '99c7627708c4ab1fca3222738c573e7376ab4070' AND file:hashes.SHA256 = 'eefdbe891e35390b84181eabe0ace6e202f5b2a050e800fb8e82327d5e57336d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:26:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a37d070-e818-4ed7-ab3b-4a9c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-12-18T14:28:00.000Z",
"modified": "2017-12-18T14:28:00.000Z",
"description": "Dumped 3rd stage",
"pattern": "[file:hashes.MD5 = '1e9f40e70ed3ab0ca9a52c216f807eff' AND file:hashes.SHA1 = '7c4cd0ff0e004a62c9ab7f8bd991094226eca842' AND file:hashes.SHA256 = '5eb2333956bebb81da365a26e56fea874797fa003107f95cda21273045d98385']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-12-18T14:28:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}