adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5a96f935-0b24-47b8-b0a7-4fff02de0b81.json

574 lines
No EOL
25 KiB
JSON
Raw Permalink Blame History

{
"type": "bundle",
"id": "bundle--5a96f935-0b24-47b8-b0a7-4fff02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:53:36.000Z",
"modified": "2018-02-28T18:53:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5a96f935-0b24-47b8-b0a7-4fff02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:53:36.000Z",
"modified": "2018-02-28T18:53:36.000Z",
"name": "OSINT - Sofacy Attacks Multiple Government Entities",
"published": "2018-02-28T18:54:29Z",
"object_refs": [
"x-misp-attribute--5a96f942-14cc-4704-b7bf-498502de0b81",
"observed-data--5a96f94d-5a5c-4c6e-af00-4f5d02de0b81",
"url--5a96f94d-5a5c-4c6e-af00-4f5d02de0b81",
"indicator--5a96f9a4-b05c-4b29-bb64-cc4302de0b81",
"indicator--5a96f9a4-f0fc-4ce7-b5ac-cc4302de0b81",
"indicator--5a96f9a5-19fc-4235-a3fd-cc4302de0b81",
"indicator--5a96f9a5-0f8c-4997-87e4-cc4302de0b81",
"indicator--5a96f9f3-548c-494e-82e6-451202de0b81",
"indicator--5a96fa18-6d2c-48e6-9d3d-4d5c02de0b81",
"indicator--5a96fa2c-f7ac-4d1c-9fe9-cc4302de0b81",
"indicator--5a96faac-c9cc-49d9-b08f-a2ac02de0b81",
"indicator--3a3a5634-7788-4951-adea-a060896c5315",
"x-misp-object--988368d2-22c9-4bde-a9f8-ad5500255513",
"indicator--f1420c02-11ef-4439-90cf-d43f40ae89dd",
"x-misp-object--e5d785de-6c7f-4956-a86d-5a7402d45de1",
"indicator--cc27a1e8-563a-4861-9364-893e483254d0",
"x-misp-object--6bcda4f7-7a38-490b-b7f6-adc285652eb9",
"indicator--30244c7f-5815-4434-9169-08ff43a5c2cd",
"x-misp-object--a0a39fa0-fab2-4a6c-9b5b-8eb73b363b3c",
"relationship--d075c0a8-4c51-4e01-8608-55d5b6d5e088",
"relationship--79761d6b-09fb-48bf-b101-300dc581f4df",
"relationship--d86b95fb-b85e-4baa-a33a-25d835b94976",
"relationship--c1a94f28-a99a-42a1-b958-ab6c9ba42404"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:threat-actor=\"Sofacy\"",
"misp-galaxy:mitre-intrusion-set=\"APT28\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5a96f942-14cc-4704-b7bf-498502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:07.000Z",
"modified": "2018-02-28T18:50:07.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team, Pawn Storm) is a well-known adversary that remains highly active in the new calendar year of 2018. Unit 42 actively monitors this group due to their persistent nature globally across all industry verticals. Recently, we discovered a campaign launched at various Ministries of Foreign Affairs around the world. Interestingly, there appear to be two parallel efforts within the campaign, with each effort using a completely different toolset for the attacks. In this blog, we will discuss one of the efforts which leveraged tools that have been known to be associated with the Sofacy group."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5a96f94d-5a5c-4c6e-af00-4f5d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:08.000Z",
"modified": "2018-02-28T18:50:08.000Z",
"first_observed": "2018-02-28T18:50:08Z",
"last_observed": "2018-02-28T18:50:08Z",
"number_observed": 1,
"object_refs": [
"url--5a96f94d-5a5c-4c6e-af00-4f5d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5a96f94d-5a5c-4c6e-af00-4f5d02de0b81",
"value": "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a96f9a4-b05c-4b29-bb64-cc4302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:49:08.000Z",
"modified": "2018-02-28T18:49:08.000Z",
"pattern": "[file:hashes.SHA256 = 'ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:49:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a96f9a4-f0fc-4ce7-b5ac-cc4302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:49:08.000Z",
"modified": "2018-02-28T18:49:08.000Z",
"pattern": "[file:hashes.SHA256 = '12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:49:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a96f9a5-19fc-4235-a3fd-cc4302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:49:09.000Z",
"modified": "2018-02-28T18:49:09.000Z",
"pattern": "[file:hashes.SHA256 = 'cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:49:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a96f9a5-0f8c-4997-87e4-cc4302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:49:09.000Z",
"modified": "2018-02-28T18:49:09.000Z",
"pattern": "[file:hashes.SHA256 = '23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:49:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a96f9f3-548c-494e-82e6-451202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:27.000Z",
"modified": "2018-02-28T18:50:27.000Z",
"pattern": "[domain-name:value = 'cdnverify.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:50:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a96fa18-6d2c-48e6-9d3d-4d5c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:51:04.000Z",
"modified": "2018-02-28T18:51:04.000Z",
"pattern": "[email-message:subject = 'Upcoming Defense events February 2018']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:51:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-subject\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a96fa2c-f7ac-4d1c-9fe9-cc4302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:51:24.000Z",
"modified": "2018-02-28T18:51:24.000Z",
"pattern": "[email-message:body_multipart[*].body_raw_ref.name = 'Upcoming Events February 2018.xls']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:51:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-attachment\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5a96faac-c9cc-49d9-b08f-a2ac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:53:32.000Z",
"modified": "2018-02-28T18:53:32.000Z",
"pattern": "[domain-name:value = 'hotfixmsupload.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:53:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3a3a5634-7788-4951-adea-a060896c5315",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:12.000Z",
"modified": "2018-02-28T18:50:12.000Z",
"pattern": "[file:hashes.MD5 = 'aa2cd9d9fc5d196caa6f8fd5979e3f14' AND file:hashes.SHA1 = '5bb9f53636efafdd30023d44be1be55bf7c7b7d5' AND file:hashes.SHA256 = '12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:50:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--988368d2-22c9-4bde-a9f8-ad5500255513",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:13.000Z",
"modified": "2018-02-28T18:50:13.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8/analysis/1518023007/",
"category": "External analysis",
"uuid": "5a96f9e6-1bf0-46f3-957f-4a2802de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "38/66",
"category": "Other",
"uuid": "5a96f9e7-dd80-4575-bc61-4a5d02de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-02-07T17:03:27",
"category": "Other",
"uuid": "5a96f9e7-ca8c-4adc-91a7-449302de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f1420c02-11ef-4439-90cf-d43f40ae89dd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:20.000Z",
"modified": "2018-02-28T18:50:20.000Z",
"pattern": "[file:hashes.MD5 = '56f98e3ed00e48ff9cb89dea5f6e11c1' AND file:hashes.SHA1 = 'b06930c9809ab5e4cb6659089ac6fcec470c9c16' AND file:hashes.SHA256 = 'cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:50:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e5d785de-6c7f-4956-a86d-5a7402d45de1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:20.000Z",
"modified": "2018-02-28T18:50:20.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7/analysis/1518446184/",
"category": "External analysis",
"uuid": "5a96f9ec-049c-4d4a-9963-47e302de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "36/59",
"category": "Other",
"uuid": "5a96f9ed-fb0c-48bb-9e60-4b3002de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-02-12T14:36:24",
"category": "Other",
"uuid": "5a96f9ed-1a50-4b58-9bb5-417302de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cc27a1e8-563a-4861-9364-893e483254d0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:25.000Z",
"modified": "2018-02-28T18:50:25.000Z",
"pattern": "[file:hashes.MD5 = '7c43b406119ade8f1f2a2a5a93c94248' AND file:hashes.SHA1 = 'd7ddb9a511a50edd6b1093a9477a6c7830fc84c3' AND file:hashes.SHA256 = '23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:50:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6bcda4f7-7a38-490b-b7f6-adc285652eb9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:24.000Z",
"modified": "2018-02-28T18:50:24.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701/analysis/1518309936/",
"category": "External analysis",
"uuid": "5a96f9f0-367c-420d-97d5-4cd002de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "36/66",
"category": "Other",
"uuid": "5a96f9f1-a2c4-4143-b8b4-441302de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-02-11T00:45:36",
"category": "Other",
"uuid": "5a96f9f1-f488-4847-94ae-400802de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--30244c7f-5815-4434-9169-08ff43a5c2cd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:29.000Z",
"modified": "2018-02-28T18:50:29.000Z",
"pattern": "[file:hashes.MD5 = '36524c90ca1fac2102e7653dfadb31b2' AND file:hashes.SHA1 = '8d6db316ea4e348021cb59cf3c6ec65c390f0497' AND file:hashes.SHA256 = 'ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-02-28T18:50:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--a0a39fa0-fab2-4a6c-9b5b-8eb73b363b3c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-02-28T18:50:30.000Z",
"modified": "2018-02-28T18:50:30.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8/analysis/1518448247/",
"category": "External analysis",
"uuid": "5a96f9f6-c63c-41e5-9384-4f5c02de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "43/67",
"category": "Other",
"uuid": "5a96f9f7-1b34-4913-ad01-401f02de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-02-12T15:10:47",
"category": "Other",
"uuid": "5a96f9f7-f5e8-4296-943b-4c3602de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d075c0a8-4c51-4e01-8608-55d5b6d5e088",
"created": "2018-02-28T18:50:32.000Z",
"modified": "2018-02-28T18:50:32.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--3a3a5634-7788-4951-adea-a060896c5315",
"target_ref": "x-misp-object--988368d2-22c9-4bde-a9f8-ad5500255513"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--79761d6b-09fb-48bf-b101-300dc581f4df",
"created": "2018-02-28T18:50:32.000Z",
"modified": "2018-02-28T18:50:32.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--f1420c02-11ef-4439-90cf-d43f40ae89dd",
"target_ref": "x-misp-object--e5d785de-6c7f-4956-a86d-5a7402d45de1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d86b95fb-b85e-4baa-a33a-25d835b94976",
"created": "2018-02-28T18:50:32.000Z",
"modified": "2018-02-28T18:50:32.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--cc27a1e8-563a-4861-9364-893e483254d0",
"target_ref": "x-misp-object--6bcda4f7-7a38-490b-b7f6-adc285652eb9"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c1a94f28-a99a-42a1-b958-ab6c9ba42404",
"created": "2018-02-28T18:50:32.000Z",
"modified": "2018-02-28T18:50:32.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--30244c7f-5815-4434-9169-08ff43a5c2cd",
"target_ref": "x-misp-object--a0a39fa0-fab2-4a6c-9b5b-8eb73b363b3c"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink