adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5cc023e7-9c7c-418e-b908-4d46950d210f.json

772 lines
No EOL
34 KiB
JSON
Raw Permalink Blame History

{
"type": "bundle",
"id": "bundle--5cc023e7-9c7c-418e-b908-4d46950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T11:21:10.000Z",
"modified": "2019-04-24T11:21:10.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cc023e7-9c7c-418e-b908-4d46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T11:21:10.000Z",
"modified": "2019-04-24T11:21:10.000Z",
"name": "OSINT - DNSpionage brings out the Karkoff",
"published": "2019-04-24T11:21:35Z",
"object_refs": [
"observed-data--5cc023f7-8650-4b3b-b631-4d52950d210f",
"url--5cc023f7-8650-4b3b-b631-4d52950d210f",
"x-misp-attribute--5cc0240c-fb80-4eb2-99bb-4040950d210f",
"indicator--5cc0242b-2ba8-419f-8d14-42e7950d210f",
"indicator--5cc0242b-e1cc-4aec-a163-471f950d210f",
"indicator--5cc0242b-1ac0-448a-a3c9-45ff950d210f",
"indicator--5cc0242b-d758-44d4-9614-4759950d210f",
"indicator--5cc02456-7350-4263-bbc9-4205950d210f",
"indicator--5cc02456-7a84-49a2-b073-4ea8950d210f",
"indicator--5cc02456-b618-4f07-9281-4404950d210f",
"observed-data--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
"network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
"ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
"observed-data--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
"network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
"ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
"indicator--5cc02a7b-08f8-493b-b253-247f950d210f",
"indicator--5cc02ab1-70b0-446f-8b28-2497950d210f",
"indicator--3148bbb8-f76e-4556-b973-3dea9cf89820",
"x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61",
"indicator--6393b267-5ff7-4204-85cf-709530bc110d",
"x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e",
"indicator--52ca9602-5ef6-4de3-b528-058d33844ea3",
"x-misp-object--993871f0-b786-4813-9811-7f60eb385014",
"indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a",
"x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6",
"indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e",
"x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3",
"relationship--a3a3a4ed-995b-4de0-87f3-0d3cbe1f3c21",
"relationship--a14a409f-30f9-423c-ab4a-9057106dd130",
"relationship--f5172c29-d4c5-48b8-96f4-f05263e43885",
"relationship--6d4c07a4-69f9-4f5e-8c86-1e3e791af666",
"relationship--01c847bb-e1b1-4d80-9796-3ef80d9ee2c7"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:malpedia=\"DNSpionage\"",
"misp-galaxy:threat-actor=\"DNSpionage\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:tool=\"Karkoff\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cc023f7-8650-4b3b-b631-4d52950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:53:11.000Z",
"modified": "2019-04-24T08:53:11.000Z",
"first_observed": "2019-04-24T08:53:11Z",
"last_observed": "2019-04-24T08:53:11Z",
"number_observed": 1,
"object_refs": [
"url--5cc023f7-8650-4b3b-b631-4d52950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cc023f7-8650-4b3b-b631-4d52950d210f",
"value": "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cc0240c-fb80-4eb2-99bb-4040950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:53:32.000Z",
"modified": "2019-04-24T08:53:32.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers' command and control(C2). Since then, there have been several other public reports of additional DNSpionage attacks, and in January, the U.S. Department of Homeland Security issued an alert warning users about this threat activity.\r\n\r\nIn addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling \"Karkoff.\"\r\n\r\nThis post will cover the aforementioned DNSpionage updates, the discovery of the Karkoff malware and an analysis of the recent Oilrig malware toolset leak \u00e2\u20ac\u201d and how it could be connected to these two attacks."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc0242b-2ba8-419f-8d14-42e7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:54:03.000Z",
"modified": "2019-04-24T08:54:03.000Z",
"description": "Karkoff sample",
"pattern": "[file:hashes.SHA256 = '5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T08:54:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc0242b-e1cc-4aec-a163-471f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:54:03.000Z",
"modified": "2019-04-24T08:54:03.000Z",
"description": "Karkoff sample",
"pattern": "[file:hashes.SHA256 = '6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T08:54:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc0242b-1ac0-448a-a3c9-45ff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:54:03.000Z",
"modified": "2019-04-24T08:54:03.000Z",
"description": "Karkoff sample",
"pattern": "[file:hashes.SHA256 = 'b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T08:54:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc0242b-d758-44d4-9614-4759950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:54:03.000Z",
"modified": "2019-04-24T08:54:03.000Z",
"description": "Karkoff sample",
"pattern": "[file:hashes.SHA256 = 'cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T08:54:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc02456-7350-4263-bbc9-4205950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:54:46.000Z",
"modified": "2019-04-24T08:54:46.000Z",
"description": "C2 server",
"pattern": "[domain-name:value = 'coldfart.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T08:54:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc02456-7a84-49a2-b073-4ea8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:54:46.000Z",
"modified": "2019-04-24T08:54:46.000Z",
"description": "C2 server",
"pattern": "[domain-name:value = 'rimrun.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T08:54:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc02456-b618-4f07-9281-4404950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:54:46.000Z",
"modified": "2019-04-24T08:54:46.000Z",
"description": "C2 server",
"pattern": "[domain-name:value = 'kuternull.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T08:54:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:56:10.000Z",
"modified": "2019-04-24T08:56:10.000Z",
"first_observed": "2019-04-24T08:56:10Z",
"last_observed": "2019-04-24T08:56:10Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
"ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
"src_ref": "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5cc024aa-ff04-4ef8-8acd-1bc4e387cbd9",
"value": "108.62.141.247"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T08:56:25.000Z",
"modified": "2019-04-24T08:56:25.000Z",
"first_observed": "2019-04-24T08:56:25Z",
"last_observed": "2019-04-24T08:56:25Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
"ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
"src_ref": "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5cc024b9-0c94-42a4-820b-1bc4e387cbd9",
"value": "74.118.138.192"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc02a7b-08f8-493b-b253-247f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:20:59.000Z",
"modified": "2019-04-24T09:20:59.000Z",
"description": "DNSpionage XLS document",
"pattern": "[file:hashes.SHA256 = '2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T09:20:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cc02ab1-70b0-446f-8b28-2497950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:21:53.000Z",
"modified": "2019-04-24T09:21:53.000Z",
"description": "DNSpionage",
"pattern": "[file:hashes.SHA256 = 'e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T09:21:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:50.000Z",
"modified": "2019-04-24T09:22:50.000Z",
"pattern": "[file:hashes.MD5 = 'a583430c9c504fb216c9f976401ecd13' AND file:hashes.SHA1 = 'cd3b6c517227ad356264ff076cf0ea106b67fc13' AND file:hashes.SHA256 = 'cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T09:22:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-24T08:58:49",
"category": "Other",
"comment": "Karkoff sample",
"uuid": "cb98656d-453e-40aa-b337-e83a5c473a20"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5/analysis/1556096329/",
"category": "Payload delivery",
"comment": "Karkoff sample",
"uuid": "28a8b196-6a06-44d6-962b-6efc4d4f3945"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "38/71",
"category": "Payload delivery",
"comment": "Karkoff sample",
"uuid": "b29d31d3-c624-4c4c-99cd-626101e0d47b"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6393b267-5ff7-4204-85cf-709530bc110d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"pattern": "[file:hashes.MD5 = '530606b66bcd5a776f2cdecb34ee0fd1' AND file:hashes.SHA1 = '72ada4db1c70214e19eece2021669d95b94c0d4f' AND file:hashes.SHA256 = 'e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T09:22:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-24T09:05:37",
"category": "Other",
"comment": "DNSpionage",
"uuid": "6e2a7b92-867b-4c11-8b30-b925221ce51a"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8/analysis/1556096737/",
"category": "Payload delivery",
"comment": "DNSpionage",
"uuid": "9eda0fba-ebc8-494e-81a2-3c45135c591e"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "48/69",
"category": "Payload delivery",
"comment": "DNSpionage",
"uuid": "ee3f4732-30c5-49fc-9b1d-a6a732cb4f42"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"pattern": "[file:hashes.MD5 = 'a37703a0d08996a5fc04db52b71b9bcd' AND file:hashes.SHA1 = '7c7e1179eb3cd9effa92f303dd5e45ba881db15d' AND file:hashes.SHA256 = '6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T09:22:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--993871f0-b786-4813-9811-7f60eb385014",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-24T07:39:13",
"category": "Other",
"comment": "Karkoff sample",
"uuid": "a0e51f81-2cc5-438d-96d0-de19d5e93442"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11/analysis/1556091553/",
"category": "Payload delivery",
"comment": "Karkoff sample",
"uuid": "ccb7b733-4e20-4840-9ee4-be4b8451f1e1"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "39/66",
"category": "Payload delivery",
"comment": "Karkoff sample",
"uuid": "c6600e9e-5bf0-402c-8666-df0823154fe9"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"pattern": "[file:hashes.MD5 = '5733afe71bd0a32328d6ed9978260fa4' AND file:hashes.SHA1 = '5dbaaf4b338471ad58065fcdf335673977b2b261' AND file:hashes.SHA256 = '5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T09:22:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-24T07:39:16",
"category": "Other",
"comment": "Karkoff sample",
"uuid": "287255d9-5d0f-49f7-afd9-256da7290db1"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c/analysis/1556091556/",
"category": "Payload delivery",
"comment": "Karkoff sample",
"uuid": "d2ae94de-8869-48a0-bff0-acf3465c6a74"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "42/71",
"category": "Payload delivery",
"comment": "Karkoff sample",
"uuid": "7c4854e3-0c44-4143-b133-8273c30bf122"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"pattern": "[file:hashes.MD5 = '85a3a5f55fcbe63d2181cfa753f35fe1' AND file:hashes.SHA1 = 'd9844a1845446367822944464ba65965b1b70c4f' AND file:hashes.SHA256 = 'b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-04-24T09:22:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-04-24T07:39:18",
"category": "Other",
"comment": "Karkoff sample",
"uuid": "4ab8fa22-de5b-4d45-b328-a28f6ca4bc4f"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04/analysis/1556091558/",
"category": "Payload delivery",
"comment": "Karkoff sample",
"uuid": "2490a445-4913-49ad-9366-9cecf26b7505"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "41/65",
"category": "Payload delivery",
"comment": "Karkoff sample",
"uuid": "3d31e031-8726-4941-a004-143375bd7aa0"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a3a3a4ed-995b-4de0-87f3-0d3cbe1f3c21",
"created": "2019-04-24T09:22:51.000Z",
"modified": "2019-04-24T09:22:51.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--3148bbb8-f76e-4556-b973-3dea9cf89820",
"target_ref": "x-misp-object--5f8b1fcb-d5e4-4e95-adc0-253f765c8f61"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--a14a409f-30f9-423c-ab4a-9057106dd130",
"created": "2019-04-24T09:22:52.000Z",
"modified": "2019-04-24T09:22:52.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--6393b267-5ff7-4204-85cf-709530bc110d",
"target_ref": "x-misp-object--5baaf36e-74f0-4e6b-b18a-377bc301867e"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f5172c29-d4c5-48b8-96f4-f05263e43885",
"created": "2019-04-24T09:22:52.000Z",
"modified": "2019-04-24T09:22:52.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--52ca9602-5ef6-4de3-b528-058d33844ea3",
"target_ref": "x-misp-object--993871f0-b786-4813-9811-7f60eb385014"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6d4c07a4-69f9-4f5e-8c86-1e3e791af666",
"created": "2019-04-24T09:22:52.000Z",
"modified": "2019-04-24T09:22:52.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--9daaf5c9-c7e0-444d-b551-ff231e16521a",
"target_ref": "x-misp-object--fd6fe17b-18a9-4729-9276-796667da59b6"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--01c847bb-e1b1-4d80-9796-3ef80d9ee2c7",
"created": "2019-04-24T09:22:52.000Z",
"modified": "2019-04-24T09:22:52.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--1fc50c0d-6a22-4c8f-9823-229fb2334f2e",
"target_ref": "x-misp-object--71ee7c63-f4fa-463e-8a7d-054b9920e0a3"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink