misp-circl-feed/feeds/circl/misp/56f8e7c3-74b4-4789-9e6a-6f2302de0b81.json

372 lines
No EOL
15 KiB
JSON

{
"type": "bundle",
"id": "bundle--56f8e7c3-74b4-4789-9e6a-6f2302de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:23:37.000Z",
"modified": "2016-03-28T08:23:37.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--56f8e7c3-74b4-4789-9e6a-6f2302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:23:37.000Z",
"modified": "2016-03-28T08:23:37.000Z",
"name": "OSINT - Malware Employs PowerShell to Infect Systems",
"published": "2016-03-28T08:25:54Z",
"object_refs": [
"observed-data--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81",
"url--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81",
"indicator--56f8e800-3adc-4174-9cc1-3f2d02de0b81",
"indicator--56f8e800-e618-40e3-9da4-3f2d02de0b81",
"indicator--56f8e83a-044c-4f04-b0c8-3f2c02de0b81",
"indicator--56f8e83a-8ba4-426b-b457-3f2c02de0b81",
"observed-data--56f8e83a-2f44-473f-b5a0-3f2c02de0b81",
"url--56f8e83a-2f44-473f-b5a0-3f2c02de0b81",
"indicator--56f8e83b-1a50-4f31-9c66-3f2c02de0b81",
"indicator--56f8e83b-64fc-4a7e-acd1-3f2c02de0b81",
"observed-data--56f8e83b-60fc-4d9f-9478-3f2c02de0b81",
"url--56f8e83b-60fc-4d9f-9478-3f2c02de0b81",
"indicator--56f8e933-1844-4f61-9380-3f2b02de0b81",
"indicator--56f8e95a-ed68-4cae-bbfb-74ad02de0b81",
"indicator--56f8e984-bddc-4161-a586-3f2a02de0b81",
"indicator--56f8ea09-0720-4335-922e-74ad02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:14:32.000Z",
"modified": "2016-03-28T08:14:32.000Z",
"first_observed": "2016-03-28T08:14:32Z",
"last_observed": "2016-03-28T08:14:32Z",
"number_observed": 1,
"object_refs": [
"url--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f8e7e8-4670-4d0f-a2db-3f2f02de0b81",
"value": "https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e800-3adc-4174-9cc1-3f2d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:14:56.000Z",
"modified": "2016-03-28T08:14:56.000Z",
"description": "Sample",
"pattern": "[file:hashes.SHA1 = '846e9c0631139cfdcbf270f8bdc08cdd39e9a89d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:14:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e800-e618-40e3-9da4-3f2d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:14:56.000Z",
"modified": "2016-03-28T08:14:56.000Z",
"description": "Sample",
"pattern": "[file:hashes.SHA1 = '6c41bf5ead73e98c56397c37114f2c5a46fd2640']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:14:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e83a-044c-4f04-b0c8-3f2c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:15:54.000Z",
"modified": "2016-03-28T08:15:54.000Z",
"description": "Sample - Xchecked via VT: 846e9c0631139cfdcbf270f8bdc08cdd39e9a89d",
"pattern": "[file:hashes.SHA256 = 'e50bd23ece199e4cee6fcf145fd17141ac10f2f1bfc8e4dd7806134896045614']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:15:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e83a-8ba4-426b-b457-3f2c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:15:54.000Z",
"modified": "2016-03-28T08:15:54.000Z",
"description": "Sample - Xchecked via VT: 846e9c0631139cfdcbf270f8bdc08cdd39e9a89d",
"pattern": "[file:hashes.MD5 = 'bbd877a68b3d4aa4117d829f03d164be']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:15:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f8e83a-2f44-473f-b5a0-3f2c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:15:54.000Z",
"modified": "2016-03-28T08:15:54.000Z",
"first_observed": "2016-03-28T08:15:54Z",
"last_observed": "2016-03-28T08:15:54Z",
"number_observed": 1,
"object_refs": [
"url--56f8e83a-2f44-473f-b5a0-3f2c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f8e83a-2f44-473f-b5a0-3f2c02de0b81",
"value": "https://www.virustotal.com/file/e50bd23ece199e4cee6fcf145fd17141ac10f2f1bfc8e4dd7806134896045614/analysis/1458376259/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e83b-1a50-4f31-9c66-3f2c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:15:55.000Z",
"modified": "2016-03-28T08:15:55.000Z",
"description": "Sample - Xchecked via VT: 6c41bf5ead73e98c56397c37114f2c5a46fd2640",
"pattern": "[file:hashes.SHA256 = '77df37445d2a8951a876df6457f4ff869a6ee0f34a50ef472a30392673da5ec9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:15:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e83b-64fc-4a7e-acd1-3f2c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:15:55.000Z",
"modified": "2016-03-28T08:15:55.000Z",
"description": "Sample - Xchecked via VT: 6c41bf5ead73e98c56397c37114f2c5a46fd2640",
"pattern": "[file:hashes.MD5 = '7f58d7dddec4b72bab0fb27cd852593e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:15:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56f8e83b-60fc-4d9f-9478-3f2c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:15:55.000Z",
"modified": "2016-03-28T08:15:55.000Z",
"first_observed": "2016-03-28T08:15:55Z",
"last_observed": "2016-03-28T08:15:55Z",
"number_observed": 1,
"object_refs": [
"url--56f8e83b-60fc-4d9f-9478-3f2c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56f8e83b-60fc-4d9f-9478-3f2c02de0b81",
"value": "https://www.virustotal.com/file/77df37445d2a8951a876df6457f4ff869a6ee0f34a50ef472a30392673da5ec9/analysis/1458289786/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e933-1844-4f61-9380-3f2b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:20:03.000Z",
"modified": "2016-03-28T08:20:03.000Z",
"description": "\" .lnk file downloading\"",
"pattern": "[url:value = 'http://anonfile.xyz/f/7f58d7dddec4b72bab0fb27cd852593e.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:20:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e95a-ed68-4cae-bbfb-74ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:20:42.000Z",
"modified": "2016-03-28T08:20:42.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.127.99.183']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:20:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8e984-bddc-4161-a586-3f2a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:21:24.000Z",
"modified": "2016-03-28T08:21:24.000Z",
"pattern": "[file:hashes.MD5 = '7f58d7dddec4b72bab0fb27cd852593e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:21:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56f8ea09-0720-4335-922e-74ad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-28T08:23:37.000Z",
"modified": "2016-03-28T08:23:37.000Z",
"pattern": "[file:hashes.SHA1 = '6c41bf5ead73e98c56397c37114f2c5a46fd2640']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-28T08:23:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}