misp-circl-feed/feeds/circl/misp/59f049c0-aae0-47d2-a888-4021950d210f.json


{
"type": "bundle",
"id": "bundle--59f049c0-aae0-47d2-a888-4021950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-22T21:19:47.000Z",
"modified": "2017-11-22T21:19:47.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59f049c0-aae0-47d2-a888-4021950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-22T21:19:47.000Z",
"modified": "2017-11-22T21:19:47.000Z",
"name": "OSINT - Bad Rabbit: Not-Petya is back with improved ransomware",
"published": "2017-12-28T13:20:54Z",
"object_refs": [
"observed-data--59f049cf-329c-4504-a63c-4974950d210f",
"url--59f049cf-329c-4504-a63c-4974950d210f",
"indicator--59f04b31-f73c-4d20-95b5-4edf950d210f",
"x-misp-attribute--59f04b48-223c-4642-a5cf-412c950d210f",
"indicator--59f04b70-32f4-4c4b-bd74-4775950d210f",
"indicator--59f04b70-a00c-47a5-903e-44f2950d210f",
"indicator--59f04c8f-fba0-4775-913a-4a4f950d210f",
"indicator--59f04c8f-046c-41dc-a600-4306950d210f",
"indicator--59f04d24-9424-49ec-86bc-403c950d210f",
"indicator--59f04d24-f6a4-4278-b3b5-406d950d210f",
"indicator--59f04d24-0348-4b41-8e40-4887950d210f",
"indicator--59f04ddf-4f04-4174-a93d-4c9d950d210f",
"indicator--59f04ddf-3e78-47fc-ad92-4866950d210f",
"indicator--59f04ddf-9890-46f0-b252-4884950d210f",
"indicator--59f04ddf-de28-4f39-a955-43c6950d210f",
"indicator--59f04ddf-7564-446e-80f5-4717950d210f",
"indicator--59f04ddf-d780-4e3e-a215-44b3950d210f",
"indicator--59f04ddf-bcc0-415d-9588-4111950d210f",
"indicator--59f04ddf-4838-45fc-b75c-48b9950d210f",
"indicator--59f04ddf-4dc8-470d-9268-45bd950d210f",
"indicator--59f04ddf-0600-4c83-8d3a-41ae950d210f",
"indicator--59f04ddf-7eb8-4933-a170-4c3e950d210f",
"indicator--59f04ddf-7b94-4be1-a497-42c2950d210f",
"indicator--59f04ddf-fe88-4850-b260-4b7d950d210f",
"indicator--59f04ddf-8294-4d84-862f-46d7950d210f",
"indicator--59f04ddf-3198-4485-8eae-4833950d210f",
"indicator--59f04ddf-9858-4feb-ad80-4183950d210f",
"indicator--59f04ddf-7448-4f85-b71a-48d7950d210f",
"indicator--59f04ddf-7d48-426d-9d85-4d32950d210f",
"indicator--59f04ddf-fc80-4ddf-822f-47b2950d210f",
"indicator--59f04ddf-c6e8-4de1-a60a-42c8950d210f",
"indicator--59f04ddf-b9c0-485f-b2c3-42cb950d210f",
"indicator--59f04ddf-4fc4-4b03-927f-4c92950d210f",
"indicator--59f04ddf-e83c-4d61-b9ab-43ea950d210f",
"indicator--59f0514a-7310-4dad-b3b1-490002de0b81",
"indicator--59f0514a-df70-416c-bfae-445f02de0b81",
"observed-data--59f0514a-7f84-4846-ba38-449302de0b81",
"url--59f0514a-7f84-4846-ba38-449302de0b81",
"indicator--59f0514a-b3d0-4191-a490-440802de0b81",
"indicator--59f0514a-1be4-4e5c-8fff-48cc02de0b81",
"observed-data--59f0514a-f0d8-4972-9b45-40cb02de0b81",
"url--59f0514a-f0d8-4972-9b45-40cb02de0b81",
"indicator--59f04c50-0864-406b-b9fd-4797950d210f",
"indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f",
"indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f",
"indicator--59f04cf4-0f54-4525-8d29-453f950d210f",
"relationship--ef1adb75-000a-4e4e-943f-8e2bbcda05db",
"relationship--f1f3c1c9-a449-4189-8d9a-cd41054b1f7a",
"relationship--820b5b4f-804f-4cfa-a4ce-6531e77b5cdc"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Bad Rabbit\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:preventive-measure=\"Backup and Restore Process\"",
"misp-galaxy:preventive-measure=\"Restrict Workstation Communication\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f049cf-329c-4504-a63c-4974950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:33.000Z",
"modified": "2017-10-25T08:54:33.000Z",
"first_observed": "2017-10-25T08:54:33Z",
"last_observed": "2017-10-25T08:54:33Z",
"number_observed": 1,
"object_refs": [
"url--59f049cf-329c-4504-a63c-4974950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f049cf-329c-4504-a63c-4974950d210f",
"value": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04b31-f73c-4d20-95b5-4edf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.149.120.3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59f04b48-223c-4642-a5cf-412c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "A new ransomware outbreak today has hit some major infrastructure in Ukraine, including the Kiev metro."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04b70-32f4-4c4b-bd74-4775950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"pattern": "[domain-name:value = '1dnscontrol.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04b70-a00c-47a5-903e-44f2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:29:36.000Z",
"modified": "2017-10-25T08:29:36.000Z",
"pattern": "[file:name = 'install_flash_player.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:29:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04c8f-fba0-4775-913a-4a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "Mimikatz (32-bits)",
"pattern": "[file:hashes.SHA1 = '413eba3973a15c1a6429d9f170f3e8287f98c21c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04c8f-046c-41dc-a600-4306950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "Mimikatz (64-bits)",
"pattern": "[file:hashes.SHA1 = '16605a4a29a101208457c47ebfde788487be788d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04d24-9424-49ec-86bc-403c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"pattern": "[url:value = 'http://caforssztxqzf2nm.onion']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04d24-f6a4-4278-b3b5-406d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"pattern": "[url:value = 'http://185.149.120.3/scholargoogle/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04d24-0348-4b41-8e40-4887950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"pattern": "[url:value = 'http://1dnscontrol.com/flash_install.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-4f04-4174-a93d-4c9d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://argumentiru.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-3e78-47fc-ad92-4866950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.fontanka.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-9890-46f0-b252-4884950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://grupovo.bg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-de28-4f39-a955-43c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.sinematurk.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-7564-446e-80f5-4717950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.aica.co.jp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-d780-4e3e-a215-44b3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://spbvoditel.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-bcc0-415d-9588-4111950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://argumenti.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-4838-45fc-b75c-48b9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.mediaport.ua']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-4dc8-470d-9268-45bd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://blog.fontanka.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-0600-4c83-8d3a-41ae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://an-crimea.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-7eb8-4933-a170-4c3e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.t.ks.ua']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-7b94-4be1-a497-42c2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://most-dnepr.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-fe88-4850-b260-4b7d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://osvitaportal.com.ua']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-8294-4d84-862f-46d7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.otbrana.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-3198-4485-8eae-4833950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://calendar.fontanka.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-9858-4feb-ad80-4183950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.grupovo.bg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-7448-4f85-b71a-48d7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.pensionhotel.cz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-7d48-426d-9d85-4d32950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.online812.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-fc80-4ddf-822f-47b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://www.imer.ro']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-c6e8-4de1-a60a-42c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://novayagazeta.spb.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-b9c0-485f-b2c3-42cb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://i24.com.ua']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-4fc4-4b03-927f-4c92950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://bg.pensionhotel.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04ddf-e83c-4d61-b9ab-43ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "compromised site",
"pattern": "[url:value = 'http://ankerch-crimea.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f0514a-7310-4dad-b3b1-490002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d",
"pattern": "[file:hashes.SHA256 = '2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f0514a-df70-416c-bfae-445f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d",
"pattern": "[file:hashes.MD5 = '37945c44a897aa42a66adcab68f560e0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f0514a-7f84-4846-ba38-449302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"first_observed": "2017-10-25T08:54:34Z",
"last_observed": "2017-10-25T08:54:34Z",
"number_observed": 1,
"object_refs": [
"url--59f0514a-7f84-4846-ba38-449302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f0514a-7f84-4846-ba38-449302de0b81",
"value": "https://www.virustotal.com/file/2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035/analysis/1508915760/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f0514a-b3d0-4191-a490-440802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c",
"pattern": "[file:hashes.SHA256 = '301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f0514a-1be4-4e5c-8fff-48cc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"description": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c",
"pattern": "[file:hashes.MD5 = '347ac3b6b791054de3e5720a7144a977']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:54:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59f0514a-f0d8-4972-9b45-40cb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:54:34.000Z",
"modified": "2017-10-25T08:54:34.000Z",
"first_observed": "2017-10-25T08:54:34Z",
"last_observed": "2017-10-25T08:54:34Z",
"number_observed": 1,
"object_refs": [
"url--59f0514a-f0d8-4972-9b45-40cb02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59f0514a-f0d8-4972-9b45-40cb02de0b81",
"value": "https://www.virustotal.com/file/301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c/analysis/1508918790/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04c50-0864-406b-b9fd-4797950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:57:41.000Z",
"modified": "2017-10-25T08:57:41.000Z",
"description": "Diskcoder",
"pattern": "[file:hashes.SHA1 = '79116fe99f2b421c52ef64097f0f39b815b20907' AND file:name = 'infpub.dat']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:57:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:59:32.000Z",
"modified": "2017-10-25T08:59:32.000Z",
"description": "Lockscreen",
"pattern": "[file:hashes.SHA1 = 'afeee8b4acff87bc469a6f0364a81ae5d60a2add' AND file:name = 'dispci.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:59:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:57:23.000Z",
"modified": "2017-10-25T08:57:23.000Z",
"description": "Dropper",
"pattern": "[file:hashes.SHA1 = 'de5c8d858e6e41da715dca1c019df0bfb92d32c0' AND file:name = 'install_flash_player.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:57:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59f04cf4-0f54-4525-8d29-453f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-10-25T08:36:04.000Z",
"modified": "2017-10-25T08:36:04.000Z",
"description": "JavaScript on compromised sites",
"pattern": "[file:hashes.SHA1 = '4f61e154230a64902ae035434690bf2b96b4e018' AND file:name = 'page-main.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-10-25T08:36:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ef1adb75-000a-4e4e-943f-8e2bbcda05db",
"created": "2017-10-25T08:57:38.000Z",
"modified": "2017-10-25T08:57:38.000Z",
"relationship_type": "dropped-by",
"source_ref": "indicator--59f04c50-0864-406b-b9fd-4797950d210f",
"target_ref": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f1f3c1c9-a449-4189-8d9a-cd41054b1f7a",
"created": "2017-10-25T08:59:29.000Z",
"modified": "2017-10-25T08:59:29.000Z",
"relationship_type": "dropped-by",
"source_ref": "indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f",
"target_ref": "indicator--59f04c50-0864-406b-b9fd-4797950d210f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--820b5b4f-804f-4cfa-a4ce-6531e77b5cdc",
"created": "2017-10-25T08:57:20.000Z",
"modified": "2017-10-25T08:57:20.000Z",
"relationship_type": "dropped-by",
"source_ref": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f",
"target_ref": "indicator--59f04cf4-0f54-4525-8d29-453f950d210f"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}