{
|
|
"type": "bundle",
|
|
"id": "bundle--5c3f3eca-3ce8-4bb0-8f24-43c0950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:37.000Z",
|
|
"modified": "2019-01-17T11:00:37.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5c3f3eca-3ce8-4bb0-8f24-43c0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:37.000Z",
|
|
"modified": "2019-01-17T11:00:37.000Z",
|
|
"name": "OSINT - Threat Actor \u201cCold River\u201d: Network Traffic Analysis and a Deep Dive on Agent Drable",
|
|
"published": "2019-01-17T11:00:57Z",
|
|
"object_refs": [
|
|
"observed-data--5c3f45a3-939c-4161-aced-4586950d210f",
|
|
"url--5c3f45a3-939c-4161-aced-4586950d210f",
|
|
"x-misp-attribute--5c3f4698-757c-4466-b3be-4457950d210f",
|
|
"indicator--5c3f4cdc-9928-4d32-9ed1-82e5950d210f",
|
|
"indicator--5c4035b9-a0e0-4a00-96c7-4f77950d210f",
|
|
"indicator--5c4036e7-cde0-4795-b1e7-462c950d210f",
|
|
"indicator--5c4036ed-7310-48ea-9f64-47e2950d210f",
|
|
"indicator--5c4036ee-e8b0-470e-81f0-489a950d210f",
|
|
"indicator--5c4036ee-b920-40ce-9802-4854950d210f",
|
|
"indicator--5c4036ef-3818-4a57-bd3b-4d04950d210f",
|
|
"indicator--5c403bbc-4d24-46a6-83eb-4eea950d210f",
|
|
"indicator--5c403bbd-4f68-4256-bfa6-46e9950d210f",
|
|
"indicator--5c403bbd-e298-4419-a1cd-4c2b950d210f",
|
|
"indicator--5c403bbe-3ff8-4da5-b8a2-4604950d210f",
|
|
"indicator--5c403bbe-99d4-47e6-8cb0-4e86950d210f",
|
|
"indicator--5c403bbf-f648-4156-85e6-42ce950d210f",
|
|
"indicator--5c403bbf-b8b0-4e0c-92f0-4757950d210f",
|
|
"indicator--5c403bc0-dfcc-49a1-850c-48b7950d210f",
|
|
"indicator--5c403e29-35cc-497d-8e69-4aa7950d210f",
|
|
"indicator--5c403ed9-c76c-4390-8782-4dc3950d210f",
|
|
"indicator--5c403ed9-aa4c-4740-b455-464f950d210f",
|
|
"indicator--5c403eda-9444-4932-a982-43d7950d210f",
|
|
"indicator--5c403eda-c210-49b8-8d66-4ede950d210f",
|
|
"indicator--5c403edb-bb74-4ec9-82d6-4f31950d210f",
|
|
"indicator--5c403edb-feb8-401a-93fd-4dbd950d210f",
|
|
"indicator--5c403edc-6934-4289-a417-4377950d210f",
|
|
"indicator--5c403edd-93ac-4c08-9d81-4c37950d210f",
|
|
"indicator--5c403edd-7dac-49a4-81a4-44e0950d210f",
|
|
"indicator--5c404095-60e0-405d-88e5-4073950d210f",
|
|
"indicator--5c404096-b05c-4197-8887-4a82950d210f",
|
|
"indicator--5c404096-1914-44d6-a9fb-4415950d210f",
|
|
"observed-data--5c404188-ffa8-4fe9-a371-4b3c950d210f",
|
|
"windows-registry-key--5c404188-ffa8-4fe9-a371-4b3c950d210f",
|
|
"indicator--5c404189-6988-4169-9f92-466a950d210f",
|
|
"observed-data--5c404189-0f60-45c0-876e-41e6950d210f",
|
|
"windows-registry-key--5c404189-0f60-45c0-876e-41e6950d210f",
|
|
"indicator--5c40418a-91d4-48fb-a083-4180950d210f",
|
|
"indicator--5c40418a-8778-48f9-a9dd-468e950d210f",
|
|
"indicator--5c40418b-6908-412b-bb68-4620950d210f",
|
|
"observed-data--5c40418b-17e8-4969-910d-41a5950d210f",
|
|
"windows-registry-key--5c40418b-17e8-4969-910d-41a5950d210f",
|
|
"indicator--5c3f46f9-f208-4ad9-9ce1-4c08950d210f",
|
|
"indicator--5c3f4980-f148-4b82-bbb4-4fc6950d210f",
|
|
"x-misp-object--5c402de1-c87c-479a-9aad-45dd950d210f",
|
|
"indicator--5c402e8c-09f8-42f0-b7a0-4d0c950d210f",
|
|
"indicator--5c403100-1104-4b24-9e5a-441f950d210f",
|
|
"indicator--5c40331a-a4c4-44ed-9774-4a0a950d210f",
|
|
"indicator--5c403585-b7e8-47f2-ad7d-44ee950d210f",
|
|
"indicator--5c403f9a-39c8-4cad-bac3-452a950d210f",
|
|
"indicator--3865d658-4ec2-4ccf-8437-2cf9ecdd8dac",
|
|
"x-misp-object--3c8bf6c1-e76a-4d68-95ec-8f98f353c35f",
|
|
"indicator--d866b492-3e79-4f62-ae4b-8fcfe1ec0a05",
|
|
"x-misp-object--28884802-adc0-41dd-85c5-f37b24623600",
|
|
"indicator--b8c3e2c4-dd23-4d42-8f1e-83832c52602b",
|
|
"x-misp-object--fa573724-154a-4d4e-84a1-f36c91f5422e",
|
|
"indicator--e672e426-1d42-42e0-b1d0-fbc9d846b35c",
|
|
"x-misp-object--553ba70d-9782-43f5-8355-434287122d90",
|
|
"relationship--77c2ecaa-7d39-4245-88fa-4a65f2f43622",
|
|
"relationship--39ed752e-d95e-415b-8808-b3b915068dfb",
|
|
"relationship--54a29ceb-19f7-416a-bf1f-acda30818525",
|
|
"relationship--8aa504e9-35e9-40e7-b8c5-eb99471723d8"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"misp-galaxy:threat-actor=\"Cold River\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c3f45a3-939c-4161-aced-4586950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:59:23.000Z",
|
|
"modified": "2019-01-17T08:59:23.000Z",
|
|
"first_observed": "2019-01-17T08:59:23Z",
|
|
"last_observed": "2019-01-17T08:59:23Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5c3f45a3-939c-4161-aced-4586950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5c3f45a3-939c-4161-aced-4586950d210f",
|
|
"value": "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5c3f4698-757c-4466-b3be-4457950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:59:22.000Z",
|
|
"modified": "2019-01-17T08:59:22.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "While reviewing some network anomalies, we recently uncovered Cold River, a sophisticated threat actor making malicious use of DNS tunneling for command and control activities. We have been able to decode the raw traffic in command and control, find sophisticated lure documents used in the campaign, connect other previously unknown samples, and associate a number of legitimate organizations whose infrastructure is referenced and used in the campaign.\r\n\r\nThe campaign targets Middle Eastern organizations, largely from Lebanon and the United Arab Emirates, though Indian and Canadian companies with interests in those Middle Eastern countries are also targeted. There are new TTPs used in this attack \u2013 for example, Agent_Drable is leveraging the Django python framework for command and control infrastructure, the technical details of which are outlined later in the blog."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c3f4cdc-9928-4d32-9ed1-82e5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-16T15:25:16.000Z",
|
|
"modified": "2019-01-16T15:25:16.000Z",
|
|
"description": "Callback domain for the DNS-tunnelling command and control channel; the encoded per-victim queries are subdomains of it.",
|
|
"pattern": "[domain-name:value = '0ffice36o.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-16T15:25:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4035b9-a0e0-4a00-96c7-4f77950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:12:20.000Z",
|
|
"modified": "2019-01-17T08:12:20.000Z",
|
|
"description": "Hardcoded HTTP CnC, not used at the time of the analysis.",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.161.211.72']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:12:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4036e7-cde0-4795-b1e7-462c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:03:51.000Z",
|
|
"modified": "2019-01-17T08:03:51.000Z",
|
|
"description": "DNS-tunnelling query observed from a victim (encoded label under the 0ffice36o[.]com callback domain). The label is likely victim-specific, so detection should key on the parent domain rather than on this exact hostname.",
|
|
"pattern": "[domain-name:value = 'crzugfdhsmrqgq4hy000.0ffice36o.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:03:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4036ed-7310-48ea-9f64-47e2950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:03:57.000Z",
|
|
"modified": "2019-01-17T08:03:57.000Z",
|
|
"description": "DNS-tunnelling query observed from a victim (encoded label under the 0ffice36o[.]com callback domain). The label is likely victim-specific, so detection should key on the parent domain rather than on this exact hostname.",
|
|
"pattern": "[domain-name:value = 'gyc3gfmhomrqgq4hy.0ffice36o.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:03:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4036ee-e8b0-470e-81f0-489a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:03:58.000Z",
|
|
"modified": "2019-01-17T08:03:58.000Z",
|
|
"description": "DNS-tunnelling query observed from a victim (encoded label under the 0ffice36o[.]com callback domain). The label is likely victim-specific, so detection should key on the parent domain rather than on this exact hostname.",
|
|
"pattern": "[domain-name:value = 'svg4gf2ugmrqgq4hy.0ffice36o.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:03:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4036ee-b920-40ce-9802-4854950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:03:58.000Z",
|
|
"modified": "2019-01-17T08:03:58.000Z",
|
|
"description": "DNS-tunnelling query observed from a victim (encoded label under the 0ffice36o[.]com callback domain). The label is likely victim-specific, so detection should key on the parent domain rather than on this exact hostname.",
|
|
"pattern": "[domain-name:value = 'hnahgfmg4mrqgq4hy.0ffice36o.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:03:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c4036ef-3818-4a57-bd3b-4d04950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:03:59.000Z",
|
|
"modified": "2019-01-17T08:03:59.000Z",
|
|
"description": "DNS-tunnelling query observed from a victim (encoded label under the 0ffice36o[.]com callback domain). The label is likely victim-specific, so detection should key on the parent domain rather than on this exact hostname.",
|
|
"pattern": "[domain-name:value = '6ghzgf2ugmd4ji2vor2tgvkeutkf.0ffice36o.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:03:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403bbc-4d24-46a6-83eb-4eea950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:24:28.000Z",
|
|
"modified": "2019-01-17T08:24:28.000Z",
|
|
"description": "Mostly used to generate Let\u2019s Encrypt certificates. Port 443 still answers with memail.mea.com[.]lb. Port 444 has a \u201cGlobalSign\u201d certificate for memail.mea.com[.]lb. Note: memail.mea.com[.]lb is presumably the legitimate organization\u2019s hostname being impersonated here, not attacker infrastructure \u2013 verify before blocking the hostname itself.",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.187.8']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:24:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403bbd-4f68-4256-bfa6-46e9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:24:29.000Z",
|
|
"modified": "2019-01-17T08:24:29.000Z",
|
|
"pattern": "[domain-name:value = 'memail.mea.com.lb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:24:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403bbd-e298-4419-a1cd-4c2b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:24:29.000Z",
|
|
"modified": "2019-01-17T08:24:29.000Z",
|
|
"description": "Live HTTP CnC. Ports 80 and 443 return interesting Django debug info.",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.138']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:24:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403bbe-3ff8-4da5-b8a2-4604950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:24:30.000Z",
|
|
"modified": "2019-01-17T08:24:30.000Z",
|
|
"description": "Unknown usage. HTTPS service on port 7070 serving a page protected by HTTP Basic authentication; certificate CN is \u201ckerteros\u201d. Port 8083 hosts a web server, but it only returns a blank page.",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.157']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:24:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403bbe-99d4-47e6-8cb0-4e86950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:24:30.000Z",
|
|
"modified": "2019-01-17T08:24:30.000Z",
|
|
"description": "Hosted the HR-themed phishing domains hr-suncor[.]com and hr-wipro[.]com; at the time of analysis both redirected to the legitimate websites.",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.161.211.79']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:24:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403bbf-f648-4156-85e6-42ce950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:24:31.000Z",
|
|
"modified": "2019-01-17T08:24:31.000Z",
|
|
"pattern": "[domain-name:value = 'hr-suncor.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:24:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403bbf-b8b0-4e0c-92f0-4757950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:24:31.000Z",
|
|
"modified": "2019-01-17T08:24:31.000Z",
|
|
"pattern": "[domain-name:value = 'hr-wipro.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:24:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403bc0-dfcc-49a1-850c-48b7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:24:31.000Z",
|
|
"modified": "2019-01-17T08:24:31.000Z",
|
|
"description": "OpenConnect VPN endpoint used to reach the HTTP CnC.",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.9.177.22']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:24:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403e29-35cc-497d-8e69-4aa7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:34:49.000Z",
|
|
"modified": "2019-01-17T08:34:49.000Z",
|
|
"pattern": "[domain-name:value = 'files-sender.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:34:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403ed9-c76c-4390-8782-4dc3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:45.000Z",
|
|
"modified": "2019-01-17T08:37:45.000Z",
|
|
"pattern": "[url:value = 'https://crt.sh/?id=923463758']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403ed9-aa4c-4740-b455-464f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:45.000Z",
|
|
"modified": "2019-01-17T08:37:45.000Z",
|
|
"pattern": "[domain-name:value = 'webmail.finance.gov.lb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403eda-9444-4932-a982-43d7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:46.000Z",
|
|
"modified": "2019-01-17T08:37:46.000Z",
|
|
"pattern": "[url:value = 'https://crt.sh/?id=922787406']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403eda-c210-49b8-8d66-4ede950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:46.000Z",
|
|
"modified": "2019-01-17T08:37:46.000Z",
|
|
"pattern": "[domain-name:value = 'mail.apc.gov.ae']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403edb-bb74-4ec9-82d6-4f31950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:47.000Z",
|
|
"modified": "2019-01-17T08:37:47.000Z",
|
|
"pattern": "[url:value = 'https://crt.sh/?id=782678542']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403edb-feb8-401a-93fd-4dbd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:47.000Z",
|
|
"modified": "2019-01-17T08:37:47.000Z",
|
|
"pattern": "[domain-name:value = 'mail.mgov.ae']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403edc-6934-4289-a417-4377950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:48.000Z",
|
|
"modified": "2019-01-17T08:37:48.000Z",
|
|
"pattern": "[url:value = 'https://crt.sh/?id=750443611']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403edd-93ac-4c08-9d81-4c37950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:49.000Z",
|
|
"modified": "2019-01-17T08:37:49.000Z",
|
|
"pattern": "[domain-name:value = 'adpvpn.adpolice.gov.ae']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403edd-7dac-49a4-81a4-44e0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:37:49.000Z",
|
|
"modified": "2019-01-17T08:37:49.000Z",
|
|
"pattern": "[url:value = 'https://crt.sh/?id=741047630']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:37:49Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c404095-60e0-405d-88e5-4073950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:45:09.000Z",
|
|
"modified": "2019-01-17T08:45:09.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.20.184.15']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:45:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c404096-b05c-4197-8887-4a82950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:45:10.000Z",
|
|
"modified": "2019-01-17T08:45:10.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.148.109.193']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:45:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c404096-1914-44d6-a9fb-4415950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:45:10.000Z",
|
|
"modified": "2019-01-17T08:45:10.000Z",
|
|
"pattern": "[domain-name:value = 'microsoftonedrive.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:45:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c404188-ffa8-4fe9-a371-4b3c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:49:12.000Z",
|
|
"modified": "2019-01-17T08:49:12.000Z",
|
|
"first_observed": "2019-01-17T08:49:12Z",
|
|
"last_observed": "2019-01-17T08:49:12Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"windows-registry-key--5c404188-ffa8-4fe9-a371-4b3c950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"regkey\"",
|
|
"misp:category=\"Persistence mechanism\""
|
|
]
|
|
},
|
|
{
|
|
"type": "windows-registry-key",
|
|
"spec_version": "2.1",
|
|
"id": "windows-registry-key--5c404188-ffa8-4fe9-a371-4b3c950d210f",
|
|
"key": "%userprofile%\\.oracleServices\\Apps\\"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c404189-6988-4169-9f92-466a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:49:13.000Z",
|
|
"modified": "2019-01-17T08:49:13.000Z",
|
|
"description": "Filesystem artifact: %userprofile%\\.oracleServices\\Configure.txt (the extra backslashes around %userprofile% in the pattern appear to be converter escaping, not part of the path).",
|
|
"pattern": "[file:name = '\\\\%userprofile\\\\%\\\\.oracleServices\\\\Configure.txt']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:49:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c404189-0f60-45c0-876e-41e6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:49:13.000Z",
|
|
"modified": "2019-01-17T08:49:13.000Z",
|
|
"first_observed": "2019-01-17T08:49:13Z",
|
|
"last_observed": "2019-01-17T08:49:13Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"windows-registry-key--5c404189-0f60-45c0-876e-41e6950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"regkey\"",
|
|
"misp:category=\"Persistence mechanism\""
|
|
]
|
|
},
|
|
{
|
|
"type": "windows-registry-key",
|
|
"spec_version": "2.1",
|
|
"id": "windows-registry-key--5c404189-0f60-45c0-876e-41e6950d210f",
|
|
"key": "%userprofile%\\.oracleServices\\Downloads\\"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c40418a-91d4-48fb-a083-4180950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:49:14.000Z",
|
|
"modified": "2019-01-17T08:49:14.000Z",
|
|
"description": "Filesystem artifact: %userprofile%\\.oracleServices\\log.txt (the extra backslashes around %userprofile% in the pattern appear to be converter escaping, not part of the path).",
|
|
"pattern": "[file:name = '\\\\%userprofile\\\\%\\\\.oracleServices\\\\log.txt']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:49:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c40418a-8778-48f9-a9dd-468e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:49:14.000Z",
|
|
"modified": "2019-01-17T08:49:14.000Z",
|
|
"description": "Filesystem artifact: %userprofile%\\.oracleServices\\svshost_serv.doc (the extra backslashes around %userprofile% in the pattern appear to be converter escaping, not part of the path).",
|
|
"pattern": "[file:name = '\\\\%userprofile\\\\%\\\\.oracleServices\\\\svshost_serv.doc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:49:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c40418b-6908-412b-bb68-4620950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:49:15.000Z",
|
|
"modified": "2019-01-17T08:49:15.000Z",
|
|
"description": "Filesystem artifact: svshost_serv.exe dropped under the .oracleServices directory in the user profile (note the name mimics svchost). Caveat for detection engineering: the pattern places the full %userprofile%-relative path in file:name, whereas STIX 2.1 file:name carries only the base file name, and the encoded value also has extra backslashes around the %userprofile% token (apparently an export escaping artifact); match on the file name svshost_serv.exe inside a .oracleServices directory under the user profile rather than on the literal pattern value.",
|
|
"pattern": "[file:name = '\\\\%userprofile\\\\%\\\\.oracleServices\\\\svshost_serv.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:49:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5c40418b-17e8-4969-910d-41a5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:49:15.000Z",
|
|
"modified": "2019-01-17T08:49:15.000Z",
|
|
"first_observed": "2019-01-17T08:49:15Z",
|
|
"last_observed": "2019-01-17T08:49:15Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"windows-registry-key--5c40418b-17e8-4969-910d-41a5950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"regkey\"",
|
|
"misp:category=\"Persistence mechanism\""
|
|
]
|
|
},
|
|
{
|
|
"type": "windows-registry-key",
|
|
"spec_version": "2.1",
|
|
"id": "windows-registry-key--5c40418b-17e8-4969-910d-41a5950d210f",
|
|
"key": "%userprofile%\\.oracleServices\\Uploads\\"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c3f46f9-f208-4ad9-9ce1-4c08950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-16T15:00:09.000Z",
|
|
"modified": "2019-01-16T15:00:09.000Z",
|
|
"description": "Weaponized empty document (SHA1 1f007ab17b62cca88a5681f02089ab33adc10eec). The same sample appears elsewhere in this bundle as 'Empty doc' and as a file indicator with MD5, SHA1 and SHA256 hashes linked to a VirusTotal report; these are duplicate entries for one file, not separate samples.",
|
|
"pattern": "[file:hashes.SHA1 = '1f007ab17b62cca88a5681f02089ab33adc10eec' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-16T15:00:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c3f4980-f148-4b82-bbb4-4fc6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-16T15:10:56.000Z",
|
|
"modified": "2019-01-16T15:10:56.000Z",
|
|
"description": "Decoy document themed as an HR document from Suncor (SHA1 9ea865e000e3e15cec15efc466801bb181ba40a1). The same sample appears elsewhere in this bundle as 'Suncor decoy' and as a file indicator with MD5, SHA1 and SHA256 hashes linked to a VirusTotal report; these are duplicate entries for one file.",
|
|
"pattern": "[file:hashes.SHA1 = '9ea865e000e3e15cec15efc466801bb181ba40a1' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-16T15:10:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5c402de1-c87c-479a-9aad-45dd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T07:25:21.000Z",
|
|
"modified": "2019-01-17T07:25:21.000Z",
|
|
"labels": [
|
|
"misp:name=\"microblog\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "post",
|
|
"value": "@securitydoggo @James_inthe_box @malwrhunterteam @Malwageddon Possible DNS tunneler/stager with 0ffice36o[.]com C2. Anyone speak Russian? https://www.sendspace.com/file/69a6bc",
|
|
"category": "Other",
|
|
"uuid": "5c402de1-116c-4d24-ae84-46d2950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Twitter",
|
|
"category": "Other",
|
|
"uuid": "5c402de1-8bf8-4b46-8284-4149950d210f"
|
|
},
|
|
{
|
|
"type": "url",
|
|
"object_relation": "url",
|
|
"value": "https://twitter.com/KorbenD_Intel/status/1053037793012781061",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5c402de1-8c20-4156-a2ca-441c950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username-quoted",
|
|
"value": "@securitydoggo",
|
|
"category": "Other",
|
|
"uuid": "5c402de2-b470-4625-899a-42d8950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username-quoted",
|
|
"value": "@James_inthe_box",
|
|
"category": "Other",
|
|
"uuid": "5c402de2-6b7c-4f2b-9ab6-438e950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username-quoted",
|
|
"value": "@Malwageddon",
|
|
"category": "Other",
|
|
"uuid": "5c402de3-a27c-4dc8-9dd9-42e3950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username-quoted",
|
|
"value": "@malwrhunterteam",
|
|
"category": "Other",
|
|
"uuid": "5c402de3-aad8-4803-bf02-415a950d210f"
|
|
},
|
|
{
|
|
"type": "url",
|
|
"object_relation": "link",
|
|
"value": "https://www.sendspace.com/file/69a6bc",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5c402de4-8fc0-4cc4-a3f9-496d950d210f"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "creation-date",
|
|
"value": "2018-10-18T14:39:00",
|
|
"category": "Other",
|
|
"uuid": "5c402de4-3e70-478a-b932-442e950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username",
|
|
"value": "@KorbenD_Intel",
|
|
"category": "Other",
|
|
"uuid": "5c402de5-0364-4a8d-a8e7-45ff950d210f"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "microblog"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c402e8c-09f8-42f0-b7a0-4d0c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T07:28:12.000Z",
|
|
"modified": "2019-01-17T07:28:12.000Z",
|
|
"description": "Empty document; duplicate of the 'weaponized empty document' indicator (same SHA1 1f007ab17b62cca88a5681f02089ab33adc10eec), not a second file.",
|
|
"pattern": "[file:hashes.SHA1 = '1f007ab17b62cca88a5681f02089ab33adc10eec' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T07:28:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403100-1104-4b24-9e5a-441f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T07:38:40.000Z",
|
|
"modified": "2019-01-17T07:38:40.000Z",
|
|
"description": "Suncor-themed decoy document; duplicate of the 'HR document from Suncor' indicator (same SHA1 9ea865e000e3e15cec15efc466801bb181ba40a1), not a second file.",
|
|
"pattern": "[file:hashes.SHA1 = '9ea865e000e3e15cec15efc466801bb181ba40a1' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T07:38:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c40331a-a4c4-44ed-9774-4a0a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T07:47:38.000Z",
|
|
"modified": "2019-01-17T07:47:38.000Z",
|
|
"description": "Payload variant that includes log information (SHA1 1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5); compare with the variant described as 'Payload without log information' (SHA1 1022620da25db2497dc237adedb53755e6b859e3).",
|
|
"pattern": "[file:hashes.SHA1 = '1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T07:47:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403585-b7e8-47f2-ad7d-44ee950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T07:57:57.000Z",
|
|
"modified": "2019-01-17T07:57:57.000Z",
|
|
"description": "Payload variant without log information (SHA1 1022620da25db2497dc237adedb53755e6b859e3); compare with the variant described as 'Payload with log information' (SHA1 1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5).",
|
|
"pattern": "[file:hashes.SHA1 = '1022620da25db2497dc237adedb53755e6b859e3' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T07:57:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c403f9a-39c8-4cad-bac3-452a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T08:40:58.000Z",
|
|
"modified": "2019-01-17T08:40:58.000Z",
|
|
"description": "Dropper (maldoc)",
|
|
"pattern": "[file:hashes.SHA1 = '678ea06ebf058f33fffa1237d40b89b47f0e45e1' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T08:40:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3865d658-4ec2-4ccf-8437-2cf9ecdd8dac",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:09.000Z",
|
|
"modified": "2019-01-17T11:00:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = '48320f502811645fa1f2f614bd8a385a' AND file:hashes.SHA1 = '1f007ab17b62cca88a5681f02089ab33adc10eec' AND file:hashes.SHA256 = '15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T11:00:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--3c8bf6c1-e76a-4d68-95ec-8f98f353c35f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:11.000Z",
|
|
"modified": "2019-01-17T11:00:11.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-01-15T07:47:18",
|
|
"category": "Other",
|
|
"uuid": "98d5929e-dcfd-441b-bfda-7b38ea435eec"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa/analysis/1547538438/",
|
|
"category": "External analysis",
|
|
"uuid": "4fc92056-064b-472c-b77b-3f30cf915fca"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "37/58",
|
|
"category": "Other",
|
|
"uuid": "a49850e2-6174-403b-8eac-8cad60a6e895"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d866b492-3e79-4f62-ae4b-8fcfe1ec0a05",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:12.000Z",
|
|
"modified": "2019-01-17T11:00:12.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'c00c9f6ebf2979292d524acff19dd306' AND file:hashes.SHA1 = '1022620da25db2497dc237adedb53755e6b859e3' AND file:hashes.SHA256 = '45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T11:00:12Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--28884802-adc0-41dd-85c5-f37b24623600",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:14.000Z",
|
|
"modified": "2019-01-17T11:00:14.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-12-21T08:26:31",
|
|
"category": "Other",
|
|
"uuid": "d2f9d666-d4b2-4ed5-b123-0ca8a51144cc"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff/analysis/1545380791/",
|
|
"category": "External analysis",
|
|
"uuid": "0180ce7c-4d8f-4dc2-a1c1-d69f89da88bb"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "45/70",
|
|
"category": "Other",
|
|
"uuid": "be1bde68-c09d-49b2-bc65-75b1771d2b48"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b8c3e2c4-dd23-4d42-8f1e-83832c52602b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:15.000Z",
|
|
"modified": "2019-01-17T11:00:15.000Z",
|
|
"pattern": "[file:hashes.MD5 = '807482efce3397ece64a1ded3d436139' AND file:hashes.SHA1 = '9ea865e000e3e15cec15efc466801bb181ba40a1' AND file:hashes.SHA256 = '9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T11:00:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--fa573724-154a-4d4e-84a1-f36c91f5422e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:17.000Z",
|
|
"modified": "2019-01-17T11:00:17.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-12-22T03:41:06",
|
|
"category": "Other",
|
|
"uuid": "b4ba042e-d5d3-47db-8839-1b8701adc6a0"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14/analysis/1545450066/",
|
|
"category": "External analysis",
|
|
"uuid": "0d61fdfd-883b-46d6-ad89-d1efb20fb53d"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "36/60",
|
|
"category": "Other",
|
|
"uuid": "97e10fc5-576b-4edc-b0f6-0e18effdcf0c"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e672e426-1d42-42e0-b1d0-fbc9d846b35c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:18.000Z",
|
|
"modified": "2019-01-17T11:00:18.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'd2052cb9016dab6592c532d5ea47cb7e' AND file:hashes.SHA1 = '1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5' AND file:hashes.SHA256 = '2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-01-17T11:00:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--553ba70d-9782-43f5-8355-434287122d90",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-01-17T11:00:21.000Z",
|
|
"modified": "2019-01-17T11:00:21.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-12-21T08:26:28",
|
|
"category": "Other",
|
|
"uuid": "39d91f37-902a-4939-be62-c55c26d410f1"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/analysis/1545380788/",
|
|
"category": "External analysis",
|
|
"uuid": "bcc36707-9559-4949-8ac7-baa0bb6078b2"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "47/69",
|
|
"category": "Other",
|
|
"uuid": "88168f7f-ef6b-466d-a831-053c528c2343"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--77c2ecaa-7d39-4245-88fa-4a65f2f43622",
|
|
"created": "2019-01-17T11:00:22.000Z",
|
|
"modified": "2019-01-17T11:00:22.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--3865d658-4ec2-4ccf-8437-2cf9ecdd8dac",
|
|
"target_ref": "x-misp-object--3c8bf6c1-e76a-4d68-95ec-8f98f353c35f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--39ed752e-d95e-415b-8808-b3b915068dfb",
|
|
"created": "2019-01-17T11:00:23.000Z",
|
|
"modified": "2019-01-17T11:00:23.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--d866b492-3e79-4f62-ae4b-8fcfe1ec0a05",
|
|
"target_ref": "x-misp-object--28884802-adc0-41dd-85c5-f37b24623600"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--54a29ceb-19f7-416a-bf1f-acda30818525",
|
|
"created": "2019-01-17T11:00:23.000Z",
|
|
"modified": "2019-01-17T11:00:23.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--b8c3e2c4-dd23-4d42-8f1e-83832c52602b",
|
|
"target_ref": "x-misp-object--fa573724-154a-4d4e-84a1-f36c91f5422e"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--8aa504e9-35e9-40e7-b8c5-eb99471723d8",
|
|
"created": "2019-01-17T11:00:23.000Z",
|
|
"modified": "2019-01-17T11:00:23.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--e672e426-1d42-42e0-b1d0-fbc9d846b35c",
|
|
"target_ref": "x-misp-object--553ba70d-9782-43f5-8355-434287122d90"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |