adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/54ec3439-7154-48e4-ae1e-4c1c950d210b.json

1180 lines
No EOL
50 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--54ec3439-7154-48e4-ae1e-4c1c950d210b",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-06-15T07:28:02.000Z",
"modified": "2015-06-15T07:28:02.000Z",
"name": "CthulhuSPRL.be",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--54ec3439-7154-48e4-ae1e-4c1c950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-06-15T07:28:02.000Z",
"modified": "2015-06-15T07:28:02.000Z",
"name": "OSINT A deeper look into ScanBox TLP:WHITE report from PWC UK",
"published": "2016-02-22T15:15:26Z",
"object_refs": [
"observed-data--54ec345f-6524-4783-bc45-41c5950d210b",
"url--54ec345f-6524-4783-bc45-41c5950d210b",
"observed-data--54ec345f-43d8-4a5a-b214-448c950d210b",
"url--54ec345f-43d8-4a5a-b214-448c950d210b",
"x-misp-attribute--54ec3477-e1a8-43b2-8731-4047950d210b",
"indicator--54ec34c0-ad7c-488c-ab16-42fc950d210b",
"indicator--54ec3633-164c-47a9-8693-4dad950d210b",
"indicator--54ec36b6-6678-4619-9169-4f79950d210b",
"indicator--54ec36d4-caf8-4d3d-83eb-4746950d210b",
"indicator--54ec3702-76c4-4368-b35e-4406950d210b",
"indicator--54ec3718-c068-4cdc-9cb6-510f950d210b",
"indicator--54ec376c-66f4-415a-b8ef-47e5950d210b",
"x-misp-attribute--54ec39be-9658-411d-9a63-43c5950d210b",
"indicator--54ec39d8-4934-47ac-aa10-479d950d210b",
"x-misp-attribute--54ec39ee-9854-4f56-b521-474b950d210b",
"indicator--54ec3a18-b9d4-4f76-93e7-4f99950d210b",
"indicator--54ec3a2a-0918-435c-a163-4b3e950d210b",
"indicator--54ec3b25-8f44-4071-9fdd-65e2950d210b",
"indicator--54ec3b25-4bf8-4707-9c47-65e2950d210b",
"indicator--54ec3b25-04c8-4824-a61e-65e2950d210b",
"indicator--54ec3b25-3ef8-4b3b-806b-65e2950d210b",
"indicator--54ec3b25-b1b4-40fd-ac2b-65e2950d210b",
"indicator--54ec3b25-1528-4ea9-bf00-65e2950d210b",
"indicator--54ec3b65-b04c-483f-8b0d-c5e6950d210b",
"indicator--54ec3b65-abc4-4227-8c5c-c5e6950d210b",
"indicator--54ec3b65-82ac-49a8-b2b2-c5e6950d210b",
"indicator--54ec3b65-28c0-4bd8-93e3-c5e6950d210b",
"indicator--54ec3b65-3d60-4126-ad34-c5e6950d210b",
"indicator--54ec3b95-14c8-409d-a793-48bb950d210b",
"indicator--54ec3b95-9fe8-4d24-be71-4665950d210b",
"indicator--54ec3b95-7118-461c-ba2c-4cfb950d210b",
"indicator--54ec3b95-5820-4cb3-b8dd-4c54950d210b",
"indicator--54ec3be3-cb88-4725-8231-41ca950d210b",
"indicator--54ec3be3-4954-479c-b579-422f950d210b",
"indicator--54ec3be4-7b64-4b7a-aab6-4de2950d210b",
"indicator--54ec3be4-2c04-47d0-8172-4e87950d210b",
"indicator--54ec4094-59d4-4b92-883c-4c9a950d210b",
"indicator--54ec4094-fc8c-4e3f-a701-40f4950d210b",
"indicator--54ec4095-baf4-4f93-bd14-430f950d210b",
"indicator--54ec40a9-18ac-4e47-a399-4941950d210b",
"indicator--54ec40a9-7220-4c16-979d-4913950d210b",
"indicator--54ec40bc-e490-4845-a9d6-65e2950d210b",
"observed-data--557e7e82-ee90-4a49-b920-3a74950d210b",
"url--557e7e82-ee90-4a49-b920-3a74950d210b",
"indicator--56c655a3-066c-40d9-847b-59a3950d210f",
"indicator--56c655a4-a164-4629-8286-599e950d210f",
"indicator--56c655a6-4ed4-4e67-93a4-4e9c950d210f",
"indicator--56c655a1-b548-42d5-8f06-c652950d210f",
"indicator--56c655a2-ca34-4a49-a2cb-59a1950d210f",
"indicator--56c655a4-fdec-4a71-abf7-4d79950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54ec345f-6524-4783-bc45-41c5950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:20:47.000Z",
"modified": "2015-02-24T08:20:47.000Z",
"first_observed": "2015-02-24T08:20:47Z",
"last_observed": "2015-02-24T08:20:47Z",
"number_observed": 1,
"object_refs": [
"url--54ec345f-6524-4783-bc45-41c5950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54ec345f-6524-4783-bc45-41c5950d210b",
"value": "http://pwc.blogs.com/cyber_security_updates/2015/02/my-entry.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--54ec345f-43d8-4a5a-b214-448c950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:20:47.000Z",
"modified": "2015-02-24T08:20:47.000Z",
"first_observed": "2015-02-24T08:20:47Z",
"last_observed": "2015-02-24T08:20:47Z",
"number_observed": 1,
"object_refs": [
"url--54ec345f-43d8-4a5a-b214-448c950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--54ec345f-43d8-4a5a-b214-448c950d210b",
"value": "http://pwc.blogs.com/files/2015-02-24--scanbox-ii---tlpwhite.pdf"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54ec3477-e1a8-43b2-8731-4047950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:21:11.000Z",
"modified": "2015-02-24T08:21:11.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "ScanBox"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec34c0-ad7c-488c-ab16-42fc950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:22:24.000Z",
"modified": "2015-02-24T08:22:24.000Z",
"description": "Malware distribution point",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.80.190.133']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:22:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3633-164c-47a9-8693-4dad950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:28:35.000Z",
"modified": "2015-02-24T08:28:35.000Z",
"pattern": "[domain-name:value = 'googlecaches.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:28:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec36b6-6678-4619-9169-4f79950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:30:45.000Z",
"modified": "2015-02-24T08:30:45.000Z",
"description": "Legitimate compromised site",
"pattern": "[domain-name:value = 'gokbayrak.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:30:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec36d4-caf8-4d3d-83eb-4746950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:31:43.000Z",
"modified": "2015-02-24T08:31:43.000Z",
"description": "Legitimate compromised site",
"pattern": "[domain-name:value = 'macanna.com.tw']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:31:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3702-76c4-4368-b35e-4406950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:32:02.000Z",
"modified": "2015-02-24T08:32:02.000Z",
"pattern": "[file:hashes.MD5 = '3b8d7732de3b3c8823d241e7cd3185c4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:32:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3718-c068-4cdc-9cb6-510f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:32:24.000Z",
"modified": "2015-02-24T08:32:24.000Z",
"pattern": "[domain-name:value = 'happynewyear.dns04.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:32:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec376c-66f4-415a-b8ef-47e5950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:33:48.000Z",
"modified": "2015-02-24T08:33:48.000Z",
"description": "IP of happynewyear.dns04.com and hosts a lot of other malicious host names",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.23.172.151']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:33:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54ec39be-9658-411d-9a63-43c5950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:43:42.000Z",
"modified": "2015-02-24T08:43:42.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "TH3Bug"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec39d8-4934-47ac-aa10-479d950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:19.000Z",
"modified": "2015-02-24T08:52:19.000Z",
"description": "Cluster 1",
"pattern": "[domain-name:value = 'news.foundationssl.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--54ec39ee-9854-4f56-b521-474b950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:44:30.000Z",
"modified": "2015-02-24T08:44:30.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Deep Panda"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3a18-b9d4-4f76-93e7-4f99950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:45:11.000Z",
"modified": "2015-02-24T08:45:11.000Z",
"pattern": "[domain-name:value = 'qoog1e.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:45:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3a2a-0918-435c-a163-4b3e950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:45:30.000Z",
"modified": "2015-02-24T08:45:30.000Z",
"pattern": "[domain-name:value = 'webmailgoogle.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:45:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b25-8f44-4071-9fdd-65e2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:49:41.000Z",
"modified": "2015-02-24T08:49:41.000Z",
"pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes Content (plugin_pdf_ie())\"; flow:established,from_server; file_data; content:\"plugin_pdf_ie()\"; classtype:trojanactivity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework- whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]",
"pattern_type": "snort",
"valid_from": "2015-02-24T08:49:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b25-4bf8-4707-9c47-65e2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:49:41.000Z",
"modified": "2015-02-24T08:49:41.000Z",
"pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (.item(0).appendChild(iframe_tag))\"; flow:established,from_server; file_data; content:\".item(0).appendChild(iframe_tag)\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]",
"pattern_type": "snort",
"valid_from": "2015-02-24T08:49:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b25-04c8-4824-a61e-65e2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:49:41.000Z",
"modified": "2015-02-24T08:49:41.000Z",
"pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes Content (var version\\;var ax\\;var e\\;try{axo=new ActiveXObject)\"; flow:established,from_server; file_data; content:\"var version\\;var ax\\;var e\\;try{axo=new ActiveXObject\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]",
"pattern_type": "snort",
"valid_from": "2015-02-24T08:49:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b25-3ef8-4b3b-806b-65e2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:49:41.000Z",
"modified": "2015-02-24T08:49:41.000Z",
"pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (document.getElementsByTagName('head').item(0).appendChild(form_tag)\\;)\"; flow:established,from_server; file_data; content:\"document.getElementsByTagName('head').item(0).appendChild(form_tag)\\;\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]",
"pattern_type": "snort",
"valid_from": "2015-02-24T08:49:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b25-b1b4-40fd-ac2b-65e2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:49:41.000Z",
"modified": "2015-02-24T08:49:41.000Z",
"pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (return ((!a) ? 'x-': a) + Math.floor(Math.random() * 99999)\\;)\"; flow:established,from_server; file_data; content:\"return ((!a) ? 'x-': a) + Math.floor(Math.random() * 99999)\\;\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]",
"pattern_type": "snort",
"valid_from": "2015-02-24T08:49:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b25-1528-4ea9-bf00-65e2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:49:41.000Z",
"modified": "2015-02-24T08:49:41.000Z",
"pattern": "[alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Code (Chr(CInt(ns(i)) Xor n))\"; flow:established,from_server; file_data; content:\"Chr(CInt(ns(i)) Xor n)\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)]",
"pattern_type": "snort",
"valid_from": "2015-02-24T08:49:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b65-b04c-483f-8b0d-c5e6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:50:45.000Z",
"modified": "2015-02-24T08:50:45.000Z",
"description": "Cluster 1",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '1.9.5.38']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:50:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b65-abc4-4227-8c5c-c5e6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:50:45.000Z",
"modified": "2015-02-24T08:50:45.000Z",
"description": "Cluster 1",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.255.61.227']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:50:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b65-82ac-49a8-b2b2-c5e6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:50:45.000Z",
"modified": "2015-02-24T08:50:45.000Z",
"description": "Cluster 1",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.153.221']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:50:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b65-28c0-4bd8-93e3-c5e6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:50:45.000Z",
"modified": "2015-02-24T08:50:45.000Z",
"description": "Cluster 1",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '118.193.153.227']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:50:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b65-3d60-4126-ad34-c5e6950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:50:45.000Z",
"modified": "2015-02-24T08:50:45.000Z",
"description": "Cluster 1",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '174.121.122.73']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:50:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b95-14c8-409d-a793-48bb950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:19.000Z",
"modified": "2015-02-24T08:52:19.000Z",
"description": "Cluster 1",
"pattern": "[domain-name:value = 'file.googlecaches.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b95-9fe8-4d24-be71-4665950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:19.000Z",
"modified": "2015-02-24T08:52:19.000Z",
"description": "Cluster 1",
"pattern": "[domain-name:value = 'gtm.googlecaches.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b95-7118-461c-ba2c-4cfb950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:19.000Z",
"modified": "2015-02-24T08:52:19.000Z",
"description": "Cluster 1",
"pattern": "[domain-name:value = 'js.googlewebcache.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3b95-5820-4cb3-b8dd-4c54950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:19.000Z",
"modified": "2015-02-24T08:52:19.000Z",
"description": "Cluster 1",
"pattern": "[domain-name:value = 'owa.outlookssl.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3be3-cb88-4725-8231-41ca950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:51.000Z",
"modified": "2015-02-24T08:52:51.000Z",
"description": "Cluster 1",
"pattern": "[file:hashes.SHA256 = '4639c30b3666cb11b3927d5579790a88bff68e8137f18241f4693e0d4539c608']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3be3-4954-479c-b579-422f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:51.000Z",
"modified": "2015-02-24T08:52:51.000Z",
"description": "Cluster 1",
"pattern": "[file:hashes.SHA1 = '809959f390d5a49c8999ad6fff27fdc92ff1b2b0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3be4-7b64-4b7a-aab6-4de2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:52.000Z",
"modified": "2015-02-24T08:52:52.000Z",
"description": "Cluster 1",
"pattern": "[file:hashes.SHA256 = 'ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec3be4-2c04-47d0-8172-4e87950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T08:52:52.000Z",
"modified": "2015-02-24T08:52:52.000Z",
"description": "Cluster 1",
"pattern": "[file:hashes.SHA1 = 'e8a8ffe39040fe36e95217b4e4f1316177d675ed']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T08:52:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec4094-59d4-4b92-883c-4c9a950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T09:14:06.000Z",
"modified": "2015-02-24T09:14:06.000Z",
"description": "Cluster 4",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '122.10.10.161']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T09:14:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec4094-fc8c-4e3f-a701-40f4950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T09:14:06.000Z",
"modified": "2015-02-24T09:14:06.000Z",
"description": "Cluster 4",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '204.152.199.43']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T09:14:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec4095-baf4-4f93-bd14-430f950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T09:14:06.000Z",
"modified": "2015-02-24T09:14:06.000Z",
"description": "Cluster 4",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '50.2.24.211']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T09:14:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec40a9-18ac-4e47-a399-4941950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T09:14:06.000Z",
"modified": "2015-02-24T09:14:06.000Z",
"description": "Cluster 4",
"pattern": "[domain-name:value = 'bak.mailaunch.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T09:14:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec40a9-7220-4c16-979d-4913950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T09:14:06.000Z",
"modified": "2015-02-24T09:14:06.000Z",
"description": "Cluster 4",
"pattern": "[domain-name:value = 'us-mg6.mail.yahoo.mailaunch.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T09:14:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54ec40bc-e490-4845-a9d6-65e2950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-02-24T09:14:06.000Z",
"modified": "2015-02-24T09:14:06.000Z",
"description": "Cluster 4",
"pattern": "[file:hashes.SHA1 = 'f1890cc9d6dc84021426834063394539414f68d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2015-02-24T09:14:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--557e7e82-ee90-4a49-b920-3a74950d210b",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2015-06-15T07:28:02.000Z",
"modified": "2015-06-15T07:28:02.000Z",
"first_observed": "2015-06-15T07:28:02Z",
"last_observed": "2015-06-15T07:28:02Z",
"number_observed": 1,
"object_refs": [
"url--557e7e82-ee90-4a49-b920-3a74950d210b"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--557e7e82-ee90-4a49-b920-3a74950d210b",
"value": "http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c655a3-066c-40d9-847b-59a3950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:37:07.000Z",
"modified": "2016-02-18T23:37:07.000Z",
"description": "Automatically added (via f1890cc9d6dc84021426834063394539414f68d8)",
"pattern": "[file:hashes.MD5 = 'be3a3daa7d0d11df2380d3401696624a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:37:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c655a4-a164-4629-8286-599e950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:37:08.000Z",
"modified": "2016-02-18T23:37:08.000Z",
"description": "Automatically added (via e8a8ffe39040fe36e95217b4e4f1316177d675ed)",
"pattern": "[file:hashes.MD5 = 'ef498ea09bf51b002fc7eb3dfd0d19d3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:37:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c655a6-4ed4-4e67-93a4-4e9c950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:37:10.000Z",
"modified": "2016-02-18T23:37:10.000Z",
"description": "Automatically added (via 809959f390d5a49c8999ad6fff27fdc92ff1b2b0)",
"pattern": "[file:hashes.MD5 = '9cf5523da799277a4d40881199eb8325']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:37:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c655a1-b548-42d5-8f06-c652950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:37:05.000Z",
"modified": "2016-02-18T23:37:05.000Z",
"description": "Automatically added (via 3b8d7732de3b3c8823d241e7cd3185c4)",
"pattern": "[file:hashes.SHA1 = '27a774e6bb82d4575598be00eb2ca44734d9bcf2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:37:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c655a2-ca34-4a49-a2cb-59a1950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:37:06.000Z",
"modified": "2016-02-18T23:37:06.000Z",
"description": "Automatically added (via 3b8d7732de3b3c8823d241e7cd3185c4)",
"pattern": "[file:hashes.SHA256 = '9dc7d24cf0e0426e0e882badd6145de57384206fd6be46dc31fdfc7ea2a072cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:37:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56c655a4-fdec-4a71-abf7-4d79950d210f",
"created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
"created": "2016-02-18T23:37:08.000Z",
"modified": "2016-02-18T23:37:08.000Z",
"description": "Automatically added (via f1890cc9d6dc84021426834063394539414f68d8)",
"pattern": "[file:hashes.SHA256 = '3112420afeb829a575ba46512314c0fab2fc80870c153de35cde4d3140a2dd26']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-02-18T23:37:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink