adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/588867a4-c470-4914-b854-d3f6950d210f.json

319 lines
No EOL
14 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--588867a4-c470-4914-b854-d3f6950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:35:40.000Z",
"modified": "2017-01-25T14:35:40.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--588867a4-c470-4914-b854-d3f6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:35:40.000Z",
"modified": "2017-01-25T14:35:40.000Z",
"name": "OSINT - Malicious SVG Files in the Wild",
"published": "2017-01-25T14:35:54Z",
"object_refs": [
"x-misp-attribute--58886c74-6c08-4ab2-8c2b-f8df950d210f",
"observed-data--58886ccc-507c-4c7e-87b0-5b46950d210f",
"url--58886ccc-507c-4c7e-87b0-5b46950d210f",
"indicator--58886d0f-7a80-4188-9ca9-2fc5950d210f",
"indicator--58886d10-9ca4-452d-a1e1-2fc5950d210f",
"indicator--58886d30-90dc-4a21-8d14-f8e5950d210f",
"indicator--5888b58a-9d84-49d9-9465-4e3f02de0b81",
"indicator--5888b58b-0fc8-4aee-bc0f-430f02de0b81",
"observed-data--5888b58b-879c-409a-8eaa-465b02de0b81",
"url--5888b58b-879c-409a-8eaa-465b02de0b81",
"indicator--5888b58c-eb80-46a8-8853-46a402de0b81",
"indicator--5888b58d-c0c8-406b-b0d1-41ae02de0b81",
"observed-data--5888b58e-0508-4f80-a64e-486102de0b81",
"url--5888b58e-0508-4f80-a64e-486102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:tool=\"Snifula\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58886c74-6c08-4ab2-8c2b-f8df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T09:14:28.000Z",
"modified": "2017-01-25T09:14:28.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or \"Scalable Vector Graphics\") are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system, SVG files are handled by Internet Explorer by default."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58886ccc-507c-4c7e-87b0-5b46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T09:16:21.000Z",
"modified": "2017-01-25T09:16:21.000Z",
"first_observed": "2017-01-25T09:16:21Z",
"last_observed": "2017-01-25T09:16:21Z",
"number_observed": 1,
"object_refs": [
"url--58886ccc-507c-4c7e-87b0-5b46950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58886ccc-507c-4c7e-87b0-5b46950d210f",
"value": "https://isc.sans.edu/forums/diary/Malicious+SVG+Files+in+the+Wild/21971/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58886d0f-7a80-4188-9ca9-2fc5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T09:17:03.000Z",
"modified": "2017-01-25T09:17:03.000Z",
"description": "00967999543-(02).svg",
"pattern": "[file:hashes.MD5 = '6b9649531f35c7de78735aa45d25d1a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T09:17:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58886d10-9ca4-452d-a1e1-2fc5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T09:17:04.000Z",
"modified": "2017-01-25T09:17:04.000Z",
"description": "P0039988439992_001.jpg.svg",
"pattern": "[file:hashes.MD5 = 'e2f7245d016c52fc9c56531e483e6cfb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T09:17:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58886d30-90dc-4a21-8d14-f8e5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:48.000Z",
"modified": "2017-01-25T14:26:48.000Z",
"description": "The second part is a classic obfuscated JavaScript that executes the following (de-obfuscated) code:",
"pattern": "[url:value = 'http://juanpedroperez.com/fotos/photos/xfs_extension.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5888b58a-9d84-49d9-9465-4e3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:18.000Z",
"modified": "2017-01-25T14:26:18.000Z",
"description": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb",
"pattern": "[file:hashes.SHA256 = '7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5888b58b-0fc8-4aee-bc0f-430f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:19.000Z",
"modified": "2017-01-25T14:26:19.000Z",
"description": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb",
"pattern": "[file:hashes.SHA1 = 'caf8d6099ed95d223993f43a156b703220d1a1c3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5888b58b-879c-409a-8eaa-465b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:19.000Z",
"modified": "2017-01-25T14:26:19.000Z",
"first_observed": "2017-01-25T14:26:19Z",
"last_observed": "2017-01-25T14:26:19Z",
"number_observed": 1,
"object_refs": [
"url--5888b58b-879c-409a-8eaa-465b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5888b58b-879c-409a-8eaa-465b02de0b81",
"value": "https://www.virustotal.com/file/7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df/analysis/1484747652/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5888b58c-eb80-46a8-8853-46a402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:20.000Z",
"modified": "2017-01-25T14:26:20.000Z",
"description": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7",
"pattern": "[file:hashes.SHA256 = '4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5888b58d-c0c8-406b-b0d1-41ae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:21.000Z",
"modified": "2017-01-25T14:26:21.000Z",
"description": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7",
"pattern": "[file:hashes.SHA1 = '5837a4d288ac9d0065143a88f4899283b4603eee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5888b58e-0508-4f80-a64e-486102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:22.000Z",
"modified": "2017-01-25T14:26:22.000Z",
"first_observed": "2017-01-25T14:26:22Z",
"last_observed": "2017-01-25T14:26:22Z",
"number_observed": 1,
"object_refs": [
"url--5888b58e-0508-4f80-a64e-486102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5888b58e-0508-4f80-a64e-486102de0b81",
"value": "https://www.virustotal.com/file/4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2/analysis/1485160514/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink