adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/58ad3fed-cc40-4087-a6f8-3ca5950d210f.json

887 lines
No EOL
39 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--58ad3fed-cc40-4087-a6f8-3ca5950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:45:05.000Z",
"modified": "2017-02-22T07:45:05.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58ad3fed-cc40-4087-a6f8-3ca5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:45:05.000Z",
"modified": "2017-02-22T07:45:05.000Z",
"name": "OSINT - Additional Insights on Shamoon2",
"published": "2017-02-22T07:45:31Z",
"object_refs": [
"x-misp-attribute--58ad4004-b954-44b5-8d14-335c950d210f",
"observed-data--58ad403a-c970-49f4-b47b-5539950d210f",
"url--58ad403a-c970-49f4-b47b-5539950d210f",
"indicator--58ad406c-cf78-4ace-ba79-335b950d210f",
"indicator--58ad406d-d99c-4c2a-bc72-335b950d210f",
"indicator--58ad406e-0cc0-4da1-af39-335b950d210f",
"indicator--58ad4086-91f0-4dad-aae5-5536950d210f",
"indicator--58ad4087-3b64-4bc7-8fd7-5536950d210f",
"indicator--58ad4088-fb40-4c7f-97ff-5536950d210f",
"indicator--58ad4098-8b48-4903-886b-5538950d210f",
"indicator--58ad4099-8c5c-4e46-9cc8-5538950d210f",
"indicator--58ad409a-49c8-4a8b-b273-5538950d210f",
"indicator--58ad40bc-d398-4ad9-82e5-3c9f950d210f",
"indicator--58ad40d4-f374-434d-97ac-366a950d210f",
"indicator--58ad40e7-b870-456b-9a2b-2cf1950d210f",
"indicator--58ad40e8-1c08-4c70-98f0-2cf1950d210f",
"indicator--58ad40e9-db2c-4e10-8743-2cf1950d210f",
"indicator--58ad4106-950c-4683-8c00-2cf0950d210f",
"indicator--58ad4117-5f84-4988-b400-2ceb950d210f",
"indicator--58ad4129-f6a8-4a80-bf76-2ceb950d210f",
"indicator--58ad4151-8700-49a5-9069-553302de0b81",
"indicator--58ad4152-e214-4ca0-812b-553302de0b81",
"observed-data--58ad4153-d088-415d-acd9-553302de0b81",
"url--58ad4153-d088-415d-acd9-553302de0b81",
"indicator--58ad4154-50f4-4730-921d-553302de0b81",
"indicator--58ad4154-3ef4-442d-a894-553302de0b81",
"observed-data--58ad4155-a0f0-4a87-87e5-553302de0b81",
"url--58ad4155-a0f0-4a87-87e5-553302de0b81",
"indicator--58ad4156-babc-4f9b-a085-553302de0b81",
"indicator--58ad4157-4d74-4ca2-8b01-553302de0b81",
"observed-data--58ad4158-bdb4-4a6b-884f-553302de0b81",
"url--58ad4158-bdb4-4a6b-884f-553302de0b81",
"indicator--58ad4159-6d60-4a11-9d8b-553302de0b81",
"indicator--58ad415a-0b28-431d-bee6-553302de0b81",
"observed-data--58ad415b-aadc-4052-a47c-553302de0b81",
"url--58ad415b-aadc-4052-a47c-553302de0b81",
"indicator--58ad415c-d784-4b33-b933-553302de0b81",
"indicator--58ad415c-ae28-4000-9834-553302de0b81",
"observed-data--58ad415d-8964-4516-8197-553302de0b81",
"url--58ad415d-8964-4516-8197-553302de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Shamoon\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58ad4004-b954-44b5-8d14-335c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:45:05.000Z",
"modified": "2017-02-22T07:45:05.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia. Researchers showcased a potential malware lifecycle which started with spear phishing and eventually led to the deployment of the disk-wiping malware known as Shamoon. Their research showcased a set of downloaders and domains that could potentially lead to a more extensive malware distribution campaign.\r\n\r\nWhile researching elements in the IBM report, ASERT discovered additional malicious domains, IP addresses, and artifacts. The basic functionality of the new documents and their PowerShell components matched what was previously disclosed. For more information on the overall capabilities of the malware, please review IBM\u00e2\u20ac\u2122s ongoing research. It is our hope that by providing additional indicators, end-point investigators and network defenders will be able to discover and mitigate more Shamoon2 related compromises."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ad403a-c970-49f4-b47b-5539950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:57.000Z",
"modified": "2017-02-22T07:44:57.000Z",
"first_observed": "2017-02-22T07:44:57Z",
"last_observed": "2017-02-22T07:44:57Z",
"number_observed": 1,
"object_refs": [
"url--58ad403a-c970-49f4-b47b-5539950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ad403a-c970-49f4-b47b-5539950d210f",
"value": "https://www.arbornetworks.com/blog/asert/additional-insights-shamoon2/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad406c-cf78-4ace-ba79-335b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5",
"pattern": "[file:hashes.MD5 = '2a0df97277ddb361cecf8726df6d78ac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad406d-d99c-4c2a-bc72-335b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5",
"pattern": "[file:hashes.MD5 = '5e5ea1a67c2538dbc01df28e4ea87472']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad406e-0cc0-4da1-af39-335b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5",
"pattern": "[file:hashes.MD5 = 'd30b8468d16b631cafe458fd94cc3196']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4086-91f0-4dad-aae5-5536950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.218.120.128']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4087-3b64-4bc7-8fd7-5536950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '69.87.223.26']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4088-fb40-4c7f-97ff-5536950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.254.100.200']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4098-8b48-4903-886b-5538950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[url:value = 'analytics-google.org:69/checkFile.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4099-8c5c-4e46-9cc8-5538950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[domain-name:value = 'analytics-google.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad409a-49c8-4a8b-b273-5538950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[url:value = '69.87.223.26:8080/p']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad40bc-d398-4ad9-82e5-3c9f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"description": "Pivoting on Passive DNS",
"pattern": "[file:hashes.MD5 = '83be35956e5d409306a81e88a1dc89fd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad40d4-f374-434d-97ac-366a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"description": "Pivoting on Passive DNS",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.63.10.99']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad40e7-b870-456b-9a2b-2cf1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"description": "Pivoting on Passive DNS",
"pattern": "[domain-name:value = 'go-microstf.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad40e8-1c08-4c70-98f0-2cf1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"description": "Pivoting on Passive DNS",
"pattern": "[url:value = '69.87.223.26:8080/eiloShaegae1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad40e9-db2c-4e10-8743-2cf1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"description": "Pivoting on Passive DNS",
"pattern": "[url:value = 'go-microstf.com/checkfile.aspx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4106-950c-4683-8c00-2cf0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[domain-name:value = 'get.adobe.go-microstf.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4117-5f84-4988-b400-2ceb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.238.184.252']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4129-f6a8-4a80-bf76-2ceb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:01.000Z",
"modified": "2017-02-22T07:44:01.000Z",
"pattern": "[file:hashes.MD5 = '07d6406036d6e06dc8019e3ade6ee7de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4151-8700-49a5-9069-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:17.000Z",
"modified": "2017-02-22T07:44:17.000Z",
"description": "- Xchecked via VT: 07d6406036d6e06dc8019e3ade6ee7de",
"pattern": "[file:hashes.SHA256 = 'c21074f340665935e6afe2a972c8d1ab517954e2dd05cc73e5ff0e8df587b99d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4152-e214-4ca0-812b-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:18.000Z",
"modified": "2017-02-22T07:44:18.000Z",
"description": "- Xchecked via VT: 07d6406036d6e06dc8019e3ade6ee7de",
"pattern": "[file:hashes.SHA1 = '25b09cdd135197ccd8981488f38b045000297439']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ad4153-d088-415d-acd9-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:19.000Z",
"modified": "2017-02-22T07:44:19.000Z",
"first_observed": "2017-02-22T07:44:19Z",
"last_observed": "2017-02-22T07:44:19Z",
"number_observed": 1,
"object_refs": [
"url--58ad4153-d088-415d-acd9-553302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ad4153-d088-415d-acd9-553302de0b81",
"value": "https://www.virustotal.com/file/c21074f340665935e6afe2a972c8d1ab517954e2dd05cc73e5ff0e8df587b99d/analysis/1487258163/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4154-50f4-4730-921d-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:20.000Z",
"modified": "2017-02-22T07:44:20.000Z",
"description": "Pivoting on Passive DNS - Xchecked via VT: 83be35956e5d409306a81e88a1dc89fd",
"pattern": "[file:hashes.SHA256 = '924b4615ba6e6ed87fad81ad4c2ae876d10a9b34fb347210a2ec7621b92005cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4154-3ef4-442d-a894-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:20.000Z",
"modified": "2017-02-22T07:44:20.000Z",
"description": "Pivoting on Passive DNS - Xchecked via VT: 83be35956e5d409306a81e88a1dc89fd",
"pattern": "[file:hashes.SHA1 = '6b3453b85d4cf7cc9a795ed710440da54ce6788c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ad4155-a0f0-4a87-87e5-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:21.000Z",
"modified": "2017-02-22T07:44:21.000Z",
"first_observed": "2017-02-22T07:44:21Z",
"last_observed": "2017-02-22T07:44:21Z",
"number_observed": 1,
"object_refs": [
"url--58ad4155-a0f0-4a87-87e5-553302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ad4155-a0f0-4a87-87e5-553302de0b81",
"value": "https://www.virustotal.com/file/924b4615ba6e6ed87fad81ad4c2ae876d10a9b34fb347210a2ec7621b92005cb/analysis/1480935772/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4156-babc-4f9b-a085-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:22.000Z",
"modified": "2017-02-22T07:44:22.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5 - Xchecked via VT: d30b8468d16b631cafe458fd94cc3196",
"pattern": "[file:hashes.SHA256 = '33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4157-4d74-4ca2-8b01-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:23.000Z",
"modified": "2017-02-22T07:44:23.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5 - Xchecked via VT: d30b8468d16b631cafe458fd94cc3196",
"pattern": "[file:hashes.SHA1 = '2079aa6e288bda7af96a2aa03702a38c29b91479']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ad4158-bdb4-4a6b-884f-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:24.000Z",
"modified": "2017-02-22T07:44:24.000Z",
"first_observed": "2017-02-22T07:44:24Z",
"last_observed": "2017-02-22T07:44:24Z",
"number_observed": 1,
"object_refs": [
"url--58ad4158-bdb4-4a6b-884f-553302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ad4158-bdb4-4a6b-884f-553302de0b81",
"value": "https://www.virustotal.com/file/33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e/analysis/1487293998/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad4159-6d60-4a11-9d8b-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:25.000Z",
"modified": "2017-02-22T07:44:25.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5 - Xchecked via VT: 5e5ea1a67c2538dbc01df28e4ea87472",
"pattern": "[file:hashes.SHA256 = '388b26e22f75a723ce69ad820b61dd8b75e260d3c61d74ff21d2073c56ea565d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad415a-0b28-431d-bee6-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:26.000Z",
"modified": "2017-02-22T07:44:26.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5 - Xchecked via VT: 5e5ea1a67c2538dbc01df28e4ea87472",
"pattern": "[file:hashes.SHA1 = '175784206471985ed09f2c7f9d46b79ed6a9a6c6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ad415b-aadc-4052-a47c-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:27.000Z",
"modified": "2017-02-22T07:44:27.000Z",
"first_observed": "2017-02-22T07:44:27Z",
"last_observed": "2017-02-22T07:44:27Z",
"number_observed": 1,
"object_refs": [
"url--58ad415b-aadc-4052-a47c-553302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ad415b-aadc-4052-a47c-553302de0b81",
"value": "https://www.virustotal.com/file/388b26e22f75a723ce69ad820b61dd8b75e260d3c61d74ff21d2073c56ea565d/analysis/1487273714/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad415c-d784-4b33-b933-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:28.000Z",
"modified": "2017-02-22T07:44:28.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5 - Xchecked via VT: 2a0df97277ddb361cecf8726df6d78ac",
"pattern": "[file:hashes.SHA256 = '71e584e7e1fb3cf2689f549192fe3a82fd4cd8ee7c42c15d736ebad47b028087']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58ad415c-ae28-4000-9834-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:28.000Z",
"modified": "2017-02-22T07:44:28.000Z",
"description": "In this case, a sample from the IBM report indicated the document author \u00e2\u20ac\u02dcgerry.knight\u00e2\u20ac\u2122 which led us to the following three additional samples. MD5 - Xchecked via VT: 2a0df97277ddb361cecf8726df6d78ac",
"pattern": "[file:hashes.SHA1 = 'd69fad4a24aade835197d060947719f65528fe84']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-22T07:44:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58ad415d-8964-4516-8197-553302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-22T07:44:29.000Z",
"modified": "2017-02-22T07:44:29.000Z",
"first_observed": "2017-02-22T07:44:29Z",
"last_observed": "2017-02-22T07:44:29Z",
"number_observed": 1,
"object_refs": [
"url--58ad415d-8964-4516-8197-553302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58ad415d-8964-4516-8197-553302de0b81",
"value": "https://www.virustotal.com/file/71e584e7e1fb3cf2689f549192fe3a82fd4cd8ee7c42c15d736ebad47b028087/analysis/1487589486/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink