adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/58d4c745-a110-4623-a9e6-497d950d210f.json

398 lines
No EOL
17 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--58d4c745-a110-4623-a9e6-497d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58d4c745-a110-4623-a9e6-497d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"name": "OSINT - New targeted attack against Saudi Arabia Government",
"published": "2017-03-24T07:20:29Z",
"object_refs": [
"observed-data--58d4c76a-f634-4a57-bcb3-464a950d210f",
"url--58d4c76a-f634-4a57-bcb3-464a950d210f",
"x-misp-attribute--58d4c781-4518-4271-a552-4672950d210f",
"indicator--58d4c7ca-4c18-44f8-b75d-43e1950d210f",
"indicator--58d4c7cb-575c-4396-8757-4020950d210f",
"indicator--58d4c7f4-6c64-41ca-bfa2-4314950d210f",
"indicator--58d4c7f5-678c-453a-9648-483f950d210f",
"indicator--58d4c826-ab38-491e-85d1-48f2950d210f",
"indicator--58d4c827-9264-4eeb-8d3c-4aef950d210f",
"indicator--58d4c834-23b4-4f6a-b87f-4729950d210f",
"indicator--58d4c835-5d98-4a80-9386-4ab1950d210f",
"indicator--58d4c8a7-306c-405e-aa6b-4e4102de0b81",
"observed-data--58d4c8a8-bf0c-4c05-9288-491a02de0b81",
"url--58d4c8a8-bf0c-4c05-9288-491a02de0b81",
"indicator--58d4c8a9-905c-4628-b347-4f3502de0b81",
"observed-data--58d4c8aa-f6e0-4953-b357-43a102de0b81",
"url--58d4c8aa-f6e0-4953-b357-43a102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d4c76a-f634-4a57-bcb3-464a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"first_observed": "2017-03-24T07:19:58Z",
"last_observed": "2017-03-24T07:19:58Z",
"number_observed": 1,
"object_refs": [
"url--58d4c76a-f634-4a57-bcb3-464a950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"almost-certain\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d4c76a-f634-4a57-bcb3-464a950d210f",
"value": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58d4c781-4518-4271-a552-4672950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"almost-certain\"",
"admiralty-scale:source-reliability=\"b\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "A new spear phishing campaign is targeting Saudi Arabia governmental organizations. The attack originates from a phishing email containing a Word document in Arabic language. If the victim opens it up, it will not only infect their system but send the same phishing document to other contacts via their Outlook inbox.\r\n\r\nWe know that at least about a dozen Saudi agencies were targeted. As with most email-borne attacks, this one leverages social engineering to execute malicious code via a Macro."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c7ca-4c18-44f8-b75d-43e1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "C2 - potentialy compromised",
"pattern": "[url:value = 'mail.spa.gov.sa/ews/exchange/exchange.asmx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c7cb-575c-4396-8757-4020950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "C2 - potentialy compromised",
"pattern": "[url:value = 'webmail.ecra/ews/exchange/exchange.asmx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c7f4-6c64-41ca-bfa2-4314950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.149.118.67']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c7f5-678c-453a-9648-483f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.194.112.9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c826-ab38-491e-85d1-48f2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "Binary payload",
"pattern": "[file:hashes.MD5 = '4ed42233962a89deaa89fd7b989db081']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c827-9264-4eeb-8d3c-4aef950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "Binary payload",
"pattern": "[file:hashes.SHA256 = 'a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c834-23b4-4f6a-b87f-4729950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "Word dropper",
"pattern": "[file:hashes.MD5 = '3cd5fa46507657f723719b7809d2d1f9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c835-5d98-4a80-9386-4ab1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "Word dropper",
"pattern": "[file:hashes.SHA256 = 'a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c8a7-306c-405e-aa6b-4e4102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:20:07.000Z",
"modified": "2017-03-24T07:20:07.000Z",
"description": "Word dropper - Xchecked via VT: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9",
"pattern": "[file:hashes.SHA1 = '34ddc14b9a04eba98c3aa1cb27033e12ec847e03']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:20:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d4c8a8-bf0c-4c05-9288-491a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:20:08.000Z",
"modified": "2017-03-24T07:20:08.000Z",
"first_observed": "2017-03-24T07:20:08Z",
"last_observed": "2017-03-24T07:20:08Z",
"number_observed": 1,
"object_refs": [
"url--58d4c8a8-bf0c-4c05-9288-491a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d4c8a8-bf0c-4c05-9288-491a02de0b81",
"value": "https://www.virustotal.com/file/a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9/analysis/1490338453/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c8a9-905c-4628-b347-4f3502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:20:09.000Z",
"modified": "2017-03-24T07:20:09.000Z",
"description": "Binary payload - Xchecked via VT: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873",
"pattern": "[file:hashes.SHA1 = 'cf731ee0af5c19231ff51af589f7434c0367d508']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:20:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d4c8aa-f6e0-4953-b357-43a102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:20:10.000Z",
"modified": "2017-03-24T07:20:10.000Z",
"first_observed": "2017-03-24T07:20:10Z",
"last_observed": "2017-03-24T07:20:10Z",
"number_observed": 1,
"object_refs": [
"url--58d4c8aa-f6e0-4953-b357-43a102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d4c8aa-f6e0-4953-b357-43a102de0b81",
"value": "https://www.virustotal.com/file/a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873/analysis/1490319480/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink