{
|
|
"type": "bundle",
|
|
"id": "bundle--58f0bb56-ce80-4f18-88b6-4577950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-19T06:28:14.000Z",
|
|
"modified": "2017-04-19T06:28:14.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--58f0bb56-ce80-4f18-88b6-4577950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-19T06:28:14.000Z",
|
|
"modified": "2017-04-19T06:28:14.000Z",
|
|
"name": "OSINT - Callisto Group",
|
|
"published": "2017-04-19T06:28:22Z",
|
|
"object_refs": [
|
|
"observed-data--58f0bbbe-e894-46cb-a3a4-4893950d210f",
|
|
"url--58f0bbbe-e894-46cb-a3a4-4893950d210f",
|
|
"x-misp-attribute--58f0bc0e-f638-48c5-bf34-4012950d210f",
|
|
"indicator--58f0bd25-d0b0-49c8-a4db-47c8950d210f",
|
|
"indicator--58f0bdbc-b000-4b18-862d-4b23950d210f",
|
|
"indicator--58f0bdbd-8168-40ce-a65e-4387950d210f",
|
|
"indicator--58f0bdbe-f9c0-454c-a9b7-41df950d210f",
|
|
"indicator--58f0bdbf-6c60-486a-8b7f-4843950d210f",
|
|
"indicator--58f0be72-d58c-4d76-a05b-4802950d210f",
|
|
"indicator--58f0c02e-97fc-4c35-9abc-4035950d210f",
|
|
"indicator--58f0c02f-8d18-45e3-bac9-4e64950d210f",
|
|
"indicator--58f0c030-4d0c-4283-9412-450b950d210f",
|
|
"indicator--58f0c031-b6e0-43af-861f-4daa950d210f",
|
|
"indicator--58f0c032-4e2c-4277-830c-43f7950d210f",
|
|
"indicator--58f0c033-3a68-44e6-be82-464a950d210f",
|
|
"indicator--58f0c034-31f8-4465-93a8-4176950d210f",
|
|
"indicator--58f0c035-2f80-4af8-8fc7-45c8950d210f",
|
|
"indicator--58f0c036-62a0-4d64-b29c-4d14950d210f",
|
|
"indicator--58f0c037-a0d0-4ef6-b82a-4d46950d210f",
|
|
"indicator--58f0c038-6688-4b84-a82b-46ff950d210f",
|
|
"indicator--58f0c039-445c-4146-a593-4f27950d210f",
|
|
"indicator--58f0c03a-b1e0-4d01-b936-4e2b950d210f",
|
|
"indicator--58f0c03b-8800-4562-b9c5-4616950d210f",
|
|
"indicator--58f0c03c-3ec0-454d-b1af-4e4b950d210f",
|
|
"indicator--58f0c03d-2640-484d-aa0c-46f5950d210f",
|
|
"indicator--58f0c03e-7a30-4b63-90da-4d4c950d210f",
|
|
"indicator--58f0c03f-4820-4b35-8f9c-4824950d210f",
|
|
"indicator--58f0c040-b1b8-4fb8-ab62-4242950d210f",
|
|
"indicator--58f0c041-3e9c-4436-8bc3-4115950d210f",
|
|
"indicator--58f0c042-e464-4d3b-a60e-4358950d210f",
|
|
"indicator--58f0c043-63e0-48c8-8c2b-43ea950d210f",
|
|
"indicator--58f0c044-ee88-4161-8b4b-483f950d210f",
|
|
"indicator--58f0c045-83f4-4750-9cf0-4696950d210f",
|
|
"indicator--58f0c046-cd24-4a4f-ab09-4e75950d210f",
|
|
"indicator--58f0c047-4028-43f3-8897-4b92950d210f",
|
|
"indicator--58f0c048-23f4-4ee5-98ec-421e950d210f",
|
|
"indicator--58f0c049-c9a8-47e6-9b31-4982950d210f",
|
|
"indicator--58f0c04a-adc8-4565-b72f-463d950d210f",
|
|
"indicator--58f0c04b-8c34-4099-853c-4c39950d210f",
|
|
"indicator--58f0c04c-e104-4f4f-9239-44c3950d210f",
|
|
"indicator--58f0c04d-6fa4-452e-9c1b-4d89950d210f",
|
|
"indicator--58f0c04e-a0cc-4462-9bc5-4b1a950d210f",
|
|
"indicator--58f0c04f-ba40-42e0-b686-49bb950d210f",
|
|
"indicator--58f0c050-7edc-426e-857f-47d9950d210f",
|
|
"indicator--58f0c051-6e4c-4036-8cc3-4adb950d210f",
|
|
"indicator--58f0c052-2368-4374-8de2-48cd950d210f",
|
|
"indicator--58f0c053-7140-4ee4-a008-4e0b950d210f",
|
|
"indicator--58f0c054-02c0-412e-949d-4a58950d210f",
|
|
"indicator--58f0c055-844c-4d2d-afde-451f950d210f",
|
|
"indicator--58f0c056-c3f8-4881-9b54-4cc2950d210f",
|
|
"indicator--58f0c057-cff0-4a37-a009-4d49950d210f",
|
|
"indicator--58f0c058-abd8-45d1-be03-4fb6950d210f",
|
|
"indicator--58f0c059-1c24-46c5-a097-4224950d210f",
|
|
"indicator--58f0c05a-f060-4e21-9353-4659950d210f",
|
|
"indicator--58f0c176-c274-4acf-af04-49b5950d210f",
|
|
"indicator--58f0c3f8-4404-450c-819d-4aed02de0b81",
|
|
"indicator--58f0c3fa-aa58-405c-a77f-419e02de0b81",
|
|
"observed-data--58f0c3fb-ad4c-4134-8a50-4a9202de0b81",
|
|
"url--58f0c3fb-ad4c-4134-8a50-4a9202de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"osint:source-type=\"technical-report\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58f0bbbe-e894-46cb-a3a4-4893950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-19T06:28:05.000Z",
|
|
"modified": "2017-04-19T06:28:05.000Z",
|
|
"first_observed": "2017-04-19T06:28:05Z",
|
|
"last_observed": "2017-04-19T06:28:05Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58f0bbbe-e894-46cb-a3a4-4893950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58f0bbbe-e894-46cb-a3a4-4893950d210f",
|
|
"value": "https://www.f-secure.com/documents/996508/1030745/callisto-group"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--58f0bc0e-f638-48c5-bf34-4012950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-19T06:28:14.000Z",
|
|
"modified": "2017-04-19T06:28:14.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0bd25-d0b0-49c8-a4db-47c8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "RCS Galileo",
|
|
"pattern": "[file:hashes.SHA1 = '07cdc67d211d175cd9d418dc5482b3f17d93526a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0bdbc-b000-4b18-862d-4b23950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "Upon infection, known samples of Callisto Group \u00e2\u20ac\u2122s RCS Galileo have stored copies of themselves in this file",
|
|
"pattern": "[file:name = '\\\\%TEMP\\\\%\\\\Microsoft Word.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0bdbd-8168-40ce-a65e-4387950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "Upon infection, known samples of Callisto Group \u00e2\u20ac\u2122s RCS Galileo have stored copies of themselves in this file",
|
|
"pattern": "[file:name = '\\\\%TEMP\\\\%\\\\WinWord.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0bdbe-f9c0-454c-a9b7-41df950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "Upon infection, known samples of Callisto Group \u00e2\u20ac\u2122s RCS Galileo have stored copies of themselves in this file",
|
|
"pattern": "[file:name = '>startup folder<\\\\bleachbit.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0bdbf-6c60-486a-8b7f-4843950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "Upon infection, known samples of Callisto Group \u00e2\u20ac\u2122s RCS Galileo have stored copies of themselves in this file",
|
|
"pattern": "[file:name = '>startup folder<\\\\BluetoothView.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0be72-d58c-4d76-a05b-4802950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "Known command & control server",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '89.46.102.43']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c02e-97fc-4c35-9abc-4035950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'accounts-google.eu']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c02f-8d18-45e3-bac9-4e64950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'accounts-mail.asia']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c030-4d0c-4283-9412-450b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'authentification-request.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c031-b6e0-43af-861f-4daa950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'auth-login.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c032-4e2c-4277-830c-43f7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'drive-login.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c033-3a68-44e6-be82-464a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'drive-meet-goodle.ru']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c034-31f8-4465-93a8-4176950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'emailapp.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c035-2f80-4af8-8fc7-45c8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'fco-gov.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c036-62a0-4d64-b29c-4d14950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'fco-net.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c037-a0d0-4ef6-b82a-4d46950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'google-accounts.eu']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c038-6688-4b84-a82b-46ff950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'google-plus.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c039-445c-4146-a593-4f27950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'google-service.eu']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c03a-b1e0-4d01-b936-4e2b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'hotmail-online.eu']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c03b-8800-4562-b9c5-4616950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'icloud-service.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c03c-3ec0-454d-b1af-4e4b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'live-com.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c03d-2640-484d-aa0c-46f5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'live-login.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c03e-7a30-4b63-90da-4d4c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'login-access.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c03f-4820-4b35-8f9c-4824950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'login-live.review']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c040-b1b8-4fb8-ab62-4242950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'login-livecom.in']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c041-3e9c-4436-8bc3-4115950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'login-livecom.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c042-e464-4d3b-a60e-4358950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'login-live-com.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c043-63e0-48c8-8c2b-43ea950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'misrcosofts.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c044-ee88-4161-8b4b-483f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'node005-prevention-aol.link']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c045-83f4-4750-9cf0-4696950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'node03-prevention-icloud.link']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c046-cd24-4a4f-ab09-4e75950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'platforma.link']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c047-4028-43f3-8897-4b92950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'prevention-aol.link']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c048-23f4-4ee5-98ec-421e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'prevention-aol.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c049-c9a8-47e6-9b31-4982950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'prevention-icloud.link']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c04a-adc8-4565-b72f-463d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'qooqle-support-mail.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c04b-8c34-4099-853c-4c39950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'screenname.click']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c04c-e104-4f4f-9239-44c3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'screenname-aol.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c04d-6fa4-452e-9c1b-4d89950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'secure-lcloud.accountant']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c04e-a0cc-4462-9bc5-4b1a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'secure-store-lcloud.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c04f-ba40-42e0-b686-49bb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'service-mail.asia']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c050-7edc-426e-857f-47d9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'service-mail.in']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c051-6e4c-4036-8cc3-4adb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'serv-login-com.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c052-2368-4374-8de2-48cd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'shared-docs.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c053-7140-4ee4-a008-4e0b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'store-icloud.link']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c054-02c0-412e-949d-4a58950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'support-gmail.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c055-844c-4d2d-afde-451f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'support-mail.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c056-c3f8-4881-9b54-4cc2950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'support-mail.top']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c057-cff0-4a37-a009-4d49950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'updatemail.in']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c058-abd8-45d1-be03-4fb6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'yahoocentermail.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c059-1c24-46c5-a097-4224950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'yahoocentermail.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c05a-f060-4e21-9353-4659950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'yahoomailfree.pw']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c176-c274-4acf-af04-49b5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:41:13.000Z",
|
|
"modified": "2017-04-14T12:41:13.000Z",
|
|
"description": "PHISHING INFRASTRUCTURE - Domains known or believed to be used in relation to phishing . These may be used as targets of links or as domains for sender email addresses.",
|
|
"pattern": "[domain-name:value = 'go-veryfication.link']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:41:13Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c3f8-4404-450c-819d-4aed02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:43:36.000Z",
|
|
"modified": "2017-04-14T12:43:36.000Z",
|
|
"description": "RCS Galileo - Xchecked via VT: 07cdc67d211d175cd9d418dc5482b3f17d93526a",
|
|
"pattern": "[file:hashes.SHA256 = '974f6ceebeb889bd97e6641100dddf823376561ddde9e4749f3ea3d77f63a8f9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:43:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58f0c3fa-aa58-405c-a77f-419e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:43:38.000Z",
|
|
"modified": "2017-04-14T12:43:38.000Z",
|
|
"description": "RCS Galileo - Xchecked via VT: 07cdc67d211d175cd9d418dc5482b3f17d93526a",
|
|
"pattern": "[file:hashes.MD5 = '99a18bf3c04a491b256f7d60eb6e0f26']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-14T12:43:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58f0c3fb-ad4c-4134-8a50-4a9202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-14T12:43:39.000Z",
|
|
"modified": "2017-04-14T12:43:39.000Z",
|
|
"first_observed": "2017-04-14T12:43:39Z",
|
|
"last_observed": "2017-04-14T12:43:39Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58f0c3fb-ad4c-4134-8a50-4a9202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58f0c3fb-ad4c-4134-8a50-4a9202de0b81",
|
|
"value": "https://www.virustotal.com/file/974f6ceebeb889bd97e6641100dddf823376561ddde9e4749f3ea3d77f63a8f9/analysis/1492108895/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |