adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/596f75c0-9118-4b4c-958b-1921950d210f.json

1811 lines
No EOL
73 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--596f75c0-9118-4b4c-958b-1921950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--596f75c0-9118-4b4c-958b-1921950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"name": "OSINT - Recent Winnti Infrastructure and Samples",
"published": "2017-07-19T15:12:42Z",
"object_refs": [
"x-misp-attribute--596f75fd-3e14-4f9c-9b22-4f12950d210f",
"observed-data--596f7608-a51c-4471-a7cb-1921950d210f",
"url--596f7608-a51c-4471-a7cb-1921950d210f",
"indicator--596f7628-5e38-4179-b38d-463a950d210f",
"indicator--596f7628-b8d4-4a5f-acd2-49a5950d210f",
"indicator--596f7628-7f48-4b52-bb47-41ee950d210f",
"indicator--596f7628-c40c-4fa3-ba53-417d950d210f",
"indicator--596f7628-92d8-4d90-a228-45d9950d210f",
"indicator--596f7628-f05c-4dd0-81c8-4027950d210f",
"indicator--596f7628-108c-4bae-becc-4d38950d210f",
"indicator--596f7628-1e60-4a7e-ae6f-4760950d210f",
"indicator--596f7628-8030-4219-bd9f-419c950d210f",
"indicator--596f7628-24cc-4a79-92c8-440d950d210f",
"indicator--596f7628-bd8c-4e40-8c39-4184950d210f",
"indicator--596f7628-6e60-4fb8-b145-4321950d210f",
"indicator--596f7628-7fb0-4462-b7cf-4530950d210f",
"indicator--596f7628-4258-4a32-b4de-4c83950d210f",
"indicator--596f7628-35f8-44f9-b173-4c59950d210f",
"indicator--596f7628-baa8-4903-bb46-4c4f950d210f",
"indicator--596f7628-8544-4b5b-811b-4d83950d210f",
"indicator--596f7628-890c-430f-8d55-42a0950d210f",
"indicator--596f7628-91e8-4f75-90ce-4843950d210f",
"indicator--596f7628-7a58-447d-85a5-4448950d210f",
"indicator--596f7628-24ac-48ff-87ec-4577950d210f",
"indicator--596f7628-0c14-4477-885a-4d1d950d210f",
"indicator--596f7628-ae98-4e9c-be52-4804950d210f",
"indicator--596f7628-709c-4400-af3d-4b21950d210f",
"indicator--596f7628-4520-40e3-9e85-41c6950d210f",
"indicator--596f7628-1af4-435b-ad98-4f37950d210f",
"indicator--596f7628-acd0-4d76-8ecb-4c27950d210f",
"indicator--596f7628-3a3c-4cfd-bdc3-4e75950d210f",
"indicator--596f7628-77f8-454e-a5c0-4b68950d210f",
"observed-data--596f763e-d9b8-440f-ba05-4ae7950d210f",
"file--596f763e-d9b8-440f-ba05-4ae7950d210f",
"observed-data--596f763e-4da4-44fd-b644-449a950d210f",
"file--596f763e-4da4-44fd-b644-449a950d210f",
"observed-data--596f763e-554c-4b80-ad04-4572950d210f",
"file--596f763e-554c-4b80-ad04-4572950d210f",
"observed-data--596f763e-cff8-44b0-b491-43c7950d210f",
"file--596f763e-cff8-44b0-b491-43c7950d210f",
"observed-data--596f763e-f29c-4421-81d1-4cc3950d210f",
"file--596f763e-f29c-4421-81d1-4cc3950d210f",
"observed-data--596f763e-8a94-4675-8f54-4ee2950d210f",
"file--596f763e-8a94-4675-8f54-4ee2950d210f",
"observed-data--596f763e-fab4-4bc1-a5a6-4901950d210f",
"file--596f763e-fab4-4bc1-a5a6-4901950d210f",
"observed-data--596f763e-8adc-473a-903d-4aaf950d210f",
"file--596f763e-8adc-473a-903d-4aaf950d210f",
"observed-data--596f763e-af34-4d5f-bff2-4ff1950d210f",
"file--596f763e-af34-4d5f-bff2-4ff1950d210f",
"observed-data--596f763e-4e74-408a-8298-446f950d210f",
"file--596f763e-4e74-408a-8298-446f950d210f",
"observed-data--596f763e-0868-42fc-a1ba-4c9c950d210f",
"file--596f763e-0868-42fc-a1ba-4c9c950d210f",
"observed-data--596f763e-b320-4b8f-a99f-4f04950d210f",
"file--596f763e-b320-4b8f-a99f-4f04950d210f",
"observed-data--596f763e-3e98-4782-8f8a-462e950d210f",
"file--596f763e-3e98-4782-8f8a-462e950d210f",
"observed-data--596f763e-8e68-4af1-b6fc-49ff950d210f",
"file--596f763e-8e68-4af1-b6fc-49ff950d210f",
"observed-data--596f763e-9f78-4939-ac5d-4f93950d210f",
"file--596f763e-9f78-4939-ac5d-4f93950d210f",
"observed-data--596f763e-3854-402a-b7cd-4f9f950d210f",
"file--596f763e-3854-402a-b7cd-4f9f950d210f",
"indicator--596f7651-3758-4e1a-b72f-15a4950d210f",
"indicator--596f7651-8224-492c-9b12-15a4950d210f",
"indicator--596f7651-85c8-4ac5-a5a0-15a4950d210f",
"indicator--596f7651-7244-45b8-ae61-15a4950d210f",
"indicator--596f7651-19dc-4af7-bfe1-15a4950d210f",
"indicator--596f7651-7098-4c31-9b45-15a4950d210f",
"indicator--596f765b-cc6c-4409-96e0-15a4950d210f",
"indicator--596f765b-1e9c-4018-aa04-15a4950d210f",
"indicator--596f765b-f4f0-4766-875b-15a4950d210f",
"indicator--596f765b-d0e0-4dfe-abdb-15a4950d210f",
"indicator--596f765b-0518-420c-99ba-15a4950d210f",
"indicator--596f765b-15c4-4914-bcd1-15a4950d210f",
"indicator--596f765b-b334-4d4d-9991-15a4950d210f",
"indicator--596f765b-13b4-4ddd-abc8-15a4950d210f",
"indicator--596f765b-8050-4069-8070-15a4950d210f",
"indicator--596f765b-7ab8-43ee-a96e-15a4950d210f",
"indicator--596f7674-ceb4-4a2a-9cdb-4309950d210f",
"indicator--596f768c-8644-4678-9cac-4702950d210f",
"indicator--596f76b0-64f8-4079-8b95-19ef950d210f",
"indicator--596f76c4-cc14-4cc2-a849-442402de0b81",
"indicator--596f76c4-eff0-416f-8c82-4b0f02de0b81",
"observed-data--596f76c4-8b78-4bbf-8807-49d202de0b81",
"url--596f76c4-8b78-4bbf-8807-49d202de0b81",
"indicator--596f76c4-ddd0-4ed9-8610-472f02de0b81",
"indicator--596f76c4-7164-4eae-9ee1-486802de0b81",
"observed-data--596f76c4-0bc0-4aac-89f4-4dae02de0b81",
"url--596f76c4-0bc0-4aac-89f4-4dae02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Winnti\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--596f75fd-3e14-4f9c-9b22-4f12950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry. Below we outline initial findings.\r\n\r\nThe malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f7608-a51c-4471-a7cb-1921950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"url--596f7608-a51c-4471-a7cb-1921950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f7608-a51c-4471-a7cb-1921950d210f",
"value": "http://www.clearskysec.com/winnti/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-5e38-4179-b38d-463a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'mess.googlerenewals.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-b8d4-4a5f-acd2-49a5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'us.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-7f48-4b52-bb47-41ee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'signup.facebooknavigation.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-c40c-4fa3-ba53-417d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'bot.new.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-92d8-4d90-a228-45d9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'jp.googlerenewals.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-f05c-4dd0-81c8-4027950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'xn--360tmp-k02m.new.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-108c-4bae-becc-4d38950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'cdn.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-1e60-4a7e-ae6f-4760950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'xn--360tmp-k02m.tmp.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-8030-4219-bd9f-419c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'xn--360tmp-k02m.www.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-24cc-4a79-92c8-440d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'ftp.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-bd8c-4e40-8c39-4184950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'game.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-6e60-4fb8-b145-4321950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'www.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-7fb0-4462-b7cf-4530950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'new.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-4258-4a32-b4de-4c83950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'bot.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-35f8-44f9-b173-4c59950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'vnew.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-baa8-4903-bb46-4c4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'tmp.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-8544-4b5b-811b-4d83950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'xn--360tmp-k02m.googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-890c-430f-8d55-42a0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'hk.uk.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-91e8-4f75-90ce-4843950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'us.uk.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-7a58-447d-85a5-4448950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'www.uk.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-24ac-48ff-87ec-4577950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'lead1.uk.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-0c14-4477-885a-4d1d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'cdn.uk.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-ae98-4e9c-be52-4804950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'show.uk.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-709c-4400-af3d-4b21950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'uk.uk.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-4520-40e3-9e85-41c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'news.googlesoftservice.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-1af4-435b-ad98-4f37950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'news.facebooknavigation.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-acd0-4d76-8ecb-4c27950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'backup.aolonline.cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-3a3c-4cfd-bdc3-4e75950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'uk.igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7628-77f8-454e-a5c0-4b68950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'news.aolonline.cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-d9b8-440f-ba05-4ae7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-d9b8-440f-ba05-4ae7950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-d9b8-440f-ba05-4ae7950d210f",
"name": "NSLS.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-4da4-44fd-b644-449a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-4da4-44fd-b644-449a950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-4da4-44fd-b644-449a950d210f",
"name": "HelpPane.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-554c-4b80-ad04-4572950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-554c-4b80-ad04-4572950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-554c-4b80-ad04-4572950d210f",
"name": "conf.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-cff8-44b0-b491-43c7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-cff8-44b0-b491-43c7950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-cff8-44b0-b491-43c7950d210f",
"name": "msimain17.sdb"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-f29c-4421-81d1-4cc3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-f29c-4421-81d1-4cc3950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-f29c-4421-81d1-4cc3950d210f",
"name": "shell.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-8a94-4675-8f54-4ee2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-8a94-4675-8f54-4ee2950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-8a94-4675-8f54-4ee2950d210f",
"name": "715578187~.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-fab4-4bc1-a5a6-4901950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-fab4-4bc1-a5a6-4901950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-fab4-4bc1-a5a6-4901950d210f",
"name": "COMSysAppLauncher.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-8adc-473a-903d-4aaf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-8adc-473a-903d-4aaf950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-8adc-473a-903d-4aaf950d210f",
"name": "SysAppLauncher.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-af34-4d5f-bff2-4ff1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-af34-4d5f-bff2-4ff1950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-af34-4d5f-bff2-4ff1950d210f",
"name": "curriculumvitae.rtf"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-4e74-408a-8298-446f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-4e74-408a-8298-446f950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-4e74-408a-8298-446f950d210f",
"name": "cryptbase.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-0868-42fc-a1ba-4c9c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-0868-42fc-a1ba-4c9c950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-0868-42fc-a1ba-4c9c950d210f",
"name": "sign.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-b320-4b8f-a99f-4f04950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-b320-4b8f-a99f-4f04950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-b320-4b8f-a99f-4f04950d210f",
"name": "mess.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-3e98-4782-8f8a-462e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-3e98-4782-8f8a-462e950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-3e98-4782-8f8a-462e950d210f",
"name": "cryptbasesvc.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-8e68-4af1-b6fc-49ff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-8e68-4af1-b6fc-49ff950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-8e68-4af1-b6fc-49ff950d210f",
"name": "video(20170201)_2.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-9f78-4939-ac5d-4f93950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-9f78-4939-ac5d-4f93950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-9f78-4939-ac5d-4f93950d210f",
"name": "cryptbase.dll"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f763e-3854-402a-b7cd-4f9f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"first_observed": "2017-07-19T15:12:03Z",
"last_observed": "2017-07-19T15:12:03Z",
"number_observed": 1,
"object_refs": [
"file--596f763e-3854-402a-b7cd-4f9f950d210f"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--596f763e-3854-402a-b7cd-4f9f950d210f",
"name": "COMSystemApplicationLauncher.dll"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7651-3758-4e1a-b72f-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[email-message:from_ref.value = 'yytxconnecticut@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7651-8224-492c-9b12-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[email-message:from_ref.value = 'sunware1@aol.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7651-85c8-4ac5-a5a0-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[email-message:from_ref.value = 'lileminnesota@hotmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7651-7244-45b8-ae61-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[email-message:from_ref.value = 'dsfsaf@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7651-19dc-4af7-bfe1-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[email-message:from_ref.value = '13836469977@139.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7651-7098-4c31-9b45-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[email-message:from_ref.value = 'fuckccddeefff@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-cc6c-4409-96e0-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'googlesoftservice.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-1e9c-4018-aa04-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'igooglefiles.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-f4f0-4766-875b-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'aolonline.cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-d0e0-4dfe-abdb-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'facebooknavigation.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-0518-420c-99ba-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'googlecustomservice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-15c4-4914-bcd1-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'find2find.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-b334-4d4d-9991-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'tiwwter.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-13b4-4ddd-abc8-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'luckhairs.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-8050-4069-8070-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'googlerenewals.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f765b-7ab8-43ee-a96e-15a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"pattern": "[domain-name:value = 'pornsee.tv']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f7674-ceb4-4a2a-9cdb-4309950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"description": "curriculum vitae.rtf",
"pattern": "[file:hashes.MD5 = '58c66b3ddbc0df9810119bb688ea8fb0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f768c-8644-4678-9cac-4702950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"description": "The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995)",
"pattern": "[file:hashes.MD5 = 'a4b2a6883ba0451429df29506a1f6995']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f76b0-64f8-4079-8b95-19ef950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:03.000Z",
"modified": "2017-07-19T15:12:03.000Z",
"description": "The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995) from",
"pattern": "[url:value = 'http://54.245.195.101/shell.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f76c4-cc14-4cc2-a849-442402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:04.000Z",
"modified": "2017-07-19T15:12:04.000Z",
"description": "The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995) - Xchecked via VT: a4b2a6883ba0451429df29506a1f6995",
"pattern": "[file:hashes.SHA256 = 'eee4b1c4621b0ca355dc677652dfd6449f1f230565da8cb5db59fa195e8f553f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f76c4-eff0-416f-8c82-4b0f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:04.000Z",
"modified": "2017-07-19T15:12:04.000Z",
"description": "The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995) - Xchecked via VT: a4b2a6883ba0451429df29506a1f6995",
"pattern": "[file:hashes.SHA1 = '79daceed3c07eaeac39c69b5c40e03cedcaaaced']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f76c4-8b78-4bbf-8807-49d202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:04.000Z",
"modified": "2017-07-19T15:12:04.000Z",
"first_observed": "2017-07-19T15:12:04Z",
"last_observed": "2017-07-19T15:12:04Z",
"number_observed": 1,
"object_refs": [
"url--596f76c4-8b78-4bbf-8807-49d202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f76c4-8b78-4bbf-8807-49d202de0b81",
"value": "https://www.virustotal.com/file/eee4b1c4621b0ca355dc677652dfd6449f1f230565da8cb5db59fa195e8f553f/analysis/1500457177/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f76c4-ddd0-4ed9-8610-472f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:04.000Z",
"modified": "2017-07-19T15:12:04.000Z",
"description": "curriculum vitae.rtf - Xchecked via VT: 58c66b3ddbc0df9810119bb688ea8fb0",
"pattern": "[file:hashes.SHA256 = '1ada845dbf89024f4eee8409880ce21ece2262db3ad5129d2eed33a76d177d39']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--596f76c4-7164-4eae-9ee1-486802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:04.000Z",
"modified": "2017-07-19T15:12:04.000Z",
"description": "curriculum vitae.rtf - Xchecked via VT: 58c66b3ddbc0df9810119bb688ea8fb0",
"pattern": "[file:hashes.SHA1 = '5486fd254451d90f2f6acdbfa3330444f98dde68']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-19T15:12:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--596f76c4-0bc0-4aac-89f4-4dae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-19T15:12:04.000Z",
"modified": "2017-07-19T15:12:04.000Z",
"first_observed": "2017-07-19T15:12:04Z",
"last_observed": "2017-07-19T15:12:04Z",
"number_observed": 1,
"object_refs": [
"url--596f76c4-0bc0-4aac-89f4-4dae02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--596f76c4-0bc0-4aac-89f4-4dae02de0b81",
"value": "https://www.virustotal.com/file/1ada845dbf89024f4eee8409880ce21ece2262db3ad5129d2eed33a76d177d39/analysis/1500445510/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink