misp-circl-feed/feeds/circl/stix-2.1/59d7d6ca-34f4-4bec-b700-4afa02de0b81.json

{
    "type": "bundle",
    "id": "bundle--59d7d6ca-34f4-4bec-b700-4afa02de0b81",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:23:27.000Z",
            "modified": "2017-10-06T19:23:27.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--59d7d6ca-34f4-4bec-b700-4afa02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:23:27.000Z",
            "modified": "2017-10-06T19:23:27.000Z",
            "name": "OSINT - Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea",
            "published": "2017-10-06T19:25:09Z",
            "object_refs": [
                "observed-data--59d7d6f3-d80c-4fbc-8d14-105502de0b81",
                "url--59d7d6f3-d80c-4fbc-8d14-105502de0b81",
                "x-misp-attribute--59d7d704-a774-46fd-8e57-4f4702de0b81",
                "indicator--59d7d733-a08c-48b4-8d9d-414102de0b81",
                "indicator--59d7d779-3220-4703-b1d2-43ee02de0b81",
                "indicator--59d7d779-e69c-4ad9-bd22-479102de0b81",
                "observed-data--59d7d779-5b08-4375-8c84-4b0202de0b81",
                "url--59d7d779-5b08-4375-8c84-4b0202de0b81",
                "indicator--59d7d797-55fc-4d13-968a-834402de0b81",
                "indicator--59d7d7af-587c-42e5-8e44-44ec02de0b81",
                "indicator--59d7d7db-6e5c-4c22-a550-49d602de0b81",
                "indicator--59d7d80e-4114-47b1-a1f7-4a6902de0b81",
                "indicator--59d7d80e-8414-436e-9f0d-488902de0b81",
                "indicator--59d7d80e-5fc0-4cde-b9bf-46ca02de0b81",
                "indicator--59d7d80e-a25c-4707-b368-404b02de0b81",
                "indicator--59d7d80e-eb38-4bb9-90b8-481d02de0b81",
                "indicator--59d7d80e-e1a8-4a93-b25e-4a2a02de0b81",
                "indicator--59d7d80e-f524-4012-a7ab-442002de0b81",
                "indicator--59d7d80e-8a90-4b5e-a2a9-4e4f02de0b81",
                "indicator--59d7d80e-b044-4165-ad23-4ce502de0b81",
                "indicator--59d7d80e-1d74-467a-9c5a-491b02de0b81",
                "indicator--59d7d80e-4774-4579-af6d-4cc002de0b81",
                "indicator--59d7d82f-e4c8-4f47-90b4-402602de0b81",
                "indicator--59d7d82f-3690-4709-9103-4e2402de0b81",
                "indicator--59d7d82f-f10c-4393-a2ec-48b202de0b81",
                "indicator--59d7d82f-ddd0-4fb9-9ddf-4e0e02de0b81",
                "indicator--59d7d82f-d114-447f-82e3-4be102de0b81"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--59d7d6f3-d80c-4fbc-8d14-105502de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:20:25.000Z",
            "modified": "2017-10-06T19:20:25.000Z",
            "first_observed": "2017-10-06T19:20:25Z",
            "last_observed": "2017-10-06T19:20:25Z",
            "number_observed": 1,
            "object_refs": [
                "url--59d7d6f3-d80c-4fbc-8d14-105502de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--59d7d6f3-d80c-4fbc-8d14-105502de0b81",
            "value": "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html"
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--59d7d704-a774-46fd-8e57-4f4702de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:20:25.000Z",
            "modified": "2017-10-06T19:20:25.000Z",
            "labels": [
                "misp:type=\"text\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "text",
            "x_misp_value": "We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware, including:\r\n\r\n    PDFs with download links\r\n    DOC and XLS files with malicious macros\r\n    Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads\r\n\r\nThe PDF and DOC/XLS campaigns primarily impacted the United States and the Archive campaigns largely impacted the Unites States and South Korea."
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d733-a08c-48b4-8d9d-414102de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:20:25.000Z",
            "modified": "2017-10-06T19:20:25.000Z",
            "pattern": "[file:hashes.MD5 = 'ce84640c3228925cc4815116dde968cb']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:20:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d779-3220-4703-b1d2-43ee02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:20:25.000Z",
            "modified": "2017-10-06T19:20:25.000Z",
            "description": "- Xchecked via VT: ce84640c3228925cc4815116dde968cb",
            "pattern": "[file:hashes.SHA256 = '6e4ec3712cf641a31f4e9e4af7d9d7a84fd7da4cc2875c6aceb9a283ed0330d7']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:20:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d779-e69c-4ad9-bd22-479102de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:20:25.000Z",
            "modified": "2017-10-06T19:20:25.000Z",
            "description": "- Xchecked via VT: ce84640c3228925cc4815116dde968cb",
            "pattern": "[file:hashes.SHA1 = '524e1011c26b6bf7e23f5d107222397129f9893d']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:20:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--59d7d779-5b08-4375-8c84-4b0202de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:20:25.000Z",
            "modified": "2017-10-06T19:20:25.000Z",
            "first_observed": "2017-10-06T19:20:25Z",
            "last_observed": "2017-10-06T19:20:25Z",
            "number_observed": 1,
            "object_refs": [
                "url--59d7d779-5b08-4375-8c84-4b0202de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--59d7d779-5b08-4375-8c84-4b0202de0b81",
            "value": "https://www.virustotal.com/file/6e4ec3712cf641a31f4e9e4af7d9d7a84fd7da4cc2875c6aceb9a283ed0330d7/analysis/1507239296/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d797-55fc-4d13-968a-834402de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:20:55.000Z",
            "modified": "2017-10-06T19:20:55.000Z",
            "pattern": "[mutex:name = '8-3503835SZBFHHZ']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:20:55Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Artifacts dropped"
                }
            ],
            "labels": [
                "misp:type=\"mutex\"",
                "misp:category=\"Artifacts dropped\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d7af-587c-42e5-8e44-44ec02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:21:19.000Z",
            "modified": "2017-10-06T19:21:19.000Z",
            "pattern": "[mutex:name = 'LL9PSC56RW7Bx3A5']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:21:19Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Artifacts dropped"
                }
            ],
            "labels": [
                "misp:type=\"mutex\"",
                "misp:category=\"Artifacts dropped\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d7db-6e5c-4c22-a550-49d602de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:03.000Z",
            "modified": "2017-10-06T19:22:03.000Z",
            "description": "The malware communicates with the following C2 server using HTTP requests:",
            "pattern": "[url:value = 'www.clicks-track.info/list/hx28/']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:03Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-4114-47b1-a1f7-4a6902de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9TK']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-8414-436e-9f0d-488902de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9Uw']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-5fc0-4cde-b9bf-46ca02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9G1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-a25c-4707-b368-404b02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9Q6']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-eb38-4bb9-90b8-481d02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9H1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-e1a8-4a93-b25e-4a2a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9R7']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-f524-4012-a7ab-442002de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9Tc']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-8a90-4b5e-a2a9-4e4f02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9RM']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-b044-4165-ad23-4ce502de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9G0']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-1d74-467a-9c5a-491b02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9Oq']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d80e-4774-4579-af6d-4cc002de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:22:54.000Z",
            "modified": "2017-10-06T19:22:54.000Z",
            "description": "Shorted URLs",
            "pattern": "[url:value = 'tny.im/9Oh']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:22:54Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"url\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d82f-e4c8-4f47-90b4-402602de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:23:27.000Z",
            "modified": "2017-10-06T19:23:27.000Z",
            "description": "Staging Servers (compromised hosts?)",
            "pattern": "[domain-name:value = 'maxsutton.co.uk']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:23:27Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"hostname\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d82f-3690-4709-9103-4e2402de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:23:27.000Z",
            "modified": "2017-10-06T19:23:27.000Z",
            "description": "Staging Servers (compromised hosts?)",
            "pattern": "[domain-name:value = 'solderie.dream3w.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:23:27Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"hostname\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d82f-f10c-4393-a2ec-48b202de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:23:27.000Z",
            "modified": "2017-10-06T19:23:27.000Z",
            "description": "Staging Servers (compromised hosts?)",
            "pattern": "[domain-name:value = 'lifekeeper.com.au']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:23:27Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"hostname\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d82f-ddd0-4fb9-9ddf-4e0e02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:23:27.000Z",
            "modified": "2017-10-06T19:23:27.000Z",
            "description": "Staging Servers (compromised hosts?)",
            "pattern": "[domain-name:value = 'brinematriscript.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:23:27Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--59d7d82f-d114-447f-82e3-4be102de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-10-06T19:23:27.000Z",
            "modified": "2017-10-06T19:23:27.000Z",
            "description": "Staging Servers (compromised hosts?)",
            "pattern": "[domain-name:value = 'jaimagroup.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-10-06T19:23:27Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Network activity"
                }
            ],
            "labels": [
                "misp:type=\"domain\"",
                "misp:category=\"Network activity\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}