adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5c37406b-120c-4ecf-988c-4ef9950d210f.json

331 lines
No EOL
14 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--5c37406b-120c-4ecf-988c-4ef9950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:36:12.000Z",
"modified": "2019-01-10T13:36:12.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5c37406b-120c-4ecf-988c-4ef9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:36:12.000Z",
"modified": "2019-01-10T13:36:12.000Z",
"name": "OSINT - Phishing template uses fake fonts to decode content and evade detection",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5c374083-5b40-4c9c-bd38-412c950d210f",
"url--5c374083-5b40-4c9c-bd38-412c950d210f",
"observed-data--5c374083-2f78-496b-ab68-43b3950d210f",
"url--5c374083-2f78-496b-ab68-43b3950d210f",
"x-misp-attribute--5c37432f-4370-4f62-b4e8-4bb9950d210f",
"indicator--5c3747fa-f874-4489-8d80-4278950d210f",
"indicator--5c3747fa-8434-401c-aa5e-48e0950d210f",
"indicator--5c3747fb-9194-4a9a-baf7-4e93950d210f",
"indicator--5c3747fb-d9cc-4f39-97cb-4b09950d210f",
"indicator--5c3747fc-1b38-4ec9-ad36-46ff950d210f",
"indicator--5c3747fc-9190-439e-bcd2-451f950d210f",
"indicator--5c3747fd-cfe8-4af0-9366-4b75950d210f",
"indicator--5c3747fd-5a5c-4668-9fa8-4c23950d210f",
"indicator--5c3747fe-d584-4aa9-9c19-4fa8950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"phishing\"",
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c374083-5b40-4c9c-bd38-412c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T12:54:27.000Z",
"modified": "2019-01-10T12:54:27.000Z",
"first_observed": "2019-01-10T12:54:27Z",
"last_observed": "2019-01-10T12:54:27Z",
"number_observed": 1,
"object_refs": [
"url--5c374083-5b40-4c9c-bd38-412c950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c374083-5b40-4c9c-bd38-412c950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/phishing-template-uses-fake-fonts-decode-content-and-evade-detection"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c374083-2f78-496b-ab68-43b3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T12:54:27.000Z",
"modified": "2019-01-10T12:54:27.000Z",
"first_observed": "2019-01-10T12:54:27Z",
"last_observed": "2019-01-10T12:54:27Z",
"number_observed": 1,
"object_refs": [
"url--5c374083-2f78-496b-ab68-43b3950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c374083-2f78-496b-ab68-43b3950d210f",
"value": "https://www.proofpoint.com/sites/default/files/proofpoint-obfuscation-techniques-phishing-attacks-threat-insight-en-v1.pdf"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5c37432f-4370-4f62-b4e8-4bb9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:05:50.000Z",
"modified": "2019-01-10T13:05:50.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Proofpoint researchers recently observed a phishing kit with peculiar encoding utilized in a credential harvesting scheme impersonating a major retail bank. While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fa-f874-4489-8d80-4278950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:18.000Z",
"modified": "2019-01-10T13:26:18.000Z",
"pattern": "[email-message:from_ref.value = 'fatima133777@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fa-8434-401c-aa5e-48e0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:18.000Z",
"modified": "2019-01-10T13:26:18.000Z",
"pattern": "[email-message:from_ref.value = 'fitgirlp0rtia@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fb-9194-4a9a-baf7-4e93950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:19.000Z",
"modified": "2019-01-10T13:26:19.000Z",
"pattern": "[email-message:from_ref.value = 'hecklerkiller@yandex.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fb-d9cc-4f39-97cb-4b09950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:19.000Z",
"modified": "2019-01-10T13:26:19.000Z",
"pattern": "[email-message:from_ref.value = 'netty6040@aol.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fc-1b38-4ec9-ad36-46ff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:20.000Z",
"modified": "2019-01-10T13:26:20.000Z",
"pattern": "[email-message:from_ref.value = 'nicholaklaus@yandex.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fc-9190-439e-bcd2-451f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:20.000Z",
"modified": "2019-01-10T13:26:20.000Z",
"pattern": "[email-message:from_ref.value = 'oryodavied@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fd-cfe8-4af0-9366-4b75950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:21.000Z",
"modified": "2019-01-10T13:26:21.000Z",
"pattern": "[email-message:from_ref.value = 'realunix00@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fd-5a5c-4668-9fa8-4c23950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:21.000Z",
"modified": "2019-01-10T13:26:21.000Z",
"pattern": "[email-message:from_ref.value = 'slidigeek@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c3747fe-d584-4aa9-9c19-4fa8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-10T13:26:22.000Z",
"modified": "2019-01-10T13:26:22.000Z",
"pattern": "[email-message:from_ref.value = 'zerofautes@outlook.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-10T13:26:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink