adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5cd14624-0b24-4386-85f5-4e5e950d210f.json

827 lines
No EOL
36 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--5cd14624-0b24-4386-85f5-4e5e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:38:46.000Z",
"modified": "2019-05-08T09:38:46.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5cd14624-0b24-4386-85f5-4e5e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T09:38:46.000Z",
"modified": "2019-05-08T09:38:46.000Z",
"name": "OSINT - CARBANAK Week - Fire Eye",
"published": "2019-05-08T11:22:43Z",
"object_refs": [
"observed-data--5cd1464b-5c38-40b2-bab2-44a3950d210f",
"url--5cd1464b-5c38-40b2-bab2-44a3950d210f",
"observed-data--5cd1464b-f590-4342-96f5-4204950d210f",
"url--5cd1464b-f590-4342-96f5-4204950d210f",
"observed-data--5cd1464b-6008-4101-a704-4016950d210f",
"url--5cd1464b-6008-4101-a704-4016950d210f",
"observed-data--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f",
"url--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f",
"indicator--5cd18a3a-c808-4674-8acc-41f8950d210f",
"indicator--5cd18a3a-3210-4ab0-9d58-4e65950d210f",
"indicator--5cd18a3a-9b74-4426-838f-44e7950d210f",
"indicator--5cd18a3a-8f68-448a-83bf-40c8950d210f",
"indicator--5cd18a3a-6860-4dc8-a3f9-42c3950d210f",
"indicator--5cd18a3a-8a48-4dbf-886f-4ee9950d210f",
"indicator--5cd18a3a-e23c-4ee0-b712-465d950d210f",
"indicator--5cd18a3a-78d4-45fd-b116-411e950d210f",
"indicator--5cd18a3a-f414-49d6-b595-44b3950d210f",
"x-misp-attribute--5cd27588-6cbc-4373-a9d7-4e5d950d210f",
"observed-data--5cd28d32-4770-466b-b8c6-4655e387cbd9",
"network-traffic--5cd28d32-4770-466b-b8c6-4655e387cbd9",
"ipv4-addr--5cd28d32-4770-466b-b8c6-4655e387cbd9",
"observed-data--5cd28d35-7a48-4b05-b933-4fd2e387cbd9",
"network-traffic--5cd28d35-7a48-4b05-b933-4fd2e387cbd9",
"ipv4-addr--5cd28d35-7a48-4b05-b933-4fd2e387cbd9",
"indicator--5cd14a64-a478-4a1d-bcaa-4af8950d210f",
"indicator--5cd14f02-6a40-4948-8120-41b7950d210f",
"indicator--5cd14f7c-ed6c-4396-a8b8-48e9950d210f",
"indicator--5cd14fc8-cc7c-46e2-8498-456e950d210f",
"indicator--5cd15297-7048-4712-9572-4258950d210f",
"indicator--5cd152e1-b8a0-4bcf-9ea3-4ca4950d210f",
"indicator--5cd15d47-ed54-49b9-aeaa-4471950d210f",
"indicator--5cd15d6a-b964-4779-8f3a-43b5950d210f",
"indicator--5cd1837d-0694-4391-8cb9-364f950d210f",
"indicator--5cd18724-ce4c-410f-95db-b3d7950d210f",
"observed-data--5cd18771-bac0-47c3-9a8c-a966950d210f",
"network-traffic--5cd18771-bac0-47c3-9a8c-a966950d210f",
"ipv4-addr--5cd18771-9f18-4005-a613-a966950d210f",
"observed-data--5cd187b5-1eb8-474a-ae22-a97c950d210f",
"network-traffic--5cd187b5-1eb8-474a-ae22-a97c950d210f",
"ipv4-addr--5cd187b5-d93c-4c9a-9658-a97c950d210f",
"indicator--5cd189c9-dd18-4b41-9ad4-b3d7950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:malpedia=\"Carbanak\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Carbanak - G0008\"",
"misp-galaxy:mitre-enterprise-attack-malware=\"Carbanak - S0030\"",
"misp-galaxy:mitre-enterprise-attack-relationship=\"FIN7 uses Carbanak\"",
"misp-galaxy:mitre-intrusion-set=\"Carbanak - G0008\"",
"misp-galaxy:mitre-malware=\"Carbanak - S0030\"",
"misp-galaxy:threat-actor=\"Anunak\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"FIN7 - G0046\"",
"misp-galaxy:mitre-intrusion-set=\"FIN7\"",
"misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"",
"ecsirt:intrusions=\"backdoor\"",
"veris:action:malware:variety=\"Backdoor\"",
"ms-caro-malware:malware-type=\"Backdoor\"",
"ms-caro-malware-full:malware-type=\"Backdoor\"",
"circl:incident-classification=\"malware\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd1464b-5c38-40b2-bab2-44a3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T08:48:11.000Z",
"modified": "2019-05-07T08:48:11.000Z",
"first_observed": "2019-05-07T08:48:11Z",
"last_observed": "2019-05-07T08:48:11Z",
"number_observed": 1,
"object_refs": [
"url--5cd1464b-5c38-40b2-bab2-44a3950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cd1464b-5c38-40b2-bab2-44a3950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd1464b-f590-4342-96f5-4204950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T08:48:11.000Z",
"modified": "2019-05-07T08:48:11.000Z",
"first_observed": "2019-05-07T08:48:11Z",
"last_observed": "2019-05-07T08:48:11Z",
"number_observed": 1,
"object_refs": [
"url--5cd1464b-f590-4342-96f5-4204950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cd1464b-f590-4342-96f5-4204950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd1464b-6008-4101-a704-4016950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T08:48:11.000Z",
"modified": "2019-05-07T08:48:11.000Z",
"first_observed": "2019-05-07T08:48:11Z",
"last_observed": "2019-05-07T08:48:11Z",
"number_observed": 1,
"object_refs": [
"url--5cd1464b-6008-4101-a704-4016950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cd1464b-6008-4101-a704-4016950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T08:48:11.000Z",
"modified": "2019-05-07T08:48:11.000Z",
"first_observed": "2019-05-07T08:48:11Z",
"last_observed": "2019-05-07T08:48:11Z",
"number_observed": 1,
"object_refs": [
"url--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cd1464b-b6f8-4ea7-bf52-4cc2950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-c808-4674-8acc-41f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity",
"pattern": "[domain-name:value = 'comixed.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-3210-4ab0-9d58-4e65950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '194.146.180.40']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-9b74-4426-838f-44e7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Active",
"pattern": "[domain-name:value = 'aaaabbbbccccc.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-8f68-448a-83bf-40c8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Commented out - Threat Group Association: FIN7",
"pattern": "[domain-name:value = 'stats10-google.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-6860-4dc8-a3f9-42c3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Commented out",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.25.84.223']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-8a48-4dbf-886f-4ee9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Active",
"pattern": "[domain-name:value = 'qwqreererwere.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-e23c-4ee0-b712-465d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity",
"pattern": "[domain-name:value = 'akamai-technologies.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-78d4-45fd-b116-411e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Compiled",
"pattern": "[domain-name:value = 'hhklhlkhkjhjkjk.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18a3a-f414-49d6-b595-44b3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:38:02.000Z",
"modified": "2019-05-07T13:38:02.000Z",
"description": "Status: Compiled - Threat Group Association: DNS infrastructure overlap with later FIN7 associated POWERSOURCE activity",
"pattern": "[domain-name:value = 'aaa.stage.4463714.news.meteonovosti.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:38:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cd27588-6cbc-4373-a9d7-4e5d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T06:22:00.000Z",
"modified": "2019-05-08T06:22:00.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "CARBANAK is one of the most full-featured backdoors around. It was used to perpetrate millions of dollars in financial crimes, largely by the group we track as FIN7. In 2017, Tom Bennett and Barry Vengerik published Behind the CARBANAK Backdoor, which was the product of a deep and broad analysis of CARBANAK samples and FIN7 activity across several years. On the heels of that publication, our colleague Nick Carr uncovered a pair of RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie)."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd28d32-4770-466b-b8c6-4655e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:02:58.000Z",
"modified": "2019-05-08T08:02:58.000Z",
"first_observed": "2019-05-08T08:02:58Z",
"last_observed": "2019-05-08T08:02:58Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5cd28d32-4770-466b-b8c6-4655e387cbd9",
"ipv4-addr--5cd28d32-4770-466b-b8c6-4655e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5cd28d32-4770-466b-b8c6-4655e387cbd9",
"src_ref": "ipv4-addr--5cd28d32-4770-466b-b8c6-4655e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5cd28d32-4770-466b-b8c6-4655e387cbd9",
"value": "107.181.155.151"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd28d35-7a48-4b05-b933-4fd2e387cbd9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T08:03:01.000Z",
"modified": "2019-05-08T08:03:01.000Z",
"first_observed": "2019-05-08T08:03:01Z",
"last_observed": "2019-05-08T08:03:01Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5cd28d35-7a48-4b05-b933-4fd2e387cbd9",
"ipv4-addr--5cd28d35-7a48-4b05-b933-4fd2e387cbd9"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5cd28d35-7a48-4b05-b933-4fd2e387cbd9",
"src_ref": "ipv4-addr--5cd28d35-7a48-4b05-b933-4fd2e387cbd9",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5cd28d35-7a48-4b05-b933-4fd2e387cbd9",
"value": "23.253.126.58"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd14a64-a478-4a1d-bcaa-4af8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T09:05:40.000Z",
"modified": "2019-05-07T09:05:40.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.193.252.151') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'vds2.system-host.net') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-26T14:49:12']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T09:05:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd14f02-6a40-4948-8120-41b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T09:25:22.000Z",
"modified": "2019-05-07T09:25:22.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.180.196.35') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'customer.clientshostname.com') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-24T07:44:30']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T09:25:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd14f7c-ed6c-4396-a8b8-48e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T09:27:24.000Z",
"modified": "2019-05-07T09:27:24.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '213.227.155.8') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-24T04:33:52']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T09:27:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd14fc8-cc7c-46e2-8498-456e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T09:28:40.000Z",
"modified": "2019-05-07T09:28:40.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '94.156.133.69') AND network-traffic:dst_port = '443' AND network-traffic:end = '2018-11-15T10:27:07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T09:28:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd15297-7048-4712-9572-4258950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T09:40:39.000Z",
"modified": "2019-05-07T09:40:39.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.174.172.241') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-27T13:24:36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T09:40:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd152e1-b8a0-4bcf-9ea3-4ca4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T09:41:53.000Z",
"modified": "2019-05-07T09:41:53.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '109.230.199.227') AND network-traffic:dst_port = '443' AND network-traffic:end = '2019-04-27T13:24:36']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T09:41:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd15d47-ed54-49b9-aeaa-4471950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T10:26:15.000Z",
"modified": "2019-05-07T10:26:15.000Z",
"description": "Status: Commented out",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.1.212.100') AND network-traffic:dst_port = '700']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T10:26:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd15d6a-b964-4779-8f3a-43b5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T10:26:50.000Z",
"modified": "2019-05-07T10:26:50.000Z",
"description": "Status: Commented out - Threat Group Association: Earlier CARBANAK activity",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.138.98.105') AND network-traffic:dst_port = '710']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T10:26:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd1837d-0694-4391-8cb9-364f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:09:17.000Z",
"modified": "2019-05-07T13:09:17.000Z",
"description": "Status: Commented out",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.84.49.50') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:09:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd18724-ce4c-410f-95db-b3d7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:24:52.000Z",
"modified": "2019-05-07T13:24:52.000Z",
"description": "Status: Commented out",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '52.11.125.44') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:24:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd18771-bac0-47c3-9a8c-a966950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:26:09.000Z",
"modified": "2019-05-07T13:26:09.000Z",
"first_observed": "2019-05-07T13:26:09Z",
"last_observed": "2019-05-07T13:26:09Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5cd18771-bac0-47c3-9a8c-a966950d210f",
"ipv4-addr--5cd18771-9f18-4005-a613-a966950d210f"
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"False\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5cd18771-bac0-47c3-9a8c-a966950d210f",
"dst_ref": "ipv4-addr--5cd18771-9f18-4005-a613-a966950d210f",
"dst_port": 700,
"protocols": [
"ipv4"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5cd18771-9f18-4005-a613-a966950d210f",
"value": "192.168.0.100"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd187b5-1eb8-474a-ae22-a97c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:27:17.000Z",
"modified": "2019-05-07T13:27:17.000Z",
"first_observed": "2019-05-07T13:27:17Z",
"last_observed": "2019-05-07T13:27:17Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5cd187b5-1eb8-474a-ae22-a97c950d210f",
"ipv4-addr--5cd187b5-d93c-4c9a-9658-a97c950d210f"
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"False\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5cd187b5-1eb8-474a-ae22-a97c950d210f",
"dst_ref": "ipv4-addr--5cd187b5-d93c-4c9a-9658-a97c950d210f",
"dst_port": 700,
"protocols": [
"ipv4"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5cd187b5-d93c-4c9a-9658-a97c950d210f",
"value": "192.168.0.100"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd189c9-dd18-4b41-9ad4-b3d7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-07T13:36:09.000Z",
"modified": "2019-05-07T13:36:09.000Z",
"description": "Status: Active - Threat Group Association: Earlier CARBANAK activity",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.203.48.23') AND network-traffic:dst_port = '800']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-07T13:36:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink