adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/59cab250-1480-406f-8e7a-4c7e02de0b81.json

1046 lines
No EOL
45 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--59cab250-1480-406f-8e7a-4c7e02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59cab250-1480-406f-8e7a-4c7e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"name": "OSINT - Striking Oil: A Closer Look at Adversary Infrastructure",
"published": "2017-09-26T20:07:07Z",
"object_refs": [
"observed-data--59cab25e-8e18-492b-80fd-f69902de0b81",
"url--59cab25e-8e18-492b-80fd-f69902de0b81",
"x-misp-attribute--59cab279-6d8c-42b2-b5f1-476902de0b81",
"indicator--59cab2ae-ee3c-4fb0-bebc-4a3402de0b81",
"indicator--59cab2ae-e7fc-4fe2-9249-4f5c02de0b81",
"indicator--59cab2ae-dbc0-4cd4-8593-4b8702de0b81",
"indicator--59cab2ae-2d4c-4c7b-877a-4d0302de0b81",
"indicator--59cab2ae-6e70-4c00-b632-48eb02de0b81",
"indicator--59cab2ae-d2bc-45c8-9af5-425f02de0b81",
"indicator--59cab2ae-adc8-4820-b9c3-4c9f02de0b81",
"indicator--59cab2ae-2814-4ae0-84b3-499302de0b81",
"indicator--59cab2ae-2444-4dfe-bbbd-4f8702de0b81",
"indicator--59cab2ae-4ce8-4325-b940-4e6202de0b81",
"indicator--59cab2ae-9e74-4969-81e6-44d302de0b81",
"indicator--59cab2ae-27dc-420e-9693-49f802de0b81",
"indicator--59cab2c1-f358-42a9-9d5f-47fb02de0b81",
"indicator--59cab2c2-28e8-413c-bf16-4b7c02de0b81",
"indicator--59cab2c2-bd5c-4a38-b84d-465f02de0b81",
"indicator--59cab2c2-0c68-41cf-a8cb-4d0102de0b81",
"indicator--59cab2c2-c4e4-48f3-b732-44d202de0b81",
"indicator--59cab2c2-ea68-4b85-8e1e-48c402de0b81",
"indicator--59cab2c2-a804-4892-8444-439702de0b81",
"indicator--59cab32d-bc80-49d0-b801-480b02de0b81",
"indicator--59cab357-66cc-473d-a11d-4aaf02de0b81",
"indicator--59cab357-0e80-4b6a-b532-4f1e02de0b81",
"observed-data--59cab357-5428-4492-bfbf-412d02de0b81",
"url--59cab357-5428-4492-bfbf-412d02de0b81",
"indicator--59cab357-afb0-402d-8585-443e02de0b81",
"indicator--59cab357-c808-483b-9e09-4b3f02de0b81",
"observed-data--59cab357-c1ac-4ad8-8355-40e902de0b81",
"url--59cab357-c1ac-4ad8-8355-40e902de0b81",
"indicator--59cab357-febc-4bfa-9185-439902de0b81",
"indicator--59cab357-2330-4b9b-8b15-499b02de0b81",
"observed-data--59cab357-6040-49e1-9e31-4ad502de0b81",
"url--59cab357-6040-49e1-9e31-4ad502de0b81",
"indicator--59cab357-3b20-4868-9a21-471f02de0b81",
"indicator--59cab357-9130-4589-8b79-4edb02de0b81",
"observed-data--59cab357-adb8-4701-a11d-484102de0b81",
"url--59cab357-adb8-4701-a11d-484102de0b81",
"indicator--59cab357-24c4-4f12-8ec1-454502de0b81",
"indicator--59cab357-d410-4086-a717-4aad02de0b81",
"observed-data--59cab357-eb68-44ec-8d84-4d0e02de0b81",
"url--59cab357-eb68-44ec-8d84-4d0e02de0b81",
"indicator--59cab357-b434-4887-ae7c-41fc02de0b81",
"indicator--59cab357-c5c4-4fef-9d9a-468e02de0b81",
"observed-data--59cab357-4da0-4c0b-bfc2-42f002de0b81",
"url--59cab357-4da0-4c0b-bfc2-42f002de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"TwoFace\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab25e-8e18-492b-80fd-f69902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab25e-8e18-492b-80fd-f69902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab25e-8e18-492b-80fd-f69902de0b81",
"value": "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59cab279-6d8c-42b2-b5f1-476902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "While expanding our research into the TwoFace webshell from this past July, we were able to uncover several IP addresses that logged in and directly interfaced with the shell we discovered and wrote about. Investigating deeper into these potential adversary IPs revealed a much larger infrastructure used to execute the attacks. We found the infrastructure was segregated into different functions for specific malicious objectives. We found some sites that were set up as credential harvesters (likely used in phishing attacks), a compromised system that was used to interact with a TwoFace webshell to hide the actor\u00e2\u20ac\u2122s location, and finally systems that interact with TwoFace webshell-compromised systems to provide command and control direction of those compromised systems.\r\n\r\nIn addition to uncovering the attack infrastructure for this adversary, we were able to determine a significant link between the operators of the set of attacks involving TwoFace and another attack campaign we have published on in detail: OilRig."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-ee3c-4fb0-bebc-4a3402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-e7fc-4fe2-9249-4f5c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '744e0ce108598aaa8994f211e00769ac8a3f05324d3f07f7705277b9af7a7497']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-dbc0-4cd4-8593-4b8702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = 'caf5f9791ab3049811e16971b4673ec6d4baf35ffaadd7486ea4c5e318d10696']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-2d4c-4c7b-877a-4d0302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-6e70-4c00-b632-48eb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-d2bc-45c8-9af5-425f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-adc8-4820-b9c3-4c9f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '5b7eb534a852c187eee7eb729056082eec7a028819191fc2bc3ba4d1127fbd12']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-2814-4ae0-84b3-499302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '6e623311768f1c419b3f755248a3b3d4bf80d26606a74ed4cfd25547a67734c7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-2444-4dfe-bbbd-4f8702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-4ce8-4325-b940-4e6202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = 'd3b03c0da854102802c21c0fa8736910ea039bbe93a140c09689fc802435ea31']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-9e74-4969-81e6-44d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = '5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2ae-27dc-420e-9693-49f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools",
"pattern": "[file:hashes.SHA256 = 'bb9b4e088eb99100156f56bbd35a21ff7e96981ffe78ca9132781e9b3f064f44']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c1-f358-42a9-9d5f-47fb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'owa-insss-org-ill-owa-authen.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-28e8-413c-bf16-4b7c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'webmaiil-tau-ac-il.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-bd5c-4a38-b84d-465f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'mail-macroadvisorypartners.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-0c68-41cf-a8cb-4d0102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'webmail-tidhar-co-il.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-c4e4-48f3-b732-44d202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'my-mailcoil.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-ea68-4b85-8e1e-48c402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'logn-micrsftonine-con.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab2c2-a804-4892-8444-439702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "Credential Harvesting Domains",
"pattern": "[domain-name:value = 'so-cc-hujii-ac-il.ml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab32d-bc80-49d0-b801-480b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:46.000Z",
"modified": "2017-09-26T20:06:46.000Z",
"description": "We observed the IP address 137.74.131[.]208 interacting with the TwoFace webshell as described in our previous blog.",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '137.74.131.208']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-66cc-473d-a11d-4aaf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2",
"pattern": "[file:hashes.SHA1 = 'fd095248cc300eb60c758a8f51f6050b2fe56520']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-0e80-4b6a-b532-4f1e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2",
"pattern": "[file:hashes.MD5 = '28089bfa4a1991ae98a7230f055a6081']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-5428-4492-bfbf-412d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-5428-4492-bfbf-412d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-5428-4492-bfbf-412d02de0b81",
"value": "https://www.virustotal.com/file/28a0db561ff5a525bc2696cf98d96f443f528afe63c5097c5e0ccad071fcb8c2/analysis/1500337719/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-afb0-402d-8585-443e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301",
"pattern": "[file:hashes.SHA1 = '5221c2ce846d9cbc8ab73142b51414f31544289f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-c808-483b-9e09-4b3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301",
"pattern": "[file:hashes.MD5 = 'b5450c8553def4996426ab46996b2e55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-c1ac-4ad8-8355-40e902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-c1ac-4ad8-8355-40e902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-c1ac-4ad8-8355-40e902de0b81",
"value": "https://www.virustotal.com/file/6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301/analysis/1497352004/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-febc-4bfa-9185-439902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95",
"pattern": "[file:hashes.SHA1 = 'b5c62d79eda4f7e4b60a9caa5736a3fdc2f1b27e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-2330-4b9b-8b15-499b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95",
"pattern": "[file:hashes.MD5 = 'a7f7a0f74c8b48f1699858b3b6c11eda']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-6040-49e1-9e31-4ad502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-6040-49e1-9e31-4ad502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-6040-49e1-9e31-4ad502de0b81",
"value": "https://www.virustotal.com/file/3b08535b4add194f5661e1131c8e81af373ca322cf669674cf1272095e5cab95/analysis/1506412272/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-3b20-4868-9a21-471f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd",
"pattern": "[file:hashes.SHA1 = '289f3bfe297923507cf4c26ca500ae01819c6a95']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-9130-4589-8b79-4edb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd",
"pattern": "[file:hashes.MD5 = '081e2ce7e2a603a78cc6c20a05b08ca8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-adb8-4701-a11d-484102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-adb8-4701-a11d-484102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-adb8-4701-a11d-484102de0b81",
"value": "https://www.virustotal.com/file/450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd/analysis/1500539163/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-24c4-4f12-8ec1-454502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3",
"pattern": "[file:hashes.SHA1 = '5447283518473ea8b9d35424532a94e2966f7a90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-d410-4086-a717-4aad02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3",
"pattern": "[file:hashes.MD5 = '0f9d0b03254830714654c2ceb11a7f5d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-eb68-44ec-8d84-4d0e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-eb68-44ec-8d84-4d0e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-eb68-44ec-8d84-4d0e02de0b81",
"value": "https://www.virustotal.com/file/497e6965120a7ca6644da9b8291c65901e78d302139d221fcf0a3ec6c5cf9de3/analysis/1505921769/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-b434-4887-ae7c-41fc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c",
"pattern": "[file:hashes.SHA1 = '0c91a56f61c0365f56dc7b2b4e17bbf1e4cb134b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59cab357-c5c4-4fef-9d9a-468e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"description": "Post-exploitation Tools - Xchecked via VT: 5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c",
"pattern": "[file:hashes.MD5 = 'a56abdaa3438378bf16b3eccf317af8a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-26T20:06:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59cab357-4da0-4c0b-bfc2-42f002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-26T20:06:47.000Z",
"modified": "2017-09-26T20:06:47.000Z",
"first_observed": "2017-09-26T20:06:47Z",
"last_observed": "2017-09-26T20:06:47Z",
"number_observed": 1,
"object_refs": [
"url--59cab357-4da0-4c0b-bfc2-42f002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59cab357-4da0-4c0b-bfc2-42f002de0b81",
"value": "https://www.virustotal.com/file/5ead94f12c307438e6475e49f02bedaee0cd09ce6cebb7939f9a2830f913212c/analysis/1483030641/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink