{
|
|
"type": "bundle",
|
|
"id": "bundle--5b3b7b6f-6234-45ea-be4f-ab8202de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T14:00:12.000Z",
|
|
"modified": "2018-07-03T14:00:12.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5b3b7b6f-6234-45ea-be4f-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T14:00:12.000Z",
|
|
"modified": "2018-07-03T14:00:12.000Z",
|
|
"name": "OSINT - Down but Not Out: A Look Into Recent Exploit Kit Activities",
|
|
"published": "2018-07-03T14:03:14Z",
|
|
"object_refs": [
|
|
"observed-data--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81",
|
|
"url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81",
|
|
"x-misp-attribute--5b3b7ba2-e47c-404d-928f-415002de0b81",
|
|
"indicator--5b3b7e1c-756c-4e5a-aa63-46d002de0b81",
|
|
"indicator--5b3b7e1c-a6c0-44b4-b4e7-415f02de0b81",
|
|
"indicator--5b3b7e1d-bbec-4f67-aef5-40d702de0b81",
|
|
"indicator--5b3b7e37-a474-4145-94c3-4b1402de0b81",
|
|
"indicator--5b3b7e78-3d10-4fee-842a-ae7e02de0b81",
|
|
"indicator--5b3b7e78-63a8-46d0-b8df-ae7e02de0b81",
|
|
"indicator--5b3b7e79-0498-40d8-b851-ae7e02de0b81",
|
|
"indicator--5b3b7f41-9ca8-45cb-b4f8-ab8202de0b81",
|
|
"indicator--5b3b7f41-b204-4a20-a7e2-ab8202de0b81",
|
|
"indicator--5b3b7f41-cd24-4412-969c-ab8202de0b81",
|
|
"indicator--5b3b7f42-acc0-4282-98f3-ab8202de0b81",
|
|
"indicator--5b3b7f42-db68-451e-8a47-ab8202de0b81",
|
|
"indicator--5b3b7f43-c578-46ca-acbb-ab8202de0b81",
|
|
"indicator--5b3b7f43-ab28-4653-b8ea-ab8202de0b81",
|
|
"indicator--5b3b7f44-3a94-4042-ab95-ab8202de0b81",
|
|
"indicator--5b3b7f44-7518-4f82-a1fb-ab8202de0b81",
|
|
"indicator--5b3b7f45-c1d8-47e7-b326-ab8202de0b81",
|
|
"indicator--5b3b8010-54e0-4e3c-85bb-ae8f02de0b81",
|
|
"indicator--5b3b8010-0738-42da-8b4e-ae8f02de0b81",
|
|
"indicator--5b3b8011-1f14-4735-9bc2-ae8f02de0b81",
|
|
"indicator--5b3b8078-ec74-4cff-bfa6-4b9d02de0b81",
|
|
"indicator--5b3b8078-ad54-4d3b-9cd0-424d02de0b81",
|
|
"indicator--5b3b8079-b7f4-4277-858a-432902de0b81",
|
|
"indicator--5b3b8079-8bb0-447f-ae3d-4d3d02de0b81",
|
|
"x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7",
|
|
"x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c",
|
|
"x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3",
|
|
"x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613",
|
|
"x-misp-object--25e765d8-e066-4981-a075-0912806c404c",
|
|
"x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a",
|
|
"x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59",
|
|
"x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396",
|
|
"relationship--25cd6ab2-8947-41ce-ae3f-302baad84cc6",
|
|
"relationship--6b6f4503-8ac7-41ae-840e-76e9a372299b",
|
|
"relationship--c7dd7a4c-7068-4293-954e-333ccd5887cf",
|
|
"relationship--cc2aeb84-6165-4bcd-a4e2-a152e8d1e9a7"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:exploit-kit=\"RIG\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:34:56.000Z",
|
|
"modified": "2018-07-03T13:34:56.000Z",
|
|
"first_observed": "2018-07-03T13:34:56Z",
|
|
"last_observed": "2018-07-03T13:34:56Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5b3b7b80-2e20-4f5a-b8a8-ab8202de0b81",
|
|
"value": "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-recent-exploit-kit-activities/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5b3b7ba2-e47c-404d-928f-415002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:35:30.000Z",
|
|
"modified": "2018-07-03T13:35:30.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Exploit kits may be down, but they\u2019re not out. While they\u2019re still using the same techniques that involve malvertisements or embedding links in spam and malicious or compromised websites, their latest activities are making them significant factors in the threat landscape again. This is the case with Rig and GrandSoft, as well as the private exploit kit Magnitude \u2014 exploit kits we found roping in relatively recent vulnerabilities to deliver cryptocurrency-mining malware, ransomware, botnet loaders, and banking trojans.\r\n\r\nBased on the exploit kits\u2019 latest activities, it appears they and their users are shifting tactics by joining the bandwagon, like capitalizing on cryptocurrency\u2019s popularity or using off-the-rack malware. We expect this to be the status quo this year, given the profitability of using cryptocurrency miners and the convenience of using ready-made malware. We also foresee more exploits that work on other software, such as CVE-2018-8174, which can be exploited via Microsoft Word and Internet Explorer."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7e1c-756c-4e5a-aa63-46d002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:46:04.000Z",
|
|
"modified": "2018-07-03T13:46:04.000Z",
|
|
"description": "Malicious domains and IP addresses related to GrandSoft exploit kit",
|
|
"pattern": "[domain-name:value = 'ethical-buyback.lesbianssahgbrewingqzw.xyz']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:46:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7e1c-a6c0-44b4-b4e7-415f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:46:04.000Z",
|
|
"modified": "2018-07-03T13:46:04.000Z",
|
|
"description": "Malicious domains and IP addresses related to GrandSoft exploit kit",
|
|
"pattern": "[url:value = 'ethical-buyback.lesbianssahgbrewingqzw.xyz/masking_celebration-skies']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:46:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7e1d-bbec-4f67-aef5-40d702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:46:05.000Z",
|
|
"modified": "2018-07-03T13:46:05.000Z",
|
|
"description": "Malicious domains and IP addresses related to GrandSoft exploit kit",
|
|
"pattern": "[url:value = 'papconnecting.net/wp-content/traffic.php']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:46:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7e37-a474-4145-94c3-4b1402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:46:31.000Z",
|
|
"modified": "2018-07-03T13:46:31.000Z",
|
|
"description": "GandCrab C&C",
|
|
"pattern": "[domain-name:value = 'carder.bit']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:46:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7e78-3d10-4fee-842a-ae7e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:47:36.000Z",
|
|
"modified": "2018-07-03T13:47:36.000Z",
|
|
"pattern": "[url:value = '91.210.104.247/debug.txt']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:47:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7e78-63a8-46d0-b8df-ae7e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:47:36.000Z",
|
|
"modified": "2018-07-03T13:47:36.000Z",
|
|
"description": "GandCrab Ransomware",
|
|
"pattern": "[url:value = '91.210.104.247/putty.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:47:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7e79-0498-40d8-b851-ae7e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:47:37.000Z",
|
|
"modified": "2018-07-03T13:47:37.000Z",
|
|
"description": "(BlackTDS IP)",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '200.74.240.219']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:47:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f41-9ca8-45cb-b4f8-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:50:57.000Z",
|
|
"modified": "2018-07-03T13:50:57.000Z",
|
|
"description": "Magniber Payment Server",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '54.37.57.152']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:50:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f41-b204-4a20-a7e2-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:50:57.000Z",
|
|
"modified": "2018-07-03T13:50:57.000Z",
|
|
"description": "Magniber Payment Server",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '64.188.10.44']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:50:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f41-cd24-4412-969c-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:50:57.000Z",
|
|
"modified": "2018-07-03T13:50:57.000Z",
|
|
"description": "Magniber Payment Server",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.60.161.51']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:50:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f42-acc0-4282-98f3-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:50:58.000Z",
|
|
"modified": "2018-07-03T13:50:58.000Z",
|
|
"description": "Magnigate Step 1",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.56.159.203']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:50:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f42-db68-451e-8a47-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:50:58.000Z",
|
|
"modified": "2018-07-03T13:50:58.000Z",
|
|
"description": "Magnitude EK",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.114.191.124']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:50:58Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f43-c578-46ca-acbb-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:50:59.000Z",
|
|
"modified": "2018-07-03T13:50:59.000Z",
|
|
"description": "Magnigate Step 2",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '167.114.33.110']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:50:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f43-ab28-4653-b8ea-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:50:59.000Z",
|
|
"modified": "2018-07-03T13:50:59.000Z",
|
|
"description": "Magniber Payment Server",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.244.150.110']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:50:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f44-3a94-4042-ab95-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:51:00.000Z",
|
|
"modified": "2018-07-03T13:51:00.000Z",
|
|
"description": "Magnigate Step 2",
|
|
"pattern": "[domain-name:value = 'fedpart.website']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:51:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f44-7518-4f82-a1fb-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:51:00.000Z",
|
|
"modified": "2018-07-03T13:51:00.000Z",
|
|
"description": "Magnitude landing page",
|
|
"pattern": "[domain-name:value = 'addrole.space']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:51:00Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b7f45-c1d8-47e7-b326-ab8202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:51:01.000Z",
|
|
"modified": "2018-07-03T13:51:01.000Z",
|
|
"description": "Magnigate Step 1b",
|
|
"pattern": "[domain-name:value = 'taxhuge.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:51:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b8010-54e0-4e3c-85bb-ae8f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:54:24.000Z",
|
|
"modified": "2018-07-03T13:54:24.000Z",
|
|
"description": "Rig EK; also where Kardon Loader was downloaded",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.225.37.242']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:54:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b8010-0738-42da-8b4e-ae8f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:54:24.000Z",
|
|
"modified": "2018-07-03T13:54:24.000Z",
|
|
"description": "Malicious domains and IP addresses related to Rig exploit kit",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.23.181.154']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:54:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b8011-1f14-4735-9bc2-ae8f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:54:25.000Z",
|
|
"modified": "2018-07-03T13:54:25.000Z",
|
|
"description": "Malicious domains and IP addresses related to Rig exploit kit",
|
|
"pattern": "[url:value = '193.23.181.154/crypto/?placement=198395354']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:54:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b8078-ec74-4cff-bfa6-4b9d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:56:08.000Z",
|
|
"modified": "2018-07-03T13:56:08.000Z",
|
|
"description": "TROJ_DLOADR.SULQ",
|
|
"pattern": "[file:hashes.SHA256 = '69ec63646a589127c573fed9498a11d3e75009751ac5e16a80e7aa684ad66240']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:56:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b8078-ad54-4d3b-9cd0-424d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:56:08.000Z",
|
|
"modified": "2018-07-03T13:56:08.000Z",
|
|
"description": "TROJ_KARDONLDR.A",
|
|
"pattern": "[file:hashes.SHA256 = 'aca8e9ecb7c8797c1bc03202a738a0ad586b00968f6c21ab83b9bb43b5c49243']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:56:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b8079-b7f4-4277-858a-432902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:56:09.000Z",
|
|
"modified": "2018-07-03T13:56:09.000Z",
|
|
"description": "TROJ_KARIUS.A",
|
|
"pattern": "[file:hashes.SHA256 = '5f7d3d7bf2ad424b8552ae78682a4f89080b41fedbcc34edce2b2a2c8baf47d4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:56:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b3b8079-8bb0-447f-ae3d-4d3d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:56:09.000Z",
|
|
"modified": "2018-07-03T13:56:09.000Z",
|
|
"description": "COINMINER_MALXMR.SM4-WIN32",
|
|
"pattern": "[file:hashes.SHA256 = '24d17158531180849f5b0819ac965d796886b8238d8a690e2a7ecb3d7fd3bf2b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-03T13:56:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:57:55.000Z",
|
|
"modified": "2018-07-03T13:57:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:57:53.000Z",
|
|
"modified": "2018-07-03T13:57:53.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:57:57.000Z",
|
|
"modified": "2018-07-03T13:57:57.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:57:56.000Z",
|
|
"modified": "2018-07-03T13:57:56.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--25e765d8-e066-4981-a075-0912806c404c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:58:00.000Z",
|
|
"modified": "2018-07-03T13:58:00.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:57:58.000Z",
|
|
"modified": "2018-07-03T13:57:58.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:58:02.000Z",
|
|
"modified": "2018-07-03T13:58:02.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-03T13:58:01.000Z",
|
|
"modified": "2018-07-03T13:58:01.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--25cd6ab2-8947-41ce-ae3f-302baad84cc6",
|
|
"created": "2018-07-03T13:58:02.000Z",
|
|
"modified": "2018-07-03T13:58:02.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--73665dc3-b0f2-4564-91b8-2932403695d7",
|
|
"target_ref": "x-misp-object--d02d31c4-8128-41d2-bd3b-825b2389df8c"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--6b6f4503-8ac7-41ae-840e-76e9a372299b",
|
|
"created": "2018-07-03T13:58:02.000Z",
|
|
"modified": "2018-07-03T13:58:02.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--1924a25c-c807-4fa6-a14c-d8061c3c72a3",
|
|
"target_ref": "x-misp-object--bcc933cf-b284-4ab8-b1fa-2e2c8a2e1613"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--c7dd7a4c-7068-4293-954e-333ccd5887cf",
|
|
"created": "2018-07-03T13:58:02.000Z",
|
|
"modified": "2018-07-03T13:58:02.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--25e765d8-e066-4981-a075-0912806c404c",
|
|
"target_ref": "x-misp-object--87ffa5a2-5445-4088-81a6-13475f44401a"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--cc2aeb84-6165-4bcd-a4e2-a152e8d1e9a7",
|
|
"created": "2018-07-03T13:58:02.000Z",
|
|
"modified": "2018-07-03T13:58:02.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--a23c9b1d-82e5-4df2-9308-78f86d3e7f59",
|
|
"target_ref": "x-misp-object--1c6f0eb3-95ce-493b-96b4-33424617a396"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |