774 lines
No EOL
34 KiB
JSON
774 lines
No EOL
34 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5b43ce0c-47e8-476c-97d6-f56402de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:08.000Z",
|
|
"modified": "2018-07-10T06:56:08.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5b43ce0c-47e8-476c-97d6-f56402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:08.000Z",
|
|
"modified": "2018-07-10T06:56:08.000Z",
|
|
"name": "OSINT - APT Attack In the Middle East: The Big Bang",
|
|
"published": "2018-07-10T07:10:59Z",
|
|
"object_refs": [
|
|
"observed-data--5b43ce1c-edb4-491d-95c5-43fd02de0b81",
|
|
"url--5b43ce1c-edb4-491d-95c5-43fd02de0b81",
|
|
"indicator--5b43ce38-f8ec-46cf-a6e1-4c6502de0b81",
|
|
"indicator--5b43ce39-f540-4bca-96c8-472d02de0b81",
|
|
"indicator--5b43ce39-cb38-4f9d-85b0-420802de0b81",
|
|
"indicator--5b43ce3a-9dbc-485b-9b5b-483902de0b81",
|
|
"indicator--5b43ce3a-4c8c-4399-b52e-429e02de0b81",
|
|
"indicator--5b43ce3b-e330-4f8c-9fcd-4d4e02de0b81",
|
|
"indicator--5b43ce3b-b098-4156-9bb1-489002de0b81",
|
|
"indicator--5b43ce3b-a5bc-4932-9030-43d902de0b81",
|
|
"indicator--5b43ce3c-3a70-4e79-a245-404402de0b81",
|
|
"indicator--5b43ce3c-447c-4bcc-a5d7-452402de0b81",
|
|
"indicator--5b43ce3d-bcb0-4078-9fb7-486c02de0b81",
|
|
"indicator--5b43ce3d-8b4c-4b04-b52f-485602de0b81",
|
|
"indicator--5b43ce3e-5608-466a-962a-408902de0b81",
|
|
"x-misp-attribute--5b4454b3-ec70-438e-b9e3-4d7d950d210f",
|
|
"indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2",
|
|
"x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2",
|
|
"indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8",
|
|
"x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea",
|
|
"indicator--e84f13a0-0878-494a-b532-2946d911523e",
|
|
"x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8",
|
|
"indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76",
|
|
"x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3",
|
|
"indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4",
|
|
"x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a",
|
|
"relationship--6c35e5d9-4fab-4a77-8c13-6717dcc18437",
|
|
"relationship--48542ffe-46fc-465a-995a-8d0379ea22bc",
|
|
"relationship--b3aa65a4-920f-424d-bd9c-d714c6418416",
|
|
"relationship--66e578e8-d5f6-40cd-9d49-553e714ec368",
|
|
"relationship--b998729e-63f7-4b6b-9060-e79b5e8e39b3"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
|
|
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Screen Capture - T1113\"",
|
|
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Information Repositories - T1213\"",
|
|
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Commonly Used Port - T1043\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"misp-galaxy:threat-actor=\"The Big Bang\"",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"estimative-language:confidence-in-analytic-judgment=\"moderate\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5b43ce1c-edb4-491d-95c5-43fd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"first_observed": "2018-07-10T06:56:05Z",
|
|
"last_observed": "2018-07-10T06:56:05Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5b43ce1c-edb4-491d-95c5-43fd02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5b43ce1c-edb4-491d-95c5-43fd02de0b81",
|
|
"value": "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce38-f8ec-46cf-a6e1-4c6502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[file:hashes.SHA1 = 'a210ac6ea0406d81fa5682e86997be25c73e9d1b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce39-f540-4bca-96c8-472d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '994ebbe444183e0d67b13f91d75b0f9bcfb011db']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce39-cb38-4f9d-85b0-420802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '74ea60b4e269817168e107bdccc42b3a1193c1e6']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3a-9dbc-485b-9b5b-483902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '511bec782be41e85a013cbea95725d5807e3c2f2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3a-4c8c-4399-b52e-429e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '9e093a5b34c4e5dea59e374b409173565dc3b05b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3b-e330-4f8c-9fcd-4d4e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[domain-name:value = 'lindamullins.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3b-b098-4156-9bb1-489002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[domain-name:value = 'spgbotup.club']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3b-a5bc-4932-9030-43d902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[domain-name:value = 'namyyeatop.club']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3c-3a70-4e79-a245-404402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[domain-name:value = 'namybotter.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3c-447c-4bcc-a5d7-452402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[domain-name:value = 'sanjynono.website']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3d-bcb0-4078-9fb7-486c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[domain-name:value = 'exvsnomy.club']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3d-8b4c-4b04-b52f-485602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[domain-name:value = 'ezofiezo.website']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b43ce3e-5608-466a-962a-408902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"pattern": "[domain-name:value = 'hitmesanjjoy.pro']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-10T06:56:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5b4454b3-ec70-438e-b9e3-4d7d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-10T06:56:05.000Z",
|
|
"modified": "2018-07-10T06:56:05.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "Over the last few weeks, the Check Point Threat Intelligence Team discovered the comeback of an APT surveillance attack against institutions across the Middle East, specifically the Palestinian Authority.\r\n\r\nThe attack begins with a phishing email sent to targets that includes an attachment of a self-extracting archive containing two files: a Word document and a malicious executable. Posing to be from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy, distracting victims while the malware is installed in the background.\r\n\r\nThe malware has several modules, some of which are:\r\n\r\n Taking a screenshot of the infected machine and sending it to the C&C server.\r\n Sending a list of documents with file extensions including .doc, .odt, .xls, .ppt, .pdf and more.\r\n Logging details about the system.\r\n Rebooting the system.\r\n Self-destructing the executable.\r\n\r\nWhile it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed \u00e2\u20ac\u02dcBig Bang\u00e2\u20ac\u2122 due to the attacker\u00e2\u20ac\u2122s fondness for the \u00e2\u20ac\u02dcBig Bang Theory\u00e2\u20ac\u2122 TV show, after which some of the malware\u00e2\u20ac\u2122s modules are named.\r\n\r\nA previous campaign of this APT group was uncovered by Talos in June 2017, and since then very little of this operation was seen in the wild. The Big Bang campaign described below incorporates improved capabilities and offensive infrastructure, and seems to be even more targeted."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:10:57.000Z",
|
|
"modified": "2018-07-09T21:10:57.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'a3dc31c456508df7dfac8349eb0d2b65' AND file:hashes.SHA1 = '74ea60b4e269817168e107bdccc42b3a1193c1e6' AND file:hashes.SHA256 = '63a73cf005eb328f3c7e99f0d28da65980d9620b66d8c41939f6db023418c864']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-09T21:10:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:10:55.000Z",
|
|
"modified": "2018-07-09T21:10:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-09T20:54:06",
|
|
"category": "Other",
|
|
"uuid": "d8dba617-c8c4-466d-99b9-0bc760fc64f6"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/63a73cf005eb328f3c7e99f0d28da65980d9620b66d8c41939f6db023418c864/analysis/1531169646/",
|
|
"category": "External analysis",
|
|
"uuid": "32da8334-bef5-4dd2-9c11-4bde99a3e834"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "0/58",
|
|
"category": "Other",
|
|
"uuid": "f06cc6f8-9d16-4237-9edf-f22bffa514f1"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:10:59.000Z",
|
|
"modified": "2018-07-09T21:10:59.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'fd8c8ae6a261b0e88df06236c5b70be6' AND file:hashes.SHA1 = '511bec782be41e85a013cbea95725d5807e3c2f2' AND file:hashes.SHA256 = 'ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-09T21:10:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:10:58.000Z",
|
|
"modified": "2018-07-09T21:10:58.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-09T10:06:12",
|
|
"category": "Other",
|
|
"uuid": "f6c73d92-dd22-4ecd-b81d-82dce73c212d"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224/analysis/1531130772/",
|
|
"category": "External analysis",
|
|
"uuid": "8f99dadd-67ca-4199-97e6-19277a85fcfb"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "41/67",
|
|
"category": "Other",
|
|
"uuid": "db260972-06f4-4105-8732-a2a5e05b2b36"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e84f13a0-0878-494a-b532-2946d911523e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:11:02.000Z",
|
|
"modified": "2018-07-09T21:11:02.000Z",
|
|
"pattern": "[file:hashes.MD5 = '18864d22331fc6503641f128226aaea8' AND file:hashes.SHA1 = '994ebbe444183e0d67b13f91d75b0f9bcfb011db' AND file:hashes.SHA256 = 'e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-09T21:11:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:11:00.000Z",
|
|
"modified": "2018-07-09T21:11:00.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-09T10:06:11",
|
|
"category": "Other",
|
|
"uuid": "30bf9981-32fa-4aeb-b1a4-0f98d2e5f0c3"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc/analysis/1531130771/",
|
|
"category": "External analysis",
|
|
"uuid": "7130664a-5360-49d3-b551-c9dddafd4c17"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "47/68",
|
|
"category": "Other",
|
|
"uuid": "a2025a9a-ca8a-48a6-a3a4-a3118ec625f3"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:11:04.000Z",
|
|
"modified": "2018-07-09T21:11:04.000Z",
|
|
"pattern": "[file:hashes.MD5 = '81881a0841deaa0ef1ea92c51d8c8845' AND file:hashes.SHA1 = '9e093a5b34c4e5dea59e374b409173565dc3b05b' AND file:hashes.SHA256 = '4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-09T21:11:04Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:11:03.000Z",
|
|
"modified": "2018-07-09T21:11:03.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-09T20:34:31",
|
|
"category": "Other",
|
|
"uuid": "cd137230-b3bb-4d53-b429-a0ccd6981c67"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b/analysis/1531168471/",
|
|
"category": "External analysis",
|
|
"uuid": "b23e43db-c16a-4207-962e-3c2d632da209"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "42/67",
|
|
"category": "Other",
|
|
"uuid": "89eed594-20f3-4eff-a527-7b02e13a4eae"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:11:06.000Z",
|
|
"modified": "2018-07-09T21:11:06.000Z",
|
|
"pattern": "[file:hashes.MD5 = '2f8face85084bea8adacac36ee2f641f' AND file:hashes.SHA1 = 'a210ac6ea0406d81fa5682e86997be25c73e9d1b' AND file:hashes.SHA256 = '0ed777075d67d00720021e4703bde809900f4715ccf0a2d4383e285801dca5ba']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-07-09T21:11:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-07-09T21:11:05.000Z",
|
|
"modified": "2018-07-09T21:11:05.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-09T10:08:43",
|
|
"category": "Other",
|
|
"uuid": "d0f2ac63-e02e-4edb-beb2-73acd376f9ae"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/0ed777075d67d00720021e4703bde809900f4715ccf0a2d4383e285801dca5ba/analysis/1531130923/",
|
|
"category": "External analysis",
|
|
"uuid": "ea7e49cd-c2d2-4b91-bcb8-e57fd9782019"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "47/67",
|
|
"category": "Other",
|
|
"uuid": "2ce142ab-e375-46a2-bd2d-8118b5ce9054"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--6c35e5d9-4fab-4a77-8c13-6717dcc18437",
|
|
"created": "2018-07-09T21:11:06.000Z",
|
|
"modified": "2018-07-09T21:11:06.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--5f89b9d8-fb5e-455c-8d75-74f4ded612c2",
|
|
"target_ref": "x-misp-object--6ac23322-10a0-43c4-9004-c2c0991b2fb2"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--48542ffe-46fc-465a-995a-8d0379ea22bc",
|
|
"created": "2018-07-09T21:11:06.000Z",
|
|
"modified": "2018-07-09T21:11:06.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--67b678dd-a046-4e24-bfee-0003c0b29ec8",
|
|
"target_ref": "x-misp-object--13a19efc-0f75-4608-a95b-b689504221ea"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--b3aa65a4-920f-424d-bd9c-d714c6418416",
|
|
"created": "2018-07-09T21:11:07.000Z",
|
|
"modified": "2018-07-09T21:11:07.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--e84f13a0-0878-494a-b532-2946d911523e",
|
|
"target_ref": "x-misp-object--59ee6b52-0b6b-4f05-861c-ea6ded4e92f8"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--66e578e8-d5f6-40cd-9d49-553e714ec368",
|
|
"created": "2018-07-09T21:11:07.000Z",
|
|
"modified": "2018-07-09T21:11:07.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--5c62dfe6-83e5-470f-9fb9-37872d575e76",
|
|
"target_ref": "x-misp-object--d7518f97-54c8-44e2-9bf8-db42b1a973c3"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--b998729e-63f7-4b6b-9060-e79b5e8e39b3",
|
|
"created": "2018-07-09T21:11:07.000Z",
|
|
"modified": "2018-07-09T21:11:07.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--9468ee5c-a526-4bba-92a5-0ca6ffda79e4",
|
|
"target_ref": "x-misp-object--e694ba51-5a6f-4130-acf4-6b9dab32543a"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |