misp-circl-feed/feeds/circl/stix-2.1/5b4f5308-42c0-434a-a8c5-48ae950d210f.json

170 lines
No EOL
9.7 KiB
JSON

{
"type": "bundle",
"id": "bundle--5b4f5308-42c0-434a-a8c5-48ae950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-20T14:02:51.000Z",
"modified": "2018-07-20T14:02:51.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b4f5308-42c0-434a-a8c5-48ae950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-20T14:02:51.000Z",
"modified": "2018-07-20T14:02:51.000Z",
"name": "OVH Phishing",
"published": "2018-07-20T14:03:10Z",
"object_refs": [
"indicator--d64b0aa2-2712-440f-ae2d-405b02afe37f",
"indicator--8a483d15-8731-46eb-802a-4dad004e29ad",
"observed-data--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"email-message--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"email-addr--76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"email-addr--334cb4ea-384c-43f2-ab65-de6c244bbe55",
"relationship--9c01da10-f847-4e7b-8689-ec85ea9c1745",
"relationship--d2ee001f-e3aa-418e-8e92-7f20e96a4a5e"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d64b0aa2-2712-440f-ae2d-405b02afe37f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-20T14:02:48.000Z",
"modified": "2018-07-20T14:02:48.000Z",
"pattern": "[url:value = 'https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-20T14:02:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8a483d15-8731-46eb-802a-4dad004e29ad",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-18T14:47:40.000Z",
"modified": "2018-07-18T14:47:40.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.144.11.40') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'xyu7564.phpnet.org')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-18T14:47:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-18T14:47:44.000Z",
"modified": "2018-07-18T14:47:44.000Z",
"first_observed": "2018-07-18T14:47:44Z",
"last_observed": "2018-07-18T14:47:44Z",
"number_observed": 1,
"object_refs": [
"email-message--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"email-addr--76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"email-addr--334cb4ea-384c-43f2-ab65-de6c244bbe55"
],
"labels": [
"misp:name=\"email\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"False\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"is_multipart": false,
"from_ref": "email-addr--76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"to_refs": [
"email-addr--334cb4ea-384c-43f2-ab65-de6c244bbe55"
],
"message_id": "<15319105661d91a508966dcc5f602c73b4f97fa392_540455@ovh.com>",
"subject": "[OVH-WEB] Suspension du nom de domaine rafi0t.fr",
"additional_header_fields": {
"Reply-To": "support@ovh.com"
},
"x_misp_email_body": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n<HTML><HEAD><META http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">\n</HEAD>\n<BODY>\n<DIV><FONT size=2 face=Tahoma>SAS OVH - </FONT><A\nhref=\"http://www.ovh.com/\"><FONT size=2\nface=Tahoma>http://www.ovh.com</FONT></A><BR><FONT size=2 face=Tahoma>2 rue\nKellermann<BR>BP 80157<BR>59100 Roubaix</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV>&nbsp;</DIV>\n<DIV>&nbsp;</DIV>\n<DIV>&nbsp;</DIV>\n<DIV><FONT size=2 face=Tahoma>Cher(e) Client(e),</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><FONT size=2 face=Tahoma>Votre nom de domaine rafi0t.fr est actuellement\nenregistr\u00c3\u00a9 chez OVH.<BR>Notre syst\u00c3\u00a8me de facturation a d\u00c3\u00a9tect\u00c3\u00a9 que ce service\nest expir\u00c3\u00a9, non renouvel\u00c3\u00a9.</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><FONT size=2 face=Tahoma>Votre nom de domaine rafi0t.fr a donc \u00c3\u00a9t\u00c3\u00a9\nsuspendu.</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><BR><FONT size=2 face=Tahoma>Pour le r\u00c3\u00a9activer, il vous suffit de vous\nrendre sur notre site, et dutiliser <BR>la commande de renouvellement :\n</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><A\nhref=\"https://xyu7564.phpnet.org/?page0=rafi0t.fr#https://www.ovh.com/fr/cgi-bin/order/renew.cgi\"><FONT\nsize=2 face=Tahoma>https://www.ovh.com/fr/cgi-bin/order/renew.cgi</FONT></A>\n</DIV>\n<DIV><BR><FONT size=2 face=Tahoma>Le r\u00c3\u00a8glement peut se faire via l'un des moyens\nde paiement propos\u00c3\u00a9s. Mais nous <BR>recommandons de r\u00c3\u00a9gler par Carte Bancaire\npour acc\u00c3\u00a9l\u00c3\u00a9rer le traitement et donc <BR>la r\u00c3\u00a9ouverture de votre\nservice.</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><FONT size=2 face=Tahoma>La facture acquitt\u00c3\u00a9e vous parviendra peu apr\u00c3\u00a8s\nvalidation de la commande, confirmant <BR>le renouvellement de votre redevance\npour la p\u00c3\u00a9riode choisie.</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><BR><FONT size=2 face=Tahoma>IMPORTANT : En cas de non r\u00c3\u00a8glement sous 24 H,\nvotre domaine pourrait \u00c3\u00aatre DEFINITIVEMENT effac\u00c3\u00a9.</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><FONT size=2 face=Tahoma>Pour toute information compl\u00c3\u00a9mentaire, notre\nsupport reste \u00c3\u00a0 votre disposition.</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><FONT size=2 face=Tahoma>Merci de votre compr\u00c3\u00a9hension.</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV>&nbsp;</DIV>\n<DIV>&nbsp;</DIV>\n<DIV><FONT size=2 face=Tahoma>Cordialement,</FONT></DIV>\n<DIV>&nbsp;</DIV>\n<DIV><FONT size=2 face=Tahoma>Votre Service Client OVH<BR>Lun - Vend : 8h - 20h\n| Samedi : 9h \u00c3\u00a0 17h<BR>1007<BR>Num\u00c3\u00a9ro unique gratuit depuis un poste fixe, hors\nsurco\u00c3\u00bbt \u00c3\u00a9ventuel selon op\u00c3\u00a9rateur depuis une ligne\nmobile</FONT></DIV></BODY></HTML>",
"x_misp_eml": "Full email.eml",
"x_misp_return_path": "<support@ovh.com>"
},
{
"type": "email-addr",
"spec_version": "2.1",
"id": "email-addr--76432d08-a77d-4cdb-9fbb-3c2d12e7b6b9",
"value": "\"support@ovh.com\" <support@ovh.com>"
},
{
"type": "email-addr",
"spec_version": "2.1",
"id": "email-addr--334cb4ea-384c-43f2-ab65-de6c244bbe55",
"value": "contact@rafi0t.fr"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9c01da10-f847-4e7b-8689-ec85ea9c1745",
"created": "2018-07-18T14:47:43.000Z",
"modified": "2018-07-18T14:47:43.000Z",
"relationship_type": "contains",
"source_ref": "observed-data--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"target_ref": "indicator--d64b0aa2-2712-440f-ae2d-405b02afe37f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d2ee001f-e3aa-418e-8e92-7f20e96a4a5e",
"created": "2018-07-18T14:47:44.000Z",
"modified": "2018-07-18T14:47:44.000Z",
"relationship_type": "contains",
"source_ref": "observed-data--f5cfa131-4703-426c-a7b5-cbe616e76ea7",
"target_ref": "indicator--8a483d15-8731-46eb-802a-4dad004e29ad"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}