{
|
|
"type": "bundle",
|
|
"id": "bundle--5b6c44c2-e8cc-4c56-8eb9-4f0a950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T20:23:22.000Z",
|
|
"modified": "2018-09-17T20:23:22.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5b6c44c2-e8cc-4c56-8eb9-4f0a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T20:23:22.000Z",
|
|
"modified": "2018-09-17T20:23:22.000Z",
|
|
"name": "OSINT - Familiar Feeling A Malware Campaign Targeting the Tibetan Diaspora Resurfaces",
|
|
"published": "2018-09-17T20:24:35Z",
|
|
"object_refs": [
|
|
"observed-data--5b6c44d2-6094-4926-a919-48a3950d210f",
|
|
"url--5b6c44d2-6094-4926-a919-48a3950d210f",
|
|
"indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f",
|
|
"indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f",
|
|
"indicator--5b9f6c0c-f6c8-466a-b35f-d8a3950d210f",
|
|
"indicator--5b9f6c0d-265c-4879-8048-d8a3950d210f",
|
|
"indicator--5b9f6c0d-3360-4aae-a319-d8a3950d210f",
|
|
"indicator--5b9f6c0e-5760-4610-8e19-d8a3950d210f",
|
|
"indicator--5b9f71f3-d42c-46dc-a8df-d052950d210f",
|
|
"indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f",
|
|
"indicator--5b9f71f4-96d4-4c41-843c-d052950d210f",
|
|
"indicator--5b9f7ca7-2330-438c-a9ba-43f1950d210f",
|
|
"indicator--5b9f7caa-aa08-47db-af9c-479f950d210f",
|
|
"indicator--5b9f7cae-9a30-4928-a17a-4f2d950d210f",
|
|
"x-misp-attribute--5b9fa4dd-15a8-44c8-87a8-489f950d210f",
|
|
"indicator--5b9fac2a-3ad4-456c-910f-408a950d210f",
|
|
"indicator--5b9fac2a-60e0-4df7-b188-4000950d210f",
|
|
"indicator--5b9fac2b-0454-4ae0-abe4-4f2a950d210f",
|
|
"indicator--5b9fac2c-a7a8-400d-bee5-49fd950d210f",
|
|
"indicator--5b9fac2d-32b8-451b-ad3d-4c50950d210f",
|
|
"indicator--5b9fac2d-43a0-4cbd-bdd2-44ee950d210f",
|
|
"indicator--5b9fac2e-2c38-4491-b0bd-471a950d210f",
|
|
"indicator--5b9fac2f-ce44-4c61-8f50-427a950d210f",
|
|
"indicator--5b9fac30-3800-4895-b7da-4795950d210f",
|
|
"indicator--5b9fac31-4418-4328-9f94-4c82950d210f",
|
|
"indicator--5b9fac32-3fa8-469e-82b7-4a14950d210f",
|
|
"indicator--5b9fac33-2688-4056-b9a2-42bd950d210f",
|
|
"indicator--5b9fac33-b9cc-492f-9271-4c9c950d210f",
|
|
"indicator--5b9fac34-9494-4180-97f4-494a950d210f",
|
|
"indicator--5b9f6007-36ec-49cc-b7cc-e30b950d210f",
|
|
"vulnerability--5b9f6302-18e0-4459-a463-e6f4950d210f",
|
|
"vulnerability--5b9f6b94-f650-4701-be1d-e6f5950d210f",
|
|
"x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f",
|
|
"indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f",
|
|
"indicator--5b9f7e47-4ddc-4470-987c-459e950d210f",
|
|
"indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f",
|
|
"indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f",
|
|
"indicator--5b9f8086-5f30-4482-891d-475b950d210f",
|
|
"indicator--5b9f8098-16dc-4483-8b05-d04e950d210f",
|
|
"indicator--5b9faa1d-28a8-4957-b2ab-4b2b950d210f",
|
|
"indicator--5b9fb486-9674-4e70-9077-4614950d210f",
|
|
"indicator--5b9fbb80-f010-4a72-a7ab-4f41950d210f",
|
|
"indicator--5b9fbb96-36dc-47c1-a0b3-4173950d210f",
|
|
"indicator--5b9fbbab-e5b8-4120-99fd-40b2950d210f",
|
|
"indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000",
|
|
"x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b",
|
|
"relationship--36c58523-56fe-4e9c-accd-278692971c7b",
|
|
"relationship--d8ec70fc-8b39-43cd-a22f-0ed4c05733a7",
|
|
"relationship--cebfefd7-b1d6-474e-961e-7d6cf6609863",
|
|
"relationship--9e971da0-243d-4c2a-b5f0-70dfe7f3c079",
|
|
"relationship--844a249e-1012-4dc5-94ec-17a0186608df",
|
|
"relationship--9966f84d-57e2-4969-81e4-7cefc4c226db",
|
|
"relationship--28d57c86-4b7f-449a-b58c-525190e5248a",
|
|
"relationship--790bc493-fdcf-4633-bdc0-8adccf37e87e",
|
|
"relationship--b8f23387-e0c4-479b-94f6-612aef3418fb"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"circl:incident-classification=\"malware\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"",
|
|
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell - T1086\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5b6c44d2-6094-4926-a919-48a3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T12:57:56.000Z",
|
|
"modified": "2018-09-17T12:57:56.000Z",
|
|
"first_observed": "2018-09-17T12:57:56Z",
|
|
"last_observed": "2018-09-17T12:57:56Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5b6c44d2-6094-4926-a919-48a3950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5b6c44d2-6094-4926-a919-48a3950d210f",
|
|
"value": "https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:55:39.000Z",
|
|
"modified": "2018-09-17T08:55:39.000Z",
|
|
"pattern": "[domain-name:value = 'commail.co']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T08:55:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:55:40.000Z",
|
|
"modified": "2018-09-17T08:55:40.000Z",
|
|
"pattern": "[domain-name:value = 'tibetnews.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T08:55:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f6c0c-f6c8-466a-b35f-d8a3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:55:40.000Z",
|
|
"modified": "2018-09-17T08:55:40.000Z",
|
|
"pattern": "[domain-name:value = 'comemails.email']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T08:55:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f6c0d-265c-4879-8048-d8a3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:55:41.000Z",
|
|
"modified": "2018-09-17T08:55:41.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T08:55:41Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f6c0d-3360-4aae-a319-d8a3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:55:41.000Z",
|
|
"modified": "2018-09-17T08:55:41.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T08:55:41Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f6c0e-5760-4610-8e19-d8a3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:55:42.000Z",
|
|
"modified": "2018-09-17T08:55:42.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T08:55:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f71f3-d42c-46dc-a8df-d052950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T09:20:51.000Z",
|
|
"modified": "2018-09-17T09:20:51.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T09:20:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T09:20:52.000Z",
|
|
"modified": "2018-09-17T09:20:52.000Z",
|
|
"pattern": "[domain-name:value = 'tibetnews.today']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T09:20:52Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f71f4-96d4-4c41-843c-d052950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T09:20:52.000Z",
|
|
"modified": "2018-09-17T09:20:52.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '115.126.86.151']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T09:20:52Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f7ca7-2330-438c-a9ba-43f1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T10:06:31.000Z",
|
|
"modified": "2018-09-17T10:06:31.000Z",
|
|
"pattern": "[domain-name:value = 'tibethouse.info']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T10:06:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f7caa-aa08-47db-af9c-479f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T10:06:34.000Z",
|
|
"modified": "2018-09-17T10:06:34.000Z",
|
|
"pattern": "[domain-name:value = 'daynew.today']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T10:06:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f7cae-9a30-4928-a17a-4f2d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T10:06:38.000Z",
|
|
"modified": "2018-09-17T10:06:38.000Z",
|
|
"pattern": "[domain-name:value = 'daynews.today']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T10:06:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5b9fa4dd-15a8-44c8-87a8-489f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T12:58:25.000Z",
|
|
"modified": "2018-09-17T12:58:25.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "In January 2018, a Tibetan activist received a mundane-looking email purporting to be program updates from a human rights NGO. Attached to the message were a PowerPoint presentation and a document. The activist, like many in the Tibetan diaspora, had grown wary of unsolicited emails with attachments, and instead of opening the documents, shared the files with Citizen Lab researchers.\r\n\r\nThe suspicion was warranted: the attachments were malicious. If clicked, the files would run recent exploits to infect Windows computers with custom malware. This email was the start of a malware campaign active between January and March 2018 that targeted Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration. We worked closely with the targeted groups to collect the malicious messages, and also engaged in incident response with a compromised organization. This collaboration enabled us to gain further insights into the tactics, techniques, and procedures used by the operators.\r\n\r\nThe campaign used social engineering to trick targets into opening exploit-laden PowerPoint (CVE-2017-0199) and Microsoft Rich Text Format (RTF) documents (CVE-2017-11882) attached to e-mail messages. The malware includes a PowerShell payload we call DMShell++, a backdoor known as TSSL, and a post-compromise tool we call DSNGInstaller.\r\n\r\nWe call this recent campaign the \u201cResurfaced Campaign\u201d because of connections to a 2016 campaign that targeted Tibetan Parliamentarians (which we refer to as the \u201cParliamentary Campaign\u201d). These connections suggest that the same group may be involved or tools and infrastructure are being shared between multiple groups."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac2a-3ad4-456c-910f-408a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:14.000Z",
|
|
"modified": "2018-09-17T13:29:14.000Z",
|
|
"pattern": "[url:value = 'commail.co:5453/qqqzqa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac2a-60e0-4df7-b188-4000950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:14.000Z",
|
|
"modified": "2018-09-17T13:29:14.000Z",
|
|
"description": "On port 6001",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6001']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac2b-0454-4ae0-abe4-4f2a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:15.000Z",
|
|
"modified": "2018-09-17T13:29:15.000Z",
|
|
"description": "On port 6002",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6002']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac2c-a7a8-400d-bee5-49fd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:16.000Z",
|
|
"modified": "2018-09-17T13:29:16.000Z",
|
|
"description": "On port 6003",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '6003']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac2d-32b8-451b-ad3d-4c50950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:17.000Z",
|
|
"modified": "2018-09-17T13:29:17.000Z",
|
|
"pattern": "[url:value = 'tibetnews.info:8026/qqqzqa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac2d-43a0-4cbd-bdd2-44ee950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:17.000Z",
|
|
"modified": "2018-09-17T13:29:17.000Z",
|
|
"description": "On port 80",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196' AND network-traffic:dst_port = '80']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac2e-2c38-4491-b0bd-471a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:18.000Z",
|
|
"modified": "2018-09-17T13:29:18.000Z",
|
|
"description": "On port 443",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196' AND network-traffic:dst_port = '443']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac2f-ce44-4c61-8f50-427a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:19.000Z",
|
|
"modified": "2018-09-17T13:29:19.000Z",
|
|
"description": "On port 443",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222' AND network-traffic:dst_port = '443']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac30-3800-4895-b7da-4795950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:20.000Z",
|
|
"modified": "2018-09-17T13:29:20.000Z",
|
|
"description": "On port 80",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '80']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac31-4418-4328-9f94-4c82950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:21.000Z",
|
|
"modified": "2018-09-17T13:29:21.000Z",
|
|
"description": "On port 443",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '443']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac32-3fa8-469e-82b7-4a14950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:22.000Z",
|
|
"modified": "2018-09-17T13:29:22.000Z",
|
|
"description": "On port 8080",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222' AND network-traffic:dst_port = '8080']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac33-2688-4056-b9a2-42bd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:23.000Z",
|
|
"modified": "2018-09-17T13:29:23.000Z",
|
|
"pattern": "[url:value = 'comemails.email:1234/hgf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac33-b9cc-492f-9271-4c9c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:23.000Z",
|
|
"modified": "2018-09-17T13:29:23.000Z",
|
|
"description": "On port 80",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207' AND network-traffic:dst_port = '80']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fac34-9494-4180-97f4-494a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:29:24.000Z",
|
|
"modified": "2018-09-17T13:29:24.000Z",
|
|
"description": "On port 443",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207' AND network-traffic:dst_port = '443']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:29:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst|port\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f6007-36ec-49cc-b7cc-e30b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:04:23.000Z",
|
|
"modified": "2018-09-17T08:04:23.000Z",
|
|
"pattern": "[file:hashes.MD5 = '11e0f3e1c7d8855ed7f1dcfce4b7702a' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T08:04:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "vulnerability",
|
|
"spec_version": "2.1",
|
|
"id": "vulnerability--5b9f6302-18e0-4459-a463-e6f4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:18:33.000Z",
|
|
"modified": "2018-09-17T08:18:33.000Z",
|
|
"name": "CVE-2017-11882",
|
|
"description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \"Microsoft Office Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2017-11884.",
|
|
"labels": [
|
|
"misp:name=\"vulnerability\"",
|
|
"misp:meta-category=\"vulnerability\"",
|
|
"misp:to_ids=\"False\""
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "cve",
|
|
"external_id": "CVE-2017-11882"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "http://www.securityfocus.com/bid/101757"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "http://www.securitytracker.com/id/1039783"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html"
|
|
}
|
|
],
|
|
"x_misp_cvss_score": "9.3",
|
|
"x_misp_modified": "2017-12-30T21:29:00",
|
|
"x_misp_published": "2017-11-14T22:29:00",
|
|
"x_misp_state": "Published",
|
|
"x_misp_vulnerable_configuration": [
|
|
"Microsoft Office 2007 Service Pack 3",
|
|
"cpe:2.3:a:microsoft:office:2010:sp2",
|
|
"Microsoft Office 2013 SP1",
|
|
"Microsoft Office 2016"
|
|
]
|
|
},
|
|
{
|
|
"type": "vulnerability",
|
|
"spec_version": "2.1",
|
|
"id": "vulnerability--5b9f6b94-f650-4701-be1d-e6f5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T08:53:40.000Z",
|
|
"modified": "2018-09-17T08:53:40.000Z",
|
|
"name": "CVE-2017-0199",
|
|
"description": "Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\"",
|
|
"labels": [
|
|
"misp:name=\"vulnerability\"",
|
|
"misp:meta-category=\"vulnerability\"",
|
|
"misp:to_ids=\"False\""
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "cve",
|
|
"external_id": "CVE-2017-0199"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.html"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://www.exploit-db.com/exploits/41934/"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "http://www.securitytracker.com/id/1038224"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "http://www.securityfocus.com/bid/97498"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://www.exploit-db.com/exploits/42995/"
|
|
},
|
|
{
|
|
"source_name": "url",
|
|
"url": "https://www.exploit-db.com/exploits/41894/"
|
|
}
|
|
],
|
|
"x_misp_cvss_score": "9.3",
|
|
"x_misp_modified": "2018-03-27T21:29:00",
|
|
"x_misp_published": "2017-12-04T10:59:00",
|
|
"x_misp_state": "Published",
|
|
"x_misp_vulnerable_configuration": [
|
|
"cpe:2.3:a:microsoft:office:2010:sp2",
|
|
"Microsoft Office 2007 Service Pack 3",
|
|
"Microsoft Windows Server 2008 Service Pack 2",
|
|
"Microsoft Office 2016",
|
|
"cpe:2.3:o:microsoft:windows_7:-:sp1",
|
|
"Microsoft Windows Vista Service Pack 2",
|
|
"Microsoft Windows Server 2008 R2 Service Pack 1",
|
|
"Microsoft Office 2013 SP1",
|
|
"Microsoft Windows Server 2012"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T09:53:59.000Z",
|
|
"modified": "2018-09-17T09:53:59.000Z",
|
|
"labels": [
|
|
"misp:name=\"whois\"",
|
|
"misp:meta-category=\"network\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "whois-registrant-email",
|
|
"object_relation": "registrant-email",
|
|
"value": "bqfkdrmnhh0623[@]gmail.com",
|
|
"category": "Attribution",
|
|
"uuid": "5b9f78e4-e480-487c-a060-e3a7950d210f"
|
|
},
|
|
{
|
|
"type": "whois-registrant-name",
|
|
"object_relation": "registrant-name",
|
|
"value": "huang ning",
|
|
"category": "Attribution",
|
|
"uuid": "5b9f78e6-19b8-4185-969d-e3a7950d210f"
|
|
},
|
|
{
|
|
"type": "whois-registrant-phone",
|
|
"object_relation": "registrant-phone",
|
|
"value": "8677687877",
|
|
"category": "Attribution",
|
|
"uuid": "5b9f78e9-0aa4-4e65-91e3-e3a7950d210f"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "network",
|
|
"x_misp_name": "whois"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T10:12:47.000Z",
|
|
"modified": "2018-09-17T10:12:47.000Z",
|
|
"pattern": "[domain-name:value = 'google.comemails.email' AND domain-name:resolves_to_refs[*].value = '115.126.86.29']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T10:12:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"domain-ip\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T10:13:27.000Z",
|
|
"modified": "2018-09-17T10:13:27.000Z",
|
|
"pattern": "[domain-name:value = 'mail.google.commail.co' AND domain-name:resolves_to_refs[*].value = '115.126.98.78']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T10:13:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"domain-ip\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T10:14:21.000Z",
|
|
"modified": "2018-09-17T10:14:21.000Z",
|
|
"pattern": "[domain-name:value = 'google.comemail.email' AND domain-name:resolves_to_refs[*].value = '118.99.59.214']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T10:14:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"domain-ip\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T12:46:24.000Z",
|
|
"modified": "2018-09-17T12:46:24.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '6a4690f454c91fdc559a223d43f0a77d40b59b2a' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T12:46:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f8086-5f30-4482-891d-475b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T12:33:09.000Z",
|
|
"modified": "2018-09-17T12:33:09.000Z",
|
|
"pattern": "[file:hashes.SHA1 = 'e55cea25ecc118fd798f84eb5395be0678bdbc51' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T12:33:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9f8098-16dc-4483-8b05-d04e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T12:26:45.000Z",
|
|
"modified": "2018-09-17T12:26:45.000Z",
|
|
"pattern": "[file:hashes.SHA1 = 'cdd2fd64a4996b7d901d4a899d660cc5ff118e73' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T12:26:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9faa1d-28a8-4957-b2ab-4b2b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T13:20:29.000Z",
|
|
"modified": "2018-09-17T13:20:29.000Z",
|
|
"pattern": "[email-message:from_ref.value = 'tibetanparliarnent@yahoo.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T13:20:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"email\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fb486-9674-4e70-9077-4614950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T14:04:54.000Z",
|
|
"modified": "2018-09-17T14:04:54.000Z",
|
|
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '27.126.186.222') AND network-traffic:dst_port = '6001' AND network-traffic:dst_port = '6002' AND network-traffic:dst_port = '6003' AND network-traffic:dst_port = '80' AND network-traffic:dst_port = '8080' AND network-traffic:dst_port = '443']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T14:04:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"ip-port\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fbb80-f010-4a72-a7ab-4f41950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T14:34:40.000Z",
|
|
"modified": "2018-09-17T14:34:40.000Z",
|
|
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.55.24.196') AND network-traffic:dst_port = '443' AND network-traffic:dst_port = '80']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T14:34:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"ip-port\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fbb96-36dc-47c1-a0b3-4173950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T14:35:02.000Z",
|
|
"modified": "2018-09-17T14:35:02.000Z",
|
|
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '45.127.97.222') AND network-traffic:dst_port = '443']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T14:35:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"ip-port\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b9fbbab-e5b8-4120-99fd-40b2950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T14:35:23.000Z",
|
|
"modified": "2018-09-17T14:35:23.000Z",
|
|
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.189.232.207') AND network-traffic:dst_port = '443' AND network-traffic:dst_port = '80']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T14:35:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"ip-port\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T20:22:39.000Z",
|
|
"modified": "2018-09-17T20:22:39.000Z",
|
|
"pattern": "[file:hashes.MD5 = '11e0f3e1c7d8855ed7f1dcfce4b7702a' AND file:hashes.SHA1 = '9bb47262664b10b60a853002eace4db083ee10af' AND file:hashes.SHA256 = '1b156c7d2cc651d0a58c8dac1353332614b489e4d21e51ca7a0a929295e6ad40']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-09-17T20:22:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-09-17T20:22:45.000Z",
|
|
"modified": "2018-09-17T20:22:45.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-08-10T08:33:52",
|
|
"category": "Other",
|
|
"uuid": "87f7f5c5-40a4-465d-ba91-e82e4595f4e7"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/1b156c7d2cc651d0a58c8dac1353332614b489e4d21e51ca7a0a929295e6ad40/analysis/1533890032/",
|
|
"category": "External analysis",
|
|
"uuid": "2236a126-0d1a-4f18-b8b4-87d5424a7b7b"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "24/67",
|
|
"category": "Other",
|
|
"uuid": "4e295ad5-8545-422f-8c7d-683e1a2de6f4"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--36c58523-56fe-4e9c-accd-278692971c7b",
|
|
"created": "2018-09-17T09:53:14.000Z",
|
|
"modified": "2018-09-17T09:53:14.000Z",
|
|
"relationship_type": "uses",
|
|
"source_ref": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f",
|
|
"target_ref": "indicator--5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--d8ec70fc-8b39-43cd-a22f-0ed4c05733a7",
|
|
"created": "2018-09-17T09:53:39.000Z",
|
|
"modified": "2018-09-17T09:53:39.000Z",
|
|
"relationship_type": "derived-from",
|
|
"source_ref": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f",
|
|
"target_ref": "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--cebfefd7-b1d6-474e-961e-7d6cf6609863",
|
|
"created": "2018-09-17T09:53:49.000Z",
|
|
"modified": "2018-09-17T09:53:49.000Z",
|
|
"relationship_type": "uses",
|
|
"source_ref": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f",
|
|
"target_ref": "indicator--5b9f6c0c-6bb8-4353-88d2-d8a3950d210f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--9e971da0-243d-4c2a-b5f0-70dfe7f3c079",
|
|
"created": "2018-09-17T09:53:56.000Z",
|
|
"modified": "2018-09-17T09:53:56.000Z",
|
|
"relationship_type": "uses",
|
|
"source_ref": "x-misp-object--5b9f78e4-1670-4c68-bcca-e3a7950d210f",
|
|
"target_ref": "indicator--5b9f71f4-bd0c-4a10-bafb-d052950d210f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--844a249e-1012-4dc5-94ec-17a0186608df",
|
|
"created": "2018-09-17T12:46:20.000Z",
|
|
"modified": "2018-09-17T12:46:20.000Z",
|
|
"relationship_type": "related-to",
|
|
"source_ref": "indicator--5b9f8073-bb3c-481d-b7b1-dc87950d210f",
|
|
"target_ref": "indicator--5b9f7e1f-8f14-4416-9f3a-452a950d210f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--9966f84d-57e2-4969-81e4-7cefc4c226db",
|
|
"created": "2018-09-17T12:33:06.000Z",
|
|
"modified": "2018-09-17T12:33:06.000Z",
|
|
"relationship_type": "derived-from",
|
|
"source_ref": "indicator--5b9f8086-5f30-4482-891d-475b950d210f",
|
|
"target_ref": "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--28d57c86-4b7f-449a-b58c-525190e5248a",
|
|
"created": "2018-09-17T12:32:59.000Z",
|
|
"modified": "2018-09-17T12:32:59.000Z",
|
|
"relationship_type": "related-to",
|
|
"source_ref": "indicator--5b9f8086-5f30-4482-891d-475b950d210f",
|
|
"target_ref": "indicator--5b9f7e47-4ddc-4470-987c-459e950d210f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--790bc493-fdcf-4633-bdc0-8adccf37e87e",
|
|
"created": "2018-09-17T12:26:42.000Z",
|
|
"modified": "2018-09-17T12:26:42.000Z",
|
|
"relationship_type": "related-to",
|
|
"source_ref": "indicator--5b9f8098-16dc-4483-8b05-d04e950d210f",
|
|
"target_ref": "indicator--5b9f7e7d-f3ac-44cb-8d2a-4866950d210f"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--b8f23387-e0c4-479b-94f6-612aef3418fb",
|
|
"created": "2018-09-17T20:22:52.000Z",
|
|
"modified": "2018-09-17T20:22:52.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--d2f5d552-96c4-43ad-84e1-fb8cebbf6000",
|
|
"target_ref": "x-misp-object--857a21fc-b3c9-47ae-93e4-9e5fe62dc79b"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |