misp-circl-feed/feeds/circl/misp/0fadc113-6e22-4524-96b1-7b8fc98fa64c.json


{
"type": "bundle",
"id": "bundle--0fadc113-6e22-4524-96b1-7b8fc98fa64c",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:40:28.000Z",
"modified": "2020-11-09T09:40:28.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--0fadc113-6e22-4524-96b1-7b8fc98fa64c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:40:28.000Z",
"modified": "2020-11-09T09:40:28.000Z",
"name": "OSINT - Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware \"one\" Group via Cobalt Strike",
"published": "2020-11-09T09:42:55Z",
"object_refs": [
"indicator--6b0610ec-fe93-41e9-b23b-379b25e2f544",
"indicator--2536fb8b-dd20-41ef-a580-55deb79446af",
"indicator--399d130a-0c71-4194-9d11-b3483a5e9041",
"indicator--b382bd4c-76c3-4ec2-b768-eb45849ce068",
"indicator--1e625f9b-493c-4015-ab47-72b1971202cd",
"indicator--4fc21643-6cb7-4e5f-aea7-bad4024e54df",
"indicator--c41b1b8f-50e8-45d1-8542-1e26b9908f94",
"indicator--3101bc91-74a3-4163-b5ee-2207f757c20c",
"indicator--48935a10-cc47-4880-af23-4364c7e7ae37",
"indicator--f75c74f9-f2b5-4b5a-8404-57e33c04c014",
"indicator--b4c14a73-44cf-4d93-aabc-6175f062786a",
"indicator--8459d57b-4d03-4a94-8bec-78cfa1a318a1",
"indicator--b177c07b-94c6-4c88-851d-3d3e36bf604b",
"indicator--fb90a640-17e3-4c26-b50f-e0861295c262",
"indicator--beab0436-d5bf-4625-a71d-9d9bdaf10ad0",
"indicator--da14c486-89e5-44c8-8722-0989f7691ecf",
"indicator--83bc6856-3a5b-49c7-866a-c8e05d8f49f2",
"indicator--a670a832-fa18-4cfb-8e9c-4f4f788542f7",
"indicator--f56a75d5-db37-4b15-b8d7-5d09d1f078a2",
"indicator--207008f3-f173-4774-86d1-5c1be1cc383b",
"indicator--05a70842-6bbc-4441-b5c6-fac100840497",
"indicator--128049f4-898d-4d60-821c-b9e80f5b335e",
"indicator--f0ef8f00-71d4-411c-96f6-5e3409677484",
"indicator--64c4fe90-54c0-49d0-ac60-dbdc6d0015fe",
"observed-data--01b3d607-413e-4343-a336-c4684d0aa060",
"url--01b3d607-413e-4343-a336-c4684d0aa060"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Ryuk ransomware\"",
"misp-galaxy:malpedia=\"Cobalt Strike\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6b0610ec-fe93-41e9-b23b-379b25e2f544",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'check1domains.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2536fb8b-dd20-41ef-a580-55deb79446af",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'sweetmonsterr.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--399d130a-0c71-4194-9d11-b3483a5e9041",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'qascker.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b382bd4c-76c3-4ec2-b768-eb45849ce068",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'remotessa.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1e625f9b-493c-4015-ab47-72b1971202cd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'havemosts.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4fc21643-6cb7-4e5f-aea7-bad4024e54df",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'unlockwsa.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c41b1b8f-50e8-45d1-8542-1e26b9908f94",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'sobcase.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3101bc91-74a3-4163-b5ee-2207f757c20c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'zhameharden.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--48935a10-cc47-4880-af23-4364c7e7ae37",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'mixunderax.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f75c74f9-f2b5-4b5a-8404-57e33c04c014",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'bugsbunnyy.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b4c14a73-44cf-4d93-aabc-6175f062786a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'fastbloodhunter.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8459d57b-4d03-4a94-8bec-78cfa1a318a1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'serviceboosterr.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b177c07b-94c6-4c88-851d-3d3e36bf604b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'servicewikii.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fb90a640-17e3-4c26-b50f-e0861295c262",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'secondlivve.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--beab0436-d5bf-4625-a71d-9d9bdaf10ad0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'luckyhunterrs.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--da14c486-89e5-44c8-8722-0989f7691ecf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'wodemayaa.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--83bc6856-3a5b-49c7-866a-c8e05d8f49f2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'hybriqdjs.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a670a832-fa18-4cfb-8e9c-4f4f788542f7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'gunsdrag.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f56a75d5-db37-4b15-b8d7-5d09d1f078a2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'gungameon.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--207008f3-f173-4774-86d1-5c1be1cc383b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'servicemount.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--05a70842-6bbc-4441-b5c6-fac100840497",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'servicesupdater.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--128049f4-898d-4d60-821c-b9e80f5b335e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'service-boosterr.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f0ef8f00-71d4-411c-96f6-5e3409677484",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'serviceupdatter.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--64c4fe90-54c0-49d0-ac60-dbdc6d0015fe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:33:54.000Z",
"modified": "2020-11-09T09:33:54.000Z",
"pattern": "[domain-name:value = 'dotmaingame.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-11-09T09:33:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--01b3d607-413e-4343-a336-c4684d0aa060",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2020-11-09T09:36:33.000Z",
"modified": "2020-11-09T09:36:33.000Z",
"first_observed": "2020-11-09T09:36:33Z",
"last_observed": "2020-11-09T09:36:33Z",
"number_observed": 1,
"object_refs": [
"url--01b3d607-413e-4343-a336-c4684d0aa060"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--01b3d607-413e-4343-a336-c4684d0aa060",
"value": "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}