{
|
|
"type": "bundle",
|
|
"id": "bundle--5845344a-80bc-4c94-9ea8-4f39950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-13T03:00:43.000Z",
|
|
"modified": "2018-01-13T03:00:43.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5845344a-80bc-4c94-9ea8-4f39950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-13T03:00:43.000Z",
|
|
"modified": "2018-01-13T03:00:43.000Z",
|
|
"name": "OSINT - MMD-0033-2015 - Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG)",
|
|
"published": "2018-02-16T08:48:09Z",
|
|
"object_refs": [
|
|
"observed-data--58453471-130c-4e59-bd91-43e3950d210f",
|
|
"url--58453471-130c-4e59-bd91-43e3950d210f",
|
|
"x-misp-attribute--584534e9-6130-4419-8a7e-480e950d210f",
|
|
"indicator--584535cc-3170-42af-a962-46f0950d210f",
|
|
"indicator--584535cc-7c64-47d1-bece-41cd950d210f",
|
|
"indicator--584535cc-55c0-45a4-845f-444f950d210f",
|
|
"indicator--584535cc-09f8-4ff3-b148-4f0a950d210f",
|
|
"indicator--584535cd-8664-47ce-ac71-4edb950d210f",
|
|
"indicator--584535cd-feb0-4d4d-a5df-48df950d210f",
|
|
"indicator--584535cd-a058-4e65-950c-4b2d950d210f",
|
|
"indicator--584535cd-7c0c-447d-a65a-4a97950d210f",
|
|
"indicator--584535cd-df28-43d2-b262-480c950d210f",
|
|
"indicator--584535ce-b260-4fe1-a494-4ed3950d210f",
|
|
"indicator--584535ce-d284-492d-ad13-4854950d210f",
|
|
"indicator--584535ce-dc00-43a9-a9f0-47e0950d210f",
|
|
"indicator--584535ce-062c-4524-883e-4266950d210f",
|
|
"indicator--584535cf-641c-411a-b5e6-412f950d210f",
|
|
"indicator--584535cf-5070-4869-9b6e-43e4950d210f",
|
|
"indicator--584535d0-0390-464c-ac22-4afd950d210f",
|
|
"indicator--a2f1551a-ffc6-439a-8ed9-5eb83308cc80",
|
|
"x-misp-object--8c404d5c-48e0-4cb4-a64d-2b89af2399ee",
|
|
"indicator--075320ce-9dca-48cd-a4ca-085096e80a7a",
|
|
"x-misp-object--e865f3a2-beea-4193-a717-991bbb031ae0",
|
|
"indicator--dcb939f0-8874-48f7-bce3-b8bbad431c41",
|
|
"x-misp-object--63ddf759-d832-4a3d-a389-1462c56dc4cb",
|
|
"indicator--4af33ce3-3a10-4c2e-bcb2-67bd4626e18b",
|
|
"x-misp-object--c976c2d7-cfaf-48b4-bd93-827f80aa378b",
|
|
"indicator--f3c99c36-0463-4296-80ff-5c8407bd7d95",
|
|
"x-misp-object--176aed31-3194-43c2-90ce-8711f4450e5d",
|
|
"relationship--6fb8ef1e-d99d-4a72-82bc-f7e3a8f09ebe",
|
|
"relationship--f71fc7df-377e-4e83-91b3-78488270a492",
|
|
"relationship--80f9a510-195a-4a5b-abb8-0b6d05321c19",
|
|
"relationship--e94fe414-7837-4188-a02e-f687deeacdda",
|
|
"relationship--2e9710f9-bbf0-4d50-949b-7ae170c589d6"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58453471-130c-4e59-bd91-43e3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"first_observed": "2018-01-12T09:44:34Z",
|
|
"last_observed": "2018-01-12T09:44:34Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58453471-130c-4e59-bd91-43e3950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58453471-130c-4e59-bd91-43e3950d210f",
|
|
"value": "http://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--584534e9-6130-4419-8a7e-480e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Background\r\nThis post is an actual malware infection incident of the\"Linux/XOR.DDoS\" malware (please see previous post as reference-->[LINK]) and malware was in attempt to infect a real Linux server.\r\n\r\nIncident details:\r\n\r\nSource of attack:\r\nAn attack was coming from 107.182.141.40 with the below GeoIP details:\r\nThe attacker was compromising a Linux host via ssh password bruting to then executing a one liner shell (sh) command line and then the malware initiation commands was executed on the compromised system:"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cc-3170-42af-a962-46f0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"description": "On port 41625",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.182.141.40']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cc-7c64-47d1-bece-41cd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[domain-name:value = '44ro4.cn']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cc-55c0-45a4-845f-444f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.15.234.66']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cc-09f8-4ff3-b148-4f0a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.240.140.152']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cd-8664-47ce-ac71-4edb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.240.141.54']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cd-feb0-4d4d-a5df-48df950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.126.126.64']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cd-a058-4e65-950c-4b2d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '23.234.60.143']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cd-7c0c-447d-a65a-4a97950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[domain-name:value = 'aa.hostasa.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cd-df28-43d2-b262-480c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[domain-name:value = 'ns4.hostasa.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535ce-b260-4fe1-a494-4ed3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[domain-name:value = 'ns3.hostasa.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535ce-d284-492d-ad13-4854950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"pattern": "[domain-name:value = 'ns2.hostasa.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:34Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535ce-dc00-43a9-a9f0-47e0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-05T09:39:26.000Z",
|
|
"modified": "2016-12-05T09:39:26.000Z",
|
|
"pattern": "[file:name = 'a06.zip' AND file:hashes.MD5 = '3c49b5160b981f06bd5242662f8d0a54']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-05T09:39:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename|md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535ce-062c-4524-883e-4266950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-05T09:39:26.000Z",
|
|
"modified": "2016-12-05T09:39:26.000Z",
|
|
"pattern": "[file:name = 'a07.zip' AND file:hashes.MD5 = 'bcb6b83a4e6e20ffe0ce3c750360ddf5']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-05T09:39:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename|md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cf-641c-411a-b5e6-412f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-05T09:39:27.000Z",
|
|
"modified": "2016-12-05T09:39:27.000Z",
|
|
"pattern": "[file:name = 'a08.zip' AND file:hashes.MD5 = 'a99c10cb9713770b9e7dda376cddee3a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-05T09:39:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename|md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535cf-5070-4869-9b6e-43e4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-05T09:39:27.000Z",
|
|
"modified": "2016-12-05T09:39:27.000Z",
|
|
"pattern": "[file:name = 'a09.zip' AND file:hashes.MD5 = 'd1b5b4b4b5a118e384c7ff487e14ac3f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-05T09:39:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename|md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584535d0-0390-464c-ac22-4afd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-05T09:39:28.000Z",
|
|
"modified": "2016-12-05T09:39:28.000Z",
|
|
"pattern": "[file:name = 'a10.zip' AND file:hashes.MD5 = '83eea5625ca2affd3e841d3b374e88eb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-05T09:39:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename|md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a2f1551a-ffc6-439a-8ed9-5eb83308cc80",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:37.000Z",
|
|
"modified": "2018-01-12T09:44:37.000Z",
|
|
"pattern": "[file:hashes.MD5 = '3c49b5160b981f06bd5242662f8d0a54' AND file:hashes.SHA1 = 'c50933e1f8a194e608049839707d8d698dd5caa5' AND file:hashes.SHA256 = 'c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--8c404d5c-48e0-4cb4-a64d-2b89af2399ee",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:34.000Z",
|
|
"modified": "2018-01-12T09:44:34.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc/analysis/1495044102/",
|
|
"category": "External analysis",
|
|
"uuid": "5a588382-5a9c-4f0e-8ee9-4a1e02de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "41/55",
|
|
"category": "Other",
|
|
"uuid": "5a588382-47d4-494f-a42c-484b02de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-05-17T18:01:42",
|
|
"category": "Other",
|
|
"uuid": "5a588382-2fe4-4634-a2d8-4fd302de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--075320ce-9dca-48cd-a4ca-085096e80a7a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:37.000Z",
|
|
"modified": "2018-01-12T09:44:37.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'd1b5b4b4b5a118e384c7ff487e14ac3f' AND file:hashes.SHA1 = '038b7e9406fe5cb0a0be8f95ac935923c6d83c28' AND file:hashes.SHA256 = '0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--e865f3a2-beea-4193-a717-991bbb031ae0",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:35.000Z",
|
|
"modified": "2018-01-12T09:44:35.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b/analysis/1494973480/",
|
|
"category": "External analysis",
|
|
"uuid": "5a588383-6004-4f2d-928d-4ffd02de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "39/56",
|
|
"category": "Other",
|
|
"uuid": "5a588383-cc48-4b4e-acfc-458302de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-05-16T22:24:40",
|
|
"category": "Other",
|
|
"uuid": "5a588383-f040-4fc0-8f07-47e202de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--dcb939f0-8874-48f7-bce3-b8bbad431c41",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:38.000Z",
|
|
"modified": "2018-01-12T09:44:38.000Z",
|
|
"pattern": "[file:hashes.MD5 = '83eea5625ca2affd3e841d3b374e88eb' AND file:hashes.SHA1 = 'dca946f677a1be95fb3ef6adc950730b4736a405' AND file:hashes.SHA256 = 'fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--63ddf759-d832-4a3d-a389-1462c56dc4cb",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:35.000Z",
|
|
"modified": "2018-01-12T09:44:35.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34/analysis/1495062664/",
|
|
"category": "External analysis",
|
|
"uuid": "5a588383-b518-43b4-a9c0-461202de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "42/57",
|
|
"category": "Other",
|
|
"uuid": "5a588383-8f60-4231-a75c-45bf02de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-05-17T23:11:04",
|
|
"category": "Other",
|
|
"uuid": "5a588383-d874-40f3-aaeb-403602de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--4af33ce3-3a10-4c2e-bcb2-67bd4626e18b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:38.000Z",
|
|
"modified": "2018-01-12T09:44:38.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'a99c10cb9713770b9e7dda376cddee3a' AND file:hashes.SHA1 = '1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98' AND file:hashes.SHA256 = '92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--c976c2d7-cfaf-48b4-bd93-827f80aa378b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:35.000Z",
|
|
"modified": "2018-01-12T09:44:35.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/1495027397/",
|
|
"category": "External analysis",
|
|
"uuid": "5a588383-0dc8-446d-bf84-405502de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "40/57",
|
|
"category": "Other",
|
|
"uuid": "5a588383-7a18-4f91-82a5-4c7202de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-05-17T13:23:17",
|
|
"category": "Other",
|
|
"uuid": "5a588383-bce4-46b2-a6eb-401f02de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f3c99c36-0463-4296-80ff-5c8407bd7d95",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:38.000Z",
|
|
"modified": "2018-01-12T09:44:38.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'bcb6b83a4e6e20ffe0ce3c750360ddf5' AND file:hashes.SHA1 = 'd88755b78834e87418aa3cb3bfee5de5c378bd2f' AND file:hashes.SHA256 = '61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-12T09:44:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--176aed31-3194-43c2-90ce-8711f4450e5d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-12T09:44:35.000Z",
|
|
"modified": "2018-01-12T09:44:35.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521/analysis/1495007597/",
|
|
"category": "External analysis",
|
|
"uuid": "5a588383-a874-4dbe-9820-466402de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "42/57",
|
|
"category": "Other",
|
|
"uuid": "5a588383-e9b0-4feb-ab0c-40d802de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-05-17T07:53:17",
|
|
"category": "Other",
|
|
"uuid": "5a588383-8f98-40a9-a0a8-41e502de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--6fb8ef1e-d99d-4a72-82bc-f7e3a8f09ebe",
|
|
"created": "2018-02-16T08:48:09.000Z",
|
|
"modified": "2018-02-16T08:48:09.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--a2f1551a-ffc6-439a-8ed9-5eb83308cc80",
|
|
"target_ref": "x-misp-object--8c404d5c-48e0-4cb4-a64d-2b89af2399ee"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--f71fc7df-377e-4e83-91b3-78488270a492",
|
|
"created": "2018-02-16T08:48:09.000Z",
|
|
"modified": "2018-02-16T08:48:09.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--075320ce-9dca-48cd-a4ca-085096e80a7a",
|
|
"target_ref": "x-misp-object--e865f3a2-beea-4193-a717-991bbb031ae0"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--80f9a510-195a-4a5b-abb8-0b6d05321c19",
|
|
"created": "2018-02-16T08:48:09.000Z",
|
|
"modified": "2018-02-16T08:48:09.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--dcb939f0-8874-48f7-bce3-b8bbad431c41",
|
|
"target_ref": "x-misp-object--63ddf759-d832-4a3d-a389-1462c56dc4cb"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--e94fe414-7837-4188-a02e-f687deeacdda",
|
|
"created": "2018-02-16T08:48:09.000Z",
|
|
"modified": "2018-02-16T08:48:09.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--4af33ce3-3a10-4c2e-bcb2-67bd4626e18b",
|
|
"target_ref": "x-misp-object--c976c2d7-cfaf-48b4-bd93-827f80aa378b"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--2e9710f9-bbf0-4d50-949b-7ae170c589d6",
|
|
"created": "2018-02-16T08:48:09.000Z",
|
|
"modified": "2018-02-16T08:48:09.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--f3c99c36-0463-4296-80ff-5c8407bd7d95",
|
|
"target_ref": "x-misp-object--176aed31-3194-43c2-90ce-8711f4450e5d"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |