misp-circl-feed/feeds/circl/misp/588867a4-c470-4914-b854-d3f6950d210f.json

319 lines
No EOL
14 KiB
JSON

{
"type": "bundle",
"id": "bundle--588867a4-c470-4914-b854-d3f6950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:35:40.000Z",
"modified": "2017-01-25T14:35:40.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--588867a4-c470-4914-b854-d3f6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:35:40.000Z",
"modified": "2017-01-25T14:35:40.000Z",
"name": "OSINT - Malicious SVG Files in the Wild",
"published": "2017-01-25T14:35:54Z",
"object_refs": [
"x-misp-attribute--58886c74-6c08-4ab2-8c2b-f8df950d210f",
"observed-data--58886ccc-507c-4c7e-87b0-5b46950d210f",
"url--58886ccc-507c-4c7e-87b0-5b46950d210f",
"indicator--58886d0f-7a80-4188-9ca9-2fc5950d210f",
"indicator--58886d10-9ca4-452d-a1e1-2fc5950d210f",
"indicator--58886d30-90dc-4a21-8d14-f8e5950d210f",
"indicator--5888b58a-9d84-49d9-9465-4e3f02de0b81",
"indicator--5888b58b-0fc8-4aee-bc0f-430f02de0b81",
"observed-data--5888b58b-879c-409a-8eaa-465b02de0b81",
"url--5888b58b-879c-409a-8eaa-465b02de0b81",
"indicator--5888b58c-eb80-46a8-8853-46a402de0b81",
"indicator--5888b58d-c0c8-406b-b0d1-41ae02de0b81",
"observed-data--5888b58e-0508-4f80-a64e-486102de0b81",
"url--5888b58e-0508-4f80-a64e-486102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:tool=\"Snifula\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58886c74-6c08-4ab2-8c2b-f8df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T09:14:28.000Z",
"modified": "2017-01-25T09:14:28.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or \"Scalable Vector Graphics\") are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system, SVG files are handled by Internet Explorer by default."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58886ccc-507c-4c7e-87b0-5b46950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T09:16:21.000Z",
"modified": "2017-01-25T09:16:21.000Z",
"first_observed": "2017-01-25T09:16:21Z",
"last_observed": "2017-01-25T09:16:21Z",
"number_observed": 1,
"object_refs": [
"url--58886ccc-507c-4c7e-87b0-5b46950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58886ccc-507c-4c7e-87b0-5b46950d210f",
"value": "https://isc.sans.edu/forums/diary/Malicious+SVG+Files+in+the+Wild/21971/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58886d0f-7a80-4188-9ca9-2fc5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T09:17:03.000Z",
"modified": "2017-01-25T09:17:03.000Z",
"description": "00967999543-(02).svg",
"pattern": "[file:hashes.MD5 = '6b9649531f35c7de78735aa45d25d1a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T09:17:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58886d10-9ca4-452d-a1e1-2fc5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T09:17:04.000Z",
"modified": "2017-01-25T09:17:04.000Z",
"description": "P0039988439992_001.jpg.svg",
"pattern": "[file:hashes.MD5 = 'e2f7245d016c52fc9c56531e483e6cfb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T09:17:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58886d30-90dc-4a21-8d14-f8e5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:48.000Z",
"modified": "2017-01-25T14:26:48.000Z",
"description": "The second part is a classic obfuscated JavaScript that executes the following (de-obfuscated) code:",
"pattern": "[url:value = 'http://juanpedroperez.com/fotos/photos/xfs_extension.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5888b58a-9d84-49d9-9465-4e3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:18.000Z",
"modified": "2017-01-25T14:26:18.000Z",
"description": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb",
"pattern": "[file:hashes.SHA256 = '7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5888b58b-0fc8-4aee-bc0f-430f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:19.000Z",
"modified": "2017-01-25T14:26:19.000Z",
"description": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb",
"pattern": "[file:hashes.SHA1 = 'caf8d6099ed95d223993f43a156b703220d1a1c3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5888b58b-879c-409a-8eaa-465b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:19.000Z",
"modified": "2017-01-25T14:26:19.000Z",
"first_observed": "2017-01-25T14:26:19Z",
"last_observed": "2017-01-25T14:26:19Z",
"number_observed": 1,
"object_refs": [
"url--5888b58b-879c-409a-8eaa-465b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5888b58b-879c-409a-8eaa-465b02de0b81",
"value": "https://www.virustotal.com/file/7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df/analysis/1484747652/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5888b58c-eb80-46a8-8853-46a402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:20.000Z",
"modified": "2017-01-25T14:26:20.000Z",
"description": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7",
"pattern": "[file:hashes.SHA256 = '4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5888b58d-c0c8-406b-b0d1-41ae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:21.000Z",
"modified": "2017-01-25T14:26:21.000Z",
"description": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7",
"pattern": "[file:hashes.SHA1 = '5837a4d288ac9d0065143a88f4899283b4603eee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-25T14:26:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5888b58e-0508-4f80-a64e-486102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-25T14:26:22.000Z",
"modified": "2017-01-25T14:26:22.000Z",
"first_observed": "2017-01-25T14:26:22Z",
"last_observed": "2017-01-25T14:26:22Z",
"number_observed": 1,
"object_refs": [
"url--5888b58e-0508-4f80-a64e-486102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5888b58e-0508-4f80-a64e-486102de0b81",
"value": "https://www.virustotal.com/file/4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2/analysis/1485160514/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}