misp-circl-feed/feeds/circl/misp/58d4c745-a110-4623-a9e6-497d950d210f.json

398 lines
No EOL
17 KiB
JSON

{
"type": "bundle",
"id": "bundle--58d4c745-a110-4623-a9e6-497d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58d4c745-a110-4623-a9e6-497d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"name": "OSINT - New targeted attack against Saudi Arabia Government",
"published": "2017-03-24T07:20:29Z",
"object_refs": [
"observed-data--58d4c76a-f634-4a57-bcb3-464a950d210f",
"url--58d4c76a-f634-4a57-bcb3-464a950d210f",
"x-misp-attribute--58d4c781-4518-4271-a552-4672950d210f",
"indicator--58d4c7ca-4c18-44f8-b75d-43e1950d210f",
"indicator--58d4c7cb-575c-4396-8757-4020950d210f",
"indicator--58d4c7f4-6c64-41ca-bfa2-4314950d210f",
"indicator--58d4c7f5-678c-453a-9648-483f950d210f",
"indicator--58d4c826-ab38-491e-85d1-48f2950d210f",
"indicator--58d4c827-9264-4eeb-8d3c-4aef950d210f",
"indicator--58d4c834-23b4-4f6a-b87f-4729950d210f",
"indicator--58d4c835-5d98-4a80-9386-4ab1950d210f",
"indicator--58d4c8a7-306c-405e-aa6b-4e4102de0b81",
"observed-data--58d4c8a8-bf0c-4c05-9288-491a02de0b81",
"url--58d4c8a8-bf0c-4c05-9288-491a02de0b81",
"indicator--58d4c8a9-905c-4628-b347-4f3502de0b81",
"observed-data--58d4c8aa-f6e0-4953-b357-43a102de0b81",
"url--58d4c8aa-f6e0-4953-b357-43a102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d4c76a-f634-4a57-bcb3-464a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"first_observed": "2017-03-24T07:19:58Z",
"last_observed": "2017-03-24T07:19:58Z",
"number_observed": 1,
"object_refs": [
"url--58d4c76a-f634-4a57-bcb3-464a950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"almost-certain\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d4c76a-f634-4a57-bcb3-464a950d210f",
"value": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58d4c781-4518-4271-a552-4672950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"estimative-language:likelihood-probability=\"almost-certain\"",
"admiralty-scale:source-reliability=\"b\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "A new spear phishing campaign is targeting Saudi Arabia governmental organizations. The attack originates from a phishing email containing a Word document in Arabic language. If the victim opens it up, it will not only infect their system but send the same phishing document to other contacts via their Outlook inbox.\r\n\r\nWe know that at least about a dozen Saudi agencies were targeted. As with most email-borne attacks, this one leverages social engineering to execute malicious code via a Macro."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c7ca-4c18-44f8-b75d-43e1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "C2 - potentialy compromised",
"pattern": "[url:value = 'mail.spa.gov.sa/ews/exchange/exchange.asmx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c7cb-575c-4396-8757-4020950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "C2 - potentialy compromised",
"pattern": "[url:value = 'webmail.ecra/ews/exchange/exchange.asmx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c7f4-6c64-41ca-bfa2-4314950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.149.118.67']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c7f5-678c-453a-9648-483f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.194.112.9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-status=\"compromised\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c826-ab38-491e-85d1-48f2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "Binary payload",
"pattern": "[file:hashes.MD5 = '4ed42233962a89deaa89fd7b989db081']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c827-9264-4eeb-8d3c-4aef950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "Binary payload",
"pattern": "[file:hashes.SHA256 = 'a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c834-23b4-4f6a-b87f-4729950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "Word dropper",
"pattern": "[file:hashes.MD5 = '3cd5fa46507657f723719b7809d2d1f9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c835-5d98-4a80-9386-4ab1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:19:58.000Z",
"modified": "2017-03-24T07:19:58.000Z",
"description": "Word dropper",
"pattern": "[file:hashes.SHA256 = 'a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:19:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c8a7-306c-405e-aa6b-4e4102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:20:07.000Z",
"modified": "2017-03-24T07:20:07.000Z",
"description": "Word dropper - Xchecked via VT: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9",
"pattern": "[file:hashes.SHA1 = '34ddc14b9a04eba98c3aa1cb27033e12ec847e03']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:20:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d4c8a8-bf0c-4c05-9288-491a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:20:08.000Z",
"modified": "2017-03-24T07:20:08.000Z",
"first_observed": "2017-03-24T07:20:08Z",
"last_observed": "2017-03-24T07:20:08Z",
"number_observed": 1,
"object_refs": [
"url--58d4c8a8-bf0c-4c05-9288-491a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d4c8a8-bf0c-4c05-9288-491a02de0b81",
"value": "https://www.virustotal.com/file/a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9/analysis/1490338453/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d4c8a9-905c-4628-b347-4f3502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:20:09.000Z",
"modified": "2017-03-24T07:20:09.000Z",
"description": "Binary payload - Xchecked via VT: a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873",
"pattern": "[file:hashes.SHA1 = 'cf731ee0af5c19231ff51af589f7434c0367d508']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-24T07:20:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d4c8aa-f6e0-4953-b357-43a102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-24T07:20:10.000Z",
"modified": "2017-03-24T07:20:10.000Z",
"first_observed": "2017-03-24T07:20:10Z",
"last_observed": "2017-03-24T07:20:10Z",
"number_observed": 1,
"object_refs": [
"url--58d4c8aa-f6e0-4953-b357-43a102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d4c8aa-f6e0-4953-b357-43a102de0b81",
"value": "https://www.virustotal.com/file/a96c57c35df18ac20d83b08a88e502071bd0033add0914b951adbd1639b0b873/analysis/1490319480/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}