adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/599d5067-8168-43bf-971f-497a950d210f.json

441 lines
No EOL
19 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--599d5067-8168-43bf-971f-497a950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T12:00:23.000Z",
"modified": "2017-08-23T12:00:23.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--599d5067-8168-43bf-971f-497a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T12:00:23.000Z",
"modified": "2017-08-23T12:00:23.000Z",
"name": "OSINT - Malicious script dropping an executable signed by Avast?",
"context": "suspicious-activity",
"object_refs": [
"observed-data--599d5076-3860-4293-803d-4bd5950d210f",
"url--599d5076-3860-4293-803d-4bd5950d210f",
"x-misp-attribute--599d508f-0070-49fe-82ad-474b950d210f",
"observed-data--599d50c1-3250-4e6c-887d-42b2950d210f",
"email-message--599d50c1-3250-4e6c-887d-42b2950d210f",
"indicator--599d512d-3dec-4480-ad56-45bb950d210f",
"indicator--599d5169-8bcc-47ae-b5f4-42e4950d210f",
"indicator--599d521f-5cb8-40a6-ad5b-4eb9950d210f",
"indicator--599d52e1-1e84-4c24-9ee7-1992950d210f",
"indicator--599d530d-27b4-424a-819a-426d950d210f",
"observed-data--599d5475-c4d4-4400-984a-4a96950d210f",
"url--599d5475-c4d4-4400-984a-4a96950d210f",
"observed-data--599d5475-03a8-4fa8-b299-48de950d210f",
"url--599d5475-03a8-4fa8-b299-48de950d210f",
"indicator--599d6e3f-5458-4c0b-94f0-904802de0b81",
"indicator--599d6e3f-540c-486e-83ab-904802de0b81",
"observed-data--599d6e3f-d8f4-4e01-a929-904802de0b81",
"url--599d6e3f-d8f4-4e01-a929-904802de0b81",
"indicator--599d6e3f-b368-4103-936e-904802de0b81",
"indicator--599d6e3f-24c8-4b3b-a62a-904802de0b81",
"observed-data--599d6e3f-35b4-4889-b8a8-904802de0b81",
"url--599d6e3f-35b4-4889-b8a8-904802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--599d5076-3860-4293-803d-4bd5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T12:00:23.000Z",
"modified": "2017-08-23T12:00:23.000Z",
"first_observed": "2017-08-23T12:00:23Z",
"last_observed": "2017-08-23T12:00:23Z",
"number_observed": 1,
"object_refs": [
"url--599d5076-3860-4293-803d-4bd5950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--599d5076-3860-4293-803d-4bd5950d210f",
"value": "https://isc.sans.edu/forums/diary/Malicious+script+dropping+an+executable+signed+by+Avast/22748/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--599d508f-0070-49fe-82ad-474b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Yesterday, I found an interesting sample that I started to analyze\u2026 It reached my spam trap attached to an email in Portuguese with the subject: \"Venho por meio desta solicitar or\u00e7amento dos produtos\u201d (\"I hereby request the products budget\u201d). There was one attached ZIP archive: PanilhaOrcamento.zip (SHA1: 3c159f65ba88bb208df30822d2a88b6531e4d0a7) with a VT score of 0/58."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--599d50c1-3250-4e6c-887d-42b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"first_observed": "2017-08-23T11:59:59Z",
"last_observed": "2017-08-23T11:59:59Z",
"number_observed": 1,
"object_refs": [
"email-message--599d50c1-3250-4e6c-887d-42b2950d210f"
],
"labels": [
"misp:type=\"email-subject\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--599d50c1-3250-4e6c-887d-42b2950d210f",
"is_multipart": false,
"subject": "Venho por meio desta solicitar or\u00e7amento dos produtos"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d512d-3dec-4480-ad56-45bb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"pattern": "[file:name = 'PanilhaOrcamento.zip' AND file:hashes.SHA1 = '3c159f65ba88bb208df30822d2a88b6531e4d0a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d5169-8bcc-47ae-b5f4-42e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"pattern": "[file:name = 'Panilha Orcamento Contabil 32f5.bat' AND file:hashes.SHA1 = 'c191821ddb1db46349afdb08789312ce418696d1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d521f-5cb8-40a6-ad5b-4eb9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"pattern": "[url:value = 'https://1591523753.rsc.cdn77.org/p2r.php?']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d52e1-1e84-4c24-9ee7-1992950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"description": "file signed by Avast",
"pattern": "[file:name = 'C:\\\\rx hsdj\\\\o\\\\i\\\\x\\\\ffax bnzx\\\\fvenotify.exe' AND file:hashes.SHA256 = '6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d530d-27b4-424a-819a-426d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"pattern": "[file:name = 'C:\\\\rx hsdj\\\\o\\\\i\\\\x\\\\ffax bnzx\\\\secur32.dll' AND file:hashes.SHA256 = '2ee0c761a25310e34c9d3c9d3e810192d8bbd10d4051522e3eefdc1bd71a17bb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--599d5475-c4d4-4400-984a-4a96950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"first_observed": "2017-08-23T11:59:59Z",
"last_observed": "2017-08-23T11:59:59Z",
"number_observed": 1,
"object_refs": [
"url--599d5475-c4d4-4400-984a-4a96950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--599d5475-c4d4-4400-984a-4a96950d210f",
"value": "https://www.virustotal.com/#/file/9329de591b51c367908f2916307a4d2277caa2c766f2cecac8d06e02a2416246/detection"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--599d5475-03a8-4fa8-b299-48de950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"first_observed": "2017-08-23T11:59:59Z",
"last_observed": "2017-08-23T11:59:59Z",
"number_observed": 1,
"object_refs": [
"url--599d5475-03a8-4fa8-b299-48de950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--599d5475-03a8-4fa8-b299-48de950d210f",
"value": "https://www.virustotal.com/#/file/6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7/detection"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d6e3f-5458-4c0b-94f0-904802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"description": "file signed by Avast - Xchecked via VT: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7",
"pattern": "[file:hashes.SHA1 = 'da7d5d84ec06da830330601077f5d01075de2ed5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d6e3f-540c-486e-83ab-904802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"description": "file signed by Avast - Xchecked via VT: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7",
"pattern": "[file:hashes.MD5 = '5fd9e7a51f49eae4d722cabd84999ef5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--599d6e3f-d8f4-4e01-a929-904802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"first_observed": "2017-08-23T11:59:59Z",
"last_observed": "2017-08-23T11:59:59Z",
"number_observed": 1,
"object_refs": [
"url--599d6e3f-d8f4-4e01-a929-904802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--599d6e3f-d8f4-4e01-a929-904802de0b81",
"value": "https://www.virustotal.com/file/6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7/analysis/1503339647/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d6e3f-b368-4103-936e-904802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"description": "- Xchecked via VT: 3c159f65ba88bb208df30822d2a88b6531e4d0a7",
"pattern": "[file:hashes.SHA256 = '9329de591b51c367908f2916307a4d2277caa2c766f2cecac8d06e02a2416246']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--599d6e3f-24c8-4b3b-a62a-904802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"description": "- Xchecked via VT: 3c159f65ba88bb208df30822d2a88b6531e4d0a7",
"pattern": "[file:hashes.MD5 = '6fcaa7422eceea72bff4e663e4ce708e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-23T11:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--599d6e3f-35b4-4889-b8a8-904802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-23T11:59:59.000Z",
"modified": "2017-08-23T11:59:59.000Z",
"first_observed": "2017-08-23T11:59:59Z",
"last_observed": "2017-08-23T11:59:59Z",
"number_observed": 1,
"object_refs": [
"url--599d6e3f-35b4-4889-b8a8-904802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--599d6e3f-35b4-4889-b8a8-904802de0b81",
"value": "https://www.virustotal.com/file/9329de591b51c367908f2916307a4d2277caa2c766f2cecac8d06e02a2416246/analysis/1503343138/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink