{
|
|
"type": "bundle",
|
|
"id": "bundle--5a29b981-af60-4e6f-af70-480b950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:11:11.000Z",
|
|
"modified": "2018-10-26T10:11:11.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "grouping",
|
|
"spec_version": "2.1",
|
|
"id": "grouping--5a29b981-af60-4e6f-af70-480b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:11:11.000Z",
|
|
"modified": "2018-10-26T10:11:11.000Z",
|
|
"name": "OSINT - THE SHADOWS OF GHOSTS INSIDE THE RESPONSE OF A UNIQUE CARBANAK INTRUSION",
|
|
"context": "suspicious-activity",
|
|
"object_refs": [
|
|
"observed-data--5a29b997-3ed0-4604-bfc8-4dcd950d210f",
|
|
"url--5a29b997-3ed0-4604-bfc8-4dcd950d210f",
|
|
"indicator--5a2fa0b0-1dac-4180-866f-4933950d210f",
|
|
"indicator--5a2fa0b1-bab4-4930-8497-4933950d210f",
|
|
"indicator--5a2fa0b2-14b4-4773-ac02-4933950d210f",
|
|
"indicator--5a2fa0b2-6704-405c-94d4-4933950d210f",
|
|
"indicator--5a2fa0b2-b574-43d4-8765-4933950d210f",
|
|
"indicator--5a2fa0b2-10f8-4461-9ea5-4933950d210f",
|
|
"indicator--5a2fad90-0854-4508-9b1a-4889950d210f",
|
|
"indicator--5a2fad91-5048-4a72-934e-471e950d210f",
|
|
"indicator--5a2fad92-1bf0-4fc7-8825-409b950d210f",
|
|
"indicator--5a2fad93-02fc-46f3-a23e-4bb5950d210f",
|
|
"indicator--5a2fad93-bba0-45ef-a648-45e9950d210f",
|
|
"indicator--5a2fad94-2034-4a1a-a49e-4826950d210f",
|
|
"indicator--5a2fad95-d9d0-4aab-b427-4177950d210f",
|
|
"indicator--5a2fad95-7e60-4860-b6fe-42b9950d210f",
|
|
"indicator--5a2fad96-5484-48ce-b77e-47b3950d210f",
|
|
"indicator--5a2fb05d-c778-4fbe-b043-4e56950d210f",
|
|
"indicator--5a2fb05d-35b8-4ab7-a7f0-42e3950d210f",
|
|
"indicator--5a2fb05e-ff64-4760-8516-43bc950d210f",
|
|
"indicator--5a2fb05f-6cd0-45a2-99b2-4ff8950d210f",
|
|
"indicator--5a2fb05f-6338-4c73-9185-4dcc950d210f",
|
|
"indicator--5a2fb060-05d0-4bf6-a42d-4598950d210f",
|
|
"indicator--5a2fb061-92fc-400e-a558-410a950d210f",
|
|
"indicator--5a2fb061-28e4-4908-8d24-4c41950d210f",
|
|
"indicator--5a310fac-7af4-44fd-b616-da3b02de0b81",
|
|
"indicator--5a310fac-a020-462a-8ac7-da3b02de0b81",
|
|
"observed-data--5a310fac-4260-4700-8a51-da3b02de0b81",
|
|
"url--5a310fac-4260-4700-8a51-da3b02de0b81",
|
|
"x-misp-attribute--5bd2e2ab-7b04-4327-acbb-4d71950d210f",
|
|
"indicator--5a2f8bf2-f160-4b0f-9e7a-493e950d210f",
|
|
"indicator--5a2f8c82-07a8-45b4-9457-4200950d210f",
|
|
"indicator--5a2f8d2a-dec0-4067-b077-4e7d950d210f",
|
|
"indicator--5a2f8d6f-5e3c-43b1-a21b-4f5b950d210f",
|
|
"indicator--5a2f8dca-2278-4017-835c-4e9b950d210f",
|
|
"indicator--5a2f8e07-cd40-4b64-9b3f-4cc0950d210f",
|
|
"indicator--5a2f8e44-5d50-48a8-be17-4d0a950d210f",
|
|
"indicator--5a2f950e-862c-4a2b-a94e-45a3950d210f",
|
|
"indicator--5a2f9576-3c3c-4790-9339-397e950d210f",
|
|
"indicator--5a2f95ab-28d4-49bf-ac64-1e00950d210f",
|
|
"indicator--5a2f95f0-4c64-4b47-a395-4a58950d210f",
|
|
"indicator--5a2f9643-08a8-4902-b7f4-4843950d210f",
|
|
"indicator--5a2f99b1-a784-4add-bcf7-4933950d210f",
|
|
"indicator--5a2f99dc-c454-41e9-a090-458d950d210f",
|
|
"indicator--5a2f9a7d-1ccc-48f4-a0d0-1d7a950d210f",
|
|
"indicator--5a2f9e7f-cbd0-4050-845b-4a58950d210f",
|
|
"indicator--5a2f9e9a-48a0-4ed3-91fe-825f950d210f",
|
|
"indicator--5a2f9f45-8874-4ec0-9e5f-7e7d950d210f",
|
|
"indicator--5a2fa096-2e10-4212-81a1-4a63950d210f",
|
|
"indicator--5a2fa0d4-3fd4-450d-9d4c-7e7b950d210f",
|
|
"indicator--89923362-01fd-4462-9078-fa8ec72fb5d9",
|
|
"x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095",
|
|
"indicator--9bb176f2-bd20-46fc-b023-173cc70ca916",
|
|
"x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043",
|
|
"indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9",
|
|
"x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5",
|
|
"indicator--b542464d-5ee4-4028-8de3-db54d17c64ce",
|
|
"x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b",
|
|
"indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b",
|
|
"x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367",
|
|
"indicator--d7de718f-c607-49dd-8c9e-563927bb5164",
|
|
"x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226",
|
|
"x-misp-object--c9a1352e-1cf8-4120-a36a-0ba1412edb36",
|
|
"x-misp-object--f1c24a94-020b-4842-bd00-554487f85e0c",
|
|
"x-misp-object--799449bf-c6a1-444f-9361-c8b81002729a",
|
|
"x-misp-object--d3b462b9-f076-47dd-996e-7b92f83a871d",
|
|
"x-misp-object--de299626-d70b-4856-8577-71a19b22be1c",
|
|
"indicator--9bd18f1d-456c-4ba3-b22f-3ac0da8caacf",
|
|
"x-misp-object--de2cafef-52b7-46ec-b981-f9a5dea89f65",
|
|
"relationship--cfcd7c04-8a44-4d8f-84f5-61b1ca72a0e0",
|
|
"relationship--b4c0698f-791b-4ee4-8e65-dc590a9320ef",
|
|
"relationship--8aad2980-f536-495a-923a-1d951d9fa353",
|
|
"relationship--d6d77702-726d-48c1-94a2-0cca599c1e58",
|
|
"relationship--5ce46697-19e0-4810-8160-b412c9317a1a",
|
|
"relationship--88d656f5-88f2-4119-9e0b-4cefe047112e"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"workflow:state=\"incomplete\"",
|
|
"workflow:todo=\"review-for-false-positive\"",
|
|
"misp-galaxy:mitre-intrusion-set=\"Carbanak\"",
|
|
"type:OSINT",
|
|
"misp-galaxy:tool=\"SSHDoor\"",
|
|
"misp-galaxy:malpedia=\"SSHDoor\"",
|
|
"misp-galaxy:malpedia=\"MimiKatz\"",
|
|
"misp-galaxy:tool=\"Mimikatz\"",
|
|
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5a29b997-3ed0-4604-bfc8-4dcd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:39.000Z",
|
|
"modified": "2017-12-13T17:22:39.000Z",
|
|
"first_observed": "2017-12-13T17:22:39Z",
|
|
"last_observed": "2017-12-13T17:22:39Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5a29b997-3ed0-4604-bfc8-4dcd950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5a29b997-3ed0-4604-bfc8-4dcd950d210f",
|
|
"value": "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fa0b0-1dac-4180-866f-4933950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.117.88.97']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fa0b1-bab4-4930-8497-4933950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.45.116']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fa0b2-14b4-4773-ac02-4933950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.46.116']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fa0b2-6704-405c-94d4-4933950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.61.148.96']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fa0b2-b574-43d4-8765-4933950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.61.148.145']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fa0b2-10f8-4461-9ea5-4933950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.86.151.174']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad90-0854-4508-9b1a-4889950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[domain-name:value = 'slpar.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad91-5048-4a72-934e-471e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[domain-name:value = 'centos-repo.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad92-1bf0-4fc7-8825-409b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.165.29.26']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad93-02fc-46f3-a23e-4bb5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.165.29.27']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad93-bba0-45ef-a648-45e9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.45.179.173']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad94-2034-4a1a-a49e-4826950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.47.122']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad95-d9d0-4aab-b427-4177950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.99.14.211']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad95-7e60-4860-b6fe-42b9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.61.192']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fad96-5484-48ce-b77e-47b3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Network Indicators",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.215.44.129']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fb05d-c778-4fbe-b043-4e56950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T11:31:56.000Z",
|
|
"modified": "2017-12-13T11:31:56.000Z",
|
|
"description": "Host Indicators",
|
|
"pattern": "[file:hashes.MD5 = '1bd7d0c3023c55b5df0201cc5d7bbce1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T11:31:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fb05d-35b8-4ab7-a7f0-42e3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T11:31:56.000Z",
|
|
"modified": "2017-12-13T11:31:56.000Z",
|
|
"description": "Host Indicators",
|
|
"pattern": "[file:hashes.MD5 = 'c01fd758abb423c8336ee1bd5035a6c7']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T11:31:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fb05e-ff64-4760-8516-43bc950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T11:31:56.000Z",
|
|
"modified": "2017-12-13T11:31:56.000Z",
|
|
"description": "Host Indicators",
|
|
"pattern": "[file:hashes.MD5 = '0810d239169a13fc0e2e53fc72d2e5f0']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T11:31:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fb05f-6cd0-45a2-99b2-4ff8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T11:31:56.000Z",
|
|
"modified": "2017-12-13T11:31:56.000Z",
|
|
"description": "Host Indicators",
|
|
"pattern": "[file:hashes.MD5 = 'd66e31794836dfd2c344d0be435c6d12']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T11:31:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fb05f-6338-4c73-9185-4dcc950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T11:31:56.000Z",
|
|
"modified": "2017-12-13T11:31:56.000Z",
|
|
"description": "Host Indicators",
|
|
"pattern": "[file:hashes.MD5 = 'e3c061fa0450056e30285fd44a74cd2a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T11:31:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fb060-05d0-4bf6-a42d-4598950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T11:31:56.000Z",
|
|
"modified": "2017-12-13T11:31:56.000Z",
|
|
"description": "Host Indicators",
|
|
"pattern": "[file:hashes.MD5 = '90d4cc6d4b81b8c462f5aa7166fee6fb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T11:31:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fb061-92fc-400e-a558-410a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T11:31:56.000Z",
|
|
"modified": "2017-12-13T11:31:56.000Z",
|
|
"description": "Host Indicators",
|
|
"pattern": "[file:hashes.MD5 = 'eb87856732236e1ac7e168fe264f1b43']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T11:31:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fb061-28e4-4908-8d24-4c41950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T11:31:56.000Z",
|
|
"modified": "2017-12-13T11:31:56.000Z",
|
|
"description": "Host Indicators",
|
|
"pattern": "[file:hashes.MD5 = '209bc26396e838e4b665fe3d1ccf7787']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T11:31:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a310fac-7af4-44fd-b616-da3b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a",
|
|
"pattern": "[file:hashes.SHA256 = 'e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a310fac-a020-462a-8ac7-da3b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"description": "Host Indicators - Xchecked via VT: e3c061fa0450056e30285fd44a74cd2a",
|
|
"pattern": "[file:hashes.SHA1 = '8c7659e6ee9fe5ead17cae2969d3148730be509b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5a310fac-4260-4700-8a51-da3b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"first_observed": "2017-12-13T17:22:40Z",
|
|
"last_observed": "2017-12-13T17:22:40Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5a310fac-4260-4700-8a51-da3b02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5a310fac-4260-4700-8a51-da3b02de0b81",
|
|
"value": "https://www.virustotal.com/file/e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa/analysis/1513123824/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5bd2e2ab-7b04-4327-acbb-4d71950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T09:47:23.000Z",
|
|
"modified": "2018-10-26T09:47:23.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "This report shares actionable threat intelligence and proven threat hunting and incident response methods used by the RSA Incident Response (IR) Team to successfully respond to an intrusion in early-to-mid 2017 by the threat actor group known as CARBANAK, also known as FIN7. The methodology discussed in this report is designed, and has been tested, to be effective on several currently available security technologies. While the majority of examples shown in this document use the RSA NetWitness\u00ae Suite in their illustrations, the methodology, query logic, and behavioral indicators discussed can be used effectively with any security product providing the necessary visibility. The intrusion and response described in this paper highlight key behavioral tactics, techniques, and procedures (TTP) unique to this engagement, giving significant insight into the thought processes, preparation, and adaptive nature of actors within the CARBANAK threat actor group. This paper also illustrates the RSA Incident Response Team\u2019s Incident Response and Threat Hunting Methodology: an unorthodox, adaptive and highly effective methodology used to successfully detect, investigate, scope, track, contain, and ultimately expel these and many other advanced adversaries."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f8bf2-f160-4b0f-9e7a-493e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T07:57:38.000Z",
|
|
"modified": "2017-12-12T07:57:38.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'a365fd9076af4d841c84accd58287801' AND file:hashes.SHA1 = 'ba2f90f85cada4be24d925cbff0c2efea6e7f3a8' AND file:name = 'ssh' AND file:size = '1180521']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T07:57:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f8c82-07a8-45b4-9457-4200950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:00:02.000Z",
|
|
"modified": "2017-12-12T08:00:02.000Z",
|
|
"pattern": "[file:hashes.MD5 = '9e2e4df27698615df92822646dc9e16b' AND file:hashes.SHA1 = '96e56c39f38b4ef5ac4196ca12742127f286c6fa' AND file:name = 'sshd' AND file:size = '1614437']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:00:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f8d2a-dec0-4067-b077-4e7d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:35.000Z",
|
|
"modified": "2018-10-26T10:07:35.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b57dc2bc16dfdb3de55923aef9a98401' AND file:hashes.SHA1 = '1d3501b30183ba213fb4c22a00d89db6fd50cc34' AND file:name = 'auditd' AND file:size = '21616']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-10-26T10:07:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f8d6f-5e3c-43b1-a21b-4f5b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:03:59.000Z",
|
|
"modified": "2017-12-12T08:03:59.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'edce844a219c7534e6a1e7c77c3cb020' AND file:hashes.SHA1 = '286bf53934aa33ddf220d61c394af79221a152f1' AND file:name = 'winexe' AND file:size = '8126714']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:03:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f8dca-2278-4017-835c-4e9b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:05:30.000Z",
|
|
"modified": "2017-12-12T08:05:30.000Z",
|
|
"pattern": "[file:hashes.MD5 = '771fa63231fb42ee97aa17818a53f432' AND file:hashes.SHA1 = '149a9270d9160120229b7c088975c2754e3b5333' AND file:name = 'l' AND file:size = '16333']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:05:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f8e07-cd40-4b64-9b3f-4cc0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:06:31.000Z",
|
|
"modified": "2017-12-12T08:06:31.000Z",
|
|
"pattern": "[file:hashes.MD5 = '0f1c4a2a795fb58bd3c5724af6f1f71a' AND file:hashes.SHA1 = '039f814cdd4ac6f675c908067d5be1d6f9acc31f' AND file:name = 'pscan' AND file:size = '10340']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:06:31Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f8e44-5d50-48a8-be17-4d0a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:36.000Z",
|
|
"modified": "2018-10-26T10:07:36.000Z",
|
|
"pattern": "[file:hashes.MD5 = '370d420948672e04ba8eac10bfe6fc9c' AND file:hashes.SHA1 = '450605b6761ff8dd025978f44724b11e0c5eadcc' AND file:name = 'ctlmon.exe' AND file:size = '4392448']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-10-26T10:07:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f950e-862c-4a2b-a94e-45a3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:36:30.000Z",
|
|
"modified": "2017-12-12T08:36:30.000Z",
|
|
"pattern": "[file:hashes.MD5 = '5ddf9683692154986494ca9dd74b588f' AND file:hashes.SHA1 = '08f527bef45cb001150ef12ad9ab91d1822bb9c7' AND file:name = 'ctlmon_v2.exe' AND file:size = '4047691']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:36:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f9576-3c3c-4790-9339-397e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:38:14.000Z",
|
|
"modified": "2017-12-12T08:38:14.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'f9766140642c24d422e19e9cf35f2827' AND file:hashes.SHA1 = '7b27771de1a2540008758e9894bfe168f26bffa0' AND file:name = 'ctlmon_v3.exe' AND file:size = '4063744']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:38:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f95ab-28d4-49bf-ac64-1e00950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:39:07.000Z",
|
|
"modified": "2017-12-12T08:39:07.000Z",
|
|
"pattern": "[file:hashes.MD5 = '8b3a91038ecb2f57de5bbd29848b6dc4' AND file:hashes.SHA1 = '54074b3934955d4121d1a01fe2ed5493c3f7f16d' AND file:name = 'svcmd.exe' AND file:size = '47104']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:39:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f95f0-4c64-4b47-a395-4a58950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:40:16.000Z",
|
|
"modified": "2017-12-12T08:40:16.000Z",
|
|
"pattern": "[file:hashes.MD5 = '7393cb0f409f8f51b7745981ac30b8b6' AND file:hashes.SHA1 = '6c17113f66efa5115111a9e67c6ddd026ba9b55d' AND file:name = 'TINYP2.bin' AND file:size = '277504']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:40:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f9643-08a8-4902-b7f4-4843950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:41:39.000Z",
|
|
"modified": "2017-12-12T08:41:39.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'c4d746b8e5e8e12a50a18c9d61e01864' AND file:hashes.SHA1 = 'c020f8939f136b4785dda7b2e4b80ced96e23663' AND file:name = 'ps.exe' AND file:size = '234496']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:41:39Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f99b1-a784-4add-bcf7-4933950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:36.000Z",
|
|
"modified": "2018-10-26T10:07:36.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'bd126a7b59d5d1f97ba89a3e71425731' AND file:hashes.SHA1 = '457b1cd985ed07baffd8c66ff40e9c1b6da93753' AND file:name = 'UIAutomationCore.dll.bin' AND file:size = '401408']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-10-26T10:07:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f99dc-c454-41e9-a090-458d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:36.000Z",
|
|
"modified": "2018-10-26T10:07:36.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b3135736bcfdab27f891dbe4009a8c80' AND file:hashes.SHA1 = '9240e1744e7272e59e482f68a10f126fdf501be0' AND file:name = 'pscp.bin' AND file:size = '359336']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-10-26T10:07:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f9a7d-1ccc-48f4-a0d0-1d7a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T08:59:41.000Z",
|
|
"modified": "2017-12-12T08:59:41.000Z",
|
|
"pattern": "[file:hashes.MD5 = '6499863d47b68030f0c5ffafaffb1344' AND file:hashes.SHA1 = '2197e35f14ff9960985c982ed6d16d5bd5366062' AND file:name = 'xxx32.exe' AND file:size = '528896']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T08:59:41Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f9e7f-cbd0-4050-845b-4a58950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T09:16:47.000Z",
|
|
"modified": "2017-12-12T09:16:47.000Z",
|
|
"pattern": "[file:hashes.MD5 = '752d245f1026482a967a763dae184569' AND file:hashes.SHA1 = '355603b1922886044884afbdfa9c9a6626b6669a' AND file:name = 'xxx64.exe' AND file:size = '589312']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T09:16:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f9e9a-48a0-4ed3-91fe-825f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T09:17:14.000Z",
|
|
"modified": "2017-12-12T09:17:14.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'd406e037f034b89c85758af1a98110be' AND file:hashes.SHA1 = '6bc46528da6cd224fa5e58ccd9df5b05c46c673d' AND file:name = 'ccs.bmp' AND file:size = '82944']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T09:17:14Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2f9f45-8874-4ec0-9e5f-7e7d950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:36.000Z",
|
|
"modified": "2018-10-26T10:07:36.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'ab8bed25f9ff64a4b07be5d3bc34f26b' AND file:hashes.SHA1 = '42ce9c2bd246a0243fa91309938042e434b39876' AND file:name = 'infos.bmp' AND file:size = '494080']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-10-26T10:07:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fa096-2e10-4212-81a1-4a63950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T09:25:42.000Z",
|
|
"modified": "2017-12-12T09:25:42.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'd825fbd90087d2350e89cbf205a1b71c' AND file:hashes.SHA1 = 'ca5e195692399dca99a4d8299dc9ff816168a6dc' AND file:name = 'pscan.bmp' AND file:size = '65024']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T09:25:42Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a2fa0d4-3fd4-450d-9d4c-7e7b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-12T09:26:44.000Z",
|
|
"modified": "2017-12-12T09:26:44.000Z",
|
|
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.181.246.146') AND network-traffic:dst_port = '443']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-12T09:26:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"ip-port\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--89923362-01fd-4462-9078-fa8ec72fb5d9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:43.000Z",
|
|
"modified": "2017-12-13T17:22:43.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'e3c061fa0450056e30285fd44a74cd2a' AND file:hashes.SHA1 = '8c7659e6ee9fe5ead17cae2969d3148730be509b' AND file:hashes.SHA256 = 'e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa/analysis/1513180609/",
|
|
"category": "External analysis",
|
|
"comment": "Host Indicators",
|
|
"uuid": "5a3161e0-7518-48ff-8668-464302de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "0/67",
|
|
"category": "Other",
|
|
"comment": "Host Indicators",
|
|
"uuid": "5a3161e0-4a20-406c-8f4e-432702de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-13 15:56:49",
|
|
"category": "Other",
|
|
"comment": "Host Indicators",
|
|
"uuid": "5a3161e0-2548-4a4e-a11f-461402de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9bb176f2-bd20-46fc-b023-173cc70ca916",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:43.000Z",
|
|
"modified": "2017-12-13T17:22:43.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'ab8bed25f9ff64a4b07be5d3bc34f26b' AND file:hashes.SHA1 = '42ce9c2bd246a0243fa91309938042e434b39876' AND file:hashes.SHA256 = '91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:40.000Z",
|
|
"modified": "2017-12-13T17:22:40.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81/analysis/1512663932/",
|
|
"category": "External analysis",
|
|
"uuid": "5a3161e0-b6a4-44ba-9bc7-4a7002de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "0/67",
|
|
"category": "Other",
|
|
"uuid": "5a3161e0-2ffc-4265-a867-4c3202de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-07 16:25:32",
|
|
"category": "Other",
|
|
"uuid": "5a3161e0-3b04-46b9-a02c-4cf402de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:43.000Z",
|
|
"modified": "2017-12-13T17:22:43.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b57dc2bc16dfdb3de55923aef9a98401' AND file:hashes.SHA1 = '1d3501b30183ba213fb4c22a00d89db6fd50cc34' AND file:hashes.SHA256 = '3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:43Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:41.000Z",
|
|
"modified": "2017-12-13T17:22:41.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523/analysis/1512654000/",
|
|
"category": "External analysis",
|
|
"uuid": "5a3161e1-b860-4724-ae56-4d9802de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "15/59",
|
|
"category": "Other",
|
|
"uuid": "5a3161e1-6e0c-4549-af43-450602de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-07 13:40:00",
|
|
"category": "Other",
|
|
"uuid": "5a3161e1-618c-4f11-bdac-4c7e02de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b542464d-5ee4-4028-8de3-db54d17c64ce",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:44.000Z",
|
|
"modified": "2017-12-13T17:22:44.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b3135736bcfdab27f891dbe4009a8c80' AND file:hashes.SHA1 = '9240e1744e7272e59e482f68a10f126fdf501be0' AND file:hashes.SHA256 = 'b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:41.000Z",
|
|
"modified": "2017-12-13T17:22:41.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e/analysis/1512431431/",
|
|
"category": "External analysis",
|
|
"uuid": "5a3161e2-673c-4d02-b7f1-460902de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "0/67",
|
|
"category": "Other",
|
|
"uuid": "5a3161e2-4c44-4f90-9448-461502de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-04 23:50:31",
|
|
"category": "Other",
|
|
"uuid": "5a3161e2-7180-4ce2-9e15-4f0d02de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:45.000Z",
|
|
"modified": "2017-12-13T17:22:45.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'bd126a7b59d5d1f97ba89a3e71425731' AND file:hashes.SHA1 = '457b1cd985ed07baffd8c66ff40e9c1b6da93753' AND file:hashes.SHA256 = 'a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:42.000Z",
|
|
"modified": "2017-12-13T17:22:42.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599/analysis/1513176180/",
|
|
"category": "External analysis",
|
|
"uuid": "5a3161e2-ba9c-4b83-b774-4ee902de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "2/67",
|
|
"category": "Other",
|
|
"uuid": "5a3161e2-1ddc-4e37-a6e5-4a1d02de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-13 14:43:00",
|
|
"category": "Other",
|
|
"uuid": "5a3161e2-6204-4d87-bca0-4b1402de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d7de718f-c607-49dd-8c9e-563927bb5164",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:45.000Z",
|
|
"modified": "2017-12-13T17:22:45.000Z",
|
|
"pattern": "[file:hashes.MD5 = '370d420948672e04ba8eac10bfe6fc9c' AND file:hashes.SHA1 = '450605b6761ff8dd025978f44724b11e0c5eadcc' AND file:hashes.SHA256 = '9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-12-13T17:22:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-12-13T17:22:42.000Z",
|
|
"modified": "2017-12-13T17:22:42.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765/analysis/1512431431/",
|
|
"category": "External analysis",
|
|
"uuid": "5a3161e2-152c-4e9c-8885-4ae402de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "33/68",
|
|
"category": "Other",
|
|
"uuid": "5a3161e2-8d84-4fbd-8c38-490602de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-04 23:50:31",
|
|
"category": "Other",
|
|
"uuid": "5a3161e2-3fc8-4bbb-811c-478302de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--c9a1352e-1cf8-4120-a36a-0ba1412edb36",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:36.000Z",
|
|
"modified": "2018-10-26T10:07:36.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-10-26 09:45:28",
|
|
"category": "Other",
|
|
"uuid": "aec805a5-83b1-4d39-add2-491096984907"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/b20ba6df30bbb27ae74b2567a81aef66e787591a5ef810bfc9ecd45cb6d3d51e/analysis/1540547128/",
|
|
"category": "External analysis",
|
|
"uuid": "74184839-2f88-4a23-b69d-0d13d8c62102"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "0/67",
|
|
"category": "Other",
|
|
"uuid": "4f0e29fc-09d6-4152-9243-651af8bfb108"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--f1c24a94-020b-4842-bd00-554487f85e0c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:38.000Z",
|
|
"modified": "2018-10-26T10:07:38.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-07 13:40:00",
|
|
"category": "Other",
|
|
"uuid": "a16db00e-858c-4e85-8cdd-3935eafb0e32"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/3ed6749bba634ad0f5e888daf0323c85fe73f9cb8fc70c05fb42d53eb7a8b523/analysis/1512654000/",
|
|
"category": "External analysis",
|
|
"uuid": "eb41cadf-ee59-43e8-9759-9579024141ff"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "15/59",
|
|
"category": "Other",
|
|
"uuid": "967b51b7-7183-4d8c-8416-c4dd3f4a383c"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--799449bf-c6a1-444f-9361-c8b81002729a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:39.000Z",
|
|
"modified": "2018-10-26T10:07:39.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-10-26 06:34:45",
|
|
"category": "Other",
|
|
"uuid": "1eca75fd-0135-4438-9b98-108913702714"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599/analysis/1540535685/",
|
|
"category": "External analysis",
|
|
"uuid": "0184c0bd-362e-47d3-87d3-392a1a875865"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "1/65",
|
|
"category": "Other",
|
|
"uuid": "9b2ff29b-3590-4f10-973d-896279089abf"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--d3b462b9-f076-47dd-996e-7b92f83a871d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:40.000Z",
|
|
"modified": "2018-10-26T10:07:40.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-06-18 00:06:58",
|
|
"category": "Other",
|
|
"uuid": "fe2d043e-f81e-41c8-94d5-780c68b08520"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765/analysis/1529280418/",
|
|
"category": "External analysis",
|
|
"uuid": "d7b94bd9-d044-4ba3-92d9-09fcf121b98f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "36/68",
|
|
"category": "Other",
|
|
"uuid": "63f46b9d-5d23-416f-bba8-76c30370b049"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--de299626-d70b-4856-8577-71a19b22be1c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:48.000Z",
|
|
"modified": "2018-10-26T10:07:48.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-12-07 16:25:32",
|
|
"category": "Other",
|
|
"uuid": "c49a7d33-16db-499d-a52e-147a32818bbf"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/91bde887f6956546c9a5e328e2bf90b1ca2fd28bc9fa39b84701891ee8230e81/analysis/1512663932/",
|
|
"category": "External analysis",
|
|
"uuid": "07006736-b056-47cb-9f62-b5fc0da977cf"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "0/67",
|
|
"category": "Other",
|
|
"uuid": "5e3c1df6-c79f-4d33-a8fc-0343fe4e14fb"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9bd18f1d-456c-4ba3-b22f-3ac0da8caacf",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:53.000Z",
|
|
"modified": "2018-10-26T10:07:53.000Z",
|
|
"pattern": "[file:hashes.MD5 = '7393cb0f409f8f51b7745981ac30b8b6' AND file:hashes.SHA1 = '6c17113f66efa5115111a9e67c6ddd026ba9b55d' AND file:hashes.SHA256 = 'a1d3fa684d406f82a2d93f4617c5b2dba5b70336db7e7a83b5a2822afe56fb0b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-10-26T10:07:53Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--de2cafef-52b7-46ec-b981-f9a5dea89f65",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T10:07:55.000Z",
|
|
"modified": "2018-10-26T10:07:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-07-19 12:25:03",
|
|
"category": "Other",
|
|
"uuid": "5f0cc7ad-b6e0-408c-9006-8ae86e66228c"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/a1d3fa684d406f82a2d93f4617c5b2dba5b70336db7e7a83b5a2822afe56fb0b/analysis/1532003103/",
|
|
"category": "External analysis",
|
|
"uuid": "e35f9d09-6da2-4827-9556-c49ee43ef0bf"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "21/67",
|
|
"category": "Other",
|
|
"uuid": "4406a5d5-7d31-43c6-bd2d-9ccad5886875"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--cfcd7c04-8a44-4d8f-84f5-61b1ca72a0e0",
|
|
"created": "2017-12-13T17:22:42.000Z",
|
|
"modified": "2017-12-13T17:22:42.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--89923362-01fd-4462-9078-fa8ec72fb5d9",
|
|
"target_ref": "x-misp-object--43dfa9b6-ada3-4c52-836c-b9472dacb095"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
"id": "relationship--b4c0698f-791b-4ee4-8e65-dc590a9320ef",
"created": "2017-12-13T17:22:42.000Z",
"modified": "2017-12-13T17:22:42.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--9bb176f2-bd20-46fc-b023-173cc70ca916",
"target_ref": "x-misp-object--ed40b0bd-3168-4d2b-a6be-55ac4a22f043"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8aad2980-f536-495a-923a-1d951d9fa353",
"created": "2017-12-13T17:22:42.000Z",
"modified": "2017-12-13T17:22:42.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--00aa97a0-e3ba-4abb-9f43-f1050891a7c9",
"target_ref": "x-misp-object--24f8e29e-62a4-44f0-a621-8e49495fe6f5"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d6d77702-726d-48c1-94a2-0cca599c1e58",
"created": "2017-12-13T17:22:42.000Z",
"modified": "2017-12-13T17:22:42.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b542464d-5ee4-4028-8de3-db54d17c64ce",
"target_ref": "x-misp-object--0f1de71f-46a2-475a-87ec-f980d6db213b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5ce46697-19e0-4810-8160-b412c9317a1a",
"created": "2017-12-13T17:22:42.000Z",
"modified": "2017-12-13T17:22:42.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--91f0fa15-c3f6-41d7-bf1b-79bb33f8390b",
"target_ref": "x-misp-object--e630b519-28d2-45d2-be53-c5cc2faef367"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--88d656f5-88f2-4119-9e0b-4cefe047112e",
"created": "2017-12-13T17:22:42.000Z",
"modified": "2017-12-13T17:22:42.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--d7de718f-c607-49dd-8c9e-563927bb5164",
"target_ref": "x-misp-object--989b543e-eb41-458d-9ac8-e34620fc5226"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}