{
"type": "bundle",
"id": "bundle--5d9b5933-964c-433c-b84f-4c680a2fe004",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2021-05-24T10:03:35.000Z",
"modified": "2021-05-24T10:03:35.000Z",
"name": "MiSOC",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5d9b5933-964c-433c-b84f-4c680a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2021-05-24T10:03:35.000Z",
"modified": "2021-05-24T10:03:35.000Z",
"name": "Emotet in Depth TTP 10-07-19",
"published": "2020-06-17T01:40:12Z",
"object_refs": [
"indicator--5d9b5bdf-36e8-494f-9bda-4522a63f8736",
"indicator--5d9b5bdf-b5ac-4550-8ee8-4491a63f8736",
"indicator--5d9b5bdf-b0a8-4c75-a2b0-49b4a63f8736",
"indicator--5d9b5bdf-b654-4401-9164-4f6ba63f8736",
"indicator--5d9b5bdf-9bf0-4a3f-8387-404ca63f8736",
"indicator--5da79ead-879c-49ef-846b-315974656a8a",
"indicator--5da79ead-325c-4d0b-a401-315974656a8a",
"indicator--5da79ead-7ae4-4276-abff-315974656a8a",
"indicator--5da79ead-90e4-4122-9476-315974656a8a",
"indicator--5da79ead-f444-4981-917b-315974656a8a",
"indicator--5da79ead-558c-4548-a83c-315974656a8a",
"indicator--5da79ead-3d98-416c-9ff5-315974656a8a",
"indicator--5da79ead-94f8-4ae2-9a3b-315974656a8a",
"indicator--5da79ead-4208-483c-badc-315974656a8a",
"indicator--5da79ead-e7d4-4ece-94ac-315974656a8a",
"indicator--5da79ead-3188-4a7f-8e13-315974656a8a",
"indicator--5da79ead-9f88-43a2-9b73-315974656a8a",
"indicator--5da79ead-5b0c-49d0-802a-315974656a8a",
"indicator--5da79ead-4e48-4b7d-ba67-315974656a8a",
"indicator--5da79ead-47a0-4480-a429-315974656a8a",
"indicator--5da79ead-6acc-48a8-abba-315974656a8a",
"indicator--5da79ead-04f8-46df-bf49-315974656a8a",
"indicator--5da79ead-cb88-445a-8eaa-315974656a8a",
"indicator--5da79ead-3910-4501-8065-315974656a8a",
"indicator--5da79ead-4910-4e43-9939-315974656a8a",
"indicator--5da79ead-55f8-4fd0-807a-315974656a8a",
"indicator--5da79ead-24e0-4062-9bba-315974656a8a",
"indicator--5da79ead-560c-4070-b46f-315974656a8a",
"indicator--5da79ead-dec8-4574-9ced-315974656a8a",
"indicator--5da79ead-048c-4da7-92c0-315974656a8a",
"observed-data--5df8d9e5-f7a0-45b8-87c3-45ea950d210f",
"url--5df8d9e5-f7a0-45b8-87c3-45ea950d210f",
"indicator--5d9b5a7c-7204-4384-9512-48970a2fe004",
"indicator--5d9b5aa8-9a10-4649-bfd4-4dff0a2fe004",
"indicator--5d9b6d2a-f048-4333-a71b-4f830a2fe004",
"indicator--5d9b80b5-67ac-4570-8958-4ea90a2fe004",
"indicator--5d9b8142-6bd0-484e-8a8f-43410a2fe004",
"indicator--5d9b8162-9658-45ba-897f-4cdd0a2fe004",
"indicator--5d9b817a-8320-4f3b-afee-43650a2fe004",
"indicator--5d9b8302-b1ec-49b1-8c31-46d50a2fe004",
"indicator--5d9b8343-9d98-442f-b331-4a9a0a2fe004"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"Emotet",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"",
"misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\"",
"misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"",
"misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"",
"misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"",
"misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
"misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
"misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"",
"misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
"misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"",
"misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"",
"misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"",
"misp-galaxy:mitre-tool=\"Empire - S0363\"",
"misp-galaxy:tool=\"Emotet\"",
"misp-galaxy:mitre-tool=\"Cobalt Strike - S0154\"",
"misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"",
"misp-galaxy:mitre-attack-pattern=\"New Service - T1050\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b5bdf-36e8-494f-9bda-4522a63f8736",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T15:38:07.000Z",
"modified": "2019-10-07T15:38:07.000Z",
"description": "Maldoc 1st-stage download URLs",
"pattern": "[url:value = 'http://dulich.goasiatravel.com/calendar/u8hsm_46c4yi-6024747470/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T15:38:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b5bdf-b5ac-4550-8ee8-4491a63f8736",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T15:38:07.000Z",
"modified": "2019-10-07T15:38:07.000Z",
"description": "Maldoc 1st-stage download URLs",
"pattern": "[url:value = 'https://drewnianazagroda.pl/c0nm/PtlOoIWOzs/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T15:38:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b5bdf-b0a8-4c75-a2b0-49b4a63f8736",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T15:38:07.000Z",
"modified": "2019-10-07T15:38:07.000Z",
"description": "Maldoc 1st-stage download URLs",
"pattern": "[url:value = 'http://latestgovernment.com/pramodchoudhary.examqualify.com/CKBOIhWtjs/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T15:38:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b5bdf-b654-4401-9164-4f6ba63f8736",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T15:38:07.000Z",
"modified": "2019-10-07T15:38:07.000Z",
"description": "Maldoc 1st-stage download URLs",
"pattern": "[url:value = 'https://kurumsalinternetsitesi.com/wp-content/wgSCKDClY/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T15:38:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b5bdf-9bf0-4a3f-8387-404ca63f8736",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T15:38:07.000Z",
"modified": "2019-10-07T15:38:07.000Z",
"description": "Maldoc 1st-stage download URLs",
"pattern": "[url:value = 'https://edealsadvisor.com/wp-includes/ZqLAroEkK/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T15:38:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-879c-49ef-846b-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://201.184.105.242/ban/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-325c-4d0b-a401-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://201.184.105.242/cone/dma/arizona/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-7ae4-4276-abff-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://201.184.105.242/health/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-90e4-4122-9476-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://201.184.105.242/iplk/enable/loadan/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-f444-4981-917b-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://201.184.105.242/loadan/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-558c-4548-a83c-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://201.184.105.242/sess/pnp/ringin/merge/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-3d98-416c-9ff5-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://201.184.105.242/site/vermont/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-94f8-4ae2-9a3b-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://201.184.105.242/symbols/schema/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-4208-483c-badc-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://45.123.3.54/badge/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-e7d4-4ece-94ac-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://45.123.3.54/publish/acquire/enabled/merge/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-3188-4a7f-8e13-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://45.123.3.54/site/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-9f88-43a2-9b73-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://80.79.23.144/free/schema/scripts/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-5b0c-49d0-802a-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://80.79.23.144/results/cone/window/merge/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-4e48-4b7d-ba67-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://80.79.23.144/splash/prov/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-47a0-4480-a429-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://104.131.11.150/cookies/usbccid/enabled/merge/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-6acc-48a8-abba-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://104.131.11.150/dma/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-04f8-46df-bf49-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://104.131.11.150/img/enabled/scripts/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-cb88-445a-8eaa-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://142.44.162.209/pnp/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-3910-4501-8065-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://142.44.162.209/report/chunk/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-4910-4e43-9939-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://142.44.162.209/results/glitch/merge/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-55f8-4fd0-807a-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://178.254.6.27/site/results/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-24e0-4062-9bba-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://178.254.6.27/stubs/pnp/window/merge/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-560c-4070-b46f-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://178.254.6.27/taskbar/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-dec8-4574-9ced-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://192.254.173.31/child/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5da79ead-048c-4da7-92c0-315974656a8a",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-16T22:50:21.000Z",
"modified": "2019-10-16T22:50:21.000Z",
"pattern": "[url:value = 'http://192.254.173.31/json/add/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-16T22:50:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5df8d9e5-f7a0-45b8-87c3-45ea950d210f",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-12-17T13:36:37.000Z",
"modified": "2019-12-17T13:36:37.000Z",
"first_observed": "2019-12-17T13:36:37Z",
"last_observed": "2019-12-17T13:36:37Z",
"number_observed": 1,
"object_refs": [
"url--5df8d9e5-f7a0-45b8-87c3-45ea950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5df8d9e5-f7a0-45b8-87c3-45ea950d210f",
"value": "https://github.com/Hestat/intel-sharing/blob/master/powershell-empire-12-16-19/misp.event.7941.json"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b5a7c-7204-4384-9512-48970a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T15:32:12.000Z",
"modified": "2019-10-07T15:32:12.000Z",
"description": "Selected malicious document (maldoc) used for the sandbox run",
"pattern": "[file:hashes.MD5 = '9ce5126ffcbc936ad6c0155763898f19' AND file:hashes.SHA1 = '284534ae3c3ca467f098115d07cd7e14cbec9583' AND file:hashes.SHA256 = 'dd007df90f91857a9efe65008cf015f7955ff05a5b243017e4931087f5742355' AND file:name = 'SCAN_10079460983_IB_1007.doc' AND file:size = '175104' AND (file:content_ref.x_misp_filename = 'SCAN_10079460983_IB_1007.doc' AND file:content_ref.hashes.MD5 = '9ce5126ffcbc936ad6c0155763898f19' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T15:32:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b5aa8-9a10-4649-bfd4-4dff0a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T15:32:56.000Z",
"modified": "2019-10-07T15:32:56.000Z",
"description": "Cobalt Strike payload invoked by PowerShell (ikillyou.txt)",
"pattern": "[file:hashes.MD5 = '26017e97acce09276f3b4c6800dec256' AND file:hashes.SHA1 = 'b49b6719495f8398f72e18c0e9450feacb0f9bd9' AND file:hashes.SHA256 = '3306d41a09840db2e94e7497c911e8d61d15776b44346f02bbb6a88f5bd51caa' AND file:name = 'ikillyou.txt' AND file:size = '2789' AND (file:content_ref.x_misp_filename = 'ikillyou.txt' AND file:content_ref.hashes.MD5 = '26017e97acce09276f3b4c6800dec256' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T15:32:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b6d2a-f048-4333-a71b-4f830a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T16:51:54.000Z",
"modified": "2019-10-07T16:51:54.000Z",
"pattern": "[(file:content_ref.x_misp_filename = '26017e97acce09276f3b4c6800dec256_unzipped_decoded.zip' AND file:content_ref.hashes.MD5 = '0e8c5174646dcd87ac893271b80c9633' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T16:51:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b80b5-67ac-4570-8958-4ea90a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T18:15:17.000Z",
"modified": "2019-10-07T18:15:17.000Z",
"description": "Emotet executable (pixelproc.exe)",
"pattern": "[file:hashes.MD5 = '9afcbf6f4f13a40791d368df767b4304' AND file:hashes.SHA1 = '019a178ee95b34980a2f07ee624528de5f4eae44' AND file:hashes.SHA256 = '16d007d650d117c68da005747378f16cebe820e75a2565be70602fad2cb6e1fe' AND file:name = 'pixelproc.exe' AND file:size = '221184' AND (file:content_ref.x_misp_filename = 'pixelproc.exe' AND file:content_ref.hashes.MD5 = '9afcbf6f4f13a40791d368df767b4304' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T18:15:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\"",
"misp-galaxy:tool=\"Emotet\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b8142-6bd0-484e-8a8f-43410a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T18:17:38.000Z",
"modified": "2019-10-07T18:17:38.000Z",
"description": "TrickBot executable; the recorded file name is only '.exe' (base name not captured), so match on the hashes rather than the name",
"pattern": "[file:hashes.MD5 = '9240845226d22642cbe5e0d39205d869' AND file:hashes.SHA1 = '10dae0bced984456d3d7a2b059cd71a4762f1c5b' AND file:hashes.SHA256 = '4cbe34dc9928a6b93786a69bea92b3df0e04fd67d116fc1746d817496314de9e' AND file:name = '.exe' AND file:size = '393309' AND (file:content_ref.x_misp_filename = '.exe' AND file:content_ref.hashes.MD5 = '9240845226d22642cbe5e0d39205d869' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T18:17:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b8162-9658-45ba-897f-4cdd0a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T18:18:10.000Z",
"modified": "2019-10-07T18:18:10.000Z",
"description": "TrickBot artifact (settings.ini)",
"pattern": "[file:hashes.MD5 = '03dfc482ccecbbbc16c5c208ae55d49a' AND file:hashes.SHA1 = '46b1ad83e2bbf22b08462656e979bca53afff6ba' AND file:hashes.SHA256 = 'e23033b26e459f6987fb65b9dd8a975a14c2ea9d903a720d4a67a32d43bff293' AND file:name = 'settings.ini' AND file:size = '63950' AND (file:content_ref.x_misp_filename = 'settings.ini' AND file:content_ref.hashes.MD5 = '03dfc482ccecbbbc16c5c208ae55d49a' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T18:18:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b817a-8320-4f3b-afee-43650a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T18:18:34.000Z",
"modified": "2019-10-07T18:18:34.000Z",
"description": "Exchange DB file from TrickBot (grabber_temp.INTEG.RAW)",
"pattern": "[file:hashes.MD5 = 'b65e8c666af6ff39c67552e0c98f55d5' AND file:hashes.SHA1 = '844ce6691b66a81237a592ec6bd2c59c8dbd52a0' AND file:hashes.SHA256 = '2826263cc5a3199167970f988c628c177ec45cee60618ae40e9fe84ec9167b73' AND file:name = 'grabber_temp.INTEG.RAW' AND file:size = '138246' AND (file:content_ref.x_misp_filename = 'grabber_temp.INTEG.RAW' AND file:content_ref.hashes.MD5 = 'b65e8c666af6ff39c67552e0c98f55d5' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T18:18:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b8302-b1ec-49b1-8c31-46d50a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T18:25:06.000Z",
"modified": "2019-10-07T18:25:06.000Z",
"description": "Cobalt Strike C2 server (port 443)",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '144.202.75.93') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T18:25:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5d9b8343-9d98-442f-b331-4a9a0a2fe004",
"created_by_ref": "identity--5d49b744-1ef4-4480-b486-40f06b08ac45",
"created": "2019-10-07T18:26:11.000Z",
"modified": "2019-10-07T18:26:11.000Z",
"description": "PowerShell Empire C2 server (port 443)",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.200.102.245') AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-10-07T18:26:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}