misp-circl-feed/feeds/circl/stix-2.1/595ffeba-0eac-4c22-953c-c6c402de0b81.json

594 lines
No EOL
26 KiB
JSON

{
"type": "bundle",
"id": "bundle--595ffeba-0eac-4c22-953c-c6c402de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-23T06:23:48.000Z",
"modified": "2017-11-23T06:23:48.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--595ffeba-0eac-4c22-953c-c6c402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-11-23T06:23:48.000Z",
"modified": "2017-11-23T06:23:48.000Z",
"name": "OSINT - Attack on Critical Infrastructure Leverages Template Injection",
"context": "suspicious-activity",
"object_refs": [
"observed-data--595ffec5-ab90-496e-8edf-41bc02de0b81",
"url--595ffec5-ab90-496e-8edf-41bc02de0b81",
"x-misp-attribute--595ffed7-8f20-4ae7-839f-419c02de0b81",
"indicator--595fff2d-3c18-4ae2-98c6-46f902de0b81",
"indicator--595fff2d-b108-4f78-bd75-437a02de0b81",
"indicator--595fff2d-e9fc-439a-b74a-417c02de0b81",
"indicator--595fff43-ea00-4f5c-b80d-478f02de0b81",
"indicator--595fff43-ef64-46c8-a17f-42e302de0b81",
"indicator--595fff43-90e4-4bab-896b-41df02de0b81",
"indicator--595fff5c-5e24-4630-851a-4a4b02de0b81",
"indicator--595fff5c-89b0-40fc-83ce-498702de0b81",
"indicator--595fff83-90dc-49bb-adfb-474102de0b81",
"indicator--595fff83-4b40-4ca6-b436-4b7b02de0b81",
"observed-data--595fff83-6fa4-4702-8563-40cf02de0b81",
"url--595fff83-6fa4-4702-8563-40cf02de0b81",
"indicator--595fff83-099c-4d69-8fd3-4ff202de0b81",
"indicator--595fff83-6c80-4097-a592-449902de0b81",
"observed-data--595fff83-28d8-4599-ab7e-411a02de0b81",
"url--595fff83-28d8-4599-ab7e-411a02de0b81",
"indicator--595fff83-f46c-47e4-9a96-45d202de0b81",
"indicator--595fff83-bab4-47da-ae9a-492602de0b81",
"observed-data--595fff83-9aa8-4361-bf50-42a502de0b81",
"url--595fff83-9aa8-4361-bf50-42a502de0b81",
"indicator--595fff83-72e0-4302-9540-494302de0b81",
"indicator--595fff83-5cac-4e37-8a69-447502de0b81",
"observed-data--595fff83-fbdc-41f5-b908-47cf02de0b81",
"url--595fff83-fbdc-41f5-b908-47cf02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"certsi:critical-sector=\"energy\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595ffec5-ab90-496e-8edf-41bc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:48.000Z",
"modified": "2017-07-07T21:39:48.000Z",
"first_observed": "2017-07-07T21:39:48Z",
"last_observed": "2017-07-07T21:39:48Z",
"number_observed": 1,
"object_refs": [
"url--595ffec5-ab90-496e-8edf-41bc02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595ffec5-ab90-496e-8edf-41bc02de0b81",
"value": "http://blog.talosintelligence.com/2017/07/template-injection.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--595ffed7-8f20-4ae7-839f-419c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:48.000Z",
"modified": "2017-07-07T21:39:48.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Attackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code. In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff2d-3c18-4ae2-98c6-46f902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Related IP Address",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '184.154.150.66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff2d-b108-4f78-bd75-437a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Related IP Address",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.153.58.45']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff2d-e9fc-439a-b74a-417c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Related IP Address",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.8.193.206']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff43-ea00-4f5c-b80d-478f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx",
"pattern": "[file:hashes.SHA256 = 'b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff43-ef64-46c8-a17f-42e302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx",
"pattern": "[file:hashes.SHA256 = '3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff43-90e4-4bab-896b-41df02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx",
"pattern": "[file:hashes.SHA256 = 'ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff5c-5e24-4630-851a-4a4b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"pattern": "[file:name = 'Report03-23-2017.docx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff5c-89b0-40fc-83ce-498702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Report03-23-2017.docx",
"pattern": "[file:hashes.SHA256 = '93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff83-90dc-49bb-adfb-474102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Report03-23-2017.docx - Xchecked via VT: 93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9",
"pattern": "[file:hashes.SHA1 = '67175f1de3a911958e4c075336160462df3ea7b1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff83-4b40-4ca6-b436-4b7b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Report03-23-2017.docx - Xchecked via VT: 93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9",
"pattern": "[file:hashes.MD5 = '3c432a21cfd05f976af8c47a007928f7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595fff83-6fa4-4702-8563-40cf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"first_observed": "2017-07-07T21:39:15Z",
"last_observed": "2017-07-07T21:39:15Z",
"number_observed": 1,
"object_refs": [
"url--595fff83-6fa4-4702-8563-40cf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595fff83-6fa4-4702-8563-40cf02de0b81",
"value": "https://www.virustotal.com/file/93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9/analysis/1499449645/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff83-099c-4d69-8fd3-4ff202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx - Xchecked via VT: ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08",
"pattern": "[file:hashes.SHA1 = '2872dcdf108563d16b6cf2ed383626861fc541d2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff83-6c80-4097-a592-449902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx - Xchecked via VT: ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08",
"pattern": "[file:hashes.MD5 = '722154a36f32ba10e98020a8ad758a7a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595fff83-28d8-4599-ab7e-411a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"first_observed": "2017-07-07T21:39:15Z",
"last_observed": "2017-07-07T21:39:15Z",
"number_observed": 1,
"object_refs": [
"url--595fff83-28d8-4599-ab7e-411a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595fff83-28d8-4599-ab7e-411a02de0b81",
"value": "https://www.virustotal.com/file/ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08/analysis/1499451984/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff83-f46c-47e4-9a96-45d202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx - Xchecked via VT: 3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0",
"pattern": "[file:hashes.SHA1 = '421eecdfe4f6987bb9ff7a6d65827563e53eafbb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff83-bab4-47da-ae9a-492602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx - Xchecked via VT: 3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0",
"pattern": "[file:hashes.MD5 = '4e4e9aac289f1c55e50227e2de66463b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595fff83-9aa8-4361-bf50-42a502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"first_observed": "2017-07-07T21:39:15Z",
"last_observed": "2017-07-07T21:39:15Z",
"number_observed": 1,
"object_refs": [
"url--595fff83-9aa8-4361-bf50-42a502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595fff83-9aa8-4361-bf50-42a502de0b81",
"value": "https://www.virustotal.com/file/3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0/analysis/1499463315/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff83-72e0-4302-9540-494302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx - Xchecked via VT: b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa",
"pattern": "[file:hashes.SHA1 = '5df2cb4b3a29adad4ba0a8f0b7eab5b6ae633977']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--595fff83-5cac-4e37-8a69-447502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"description": "Controls Engineer.docx - Xchecked via VT: b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa",
"pattern": "[file:hashes.MD5 = '4909db36f71106379832c8ca57ba5be8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-07-07T21:39:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--595fff83-fbdc-41f5-b908-47cf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-07-07T21:39:15.000Z",
"modified": "2017-07-07T21:39:15.000Z",
"first_observed": "2017-07-07T21:39:15Z",
"last_observed": "2017-07-07T21:39:15Z",
"number_observed": 1,
"object_refs": [
"url--595fff83-fbdc-41f5-b908-47cf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--595fff83-fbdc-41f5-b908-47cf02de0b81",
"value": "https://www.virustotal.com/file/b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa/analysis/1499445440/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}