{
"type": "bundle",
"id": "bundle--5c502e8e-09e8-4c7c-9135-4c1b950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-29T13:19:12.000Z",
"modified": "2019-01-29T13:19:12.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5c502e8e-09e8-4c7c-9135-4c1b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-29T13:19:12.000Z",
"modified": "2019-01-29T13:19:12.000Z",
"name": "2019-01-28: Turla Kazuar RAT",
"published": "2019-01-29T13:19:37Z",
"object_refs": [
"indicator--5c5037a7-d6f4-47ee-bb67-4cc3950d210f",
"indicator--5c5037a8-fcf8-4d3c-bab5-4c1e950d210f",
"x-misp-object--5c5032b0-5a34-4e58-bcf7-0435950d210f",
"indicator--5c5038be-fe38-403c-a413-0435950d210f",
"indicator--8670f30a-fed5-4ecf-8486-544baa950b1d",
"x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab",
"relationship--37897fbf-2e68-47c7-8bb3-f2fae0075132"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:malpedia=\"Turla RAT\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\"",
"misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"",
"misp-galaxy:threat-actor=\"Turla Group\"",
"misp-galaxy:tool=\"Turla\"",
"misp-galaxy:malpedia=\"Kazuar\"",
"misp-galaxy:mitre-malware=\"Kazuar - S0265\"",
"misp-galaxy:tool=\"Kazuar\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"ms-caro-malware:malware-type=\"RemoteAccess\"",
"enisa:nefarious-activity-abuse=\"remote-access-tool\"",
"veris:asset:variety=\"S - Remote access\"",
"veris:action:misuse:vector=\"Remote access\"",
"ms-caro-malware-full:malware-type=\"RemoteAccess\"",
"CERT-XLM:malicious-code=\"spyware-rat\"",
"osint:source-type=\"microblog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c5037a7-d6f4-47ee-bb67-4cc3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-29T11:23:19.000Z",
"modified": "2019-01-29T11:23:19.000Z",
"description": "Kazuar C2 URL (WordPress wp-content path) as reported in the VK_Intel microblog post",
"pattern": "[url:value = 'northviewcanada.com/wp-content/galler/slider/']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-29T11:23:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c5037a8-fcf8-4d3c-bab5-4c1e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-29T11:23:20.000Z",
"modified": "2019-01-29T11:23:20.000Z",
"description": "Kazuar C2 URL (WordPress wp-content path) as reported in the VK_Intel microblog post",
"pattern": "[url:value = 'zycie-chotomowa.pl/wp-content/languages/index.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-29T11:23:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5c5032b0-5a34-4e58-bcf7-0435950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-29T11:02:08.000Z",
"modified": "2019-01-29T11:02:08.000Z",
"labels": [
"misp:name=\"microblog\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "post",
"value": "2019-01-28: #Turla #Kazuar #RAT: Component: { loader, service, solver, sender, singler, scripter } C2: { northviewcanada[.com/wp-content/galler/slider/, zycie-chotomowa[.pl/wp-content/languages/index.php } MD5: 988df2967a7239a4b916cc9fcedaff68 cc @DrunkBinary",
"category": "Other",
"uuid": "5c5032b0-929c-4c5c-bd49-0435950d210f"
},
{
"type": "text",
"object_relation": "type",
"value": "Twitter",
"category": "Other",
"uuid": "5c5032b0-6b0c-42df-8c8b-0435950d210f"
},
{
"type": "url",
"object_relation": "url",
"value": "https://twitter.com/VK_Intel/status/1089959988116799491",
"category": "Network activity",
"to_ids": true,
"uuid": "5c5032b0-ea2c-4c6f-9ba0-0435950d210f"
},
{
"type": "text",
"object_relation": "username-quoted",
"value": "DrunkBinary",
"category": "Other",
"uuid": "5c5032b0-e2a8-4d81-a227-0435950d210f"
},
{
"type": "datetime",
"object_relation": "creation-date",
"value": "2019-01-28T10:54:00",
"category": "Other",
"uuid": "5c5032b0-6d34-4368-8ba7-0435950d210f"
},
{
"type": "text",
"object_relation": "username",
"value": "VK_Intel",
"category": "Other",
"uuid": "5c5032b0-4528-4080-bbb4-0435950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "microblog"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c5038be-fe38-403c-a413-0435950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-29T11:27:58.000Z",
"modified": "2019-01-29T11:27:58.000Z",
"pattern": "[file:hashes.MD5 = '988df2967a7239a4b916cc9fcedaff68' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-29T11:27:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8670f30a-fed5-4ecf-8486-544baa950b1d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-29T13:19:03.000Z",
"modified": "2019-01-29T13:19:03.000Z",
"pattern": "[file:hashes.MD5 = '988df2967a7239a4b916cc9fcedaff68' AND file:hashes.SHA1 = '321fac7d4cabce35ce0adc67c700f47d47359021' AND file:hashes.SHA256 = '44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-01-29T13:19:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-01-29T13:19:03.000Z",
"modified": "2019-01-29T13:19:03.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2019-01-29T07:35:34",
"category": "Other",
"uuid": "d510388b-8e85-4a4d-90a3-54861f1c0110"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac/analysis/1548747334/",
"category": "External analysis",
"uuid": "c8f2c1f7-80d2-4ea5-9750-e9a85809f91d"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "42/69",
"category": "Other",
"uuid": "c977a42a-64e2-4f6d-b065-86ac107beec4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--37897fbf-2e68-47c7-8bb3-f2fae0075132",
"created": "2019-01-29T13:19:03.000Z",
"modified": "2019-01-29T13:19:03.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--8670f30a-fed5-4ecf-8486-544baa950b1d",
"target_ref": "x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}