763 lines
No EOL
32 KiB
JSON
763 lines
No EOL
32 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5a3cc84d-2434-4ae6-8d76-c328950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-16T03:00:22.000Z",
|
|
"modified": "2018-01-16T03:00:22.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5a3cc84d-2434-4ae6-8d76-c328950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-16T03:00:22.000Z",
|
|
"modified": "2018-01-16T03:00:22.000Z",
|
|
"name": "OSINT - Sednit espionage group now using custom exploit kit",
|
|
"published": "2018-02-16T08:50:00Z",
|
|
"object_refs": [
|
|
"observed-data--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
|
|
"url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
|
|
"indicator--5a5c62c4-5fa8-47a1-ac11-42d1950d210f",
|
|
"indicator--5a5c62c4-d124-4726-be84-4da3950d210f",
|
|
"x-misp-attribute--5a5c62d9-9f74-422c-8f34-4b01950d210f",
|
|
"indicator--5a5c638d-0124-4863-9ec0-4887950d210f",
|
|
"indicator--5a5c638e-8a7c-43e1-937f-4b3b950d210f",
|
|
"indicator--5a5c638e-bf5c-4a8b-95a1-46b8950d210f",
|
|
"indicator--5a5c638f-4cec-4f74-827a-4e65950d210f",
|
|
"indicator--5a5c638f-4558-4ffb-84e6-4e5c950d210f",
|
|
"indicator--5a5c638f-aad4-4cda-b677-420f950d210f",
|
|
"indicator--5a5c6390-a4a4-408c-ad20-45a1950d210f",
|
|
"indicator--5a5c6390-ffd0-4f5b-a8e9-4b66950d210f",
|
|
"indicator--5a5c6391-5ec8-4f4d-9dd1-4195950d210f",
|
|
"observed-data--5a5c64c3-16fc-4549-ba11-46fb950d210f",
|
|
"mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f",
|
|
"indicator--5a5c658d-553c-4781-b2b4-42e0950d210f",
|
|
"indicator--5a5c658d-692c-41e7-bff7-4273950d210f",
|
|
"indicator--5a5c658e-b0c0-4b6c-95b3-4a10950d210f",
|
|
"indicator--5a5c65a4-a200-44f5-8df6-416f950d210f",
|
|
"indicator--5a5c65a4-acbc-44bd-84eb-4716950d210f",
|
|
"indicator--5a5c65ee-e860-4444-911d-4da6950d210f",
|
|
"indicator--5a5c65ef-8130-414c-95a8-4513950d210f",
|
|
"indicator--5a5c65ef-25c8-40c4-bcca-4adc950d210f",
|
|
"indicator--5a5c65ef-9280-45a6-8a0d-40df950d210f",
|
|
"indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e",
|
|
"x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece",
|
|
"indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7",
|
|
"x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184",
|
|
"relationship--c937e21c-55ff-4ea6-8fd7-9a0260bf14e3",
|
|
"relationship--c3a55e8a-ded1-4b84-a189-5cdcbf1968a5"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:exploit-kit=\"Sednit EK\"",
|
|
"veris:actor:motive=\"Espionage\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:18.000Z",
|
|
"modified": "2018-01-15T09:33:18.000Z",
|
|
"first_observed": "2018-01-15T09:33:18Z",
|
|
"last_observed": "2018-01-15T09:33:18Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5a3cc85e-39cc-4aaf-8eec-4c5c950d210f",
|
|
"value": "https://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c62c4-5fa8-47a1-ac11-42d1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:19.000Z",
|
|
"modified": "2018-01-15T09:33:19.000Z",
|
|
"pattern": "[url:value = 'http://defenceiq.us/2rfKZL_BGwEQ']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c62c4-d124-4726-be84-4da3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:19.000Z",
|
|
"modified": "2018-01-15T09:33:19.000Z",
|
|
"pattern": "[url:value = 'http://cntt.akcdndata.com/gpw?file=stat.js']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5a5c62d9-9f74-422c-8f34-4b01950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:20.000Z",
|
|
"modified": "2018-01-15T09:33:20.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "For at least five years the Sednit group has been relentlessly attacking various institutions, most notably in Eastern Europe. The group used several advanced pieces of malware for these targeted attacks, in particular the one we named Win32/Sednit, also known as Sofacy.\r\n\r\nWe recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group which has relied mostly on spear-phishing emails up until now.\r\n\r\nIn this blog, we will first examine on recent cases of spear-phishing emails using the CVE-2014-1761 Microsoft Word exploit. We will then focus on the exploit kit, which appears to still be in development and testing phase, and briefly describe the actual payload."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c638d-0124-4863-9ec0-4887950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:20.000Z",
|
|
"modified": "2018-01-15T09:33:20.000Z",
|
|
"description": "Military news",
|
|
"pattern": "[domain-name:value = 'defenceiq.us']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c638e-8a7c-43e1-937f-4b3b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:20.000Z",
|
|
"modified": "2018-01-15T09:33:20.000Z",
|
|
"description": "Military news",
|
|
"pattern": "[domain-name:value = 'defenceiq.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c638e-bf5c-4a8b-95a1-46b8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:20.000Z",
|
|
"modified": "2018-01-15T09:33:20.000Z",
|
|
"description": "Military news",
|
|
"pattern": "[domain-name:value = 'armypress.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c638f-4cec-4f74-827a-4e65950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:21.000Z",
|
|
"modified": "2018-01-15T09:33:21.000Z",
|
|
"description": "Military news",
|
|
"pattern": "[domain-name:value = 'armytime.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c638f-4558-4ffb-84e6-4e5c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:21.000Z",
|
|
"modified": "2018-01-15T09:33:21.000Z",
|
|
"description": "Foreign Affairs magazine",
|
|
"pattern": "[domain-name:value = 'mfapress.org']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:21Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c638f-aad4-4cda-b677-420f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:22.000Z",
|
|
"modified": "2018-01-15T09:33:22.000Z",
|
|
"description": "Foreign Affairs magazine",
|
|
"pattern": "[domain-name:value = 'foreignaffairs.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c6390-a4a4-408c-ad20-45a1950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:22.000Z",
|
|
"modified": "2018-01-15T09:33:22.000Z",
|
|
"description": "Foreign Affairs magazine",
|
|
"pattern": "[domain-name:value = 'mfapress.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c6390-ffd0-4f5b-a8e9-4b66950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:22.000Z",
|
|
"modified": "2018-01-15T09:33:22.000Z",
|
|
"description": "CACI International, defense & cyber security contractor",
|
|
"pattern": "[domain-name:value = 'caciltd.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c6391-5ec8-4f4d-9dd1-4195950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:23.000Z",
|
|
"modified": "2018-01-15T09:33:23.000Z",
|
|
"description": "CACI International, defense & cyber security contractor",
|
|
"pattern": "[domain-name:value = 'caci.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5a5c64c3-16fc-4549-ba11-46fb950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:23.000Z",
|
|
"modified": "2018-01-15T09:33:23.000Z",
|
|
"first_observed": "2018-01-15T09:33:23Z",
|
|
"last_observed": "2018-01-15T09:33:23Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"mutex\"",
|
|
"misp:category=\"Artifacts dropped\""
|
|
]
|
|
},
|
|
{
|
|
"type": "mutex",
|
|
"spec_version": "2.1",
|
|
"id": "mutex--5a5c64c3-16fc-4549-ba11-46fb950d210f",
|
|
"name": "XSQWERSystemCriticalSection_for_1232321"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c658d-553c-4781-b2b4-42e0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:23.000Z",
|
|
"modified": "2018-01-15T09:33:23.000Z",
|
|
"pattern": "[domain-name:value = 'msonlinelive.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c658d-692c-41e7-bff7-4273950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:24.000Z",
|
|
"modified": "2018-01-15T09:33:24.000Z",
|
|
"pattern": "[domain-name:value = 'windows-updater.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c658e-b0c0-4b6c-95b3-4a10950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:24.000Z",
|
|
"modified": "2018-01-15T09:33:24.000Z",
|
|
"pattern": "[domain-name:value = 'azureon-line.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:24Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"domain\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c65a4-a200-44f5-8df6-416f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:25.000Z",
|
|
"modified": "2018-01-15T09:33:25.000Z",
|
|
"pattern": "[file:name = 'edg6EF885E2.tmp']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:25Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c65a4-acbc-44bd-84eb-4716950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:26.000Z",
|
|
"modified": "2018-01-15T09:33:26.000Z",
|
|
"pattern": "[file:name = 'edg6E85F98675.tmp']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c65ee-e860-4444-911d-4da6950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T08:27:26.000Z",
|
|
"modified": "2018-01-15T08:27:26.000Z",
|
|
"description": "Word exploit",
|
|
"pattern": "[file:hashes.SHA1 = '86092636e7ffa22481ca89ac1b023c32c56b24cf']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T08:27:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c65ef-8130-414c-95a8-4513950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T08:27:27.000Z",
|
|
"modified": "2018-01-15T08:27:27.000Z",
|
|
"description": "Word exploit",
|
|
"pattern": "[file:hashes.SHA1 = '12223f098ba3088379ec1dc59440c662752ddabd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T08:27:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c65ef-25c8-40c4-bcca-4adc950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T08:27:27.000Z",
|
|
"modified": "2018-01-15T08:27:27.000Z",
|
|
"description": "Dropper",
|
|
"pattern": "[file:hashes.SHA1 = 'd61ee0b0d4ed95f3300735c81740a21b8beef337']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T08:27:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5a5c65ef-9280-45a6-8a0d-40df950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T08:27:27.000Z",
|
|
"modified": "2018-01-15T08:27:27.000Z",
|
|
"description": "Payload",
|
|
"pattern": "[file:hashes.SHA1 = 'd0db619a7a160949528d46d20fc0151bf9775c32']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T08:27:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:29.000Z",
|
|
"modified": "2018-01-15T09:33:29.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'df895e6479abf85c4c65d7d3a2451ddb' AND file:hashes.SHA1 = 'd61ee0b0d4ed95f3300735c81740a21b8beef337' AND file:hashes.SHA256 = '6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:28.000Z",
|
|
"modified": "2018-01-15T09:33:28.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/6ffaa374cfa9504b061b52a353913c6c120bd4fe43e1a79f69fba7f964e30a4e/analysis/1515795459/",
|
|
"category": "External analysis",
|
|
"comment": "Dropper",
|
|
"uuid": "5a5c7568-9fa0-46fb-b5e0-482d02de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "51/68",
|
|
"category": "Other",
|
|
"comment": "Dropper",
|
|
"uuid": "5a5c7568-b834-46be-af37-4b5f02de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2018-01-12T22:17:39",
|
|
"category": "Other",
|
|
"comment": "Dropper",
|
|
"uuid": "5a5c7568-8aec-4806-9c81-425c02de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:32.000Z",
|
|
"modified": "2018-01-15T09:33:32.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'ee64d3273f9b4d80020c24edcbbf961e' AND file:hashes.SHA1 = 'd0db619a7a160949528d46d20fc0151bf9775c32' AND file:hashes.SHA256 = 'e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-01-15T09:33:32Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-01-15T09:33:30.000Z",
|
|
"modified": "2018-01-15T09:33:30.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81/analysis/1490591462/",
|
|
"category": "External analysis",
|
|
"comment": "Payload",
|
|
"uuid": "5a5c756a-6948-4c29-89dc-443c02de0b81"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "44/61",
|
|
"category": "Other",
|
|
"comment": "Payload",
|
|
"uuid": "5a5c756a-63e8-4ebb-af6b-49f602de0b81"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2017-03-27T05:11:02",
|
|
"category": "Other",
|
|
"comment": "Payload",
|
|
"uuid": "5a5c756b-c6a8-4d3b-9ab5-426302de0b81"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--c937e21c-55ff-4ea6-8fd7-9a0260bf14e3",
|
|
"created": "2018-02-16T08:50:00.000Z",
|
|
"modified": "2018-02-16T08:50:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--935f70e3-fd7e-4dcd-80a9-71f5122d366e",
|
|
"target_ref": "x-misp-object--6fb315f6-2c07-4d90-a911-0e19777e1ece"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--c3a55e8a-ded1-4b84-a189-5cdcbf1968a5",
|
|
"created": "2018-02-16T08:50:00.000Z",
|
|
"modified": "2018-02-16T08:50:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--a480344a-22a8-4fc6-9f8e-40ca8337e6f7",
|
|
"target_ref": "x-misp-object--644f91bf-274d-4743-ae1e-075b0118c184"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |