Last active
December 9, 2021 10:24
-
-
Save traut/05d70be673133b0b4c938057fb38da04 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "type": "bundle", | |
| "id": "bundle--a6fb81b8-46c7-40de-85be-bee510f08d1b", | |
| "objects": [ | |
| { | |
| "type": "campaign", | |
| "spec_version": "2.1", | |
| "id": "campaign--12a111f0-b824-4baf-a224-83b80237a094", | |
| "lang": "en", | |
| "created": "2017-02-08T21:31:22.007Z", | |
| "modified": "2017-02-08T21:31:22.007Z", | |
| "name": "Bank Attack", | |
| "description": "Some description about attack on the Bank", | |
| "created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "granular_markings": [ | |
| { | |
| "selectors": ["description"], | |
| "lang": "de" | |
| } | |
| ], | |
| "object_marking_refs": [ | |
| "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82" | |
| ], | |
| "granular_markings": [ | |
| { | |
| "marking_ref": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", | |
| "selectors": ["description", "name"] | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "artifact", | |
| "spec_version": "2.1", | |
| "id": "artifact--6f437177-6e48-5cf8-9d9e-872a2bddd641", | |
| "mime_type": "application/zip", | |
| "payload_bin": "dGVzdC1iaW4tcGF5bG9hZA==", | |
| "encryption_algorithm": "mime-type-indicated", | |
| "decryption_key": "My voice is my passport" | |
| }, | |
| { | |
| "type": "autonomous-system", | |
| "spec_version": "2.1", | |
| "id": "autonomous-system--f720c34b-98ae-597f-ade5-27dc241e8c74", | |
| "number": 15139, | |
| "name": "Slime Industries", | |
| "rir": "ARIN" | |
| }, | |
| { | |
| "type": "directory", | |
| "spec_version": "2.1", | |
| "id": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05", | |
| "path": "C:\\Windows\\System32" | |
| }, | |
| { | |
| "type": "domain-name", | |
| "spec_version": "2.1", | |
| "id": "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5", | |
| "value": "example.com" | |
| }, | |
| { | |
| "type": "ipv4-addr", | |
| "spec_version": "2.1", | |
| "id": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd", | |
| "value": "198.51.100.3" | |
| }, | |
| { | |
| "type": "ipv4-addr", | |
| "spec_version": "2.1", | |
| "id": "ipv4-addr--61cd40a7-0547-553e-8127-c9ee44ec47b3", | |
| "value": "198.127.0.123" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--ecca811f-f6ce-4c46-86c6-1ea1b1d58a0a", | |
| "created": "2018-11-23T08:17:27.000Z", | |
| "modified": "2018-11-23T08:17:27.000Z", | |
| "relationship_type": "resolves-to", | |
| "source_ref": "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5", | |
| "target_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd" | |
| }, | |
| { | |
| "type": "email-addr", | |
| "spec_version": "2.1", | |
| "id": "email-addr--2d77a846-6264-5d51-b586-e43822ea1ea3", | |
| "value": "john@example.com", | |
| "display_name": "John Doe", | |
| "belongs_to_ref": "user-account--9bd3afcf-deee-54f9-83e2-520653cb6bba" | |
| }, | |
| { | |
| "type": "email-message", | |
| "spec_version": "2.1", | |
| "id": "email-message--e2846b57-e113-5272-8a16-9059d4a6784e", | |
| "from_ref": "email-addr--2d77a846-6264-5d51-b586-e43822ea1ea3", | |
| "subject": "Dummy email subject", | |
| "is_multipart": false, | |
| "body": "Dummy email body", | |
| "date": "2004-04-19T12:22:23.000Z", | |
| "additional_header_fields": { | |
| "Reply-To": [ | |
| "steve@example.com", | |
| "jane@example.com" | |
| ] | |
| } | |
| }, | |
| { | |
| "type": "file", | |
| "spec_version": "2.1", | |
| "id": "file--66156fad-2a0d-5237-bba4-ba1912887cfe", | |
| "hashes": { | |
| "SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a" | |
| }, | |
| "parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05", | |
| "name": "qwerty.dll" | |
| }, | |
| { | |
| "type": "file", | |
| "spec_version": "2.1", | |
| "id": "file--9a1f834d-2506-5367-baec-7aa63996ac43", | |
| "name": "foo.zip", | |
| "hashes": { | |
| "SHA-256": "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f" | |
| }, | |
| "mime_type": "application/zip", | |
| "parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05", | |
| "extensions": { | |
| "archive-ext": { | |
| "contains_refs": [ | |
| "file--66156fad-2a0d-5237-bba4-ba1912887cfe", | |
| "file--e04f22d1-be2c-59de-add8-10f61d15fe20" | |
| ] | |
| }, | |
| "ntfs-ext": { | |
| "sid": "S-1-5-32-544", | |
| "alternate_data_streams": [ | |
| { | |
| "name": "second.stream", | |
| "size": 25536 | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| { | |
| "type": "file", | |
| "spec_version": "2.1", | |
| "id": "file--ec3415cc-5f4f-5ec8-bdb1-6f86996ae66d", | |
| "parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05", | |
| "extensions": { | |
| "pdf-ext": { | |
| "version": "1.7", | |
| "document_info_dict": { | |
| "Title": "Sample document", | |
| "Author": "Adobe Systems Incorporated", | |
| "Creator": "Adobe FrameMaker 5.5.3 for Power Macintosh", | |
| "Producer": "Acrobat Distiller 3.01 for Power Macintosh", | |
| "CreationDate": "20070412090123-02" | |
| }, | |
| "pdfid0": "DFCE52BD827ECF765649852119D", | |
| "pdfid1": "57A1E0F9ED2AE523E313C" | |
| } | |
| } | |
| }, | |
| { | |
| "type": "file", | |
| "spec_version": "2.1", | |
| "id": "file--c7d1e135-8b34-549a-bb47-302f5cf998ed", | |
| "name": "picture.jpg", | |
| "parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05", | |
| "hashes": { | |
| "SHA-256": "4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877" | |
| }, | |
| "extensions": { | |
| "raster-image-ext": { | |
| "exif_tags": { | |
| "Make": "Nikon", | |
| "Model": "D7000", | |
| "XResolution": 4928, | |
| "YResolution": 3264 | |
| } | |
| } | |
| } | |
| }, | |
| { | |
| "type": "file", | |
| "spec_version": "2.1", | |
| "id": "file--fb0419a8-f09c-57f8-be64-71a80417591c", | |
| "parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05", | |
| "extensions": { | |
| "windows-pebinary-ext": { | |
| "pe_type": "exe", | |
| "machine_hex": "014c", | |
| "number_of_sections": 4, | |
| "time_date_stamp": "2016-01-22T12:31:12Z", | |
| "pointer_to_symbol_table_hex": "74726144", | |
| "number_of_symbols": 4542568, | |
| "size_of_optional_header": 224, | |
| "characteristics_hex": "818f", | |
| "optional_header": { | |
| "magic_hex": "010b", | |
| "major_linker_version": 2, | |
| "minor_linker_version": 25, | |
| "size_of_code": 512, | |
| "size_of_initialized_data": 283648, | |
| "size_of_uninitialized_data": 0, | |
| "address_of_entry_point": 4096, | |
| "base_of_code": 4096, | |
| "base_of_data": 8192, | |
| "image_base": 14548992, | |
| "section_alignment": 4096, | |
| "file_alignment": 4096, | |
| "major_os_version": 1, | |
| "minor_os_version": 0, | |
| "major_image_version": 0, | |
| "minor_image_version": 0, | |
| "major_subsystem_version": 4, | |
| "minor_subsystem_version": 0, | |
| "win32_version_value_hex": "00", | |
| "size_of_image": 299008, | |
| "size_of_headers": 4096, | |
| "checksum_hex": "00", | |
| "subsystem_hex": "03", | |
| "dll_characteristics_hex": "00", | |
| "size_of_stack_reserve": 100000, | |
| "size_of_stack_commit": 8192, | |
| "size_of_heap_reserve": 100000, | |
| "size_of_heap_commit": 4096, | |
| "loader_flags_hex": "abdbffde", | |
| "number_of_rva_and_sizes": 3758087646 | |
| }, | |
| "sections": [ | |
| { | |
| "name": "CODE", | |
| "entropy": 0.061089 | |
| }, | |
| { | |
| "name": "DATA", | |
| "entropy": 7.980693 | |
| }, | |
| { | |
| "name": "NicolasB", | |
| "entropy": 0.607433 | |
| }, | |
| { | |
| "name": ".idata", | |
| "entropy": 0.607433 | |
| } | |
| ] | |
| } | |
| } | |
| }, | |
| { | |
| "type": "ipv6-addr", | |
| "spec_version": "2.1", | |
| "id": "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1", | |
| "value": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--8b3c6eb4-9e22-4193-9e16-e297a593e50b", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "relationship_type": "belongs-to", | |
| "source_ref": "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1", | |
| "target_ref": "autonomous-system--f720c34b-98ae-597f-ade5-27dc241e8c74" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--9bd32ea7-3110-4699-86d5-3ddb29b66304", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "relationship_type": "resolves-to", | |
| "source_ref": "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1", | |
| "target_ref": "mac-addr--65cfcf98-8a6e-5a1b-8f61-379ac4f92d00" | |
| }, | |
| { | |
| "type": "ipv6-addr", | |
| "spec_version": "2.1", | |
| "id": "ipv6-addr--5daf7456-8863-5481-9d42-237d477697f4", | |
| "value": "2001:0db8::/96" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--c333de37-0930-4d33-b4b8-892e75961dc2", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "relationship_type": "belongs-to", | |
| "source_ref": "ipv6-addr--5daf7456-8863-5481-9d42-237d477697f4", | |
| "target_ref": "autonomous-system--f720c34b-98ae-597f-ade5-27dc241e8c74" | |
| }, | |
| { | |
| "type": "mac-addr", | |
| "spec_version": "2.1", | |
| "id": "mac-addr--65cfcf98-8a6e-5a1b-8f61-379ac4f92d00", | |
| "value": "d2:fb:49:24:37:18" | |
| }, | |
| { | |
| "type": "mutex", | |
| "spec_version": "2.1", | |
| "id": "mutex--eba44954-d4e4-5d3b-814c-2b17dd8de300", | |
| "name": "__CLEANSWEEP__" | |
| }, | |
| { | |
| "type": "network-traffic", | |
| "spec_version": "2.1", | |
| "id": "network-traffic--2568d22a-8998-58eb-99ec-3c8ca74f527d", | |
| "src_ref": "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1", | |
| "dst_ref": "ipv6-addr--5daf7456-8863-5481-9d42-237d477697f4", | |
| "protocols": ["ipv6", "tcp", "ssl", "https"], | |
| "src_port": 12188, | |
| "dst_port": 443, | |
| "src_byte_count": 147600, | |
| "src_packets": 100, | |
| "encapsulated_by_ref": "network-traffic--b4a8c150-e214-57a3-9017-e85dfa345f46" | |
| }, | |
| { | |
| "type": "network-traffic", | |
| "spec_version": "2.1", | |
| "id": "network-traffic--b4a8c150-e214-57a3-9017-e85dfa345f46", | |
| "src_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd", | |
| "dst_ref": "ipv4-addr--61cd40a7-0547-553e-8127-c9ee44ec47b3", | |
| "src_port": 2487, | |
| "dst_port": 53, | |
| "protocols": [ | |
| "ipv4", | |
| "udp", | |
| "dns" | |
| ], | |
| "src_byte_count": 35779, | |
| "dst_byte_count": 935750, | |
| "encapsulates_refs": [ | |
| "network-traffic--2568d22a-8998-58eb-99ec-3c8ca74f527d" | |
| ] | |
| }, | |
| { | |
| "type": "process", | |
| "spec_version": "2.1", | |
| "id": "process--f52a906a-0dfc-40bd-92f1-e7778ead38a9", | |
| "pid": 1221, | |
| "created_time": "2016-01-20T14:11:25.55Z", | |
| "command_line": "./gedit-bin --new-window", | |
| "image_ref": "file--e04f22d1-be2c-59de-add8-10f61d15fe20", | |
| "extensions": { | |
| "windows-process-ext": { | |
| "aslr_enabled": true, | |
| "dep_enabled": true, | |
| "priority": "HIGH_PRIORITY_CLASS", | |
| "owner_sid": "S-1-5-21-186985262-1144665072-74031268-1309" | |
| } | |
| } | |
| }, | |
| { | |
| "type": "file", | |
| "spec_version": "2.1", | |
| "id": "file--e04f22d1-be2c-59de-add8-10f61d15fe20", | |
| "name": "gedit-bin", | |
| "hashes": { | |
| "SHA-256": "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f" | |
| } | |
| }, | |
| { | |
| "type": "software", | |
| "spec_version": "2.1", | |
| "id": "software--a1827f6d-ca53-5605-9e93-4316cd22a00a", | |
| "name": "Word", | |
| "cpe": "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*", | |
| "version": "2002", | |
| "vendor": "Microsoft" | |
| }, | |
| { | |
| "type": "url", | |
| "spec_version": "2.1", | |
| "id": "url--c1477287-23ac-5971-a010-5c287877fa60", | |
| "value": "https://example.com/research/index.html" | |
| }, | |
| { | |
| "type": "user-account", | |
| "spec_version": "2.1", | |
| "id": "user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c", | |
| "user_id": "1001", | |
| "account_login": "jdoe", | |
| "account_type": "unix", | |
| "display_name": "John Doe", | |
| "is_service_account": false, | |
| "is_privileged": false, | |
| "can_escalate_privs": true, | |
| "account_created": "2016-01-20T12:31:12Z", | |
| "credential_last_changed": "2016-01-20T14:27:43Z", | |
| "account_first_login": "2016-01-20T14:26:07Z", | |
| "account_last_login": "2016-07-22T16:08:28Z", | |
| "extensions": { | |
| "unix-account-ext": { | |
| "gid": 1001, | |
| "groups": ["wheel"], | |
| "home_dir": "/home/jdoe", | |
| "shell": "/bin/bash" | |
| } | |
| } | |
| }, | |
| { | |
| "type": "user-account", | |
| "spec_version": "2.1", | |
| "id": "user-account--9bd3afcf-deee-54f9-83e2-520653cb6bba", | |
| "user_id": "thegrugq_ebooks", | |
| "account_login": "thegrugq_ebooks", | |
| "account_type": "twitter", | |
| "display_name": "the grugq" | |
| }, | |
| { | |
| "type": "windows-registry-key", | |
| "spec_version": "2.1", | |
| "id": "windows-registry-key--9d60798d-4e3e-5fe4-af8a-0e4986f0f90b", | |
| "key": "HKEY_LOCAL_MACHINE\\System\\Foo\\Bar", | |
| "values": [ | |
| { | |
| "name": "Foo", | |
| "data": "qwerty", | |
| "data_type": "REG_SZ" | |
| }, | |
| { | |
| "name": "Bar", | |
| "data": "42", | |
| "data_type": "REG_DWORD" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "x509-certificate", | |
| "spec_version": "2.1", | |
| "id": "x509-certificate--463d7b2a-8516-5a50-a3d7-6f801465d5de", | |
| "issuer": "C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com", | |
| "validity_not_before": "2016-03-12T12:00:00Z", | |
| "validity_not_after": "2016-08-21T12:00:00Z", | |
| "subject": "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org", | |
| "serial_number": "36:f7:d4:32:f4:ab:70:ea:d3:ce:98:6e:ea:99:93:49:32:0a:b7:06" | |
| }, | |
| { | |
| "type": "language-content", | |
| "id": "language-content--b86bd89f-98bb-4fa9-8cb2-9ad421da981d", | |
| "spec_version": "2.1", | |
| "created": "2017-02-08T21:31:22.007Z", | |
| "modified": "2017-02-08T21:31:22.007Z", | |
| "object_ref": "campaign--12a111f0-b824-4baf-a224-83b80237a094", | |
| "object_modified": "2017-02-08T21:31:22.007Z", | |
| "contents": { | |
| "de": { | |
| "name": "Bank Angriff", | |
| "description": "Weitere Informationen über Banküberfall" | |
| }, | |
| "fr": { | |
| "name": "Attaque Bank", | |
| "description": "Plus d'informations sur la crise bancaire" | |
| } | |
| } | |
| }, | |
| { | |
| "type": "marking-definition", | |
| "spec_version": "2.1", | |
| "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", | |
| "created": "2016-08-01T00:00:00.000Z", | |
| "definition_type": "statement", | |
| "definition": { | |
| "statement": "Copyright 2019, Example Corp" | |
| } | |
| }, | |
| { | |
| "type": "marking-definition", | |
| "spec_version": "2.1", | |
| "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", | |
| "created": "2017-01-20T00:00:00.000Z", | |
| "definition_type": "tlp", | |
| "name": "TLP:AMBER", | |
| "definition": { | |
| "tlp": "amber" | |
| } | |
| }, | |
| { | |
| "type": "attack-pattern", | |
| "spec_version": "2.1", | |
| "id": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "name": "Spear Phishing as Practiced by Adversary X", | |
| "description": "A particular form of spear phishing where the attacker claims that the target had won a contest, including personal details, to get them to click on a link.", | |
| "external_references": [ | |
| { | |
| "source_name": "capec", | |
| "external_id": "CAPEC-163" | |
| } | |
| ], | |
| "object_marking_refs": [ | |
| "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" | |
| ] | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--57b56a43-b8b0-4cba-9deb-34e3e1faed9e", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "relationship_type": "uses", | |
| "source_ref": "intrusion-set--0c7e22ad-b099-4dc3-b0df-2ea3f49ae2e6", | |
| "target_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--1c620a2e-2a75-4a23-a617-eb4ed9d8ad0c", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "relationship_type": "owns", | |
| "source_ref": "intrusion-set--0c7e22ad-b099-4dc3-b0df-2ea3f49ae2e6", | |
| "target_ref": "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d" | |
| }, | |
| { | |
| "type": "intrusion-set", | |
| "spec_version": "2.1", | |
| "id": "intrusion-set--0c7e22ad-b099-4dc3-b0df-2ea3f49ae2e6", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "name": "Bobcat Scare", | |
| "description": "Incidents usually feature a shared TTP of a obcat being released within the building containing network access, scaring users to leave their computers without locking them first. Still determining where the threat actors are getting the bobcats.", | |
| "aliases": ["Zookeeper"], | |
| "goals": ["acquisition-theft", "harassment", "damage"], | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "object_marking_refs": [ | |
| "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" | |
| ] | |
| }, | |
| { | |
| "type": "course-of-action", | |
| "spec_version": "2.1", | |
| "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:03:48.000Z", | |
| "modified": "2016-04-06T20:03:48.000Z", | |
| "name": "Mitigation for a malware in a firewall", | |
| "description": "This action points to a recommended set of steps to respond to the Poison Ivy malware on a Cisco firewall device", | |
| "action_type": "cisco:ios", | |
| "action_reference": { | |
| "source_name": "internet", | |
| "url": "https://www.stopthebad.com/poisonivyresponse.asa" | |
| }, | |
| "object_marking_refs": [ | |
| "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed" | |
| ] | |
| }, | |
| { | |
| "type": "malware", | |
| "spec_version": "2.1", | |
| "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:07:09.000Z", | |
| "modified": "2016-04-06T20:07:09.000Z", | |
| "is_family": true, | |
| "name": "Poison Ivy", | |
| "malware_types": ["trojan"], | |
| "object_marking_refs": [ | |
| "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed" | |
| ] | |
| }, | |
| { | |
| "type": "malware-analysis", | |
| "spec_version": "2.1", | |
| "id": "malware-analysis--31b940d4-6f7f-459a-80ea-9c1f17b5891b", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:07:09.000Z", | |
| "modified": "2016-04-06T20:07:09.000Z", | |
| "product": "malware-analysis-suite", | |
| "version": "0.1", | |
| "av_result": "malicious", | |
| "installed_software_refs": [ | |
| "software--a1827f6d-ca53-5605-9e93-4316cd22a00a" | |
| ] | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--db484eaf-0f91-434c-9f9a-64c6fb5c98c7", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:07:10.000Z", | |
| "modified": "2016-04-06T20:07:10.000Z", | |
| "relationship_type": "av-analysis-of", | |
| "source_ref": "malware-analysis--31b940d4-6f7f-459a-80ea-9c1f17b5891b", | |
| "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--d628a168-4b1c-45c8-9324-59f1bf1ce618", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:07:10.000Z", | |
| "modified": "2016-04-06T20:07:10.000Z", | |
| "relationship_type": "targets", | |
| "source_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b", | |
| "target_ref": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:07:10.000Z", | |
| "modified": "2016-04-06T20:07:10.000Z", | |
| "relationship_type": "mitigates", | |
| "source_ref": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--803fe1e3-56e8-46b7-a945-54f85fc55c2a", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:07:10.000Z", | |
| "modified": "2016-04-06T20:07:10.000Z", | |
| "relationship_type": "uses", | |
| "source_ref": "campaign--12a111f0-b824-4baf-a224-83b80237a094", | |
| "target_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5" | |
| }, | |
| { | |
| "type": "grouping", | |
| "spec_version": "2.1", | |
| "id": "grouping--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3", | |
| "created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "created": "2015-12-21T19:59:11.000Z", | |
| "modified": "2015-12-21T19:59:11.000Z", | |
| "name": "The Black Vine Cyberespionage Group", | |
| "description": "A simple collection of Black Vine Cyberespionage Group attributed intel", | |
| "context": "suspicious-activity", | |
| "object_refs": [ | |
| "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "campaign--12a111f0-b824-4baf-a224-83b80237a094", | |
| "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad", | |
| "file--9a1f834d-2506-5367-baec-7aa63996ac43" | |
| ] | |
| }, | |
| { | |
| "type": "identity", | |
| "spec_version": "2.1", | |
| "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:03:00.000Z", | |
| "modified": "2016-04-06T20:03:00.000Z", | |
| "name": "John Smith", | |
| "identity_class": "individual" | |
| }, | |
| { | |
| "type": "identity", | |
| "spec_version": "2.1", | |
| "id": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:03:00.000Z", | |
| "modified": "2016-04-06T20:03:00.000Z", | |
| "name": "ComputerSecurity, Inc.", | |
| "identity_class": "organization" | |
| }, | |
| { | |
| "type": "indicator", | |
| "spec_version": "2.1", | |
| "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "created": "2016-04-06T20:03:48.000Z", | |
| "modified": "2016-04-06T20:03:48.000Z", | |
| "indicator_types": ["malicious-activity"], | |
| "name": "Poison Ivy Malware", | |
| "description": "This file is part of Poison Ivy", | |
| "pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]", | |
| "pattern_type": "stix", | |
| "valid_from": "2016-01-01T00:00:00Z" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:06:37.000Z", | |
| "modified": "2016-04-06T20:06:37.000Z", | |
| "relationship_type": "indicates", | |
| "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b" | |
| }, | |
| { | |
| "type":"infrastructure", | |
| "spec_version": "2.1", | |
| "id":"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d", | |
| "created":"2016-05-07T11:22:30.000Z", | |
| "modified":"2016-05-07T11:22:30.000Z", | |
| "name":"Poison Ivy C2", | |
| "infrastructure_types": ["command-and-control"] | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--7aebe2f0-28d6-48a2-9c3e-b0aaa60266ef", | |
| "created": "2016-05-09T08:17:27.000Z", | |
| "modified": "2016-05-09T08:17:27.000Z", | |
| "relationship_type": "consists-of", | |
| "source_ref": "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d", | |
| "target_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--60e35813-2a7f-4c8e-8d9d-ccb8e4fa481e", | |
| "created": "2016-05-09T08:17:27.000Z", | |
| "modified": "2016-05-09T08:17:27.000Z", | |
| "relationship_type": "consists-of", | |
| "source_ref": "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d", | |
| "target_ref": "ipv6-addr--5daf7456-8863-5481-9d42-237d477697f4" | |
| }, | |
| { | |
| "type": "location", | |
| "spec_version": "2.1", | |
| "id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64", | |
| "created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "created": "2016-04-06T20:03:00.000Z", | |
| "modified": "2016-04-06T20:03:00.000Z", | |
| "region": "northern-america" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--7d9d2fa1-8518-4367-b43f-890f0025be5b", | |
| "created": "2016-05-09T08:17:27.000Z", | |
| "modified": "2016-05-09T08:17:27.000Z", | |
| "relationship_type": "located-at", | |
| "source_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "target_ref": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64" | |
| }, | |
| { | |
| "type": "note", | |
| "spec_version": "2.1", | |
| "id": "note--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "external_references": [ | |
| { | |
| "source_name": "job-tracker", | |
| "external_id": "job-id-1234" | |
| } | |
| ], | |
| "abstract": "Tracking Team Note#1", | |
| "content": "This note indicates the various steps taken by the threat analyst team to investigate this specific campaign. Step 1) Do a scan 2) Review scanned results for identified hosts not known by external intel….etc", | |
| "authors": ["John Doe"], | |
| "object_refs": ["campaign--12a111f0-b824-4baf-a224-83b80237a094"] | |
| }, | |
| { | |
| "type": "observed-data", | |
| "spec_version": "2.1", | |
| "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T19:58:16.000Z", | |
| "modified": "2016-04-06T19:58:16.000Z", | |
| "first_observed": "2015-12-21T19:00:00Z", | |
| "last_observed": "2015-12-21T19:00:00Z", | |
| "number_observed": 50, | |
| "object_refs": [ | |
| "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd", | |
| "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5", | |
| "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1", | |
| "x509-certificate--463d7b2a-8516-5a50-a3d7-6f801465d5de", | |
| "artifact--6f437177-6e48-5cf8-9d9e-872a2bddd641", | |
| "windows-registry-key--9d60798d-4e3e-5fe4-af8a-0e4986f0f90b", | |
| "user-account--9bd3afcf-deee-54f9-83e2-520653cb6bba", | |
| "user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c", | |
| "url--c1477287-23ac-5971-a010-5c287877fa60", | |
| "mutex--eba44954-d4e4-5d3b-814c-2b17dd8de300" | |
| ] | |
| }, | |
| { | |
| "type": "opinion", | |
| "spec_version": "2.1", | |
| "id": "opinion--b01efc25-77b4-4003-b18b-f6e24b5cd9f7", | |
| "created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "object_refs": ["relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad"], | |
| "opinion": "strongly-disagree", | |
| "explanation": "This doesn't seem like it is feasible. We've seen how PandaCat has attacked Spanish infrastructure over the last 3 years, so this change in targeting seems too great to be viable. The methods used are more commonly associated with the FlameDragonCrew." | |
| }, | |
| { | |
| "type": "report", | |
| "spec_version": "2.1", | |
| "id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3", | |
| "created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "created": "2015-12-21T19:59:11.000Z", | |
| "modified": "2015-12-21T19:59:11.000Z", | |
| "name": "The Black Vine Cyberespionage Group", | |
| "description": "A simple report with an indicator, a campaign and an opinion", | |
| "published": "2016-01-20T17:00:00.000Z", | |
| "report_types": ["campaign"], | |
| "object_refs": [ | |
| "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "campaign--12a111f0-b824-4baf-a224-83b80237a094", | |
| "opinion--b01efc25-77b4-4003-b18b-f6e24b5cd9f7" | |
| ] | |
| }, | |
| { | |
| "type": "threat-actor", | |
| "spec_version": "2.1", | |
| "id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65", | |
| "created": "2016-04-06T20:03:48.000Z", | |
| "modified": "2016-04-06T20:03:48.000Z", | |
| "threat_actor_types": ["crime-syndicate"], | |
| "name": "Evil Org", | |
| "description": "The Evil Org threat actor group", | |
| "aliases": ["Syndicate 1", "Evil Syndicate 99"], | |
| "roles": ["director", "sponsor"], | |
| "goals": ["Steal bank money", "Steal credit cards"], | |
| "sophistication": "advanced", | |
| "resource_level": "team", | |
| "primary_motivation": "organizational-gain" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--2b7c094b-dacc-40ee-8ffc-06b20bf5562b", | |
| "created": "2016-05-09T08:17:27.000Z", | |
| "modified": "2016-05-09T08:17:27.000Z", | |
| "relationship_type": "authored-by", | |
| "source_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b", | |
| "target_ref": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--3f1befad-ff3c-45c3-995c-459334a132bb", | |
| "created": "2016-05-09T08:17:27.000Z", | |
| "modified": "2016-05-09T08:17:27.000Z", | |
| "relationship_type": "based-on", | |
| "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "target_ref": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf" | |
| }, | |
| { | |
| "type": "tool", | |
| "spec_version": "2.1", | |
| "id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:03:48.000Z", | |
| "modified": "2016-04-06T20:03:48.000Z", | |
| "tool_types": ["remote-access"], | |
| "name": "VNC" | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--08da2890-ae07-4a42-980b-0f157851163a", | |
| "created": "2016-05-09T08:17:27.000Z", | |
| "modified": "2016-05-09T08:17:27.000Z", | |
| "relationship_type": "downloads", | |
| "source_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b", | |
| "target_ref": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f" | |
| }, | |
| { | |
| "type": "vulnerability", | |
| "spec_version": "2.1", | |
| "id": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061", | |
| "created": "2016-05-12T08:17:27.000Z", | |
| "modified": "2016-05-12T08:17:27.000Z", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "name": "CVE-2016-1234", | |
| "external_references": [ | |
| { | |
| "source_name": "cve", | |
| "external_id": "CVE-2016-1234" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "relationship", | |
| "spec_version": "2.1", | |
| "id": "relationship--307be661-2003-489b-8afc-911454497091", | |
| "created": "2016-05-09T08:17:27.000Z", | |
| "modified": "2016-05-09T08:17:27.000Z", | |
| "relationship_type": "exploits", | |
| "source_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b", | |
| "target_ref": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061" | |
| }, | |
| { | |
| "type": "sighting", | |
| "spec_version": "2.1", | |
| "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75", | |
| "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", | |
| "created": "2016-04-06T20:08:31.000Z", | |
| "modified": "2016-04-06T20:08:31.000Z", | |
| "first_seen": "2015-12-21T19:00:00Z", | |
| "last_seen": "2015-12-21T19:00:00Z", | |
| "count": 50, | |
| "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", | |
| "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"], | |
| "where_sighted_refs": ["identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65"] | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment