misp-circl-feed/feeds/circl/stix-2.1/56e2d5fc-4238-4b3a-9d7b-4539950d210f.json

{
"type": "bundle",
"id": "bundle--56e2d5fc-4238-4b3a-9d7b-4539950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:55:05.000Z",
"modified": "2016-03-11T14:55:05.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--56e2d5fc-4238-4b3a-9d7b-4539950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:55:05.000Z",
"modified": "2016-03-11T14:55:05.000Z",
"name": "'Surprise' Ransomware (2016-03-11)",
"published": "2016-03-11T15:10:51Z",
"object_refs": [
"indicator--56e2d71c-af30-4ac8-9fbc-4e49950d210f",
"indicator--56e2d71d-89cc-4680-ae77-4a86950d210f",
"indicator--56e2d71d-4fb4-4b25-997e-49e6950d210f",
"indicator--56e2d71d-79dc-4caa-8432-453a950d210f",
"indicator--56e2d729-5444-4dc8-a042-48f4950d210f",
"indicator--56e2d73d-3838-4a28-9bd1-414a950d210f",
"indicator--56e2d73e-cfc4-4c5c-93cb-405b950d210f",
"indicator--56e2d73e-6d5c-4891-b2c5-4b1b950d210f",
"x-misp-attribute--56e2d848-0f6c-41cc-b03f-6599950d210f",
"observed-data--56e2db4b-2904-45ab-a9c0-4ac702de0b81",
"url--56e2db4b-2904-45ab-a9c0-4ac702de0b81",
"indicator--56e2dd1a-1830-4809-9765-4f01950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"malware\"",
"malware_classification:malware-category=\"Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2d71c-af30-4ac8-9fbc-4e49950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:33:00.000Z",
"modified": "2016-03-11T14:33:00.000Z",
"description": "C&C (down)",
"pattern": "[url:value = 'http://pulseaudio.duckdns.org/pull.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:33:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2d71d-89cc-4680-ae77-4a86950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:54:58.000Z",
"modified": "2016-03-11T14:54:58.000Z",
"description": "Email to request payment info",
"pattern": "[email-message:to_refs[*].value = 'nowayout@protonmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:54:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2d71d-4fb4-4b25-997e-49e6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:55:05.000Z",
"modified": "2016-03-11T14:55:05.000Z",
"description": "Email to request payment info",
"pattern": "[email-message:to_refs[*].value = 'nowayout@sigaint.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:55:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"email-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2d71d-79dc-4caa-8432-453a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:33:01.000Z",
"modified": "2016-03-11T14:33:01.000Z",
"description": "File displaying information",
"pattern": "[file:name = 'DECRYPTION_HOWTO.Notepad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:33:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2d729-5444-4dc8-a042-48f4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:33:13.000Z",
"modified": "2016-03-11T14:33:13.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'pulseaudio.duckdns.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:33:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2d73d-3838-4a28-9bd1-414a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:33:33.000Z",
"modified": "2016-03-11T14:33:33.000Z",
"pattern": "[file:content_ref.payload_bin = 'UEsDBBQACQAIADF0a0hTELHf2BkBAABAAgAgABwAYzM0ZmIxNWM1ZjkzYzJiZDFiOGExYmEyOTU2NjgzN2ZVVAkAAz3X4lY91+JWdXgLAAEEIQAAAAQhAAAAmW2z+XzWuerAC1uiIPcueUaSEKAy23rPTQ3BBDMTlPNHeIiKZb47e/uFh/ZiMQeLnSuXGx4TUq1cNfGIxnxX/LFORj7zPihbuaj0QvpFW+1CjoITfe8i/bYDKugMYOeSV/2gm/yhli9pMckE3AAEiwndMo48CmDCP7XTGmftzQKqX4/rAYXQeqeVTmb1xOSkZp1kCJ+8fS+1+x8FArZ5QNzGgNdcHAvLkvDM8WHd9soESX/8ShslgnZAUSDC0WtuPHjTH4bnaYTPfeqzUGdg2PO3CUc0xt2+9JbaktxiS/vMzrhe10ntyI+/o+mZWkSEkr/JZU321OKPjviDdjkYG7lbOS1BVNjZtnJDkULpsRmTFtHPJpaFzc4a3DCSTqjnRBc5gTisp4BY5oZJxfaxRVINB5N+X/fgodUSQb1OjiB/KUdSS/2OJ8OTBBl2PpGbOjk5msb9ysaroASXvf4h1P2E0btJR3X07gimjyC7kJ5hs/qZD+abIv7bkgskKBX2wQ89+ww7RiesICyZvni2d5xfv6Sfg/R6kIkA4OPfSflbamjcV+zDFD1H3p4FrcQ0zhCGajmhDlwI89xcolIpIK6tSV3OmeyaAXXoBEv2g1zMRFyCZH7mxaR/2/AlEA96jWFsuSpOZppFmdaG0QeR3CoDOjvwu+4PDXwUqapnIH8RdUlhWNjelPHmgpqstLzXJ/6+V8udVregfot8KwRt+AzSXQG1HW7/AiEu6wM3GdI5muUteAY/ZqfEnphwOK0UbAJPTBPs2cn7H9NvaPpJ40cvdXYOWCTDhc2nhiEzy2/YXjF0/Q1FBPEZX6Tbdb0FVgVeOd70RPJg1hsmOfme6ZW57GsRAiIIwk4l6Mz99sz3b3q1uGydsendZIqIzMEJnOQwL6v1/+tdlyZys3sWNuRPlo3ID4+IILy/107mkHzEUKkqiXff9KFrbP1yNl11xSFvj3O54NGPI9tdF1x3b48DIIa1OBU8nwOC25kz+/kfUF5AYD9Xg4x/vEDO7/lGw5O54VEP0BBhmp8jN6PC+gs0d6bNWedTQ5oy6t/8ueHs+V6dZnMSq9d0RsY73g3In0pIPWARPxXllIr5kHmFC3fqCxTLZawmsZYXmcIe2aXijX2+TipTfXrQiTB39IeeMg3uY/DR3elW3JJFhTwlaHVDyVSt9j3omxhI8fNpxiID+Ua/oRgN8yLrFcNGOV9KB7jDgIC5m3yO9r0Xt/LT9MUB4AAwdNNhtGd02kpKb2H1XAGSNvs0yAdFjslhjZogxxoOYUcVUNo5WEokAuvzioV87/G2U4m8t5AxMQ2HuJJa7qbYxoHyRQP0QvZElgWyw19X1PC+KagZ7RuTZsZt6pxTHv/ontwrlPdr6LMBDejeDqA3qBlVd6Xv0E9T7Rqo9+RG1SJHNFUCa4ZMz3COGMZv/n+XhgJrEP+wNGSuEu182mdDqtgoSMRnIacY3h+xXXfV8mMcq0M2aBN9zcMvxzfd+sHZWNHgK4DCYfqG0wtqHF+jOarRojbdBFDhiDghqrBVWjPdRd1EjbvHjjyo4LolwiOm2/6YsYz9RK5lZAb5688Lofev9vHTHAa+Y6q4EneNovBHS6eFlGhKXBF3GpHsWGvNuXhHXo1M4mKPzmycwpIT/yBQCOfbQL+4EITh7ZgRUa+Vi0R7dELewtq/Diuh7/zuLJ/a++EQUXNPdq3ZshxbRsAf98smfx1YRqvCJYUUvewcWfykxLFDDHFWJ8/ooDf9WQIEq9t7wWOQ3Oesj3P02Jyf9UQvFEnA6W8xgk2rPB/pcjo3hUmFAgqyjfy6cz0yESKi3yvv1ZbIkTk
GV207sZtJL6Y4A9MnAh7+S2/MprweIVAPLSbBrJsb3mtP3P8Rm1Uljj3MV+EOZWE5HxUmIvE1hLaG3aSkIrC2PFILfLuzo6bcVzLhKB3vqWSNuQyoibTpv2yAb2Iih8/6S5sWMfikTzwRSQAZvLoo6xBbCo83rhn7bk2qR1Za4WPuOtG6AldcpXRPDiYzh5x7D6ROT/+P6ME25+oSrUbScw6XFz6s8Hc6ZtJQG9mJSu7nnH1da7uzzfFn5Ye1v55Os62mFzHuTEn3ndEBzatSMxXnVPs14sVw//YVHdvZfyJVMaD8vR5bN0NL6bgH3Y/A0PkIX0E9aiUYnEKB0vkpfO7c/ytmJhlFoDROW9YSlGb3HCeogqkb+iYLR8qxvk0SWS2TQSA6VGzJHqnVnu49LqznPDyOEQRnIi7sUacMPkKuPcy2+neY1QT0a07/sIkePzam/hgcE4sQrXkyk+iIHCIdkblo0VHUFuEzESh4Kdo7rb4Ouo3O9F9v+msKrbcijl45Z4aXZT1o7RS3wnffQ3wYrOPKfw3dOsbNWaUA8jfkI+0N5NQsOC6kmvKD73uYPETC6qqC30y901B6sTuH3ECOabAdYWxGdwbCWxdD4U6o2B3LRC+ua7nwTEVmXdJX7s3EWqZnw76+czCJRvcMBIbEyPJcv4rhokoVv2/klK9azhZWeqdeYmaSRiADhJQBRTrP9JYVnRi8i8gw2cJ8RI8kwgHlK3uANXz2Cgkfk/K4TT4EvINrGI0y3GIxYCWsSmYxdES4DO7MtEOZUHR8q8bZ75E0P9mOfmw/ecjO8x9jjGgkg9a503Knm15T0rFnT4pgGc/7Ab8XqJeDNAYNpPbK/vfCoHDRXBOkdAU6pDU/V+aLRE9l6SaVC3A2/kcoYjiJDuVdhzeH8m/paXq0hXD1qe+YypwPzPqKTl7vJY8zINt+pORHW3clg7dM9b7phcLJWUOzjQfcshu9tlMERdfPl53KYv3uhhqbUXGWgiEpENF6Cf3Cs6BDi3AzB6xQGRN0iL67wCzPK/cnTh41LY61S/CuD/NKrUfLNNp/dIfw0uP6ckvqd5nxh7Jl1AKRmQLdUaLhwB/gi4MLQUWMPi/QsgNK5zT+UgPrOpzvMAiMxJ+ffxrzYssyU1iwdzntX7JbB86StpAzW3VPJVpJ5W6V0Dg3Rc2mf3OqmXXylPKYKTw+vI0ydmvp4mGdePICrfugpPk0TSEexlsMtKcSZ7u4PkEGoyTDoDbsWsDr6ZPA9P9nq1aVv4II6svHy7dkFjbJNyMGHzjf1N8k/VrSjjHOCh8KFkQ3sx7wRHDeVduuu/WgCPMUelkJEmM12upIcZ0elcK+L2bAkAnid4OS2EH5Qk6wf5FCqWFPlTzEArFqZyAdDuFKAfekiDMpVZl6w52YvhYPAfsc7pSSsbdMceGP/ZhL+b2TY0rJjz5OE4qkn3GEHYVNW14hOjWzFJ2s0IEIekpV6zMhJcMmedrsPxs0ZyzqOi3nR7wUsV5Rc2qs/NKaIWT28UciQnj/863/0Y0n6W/oKbjVEij4r0rMQ0at8Sn0I9/8dv+o267WpUPY8ILrI3Y0LTcLCrpI33/xLdjPEG3lGOMJzZQ3wBPVg4HizTJXuIo99WVBH0042rTaSfh+R+HqHqfPlHeGhcaEZ3zd60UR9BRJ6ugK3TOwmz7hLzC46xTEWn0eUvibC+kYaYW9lYbJnxnA5XUHaBLrE7uQvQnKRS0trDPDdJDOqaAN4e+NJ7u+7ylcQsFxiWHxSK5Ls97p/Z1YC59CPUCT852Bw4hDw+F8nc8H1uiX6K2o7h5co35qNsub4IDQw5WOinoimUdkF0oj16gKK2VyeJXejM4lEtmeYZKV1pgkBMCpnhE+qbnlzf0L7GwoeQWFPjwrha3oZwsBKJ4xYErL2bMjr7KnaJFA1kfstzYWJxXM9WUp4W5lwKNiZIw3YcOkoY29mxjjPlmaedcQTsmZcc6ysp9haiuYMax
cRyPD7n0oV2jb3cTjrALZ4X5VrKH2ArE9UcmCvOGcvGKUxh38TCiiIpFUKKjyv69R3BnmFqb1YS6VthIh00
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:33:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"malware-sample\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2d73e-cfc4-4c5c-93cb-405b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:33:34.000Z",
"modified": "2016-03-11T14:33:34.000Z",
"pattern": "[file:name = 'surprise.exe' AND file:hashes.SHA1 = 'bee22913ad9d6c9a37152aa65daa6bd9beca00eb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:33:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2d73e-6d5c-4891-b2c5-4b1b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:33:34.000Z",
"modified": "2016-03-11T14:33:34.000Z",
"pattern": "[file:name = 'surprise.exe' AND file:hashes.SHA256 = 'ddb0c54759fada5cff7bb60237ace601fcbd526208627fdee170d9ed41e91c7a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:33:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56e2d848-0f6c-41cc-b03f-6599950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:43:34.000Z",
"modified": "2016-03-11T14:43:34.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Payload installation\""
],
"x_misp_category": "Payload installation",
"x_misp_comment": "DECRYPTION_HOWTO.Notepad",
"x_misp_type": "text",
"x_misp_value": "What happened to your files ?\r\nAll of your files were protected by a strong encryption.\r\nThere is no way to decrypt your files without the key.\r\nIf your files not important for you just reinstall your system.\r\nIf your files is important just email us to discuss the price and how to decrypt your files.\r\nYou can email us to nowayout@protonmail.com and nowayout@sigaint.org \r\nWrite your Email to both email addresses PLS\r\nWe accept just BITCOIN if you dont know what it is just google it.\r\nWe will give instructions where and how you buy bitcoin in your country.\r\nPrice depends on how important your files and network is.it could be 0.5 bitcoin to 25 bitcoin.\r\nYou can send us a 1 encrypted file for decryption.\r\nFeel free to email us with your country and computer name and username of the infected system."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56e2db4b-2904-45ab-a9c0-4ac702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:50:51.000Z",
"modified": "2016-03-11T14:50:51.000Z",
"first_observed": "2016-03-11T14:50:51Z",
"last_observed": "2016-03-11T14:50:51Z",
"number_observed": 1,
"object_refs": [
"url--56e2db4b-2904-45ab-a9c0-4ac702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56e2db4b-2904-45ab-a9c0-4ac702de0b81",
"value": "https://www.virustotal.com/file/ddb0c54759fada5cff7bb60237ace601fcbd526208627fdee170d9ed41e91c7a/analysis/1457588432/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56e2dd1a-1830-4809-9765-4f01950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-11T14:58:34.000Z",
"modified": "2016-03-11T14:58:34.000Z",
"description": "Automatically added (via surprise.exe|bee22913ad9d6c9a37152aa65daa6bd9beca00eb)",
"pattern": "[file:name = 'surprise.exe' AND file:hashes.MD5 = 'c34fb15c5f93c2bd1b8a1ba29566837f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-11T14:58:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename|md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}