misp-circl-feed/feeds/circl/stix-2.1/580b201b-3e30-4bb1-ac2e-427202de0b81.json

362 lines
16 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--580b201b-3e30-4bb1-ac2e-427202de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:19:03.000Z",
"modified": "2016-10-22T08:19:03.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--580b201b-3e30-4bb1-ac2e-427202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:19:03.000Z",
"modified": "2016-10-22T08:19:03.000Z",
"name": "OSINT - The new .LNK between spam and Locky infection",
"published": "2016-10-22T08:22:23Z",
"object_refs": [
"x-misp-attribute--580b202f-2940-44d0-ab6c-4eb202de0b81",
"observed-data--580b203c-83c4-4298-b23b-42fd02de0b81",
"url--580b203c-83c4-4298-b23b-42fd02de0b81",
"x-misp-attribute--580b204e-62e0-47ed-9414-4d0d02de0b81",
"indicator--580b2072-2bd0-4a88-8f41-4a3702de0b81",
"indicator--580b208b-7124-46a8-83f9-411302de0b81",
"indicator--580b20b1-6aac-4a6a-8fc1-4d9102de0b81",
"indicator--580b20ce-4470-478f-b52a-463702de0b81",
"indicator--580b20f7-f558-4ece-ac93-406302de0b81",
"indicator--580b20f7-b5c4-4453-b6bf-406a02de0b81",
"observed-data--580b20f8-76c8-410f-905e-44ae02de0b81",
"url--580b20f8-76c8-410f-905e-44ae02de0b81",
"indicator--580b20f8-11e0-4df3-b3ed-42d902de0b81",
"indicator--580b20f8-d5f8-4ac9-916e-42be02de0b81",
"observed-data--580b20f8-9078-49f7-94bf-4e2502de0b81",
"url--580b20f8-9078-49f7-94bf-4e2502de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"dnc:malware-type=\"Ransomware\"",
"ecsirt:malicious-code=\"ransomware\"",
"enisa:nefarious-activity-abuse=\"ransomware\"",
"ms-caro-malware:malware-type=\"Ransom\"",
"malware_classification:malware-category=\"Ransomware\"",
"veris:action:malware:variety=\"Ransomware\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--580b202f-2940-44d0-ab6c-4eb202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:15:43.000Z",
"modified": "2016-10-22T08:15:43.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Just when it seems the Ransom:Win32/Locky activity has slowed down, our continuous monitoring of the ransomware family reveals a new workaround that the authors might be using to keep it going.\r\n\r\nThe decline in Locky activity can be attributed to the slowdown of detections of Nemucod, which Locky uses to infect computers. Nemucod is a .wsf file contained in .zip attachments in spam email (see our Nemucod WSF blog for details). Locky has also been previously distributed by exploit kits and spam email attachments with other extensions such as .js, .hta, etc."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--580b203c-83c4-4298-b23b-42fd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:15:56.000Z",
"modified": "2016-10-22T08:15:56.000Z",
"first_observed": "2016-10-22T08:15:56Z",
"last_observed": "2016-10-22T08:15:56Z",
"number_observed": 1,
"object_refs": [
"url--580b203c-83c4-4298-b23b-42fd02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--580b203c-83c4-4298-b23b-42fd02de0b81",
"value": "https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spam-and-locky-infection/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--580b204e-62e0-47ed-9414-4d0d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:16:14.000Z",
"modified": "2016-10-22T08:16:14.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "TrojanDownloader:PowerShell/Ploprolo.A"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580b2072-2bd0-4a88-8f41-4a3702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:16:50.000Z",
"modified": "2016-10-22T08:16:50.000Z",
"description": "Hard coded C&C addresses used",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '93.170.104.126']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-22T08:16:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580b208b-7124-46a8-83f9-411302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:17:15.000Z",
"modified": "2016-10-22T08:17:15.000Z",
"description": "Hard coded C&C addresses used",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.46.11.73']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-22T08:17:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580b20b1-6aac-4a6a-8fc1-4d9102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:17:53.000Z",
"modified": "2016-10-22T08:17:53.000Z",
"description": "TrojanDownloader:PowerShell/Ploprolo.A",
"pattern": "[file:hashes.SHA1 = '3dcf2f116af0a548e88022baa1f41f61f362ae39']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-22T08:17:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580b20ce-4470-478f-b52a-463702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:18:22.000Z",
"modified": "2016-10-22T08:18:22.000Z",
"description": "Ransom:Win32/Locky",
"pattern": "[file:hashes.SHA1 = 'c1ee00884c0f872767992d5348e4de576935d8da']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-22T08:18:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580b20f7-f558-4ece-ac93-406302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:19:03.000Z",
"modified": "2016-10-22T08:19:03.000Z",
"description": "TrojanDownloader:PowerShell/Ploprolo.A - Xchecked via VT: 3dcf2f116af0a548e88022baa1f41f61f362ae39",
"pattern": "[file:hashes.SHA256 = 'a393cf8d2ec5811d976cff0972069d73a98d33f6d3004b8f11beaf21086ac848']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-22T08:19:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580b20f7-b5c4-4453-b6bf-406a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:19:03.000Z",
"modified": "2016-10-22T08:19:03.000Z",
"description": "TrojanDownloader:PowerShell/Ploprolo.A - Xchecked via VT: 3dcf2f116af0a548e88022baa1f41f61f362ae39",
"pattern": "[file:hashes.MD5 = 'ee0f3310fecae257f1902beabe8b90fd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-22T08:19:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--580b20f8-76c8-410f-905e-44ae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:19:04.000Z",
"modified": "2016-10-22T08:19:04.000Z",
"first_observed": "2016-10-22T08:19:04Z",
"last_observed": "2016-10-22T08:19:04Z",
"number_observed": 1,
"object_refs": [
"url--580b20f8-76c8-410f-905e-44ae02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--580b20f8-76c8-410f-905e-44ae02de0b81",
"value": "https://www.virustotal.com/file/a393cf8d2ec5811d976cff0972069d73a98d33f6d3004b8f11beaf21086ac848/analysis/1477114649/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580b20f8-11e0-4df3-b3ed-42d902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:19:04.000Z",
"modified": "2016-10-22T08:19:04.000Z",
"description": "Ransom:Win32/Locky - Xchecked via VT: c1ee00884c0f872767992d5348e4de576935d8da",
"pattern": "[file:hashes.SHA256 = '7953b0dbd410a2e216b45671be48a48f472e74fb1a8049afdacaade02e63709b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-22T08:19:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580b20f8-d5f8-4ac9-916e-42be02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:19:04.000Z",
"modified": "2016-10-22T08:19:04.000Z",
"description": "Ransom:Win32/Locky - Xchecked via VT: c1ee00884c0f872767992d5348e4de576935d8da",
"pattern": "[file:hashes.MD5 = '6f582adb2226db03b8ce9822a0d1b1e8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-22T08:19:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--580b20f8-9078-49f7-94bf-4e2502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-22T08:19:04.000Z",
"modified": "2016-10-22T08:19:04.000Z",
"first_observed": "2016-10-22T08:19:04Z",
"last_observed": "2016-10-22T08:19:04Z",
"number_observed": 1,
"object_refs": [
"url--580b20f8-9078-49f7-94bf-4e2502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--580b20f8-9078-49f7-94bf-4e2502de0b81",
"value": "https://www.virustotal.com/file/7953b0dbd410a2e216b45671be48a48f472e74fb1a8049afdacaade02e63709b/analysis/1476852064/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}