282 lines
11 KiB
JSON
282 lines
11 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--58ca5f56-3da4-4ed9-a13f-0804950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-17T14:10:59.000Z",
|
||
|
"modified": "2017-03-17T14:10:59.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--58ca5f56-3da4-4ed9-a13f-0804950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-17T14:10:59.000Z",
|
||
|
"modified": "2017-03-17T14:10:59.000Z",
|
||
|
"name": "Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit",
|
||
|
"published": "2017-03-17T14:12:03Z",
|
||
|
"object_refs": [
|
||
|
"indicator--58ca60c3-7198-4ac1-ac14-4a40950d210f",
|
||
|
"indicator--58ca60c4-e6a4-4451-993c-4b74950d210f",
|
||
|
"indicator--58ca6129-8f7c-4b81-8f17-41af950d210f",
|
||
|
"indicator--58ca627e-c0d4-40d2-8fa8-785902de0b81",
|
||
|
"indicator--58ca627f-b634-43de-a973-785902de0b81",
|
||
|
"observed-data--58ca6280-2d9c-4086-882e-785902de0b81",
|
||
|
"url--58ca6280-2d9c-4086-882e-785902de0b81",
|
||
|
"observed-data--58ca62ec-9c00-42a3-b879-4dda950d210f",
|
||
|
"url--58ca62ec-9c00-42a3-b879-4dda950d210f",
|
||
|
"indicator--58ca6312-de00-4fc9-b6a3-7851950d210f",
|
||
|
"observed-data--58ca6dcc-0a74-4387-8904-7852950d210f",
|
||
|
"network-traffic--58ca6dcc-0a74-4387-8904-7852950d210f",
|
||
|
"ipv4-addr--58ca6dcc-0a74-4387-8904-7852950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:ransomware=\"CryptoMix\"",
|
||
|
"malware_classification:malware-category=\"Ransomware\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58ca60c3-7198-4ac1-ac14-4a40950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:01:30.000Z",
|
||
|
"modified": "2017-03-16T10:01:30.000Z",
|
||
|
"pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\Microsofts\\\\Windows NT\\\\svchost.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-16T10:01:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58ca60c4-e6a4-4451-993c-4b74950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:01:30.000Z",
|
||
|
"modified": "2017-03-16T10:01:30.000Z",
|
||
|
"pattern": "[file:name = '# !!!HELP_FILE!!! #.txt']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-16T10:01:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58ca6129-8f7c-4b81-8f17-41af950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:01:30.000Z",
|
||
|
"modified": "2017-03-16T10:01:30.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f5bceebaecb329380385509d263f55e3d7bddde02377636a0e15f8bfd77a84a6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-16T10:01:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58ca627e-c0d4-40d2-8fa8-785902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:01:34.000Z",
|
||
|
"modified": "2017-03-16T10:01:34.000Z",
|
||
|
"description": "- Xchecked via VT: f5bceebaecb329380385509d263f55e3d7bddde02377636a0e15f8bfd77a84a6",
|
||
|
"pattern": "[file:hashes.SHA1 = '579a7cde9174b5f375fff832eb0ee41a6afc4b65']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-16T10:01:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58ca627f-b634-43de-a973-785902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:01:35.000Z",
|
||
|
"modified": "2017-03-16T10:01:35.000Z",
|
||
|
"description": "- Xchecked via VT: f5bceebaecb329380385509d263f55e3d7bddde02377636a0e15f8bfd77a84a6",
|
||
|
"pattern": "[file:hashes.MD5 = 'e0d52cc8793592184a854fde5afaf152']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-16T10:01:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58ca6280-2d9c-4086-882e-785902de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:01:36.000Z",
|
||
|
"modified": "2017-03-16T10:01:36.000Z",
|
||
|
"first_observed": "2017-03-16T10:01:36Z",
|
||
|
"last_observed": "2017-03-16T10:01:36Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58ca6280-2d9c-4086-882e-785902de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58ca6280-2d9c-4086-882e-785902de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f5bceebaecb329380385509d263f55e3d7bddde02377636a0e15f8bfd77a84a6/analysis/1489641720/"
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58ca62ec-9c00-42a3-b879-4dda950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:03:24.000Z",
|
||
|
"modified": "2017-03-16T10:03:24.000Z",
|
||
|
"first_observed": "2017-03-16T10:03:24Z",
|
||
|
"last_observed": "2017-03-16T10:03:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58ca62ec-9c00-42a3-b879-4dda950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58ca62ec-9c00-42a3-b879-4dda950d210f",
|
||
|
"value": "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58ca6312-de00-4fc9-b6a3-7851950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:04:02.000Z",
|
||
|
"modified": "2017-03-16T10:04:02.000Z",
|
||
|
"pattern": "[url:value = '109.236.87.201/js/other_scripts/get.php']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-16T10:04:02Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58ca6dcc-0a74-4387-8904-7852950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-16T10:49:48.000Z",
|
||
|
"modified": "2017-03-16T10:49:48.000Z",
|
||
|
"first_observed": "2017-03-16T10:49:48Z",
|
||
|
"last_observed": "2017-03-16T10:49:48Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"network-traffic--58ca6dcc-0a74-4387-8904-7852950d210f",
|
||
|
"ipv4-addr--58ca6dcc-0a74-4387-8904-7852950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"ip-dst\"",
|
||
|
"misp:category=\"Network activity\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "network-traffic",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "network-traffic--58ca6dcc-0a74-4387-8904-7852950d210f",
|
||
|
"dst_ref": "ipv4-addr--58ca6dcc-0a74-4387-8904-7852950d210f",
|
||
|
"protocols": [
|
||
|
"tcp"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "ipv4-addr",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "ipv4-addr--58ca6dcc-0a74-4387-8904-7852950d210f",
|
||
|
"value": "109.236.87.201"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|