368 lines
16 KiB
JSON
368 lines
16 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--59a3c0d9-6e00-4f61-b768-47d6950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:14.000Z",
|
||
|
"modified": "2017-08-28T14:23:14.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--59a3c0d9-6e00-4f61-b768-47d6950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:14.000Z",
|
||
|
"modified": "2017-08-28T14:23:14.000Z",
|
||
|
"name": "OSINT - The ZAYKA and NOOB CryptoMix Ransomware Variants Released in Quick Succession",
|
||
|
"published": "2017-08-28T14:23:21Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--59a3c0eb-d44c-4133-bf6c-4233950d210f",
|
||
|
"url--59a3c0eb-d44c-4133-bf6c-4233950d210f",
|
||
|
"x-misp-attribute--59a3c0fa-676c-4413-acb9-495a950d210f",
|
||
|
"indicator--59a3c152-41b0-4924-b651-493a950d210f",
|
||
|
"indicator--59a3c152-bd44-48cb-964f-4beb950d210f",
|
||
|
"indicator--59a3c160-4c58-46a3-b48a-47a5950d210f",
|
||
|
"indicator--59a3c160-1068-438a-903f-4069950d210f",
|
||
|
"indicator--59a3c1ff-e884-4e50-9e49-44cb950d210f",
|
||
|
"indicator--59a4274c-b8f4-464b-b95b-459402de0b81",
|
||
|
"indicator--59a4274c-f1e8-46ed-afa7-47f202de0b81",
|
||
|
"observed-data--59a4274c-a26c-4940-8ab2-4eb102de0b81",
|
||
|
"url--59a4274c-a26c-4940-8ab2-4eb102de0b81",
|
||
|
"indicator--59a4274c-9fbc-4261-86dc-44c502de0b81",
|
||
|
"indicator--59a4274c-bb90-4eb0-8899-420a02de0b81",
|
||
|
"observed-data--59a4274c-fbdc-40d5-ba87-44ae02de0b81",
|
||
|
"url--59a4274c-fbdc-40d5-ba87-44ae02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:ransomware=\"CryptoMix\"",
|
||
|
"type:OSINT",
|
||
|
"malware_classification:malware-category=\"Ransomware\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59a3c0eb-d44c-4133-bf6c-4233950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:07.000Z",
|
||
|
"modified": "2017-08-28T14:23:07.000Z",
|
||
|
"first_observed": "2017-08-28T14:23:07Z",
|
||
|
"last_observed": "2017-08-28T14:23:07Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59a3c0eb-d44c-4133-bf6c-4233950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59a3c0eb-d44c-4133-bf6c-4233950d210f",
|
||
|
"value": "https://www.bleepingcomputer.com/news/security/the-zayka-and-noob-cryptomix-ransomware-variants-released-in-quick-succession/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59a3c0fa-676c-4413-acb9-495a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:07.000Z",
|
||
|
"modified": "2017-08-28T14:23:07.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "CryptoMix is releasing new variants very quickly now and is reminiscent of how the Locky developers used to distribute Locky. Yesterday, ID-Ransomware's Michael Gillespie & Malwarebytes malware researcher Marcelo Rivero discovered two new variants of the CryptoMix ransomware being distributed within a week or two of each other. These variants append either the NOOB or ZAYKA extension to encrypted files, but use the same contact email of admin@zayka.pro for payment instructions."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a3c152-41b0-4924-b651-493a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:07.000Z",
|
||
|
"modified": "2017-08-28T14:23:07.000Z",
|
||
|
"description": "NOOB version",
|
||
|
"pattern": "[file:hashes.SHA256 = 'ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a3c152-bd44-48cb-964f-4beb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:07.000Z",
|
||
|
"modified": "2017-08-28T14:23:07.000Z",
|
||
|
"description": "ZAYKA version",
|
||
|
"pattern": "[file:hashes.SHA256 = 'aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a3c160-4c58-46a3-b48a-47a5950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:07.000Z",
|
||
|
"modified": "2017-08-28T14:23:07.000Z",
|
||
|
"pattern": "[file:name = '_HELP_INSTRUCTION.TXT']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a3c160-1068-438a-903f-4069950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:07.000Z",
|
||
|
"modified": "2017-08-28T14:23:07.000Z",
|
||
|
"pattern": "[file:name = '\\\\%AppData\\\\%\\\\[random].exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a3c1ff-e884-4e50-9e49-44cb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:07.000Z",
|
||
|
"modified": "2017-08-28T14:23:07.000Z",
|
||
|
"description": "contact mail in the ransom note",
|
||
|
"pattern": "[email-message:from_ref.value = 'admin@zayka.pro']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a4274c-b8f4-464b-b95b-459402de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:08.000Z",
|
||
|
"modified": "2017-08-28T14:23:08.000Z",
|
||
|
"description": "ZAYKA version - Xchecked via VT: aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685",
|
||
|
"pattern": "[file:hashes.SHA1 = '53371fd7a36fcf23d615143ba82045a417850c08']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a4274c-f1e8-46ed-afa7-47f202de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:08.000Z",
|
||
|
"modified": "2017-08-28T14:23:08.000Z",
|
||
|
"description": "ZAYKA version - Xchecked via VT: aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685",
|
||
|
"pattern": "[file:hashes.MD5 = 'c34e3bcddab6b671cccb1c5e9ba3a881']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59a4274c-a26c-4940-8ab2-4eb102de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:08.000Z",
|
||
|
"modified": "2017-08-28T14:23:08.000Z",
|
||
|
"first_observed": "2017-08-28T14:23:08Z",
|
||
|
"last_observed": "2017-08-28T14:23:08Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59a4274c-a26c-4940-8ab2-4eb102de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59a4274c-a26c-4940-8ab2-4eb102de0b81",
|
||
|
"value": "https://www.virustotal.com/file/aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685/analysis/1500647663/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a4274c-9fbc-4261-86dc-44c502de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:08.000Z",
|
||
|
"modified": "2017-08-28T14:23:08.000Z",
|
||
|
"description": "NOOB version - Xchecked via VT: ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023",
|
||
|
"pattern": "[file:hashes.SHA1 = 'f71297632052974c83b95412dcb07090089b890d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59a4274c-bb90-4eb0-8899-420a02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:08.000Z",
|
||
|
"modified": "2017-08-28T14:23:08.000Z",
|
||
|
"description": "NOOB version - Xchecked via VT: ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023",
|
||
|
"pattern": "[file:hashes.MD5 = 'a862f5ee210a43fddcb33ad2f01af73f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-08-28T14:23:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59a4274c-fbdc-40d5-ba87-44ae02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-08-28T14:23:08.000Z",
|
||
|
"modified": "2017-08-28T14:23:08.000Z",
|
||
|
"first_observed": "2017-08-28T14:23:08Z",
|
||
|
"last_observed": "2017-08-28T14:23:08Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59a4274c-fbdc-40d5-ba87-44ae02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59a4274c-fbdc-40d5-ba87-44ae02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023/analysis/1503697510/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|