misp-circl-feed/feeds/circl/stix-2.1/59a3d08d-5dc8-4153-bc7c-456d950d210f.json

{
"type": "bundle",
"id": "bundle--59a3d08d-5dc8-4153-bc7c-456d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:36.000Z",
"modified": "2017-08-28T14:24:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59a3d08d-5dc8-4153-bc7c-456d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:36.000Z",
"modified": "2017-08-28T14:24:36.000Z",
"name": "OSINT - New Arena Crysis Ransomware Variant Released",
"published": "2017-08-28T14:25:29Z",
"object_refs": [
"observed-data--59a3d0bb-a884-438b-b79f-4005950d210f",
"url--59a3d0bb-a884-438b-b79f-4005950d210f",
"x-misp-attribute--59a3d0cd-96f4-4f05-9ec5-40a7950d210f",
"indicator--59a3d176-7af0-4784-a3aa-47b3950d210f",
"indicator--59a3d190-0bb8-4bcd-b0d4-45df950d210f",
"indicator--59a427a0-9500-426e-a8d8-dfd702de0b81",
"indicator--59a427a0-f6f8-4178-9e7d-dfd702de0b81",
"observed-data--59a427a0-16f0-4270-a9a7-dfd702de0b81",
"url--59a427a0-16f0-4270-a9a7-dfd702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Dharma Ransomware\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a3d0bb-a884-438b-b79f-4005950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"first_observed": "2017-08-28T14:24:32Z",
"last_observed": "2017-08-28T14:24:32Z",
"number_observed": 1,
"object_refs": [
"url--59a3d0bb-a884-438b-b79f-4005950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a3d0bb-a884-438b-b79f-4005950d210f",
"value": "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59a3d0cd-96f4-4f05-9ec5-40a7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Yesterday, ID-Ransomware's Michael Gillespie discovered a new variant of the Crysis/Dharma ransomware that is appending the .arena extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Crysis was typically spread by hacking into Remote Desktop Services and manually installing the ransomware."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3d176-7af0-4784-a3aa-47b3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"pattern": "[file:hashes.SHA256 = 'a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3d190-0bb8-4bcd-b0d4-45df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"description": "Email to contact in ransom note",
"pattern": "[email-message:from_ref.value = 'chivas@aolonline.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a427a0-9500-426e-a8d8-dfd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"description": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
"pattern": "[file:hashes.SHA1 = '60cbe0e3a70ef3d56810bd9178ce232529c09c5f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a427a0-f6f8-4178-9e7d-dfd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"description": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
"pattern": "[file:hashes.MD5 = 'f2679bdabe46e10edc6352fff3c829bc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a427a0-16f0-4270-a9a7-dfd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"first_observed": "2017-08-28T14:24:32Z",
"last_observed": "2017-08-28T14:24:32Z",
"number_observed": 1,
"object_refs": [
"url--59a427a0-16f0-4270-a9a7-dfd702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a427a0-16f0-4270-a9a7-dfd702de0b81",
"value": "https://www.virustotal.com/file/a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e/analysis/1503922016/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}