317 lines
13 KiB
JSON
317 lines
13 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--59f0462f-41d4-47b4-9e1b-4a07950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T09:04:21.000Z",
|
||
|
"modified": "2017-10-25T09:04:21.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--59f0462f-41d4-47b4-9e1b-4a07950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T09:04:21.000Z",
|
||
|
"modified": "2017-10-25T09:04:21.000Z",
|
||
|
"name": "OSINT - Bad Rabbit ransomware",
|
||
|
"published": "2017-10-25T09:04:25Z",
|
||
|
"object_refs": [
|
||
|
"indicator--59f04689-1d08-4780-b433-4e4e950d210f",
|
||
|
"observed-data--59f04703-4f20-4b4c-9655-4e01950d210f",
|
||
|
"url--59f04703-4f20-4b4c-9655-4e01950d210f",
|
||
|
"x-misp-attribute--59f047b0-776c-49a7-82e5-4594950d210f",
|
||
|
"indicator--59f04853-d364-4c70-a966-496c950d210f",
|
||
|
"indicator--59f04854-ee44-43a7-add1-48e2950d210f",
|
||
|
"indicator--59f04998-0774-4f90-93ec-42a9950d210f",
|
||
|
"indicator--59f049ed-6f9c-4994-b4a2-466c950d210f",
|
||
|
"indicator--59f04a1b-b1ac-4bdb-9771-45ff950d210f",
|
||
|
"indicator--59f04a1b-9ee4-4318-a764-49df950d210f",
|
||
|
"indicator--59f04a1b-4228-4582-ad70-48b4950d210f",
|
||
|
"indicator--59f04a1b-5400-4fbd-8027-476b950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:ransomware=\"Bad Rabbit\"",
|
||
|
"type:OSINT",
|
||
|
"malware_classification:malware-category=\"Ransomware\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"misp-galaxy:preventive-measure=\"Backup and Restore Process\"",
|
||
|
"misp-galaxy:preventive-measure=\"Restrict Workstation Communication\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f04689-1d08-4780-b433-4e4e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:08:41.000Z",
|
||
|
"modified": "2017-10-25T08:08:41.000Z",
|
||
|
"description": "The ransomware dropper is distributed from",
|
||
|
"pattern": "[url:value = 'http://1dnscontrol.com/flash_install.php']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:08:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--59f04703-4f20-4b4c-9655-4e01950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:11:29.000Z",
|
||
|
"modified": "2017-10-25T08:11:29.000Z",
|
||
|
"first_observed": "2017-10-25T08:11:29Z",
|
||
|
"last_observed": "2017-10-25T08:11:29Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--59f04703-4f20-4b4c-9655-4e01950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--59f04703-4f20-4b4c-9655-4e01950d210f",
|
||
|
"value": "https://securelist.com/bad-rabbit-ransomware/82851/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--59f047b0-776c-49a7-82e5-4594950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:13:42.000Z",
|
||
|
"modified": "2017-10-25T08:13:42.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "n October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f04853-d364-4c70-a966-496c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:16:19.000Z",
|
||
|
"modified": "2017-10-25T08:16:19.000Z",
|
||
|
"description": "downloaded file",
|
||
|
"pattern": "[file:name = 'install_flash_player.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:16:19Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f04854-ee44-43a7-add1-48e2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:16:20.000Z",
|
||
|
"modified": "2017-10-25T08:16:20.000Z",
|
||
|
"description": "malicious DLL",
|
||
|
"pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\infpub.dat']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:16:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f04998-0774-4f90-93ec-42a9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:21:44.000Z",
|
||
|
"modified": "2017-10-25T08:21:44.000Z",
|
||
|
"pattern": "[file:name = 'dispci.exe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:21:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f049ed-6f9c-4994-b4a2-466c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:23:09.000Z",
|
||
|
"modified": "2017-10-25T08:23:09.000Z",
|
||
|
"pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\cscc.dat']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:23:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f04a1b-b1ac-4bdb-9771-45ff950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:23:55.000Z",
|
||
|
"modified": "2017-10-25T08:23:55.000Z",
|
||
|
"pattern": "[url:value = 'http://1dnscontrol.com/']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:23:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Network activity"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Network activity\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f04a1b-9ee4-4318-a764-49df950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:23:55.000Z",
|
||
|
"modified": "2017-10-25T08:23:55.000Z",
|
||
|
"description": "install_flash_player.exe",
|
||
|
"pattern": "[file:hashes.MD5 = 'fbbdc39af1139aebba4da004475e8839']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:23:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f04a1b-4228-4582-ad70-48b4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:23:55.000Z",
|
||
|
"modified": "2017-10-25T08:23:55.000Z",
|
||
|
"description": "C:\\Windows\\infpub.dat",
|
||
|
"pattern": "[file:hashes.MD5 = '1d724f95c61f1055f0d02c2154bbccd3']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:23:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--59f04a1b-5400-4fbd-8027-476b950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-10-25T08:23:55.000Z",
|
||
|
"modified": "2017-10-25T08:23:55.000Z",
|
||
|
"description": "C:\\Windows\\dispci.exe",
|
||
|
"pattern": "[file:hashes.MD5 = 'b14d8faf7f0cbcfad051cefe5f39645f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-10-25T08:23:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|