350 lines
15 KiB
JSON
350 lines
15 KiB
JSON
|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5b238476-4fbc-480c-9c86-48ab950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-10-26T12:01:14.000Z",
|
||
|
"modified": "2018-10-26T12:01:14.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "grouping",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "grouping--5b238476-4fbc-480c-9c86-48ab950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-10-26T12:01:14.000Z",
|
||
|
"modified": "2018-10-26T12:01:14.000Z",
|
||
|
"name": "OSINT - The Week in Ransomware - June 8th 2018 - CryBrazil, CryptConsole, and Magniber",
|
||
|
"context": "suspicious-activity",
|
||
|
"object_refs": [
|
||
|
"observed-data--5b23848a-10e0-4b5d-88ec-47f6950d210f",
|
||
|
"url--5b23848a-10e0-4b5d-88ec-47f6950d210f",
|
||
|
"x-misp-attribute--5b238497-f7d8-4ab2-bfff-4520950d210f",
|
||
|
"indicator--5b23a6f6-3a8c-4e59-9211-42a0950d210f",
|
||
|
"indicator--5b23a946-76f4-4ae8-949e-4602950d210f",
|
||
|
"indicator--5b23a946-948c-4e4f-bf0c-4a44950d210f",
|
||
|
"indicator--5b23ab64-dad0-40fd-a7f8-18a9950d210f",
|
||
|
"indicator--5b23acf4-92f8-423f-9fcd-43bc950d210f",
|
||
|
"indicator--5b23acf5-e9b0-49b6-924a-4b28950d210f",
|
||
|
"x-misp-attribute--5bd301b9-461c-4001-8aa4-4122950d210f",
|
||
|
"indicator--5b23a361-fe98-4450-9fb8-4703950d210f",
|
||
|
"indicator--5b23a3de-2368-473b-be4a-4ecb950d210f",
|
||
|
"indicator--5b23a70c-cb38-42dd-a922-47b9950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\"",
|
||
|
"workflow:todo=\"create-missing-misp-galaxy-cluster\"",
|
||
|
"malware_classification:malware-category=\"Ransomware\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"circl:incident-classification=\"malware\"",
|
||
|
"misp-galaxy:ransomware=\"CryBrazil\"",
|
||
|
"misp-galaxy:malpedia=\"Magniber\"",
|
||
|
"misp-galaxy:ransomware=\"Pedcont\"",
|
||
|
"misp-galaxy:ransomware=\"DiskDoctor\"",
|
||
|
"misp-galaxy:ransomware=\"Magniber Ransomware\"",
|
||
|
"misp-galaxy:ransomware=\"XiaoBa ransomware\"",
|
||
|
"misp-galaxy:ransomware=\"CryptConsole\"",
|
||
|
"misp-galaxy:ransomware=\"RedEye\"",
|
||
|
"misp-galaxy:ransomware=\"Aurora Ransomware\"",
|
||
|
"misp-galaxy:ransomware=\"Fake Globe Ransomware\"",
|
||
|
"misp-galaxy:malpedia=\"GlobeImposter\"",
|
||
|
"misp-galaxy:ransomware=\"PGPSnippet Ransomware\"",
|
||
|
"misp-galaxy:ransomware=\"Spartacus Ransomware\"",
|
||
|
"workflow:todo=\"additional-task\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5b23848a-10e0-4b5d-88ec-47f6950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T12:26:00.000Z",
|
||
|
"modified": "2018-06-15T12:26:00.000Z",
|
||
|
"first_observed": "2018-06-15T12:26:00Z",
|
||
|
"last_observed": "2018-06-15T12:26:00Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5b23848a-10e0-4b5d-88ec-47f6950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5b23848a-10e0-4b5d-88ec-47f6950d210f",
|
||
|
"value": "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5b238497-f7d8-4ab2-bfff-4520950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T12:26:07.000Z",
|
||
|
"modified": "2018-06-15T12:26:07.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "This week we have seen a lot of CryptConsole variants, Magniber activity, and smaller variants released. Ransomware continues to decline as malware developers move toward more profitable miners and information stealing Trojans. Ransomware is not going away, but is instead moving away from mass malspam campaigns to targeted network attacks where a ransom payment may be more likely."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23a6f6-3a8c-4e59-9211-42a0950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T11:45:58.000Z",
|
||
|
"modified": "2018-06-15T11:45:58.000Z",
|
||
|
"description": "CryptConsole contact mail",
|
||
|
"pattern": "[email-message:from_ref.value = 'xser@tutanota.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T11:45:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23a946-76f4-4ae8-949e-4602950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T11:55:50.000Z",
|
||
|
"modified": "2018-06-15T11:55:50.000Z",
|
||
|
"description": "CryptConsole contact email",
|
||
|
"pattern": "[email-message:from_ref.value = 'redbul@tutanota.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T11:55:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23a946-948c-4e4f-bf0c-4a44950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T11:55:50.000Z",
|
||
|
"modified": "2018-06-15T11:55:50.000Z",
|
||
|
"description": "CryptConsole contact email",
|
||
|
"pattern": "[email-message:from_ref.value = 'heineken@tuta.io']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T11:55:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23ab64-dad0-40fd-a7f8-18a9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T12:04:52.000Z",
|
||
|
"modified": "2018-06-15T12:04:52.000Z",
|
||
|
"description": "PGPSnippet Ransomware contact email",
|
||
|
"pattern": "[email-message:from_ref.value = 'digiworldhack@tutanota.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T12:04:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23acf4-92f8-423f-9fcd-43bc950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T12:11:32.000Z",
|
||
|
"modified": "2018-06-15T12:11:32.000Z",
|
||
|
"description": "Spartacus ransomware contact email",
|
||
|
"pattern": "[email-message:from_ref.value = 'example@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T12:11:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23acf5-e9b0-49b6-924a-4b28950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T12:11:33.000Z",
|
||
|
"modified": "2018-06-15T12:11:33.000Z",
|
||
|
"description": "Spartacus ransomware contact email",
|
||
|
"pattern": "[email-message:from_ref.value = 'example1@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T12:11:33Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5bd301b9-461c-4001-8aa4-4122950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-10-26T12:01:14.000Z",
|
||
|
"modified": "2018-10-26T12:01:14.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"Other\"",
|
||
|
"workflow:todo=\"additional-task\""
|
||
|
],
|
||
|
"x_misp_category": "Other",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Missing cluster : Ransomware>Princess Ransomware"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23a361-fe98-4450-9fb8-4703950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T11:30:41.000Z",
|
||
|
"modified": "2018-06-15T11:30:41.000Z",
|
||
|
"description": "Scarab Ransomware variant, DiskDoctor, Ransomnote",
|
||
|
"pattern": "[file:name = 'HOW TO RECOVER ENCRYPTED FILES.TXT' AND file:x_misp_state = 'Malicious']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T11:30:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23a3de-2368-473b-be4a-4ecb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T11:32:46.000Z",
|
||
|
"modified": "2018-06-15T11:32:46.000Z",
|
||
|
"description": "XiaoBa Ransomware ransomnote",
|
||
|
"pattern": "[file:name = '# # DECRYPT MY FILE # #.bmp' AND file:x_misp_state = 'Malicious']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T11:32:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5b23a70c-cb38-42dd-a922-47b9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-06-15T11:46:20.000Z",
|
||
|
"modified": "2018-06-15T11:46:20.000Z",
|
||
|
"description": "Aurora ransomware ransomnote",
|
||
|
"pattern": "[file:name = '#RECOVERY-PC#.txt' AND file:x_misp_state = 'Malicious']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-06-15T11:46:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|