{
"type": "bundle",
"id": "bundle--5b718bda-8d9c-477f-bcd5-4634950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-13T12:44:37.000Z",
"modified": "2018-09-13T12:44:37.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b718bda-8d9c-477f-bcd5-4634950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-13T12:44:37.000Z",
"modified": "2018-09-13T12:44:37.000Z",
"name": "OSINT - New KeyPass Ransomware Campaign Underway",
"published": "2018-09-13T13:52:40Z",
"object_refs": [
"observed-data--5b718d07-ac14-4b23-9a09-4837950d210f",
"url--5b718d07-ac14-4b23-9a09-4837950d210f",
"x-misp-attribute--5b718d35-5110-4e9a-b084-4c45950d210f",
"indicator--5b9a590a-61b8-48b0-b5d0-5c6d950d210f",
"indicator--5b9a590a-e45c-4a9c-953d-5c6d950d210f",
"indicator--5b9a58f0-5ba8-4bd6-b7c4-3055950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"KEYPASS\"",
"osint:source-type=\"blog-post\"",
"circl:incident-classification=\"malware\"",
"malware_classification:malware-category=\"Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b718d07-ac14-4b23-9a09-4837950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-13T13:52:16.000Z",
"modified": "2018-08-13T13:52:16.000Z",
"first_observed": "2018-08-13T13:52:16Z",
"last_observed": "2018-08-13T13:52:16Z",
"number_observed": 1,
"object_refs": [
"url--5b718d07-ac14-4b23-9a09-4837950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b718d07-ac14-4b23-9a09-4837950d210f",
"value": "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b718d35-5110-4e9a-b084-4c45950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-13T12:38:55.000Z",
"modified": "2018-09-13T12:38:55.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "A new distribution campaign is underway for a STOP Ransomware variant called KeyPass based on the amount of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.\r\n\r\nNot much is known regarding how this ransomware is being distributed other than what people have posted in the BleepingComputer forums. According to some of the posts, the ransomware appeared after the user downloaded and installed cracks such as KMSpico. Other reports state that it appeared on its own and that the victim did not install anything."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9a590a-61b8-48b0-b5d0-5c6d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-13T12:33:14.000Z",
"modified": "2018-09-13T12:33:14.000Z",
"pattern": "[email-message:from_ref.value = 'keypass@bitmessage.ch']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-13T12:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9a590a-e45c-4a9c-953d-5c6d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-13T12:33:14.000Z",
"modified": "2018-09-13T12:33:14.000Z",
"pattern": "[email-message:from_ref.value = 'keypass@india.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-13T12:33:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b9a58f0-5ba8-4bd6-b7c4-3055950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-13T12:32:48.000Z",
"modified": "2018-09-13T12:32:48.000Z",
"pattern": "[file:name = '!!!KEYPASS_DECRYPTION_INFO!!!.txt' AND file:x_misp_text = 'Attention! \r\n\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\r\n\r\nThe only method of recovering files is to purchase an decrypt software and unique private key.\r\n\r\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\r\n\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\r\n\r\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\r\n\r\nPrice for decryption $300. \r\n\r\nThis price avaliable if you contact us first 72 hours.\r\n\r\nE-mail address to contact us:\r\n\r\nkeypass@bitmessage.ch\r\n\r\n\r\n\r\nReserve e-mail address to contact us:\r\n\r\nkeypass@india.com\r\n\r\n\r\n\r\nYour personal id:\r\n[id]' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-09-13T12:32:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}