2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type" : "bundle" ,
"id" : "bundle--56c44d9a-a738-4a22-9306-058c950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T14:42:59.000Z" ,
"modified" : "2016-02-17T14:42:59.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--56c44d9a-a738-4a22-9306-058c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T14:42:59.000Z" ,
"modified" : "2016-02-17T14:42:59.000Z" ,
"name" : "OSINT - Dridex Actors Get In the Ransomware Game With \"Locky\"" ,
"published" : "2016-02-17T16:09:30Z" ,
"object_refs" : [
"observed-data--56c44e27-8b0c-481f-9f2c-659e950d210f" ,
"url--56c44e27-8b0c-481f-9f2c-659e950d210f" ,
"x-misp-attribute--56c44e47-c110-4aab-ad9b-659b950d210f" ,
"indicator--56c44e7f-356c-4509-a371-42d5950d210f" ,
"indicator--56c44e7f-c92c-4116-bed0-44e3950d210f" ,
"indicator--56c44e7f-7424-4a58-b009-4a0b950d210f" ,
"indicator--56c44e80-4168-4412-883a-4373950d210f" ,
"indicator--56c44e80-6c6c-46db-bdf2-4377950d210f" ,
"indicator--56c44ec8-ddf0-4c29-b765-42bc950d210f" ,
"indicator--56c44ec8-2100-442b-9b8a-44e1950d210f" ,
"indicator--56c44ec8-60b4-4512-af9e-4771950d210f" ,
"indicator--56c44ec9-245c-4ef1-9ebb-4cb8950d210f" ,
"indicator--56c44ec9-bc18-4f00-be97-4f40950d210f" ,
"indicator--56c44ec9-d334-4804-b8aa-4780950d210f" ,
"indicator--56c44eca-a00c-462a-9c72-469a950d210f" ,
"indicator--56c44eed-24dc-4e71-8a5d-4167950d210f" ,
"indicator--56c44eed-6f04-498d-89ad-4371950d210f" ,
"indicator--56c44eee-6b80-412d-b219-4781950d210f" ,
"indicator--56c44eee-d6e4-4edc-a889-459a950d210f" ,
"indicator--56c44eee-07f4-452b-b63e-4091950d210f" ,
"indicator--56c44eef-8e00-4b72-8271-49ee950d210f" ,
"indicator--56c44eef-b904-4b5e-ac3d-4827950d210f" ,
"indicator--56c44f11-3b1c-410d-9ab2-4d31950d210f" ,
"indicator--56c44f11-56b4-4280-a544-470e950d210f" ,
"indicator--56c44f11-960c-40ea-b988-4a98950d210f" ,
"indicator--56c44f12-8278-4076-b08d-4c22950d210f" ,
"indicator--56c44f6a-4084-4283-8701-659d950d210f" ,
"indicator--56c44f6b-de78-4b97-b34e-659d950d210f" ,
"indicator--56c44f6b-5f08-4d9f-b024-659d950d210f" ,
"indicator--56c44f6b-176c-49ba-8548-659d950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT"
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--56c44e27-8b0c-481f-9f2c-659e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:40:39.000Z" ,
"modified" : "2016-02-17T10:40:39.000Z" ,
"first_observed" : "2016-02-17T10:40:39Z" ,
"last_observed" : "2016-02-17T10:40:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--56c44e27-8b0c-481f-9f2c-659e950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--56c44e27-8b0c-481f-9f2c-659e950d210f" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--56c44e47-c110-4aab-ad9b-659b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:46:24.000Z" ,
"modified" : "2016-02-17T10:46:24.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Proofpoint researchers have discovered a new ransomware named \"Locky\" being distributed via MS Word documents with malicious macros. While a variety of new ransomware has appeared since the end of 2015, Locky stands out because it is being delivered by the same actor behind many of the Dridex campaigns we have tracked over the last year."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44e7f-356c-4509-a371-42d5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:42:07.000Z" ,
"modified" : "2016-02-17T10:42:07.000Z" ,
"description" : "Payment URIs (Locky asks user to click these links)" ,
"pattern" : "[url:value = 'http://6dtxgqam4crv6rr6.tor2web.org']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:42:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44e7f-c92c-4116-bed0-44e3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:42:07.000Z" ,
"modified" : "2016-02-17T10:42:07.000Z" ,
"description" : "Payment URIs (Locky asks user to click these links)" ,
"pattern" : "[url:value = 'http://6dtxgqam4crv6rr6.onion.to']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:42:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44e7f-7424-4a58-b009-4a0b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:42:07.000Z" ,
"modified" : "2016-02-17T10:42:07.000Z" ,
"description" : "Payment URIs (Locky asks user to click these links)" ,
"pattern" : "[url:value = 'http://6dtxgqam4crv6rr6.onion.cab']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:42:07Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44e80-4168-4412-883a-4373950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:42:08.000Z" ,
"modified" : "2016-02-17T10:42:08.000Z" ,
"description" : "Payment URIs (Locky asks user to click these links)" ,
"pattern" : "[url:value = 'http://6dtxgqam4crv6rr6.onion.link']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:42:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44e80-6c6c-46db-bdf2-4377950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:42:08.000Z" ,
"modified" : "2016-02-17T10:42:08.000Z" ,
"description" : "Payment URIs (Locky asks user to click these links)" ,
"pattern" : "[url:value = 'https://6dtxgqam4crv6rr6.onion']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:42:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44ec8-ddf0-4c29-b765-42bc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:20.000Z" ,
"modified" : "2016-02-17T10:43:20.000Z" ,
"description" : "Locky C2" ,
"pattern" : "[url:value = 'http://109.234.38.35/main.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44ec8-2100-442b-9b8a-44e1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:20.000Z" ,
"modified" : "2016-02-17T10:43:20.000Z" ,
"description" : "Locky C2" ,
"pattern" : "[url:value = 'http://lneqqkvxxogomu.eu/main.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44ec8-60b4-4512-af9e-4771950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:20.000Z" ,
"modified" : "2016-02-17T10:43:20.000Z" ,
"description" : "Locky C2" ,
"pattern" : "[url:value = 'http://qpdar.pw/main.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44ec9-245c-4ef1-9ebb-4cb8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:21.000Z" ,
"modified" : "2016-02-17T10:43:21.000Z" ,
"description" : "Locky C2" ,
"pattern" : "[url:value = 'http://ydbayd.de/main.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44ec9-bc18-4f00-be97-4f40950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:21.000Z" ,
"modified" : "2016-02-17T10:43:21.000Z" ,
"description" : "Locky C2" ,
"pattern" : "[url:value = 'http://ssojravpf.be/main.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44ec9-d334-4804-b8aa-4780950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:21.000Z" ,
"modified" : "2016-02-17T10:43:21.000Z" ,
"description" : "Locky C2" ,
"pattern" : "[url:value = 'http://gioaqjklhoxf.eu/main.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44eca-a00c-462a-9c72-469a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:22.000Z" ,
"modified" : "2016-02-17T10:43:22.000Z" ,
"description" : "Locky C2" ,
"pattern" : "[url:value = 'http://txlmnqnunppnpuq.ru/main.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44eed-24dc-4e71-8a5d-4167950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:57.000Z" ,
"modified" : "2016-02-17T10:43:57.000Z" ,
"description" : "Payloads downloaded by macro" ,
"pattern" : "[url:value = 'http://www.iglobali.com/34gf5y/r34f3345g.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44eed-6f04-498d-89ad-4371950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:57.000Z" ,
"modified" : "2016-02-17T10:43:57.000Z" ,
"description" : "Payloads downloaded by macro" ,
"pattern" : "[url:value = 'http://www.southlife.church/34gf5y/r34f3345g.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44eee-6b80-412d-b219-4781950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:58.000Z" ,
"modified" : "2016-02-17T10:43:58.000Z" ,
"description" : "Payloads downloaded by macro" ,
"pattern" : "[url:value = 'http://www.villaggio.airwave.at/34gf5y/r34f3345g.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44eee-d6e4-4edc-a889-459a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:58.000Z" ,
"modified" : "2016-02-17T10:43:58.000Z" ,
"description" : "Payloads downloaded by macro" ,
"pattern" : "[url:value = 'http://www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44eee-07f4-452b-b63e-4091950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:58.000Z" ,
"modified" : "2016-02-17T10:43:58.000Z" ,
"description" : "Payloads downloaded by macro" ,
"pattern" : "[url:value = 'http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44eef-8e00-4b72-8271-49ee950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:59.000Z" ,
"modified" : "2016-02-17T10:43:59.000Z" ,
"description" : "Payloads downloaded by macro" ,
"pattern" : "[url:value = 'http://173.214.183.81/~tomorrowhope/09u8h76f/65fg67n']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44eef-b904-4b5e-ac3d-4827950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:43:59.000Z" ,
"modified" : "2016-02-17T10:43:59.000Z" ,
"description" : "Payloads downloaded by macro" ,
"pattern" : "[url:value = 'http://iynus.net/~test/09u8h76f/65fg67n']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:43:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44f11-3b1c-410d-9ab2-4d31950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T14:42:59.000Z" ,
"modified" : "2016-02-17T14:42:59.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Locky']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T14:42:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44f11-56b4-4280-a544-470e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T14:42:58.000Z" ,
"modified" : "2016-02-17T14:42:58.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Locky\\\\id']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T14:42:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44f11-960c-40ea-b988-4a98950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T14:42:58.000Z" ,
"modified" : "2016-02-17T14:42:58.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Locky\\\\pubkey']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T14:42:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44f12-8278-4076-b08d-4c22950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T14:42:58.000Z" ,
"modified" : "2016-02-17T14:42:58.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Locky\\\\paytext']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T14:42:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44f6a-4084-4283-8701-659d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:46:30.000Z" ,
"modified" : "2016-02-17T10:46:30.000Z" ,
"description" : "Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation) - See more at: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky#sthash.MoLx2rvu.dpuf" ,
"pattern" : "[domain-name:value = 'vkrdbsrqpi.de']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:46:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44f6b-de78-4b97-b34e-659d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:46:03.000Z" ,
"modified" : "2016-02-17T10:46:03.000Z" ,
"description" : "Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation) - See more at: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky#sthash.MoLx2rvu.dpuf" ,
"pattern" : "[domain-name:value = 'jaomjlyvwxgdt.fr']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:46:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44f6b-5f08-4d9f-b024-659d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:46:03.000Z" ,
"modified" : "2016-02-17T10:46:03.000Z" ,
"description" : "Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation) - See more at: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky#sthash.MoLx2rvu.dpuf" ,
"pattern" : "[domain-name:value = 'wpogw.it']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:46:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--56c44f6b-176c-49ba-8548-659d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2016-02-17T10:46:03.000Z" ,
"modified" : "2016-02-17T10:46:03.000Z" ,
"description" : "Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation) - See more at: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky#sthash.MoLx2rvu.dpuf" ,
"pattern" : "[domain-name:value = 'ofhhoowfmnuihyd.ru']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2016-02-17T10:46:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"domain\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
2023-04-21 13:25:09 +00:00
]
}