misp-circl-feed/feeds/circl/misp/588f9099-bcc8-4730-b744-4eed02de0b81.json

227 lines
118 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
2023-06-14 17:31:25 +00:00
"type": "bundle",
"id": "bundle--588f9099-bcc8-4730-b744-4eed02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:19:47.000Z",
"modified": "2017-01-30T19:19:47.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--588f9099-bcc8-4730-b744-4eed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:19:47.000Z",
"modified": "2017-01-30T19:19:47.000Z",
"name": "OSINT - Saga 2.0 (Sage 2.0) comes with IP Generation Algorithm (IPGA)",
"published": "2017-01-30T19:19:56Z",
"object_refs": [
"x-misp-attribute--588f90a9-09cc-4c5f-86d1-4f5602de0b81",
"observed-data--588f90c8-6aec-4917-83a2-404202de0b81",
"url--588f90c8-6aec-4917-83a2-404202de0b81",
"indicator--588f90e4-27dc-48c5-9c7d-4a6a02de0b81",
"observed-data--588f9152-70fc-466d-a8cc-474302de0b81",
"file--588f9152-70fc-466d-a8cc-474302de0b81",
"artifact--588f9152-70fc-466d-a8cc-474302de0b81",
"indicator--588f9196-e66c-4ceb-b014-4f9002de0b81",
"indicator--588f9196-cb48-4b36-8f32-41e802de0b81",
"observed-data--588f9197-7d90-436b-af52-41b002de0b81",
"url--588f9197-7d90-436b-af52-41b002de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--588f90a9-09cc-4c5f-86d1-4f5602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:14:49.000Z",
"modified": "2017-01-30T19:14:49.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "On Jan 20, 2017, we came across a malware that appeared to be a new Ransomware family called Sage 2.0. Within a couple of days we were able to collect more than 200 malware binaries across our sensors associated with this new Ransomware. Last week, Brad Duncan also wrote a SANS InfoSec Diary entry on Sage 2.0, noticing some strange UDP packets sent to over 7'000 different IPs:"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588f90c8-6aec-4917-83a2-404202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:17:59.000Z",
"modified": "2017-01-30T19:17:59.000Z",
"first_observed": "2017-01-30T19:17:59Z",
"last_observed": "2017-01-30T19:17:59Z",
"number_observed": 1,
"object_refs": [
"url--588f90c8-6aec-4917-83a2-404202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588f90c8-6aec-4917-83a2-404202de0b81",
"value": "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588f90e4-27dc-48c5-9c7d-4a6a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:15:48.000Z",
"modified": "2017-01-30T19:15:48.000Z",
"description": "Sage 2.0 samples",
"pattern": "[file:hashes.MD5 = 'cfe8749de0954cee3966e1cbdb341e69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-30T19:15:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588f9152-70fc-466d-a8cc-474302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:19:30.000Z",
"modified": "2017-01-30T19:19:30.000Z",
"first_observed": "2017-01-30T19:19:30Z",
"last_observed": "2017-01-30T19:19:30Z",
"number_observed": 1,
"object_refs": [
"file--588f9152-70fc-466d-a8cc-474302de0b81",
"artifact--588f9152-70fc-466d-a8cc-474302de0b81"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:information-credibility=\"2\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--588f9152-70fc-466d-a8cc-474302de0b81",
"name": "sage.png",
"content_ref": "artifact--588f9152-70fc-466d-a8cc-474302de0b81"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--588f9152-70fc-466d-a8cc-474302de0b81",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAABAAAAAWLCAMAAACawzQeAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAwBQTFRFP4/u/KOsampoSn+/lZSTKG+1j2drPldx//DxTExKaH2XDw8PLXrRyChEzs7Kh7glk73u+zVK/FRlx96Z29vXxMPBvb29MIHfwsG/jYyMcHBwiYiGnogZzc3Np8tfosDf+yY92SU3PT08Hh4e4+LfGUZ0Li0trKyqZGRjQkJCoKCeNTU1lLfadXV17u7up6akmJiX+fn3FTdb2oiPWnebaaI++hcviYmJ3NzY5ubmrAUXHlKOVoG01dXV9vXyxcXFrX+Evr67olZeJiYmFxcXeHh4k6e7Q4G/egcTf7MWXFxcCRgoZYmwx9XkAAAA0wYc+gch////VFRUtrazenl3rq6urrjCFQAD5OPfnp6d1dTQxcXBmJeVzOH7W1tZ/Pz73t7emcP2tLSym5ubZaXy1NPQ9/f3goKCn8ZQfX196+rm8vj+v9mLk5OTWJ7wi4uLhYWEf7T0/YOQ3+zFTJbvstL4/sHInJybrKys+0VZ2en8RITQpKSivLu5zMvI5fD9pKSktLS0cq3z1uK4jLz1v9r5ml1kpcv36+vnZGe6goKBnMNM9be79/rwkZGQl8FCt9R8j70zt7a0p6emxsXDw9fuz+Oor9Bt5/HT5OPg3ebG1dTRfqUv7/bi1+e2/HSC/tHV/GR0r6+tudOC/uDj/bK6932Iydvt7O7hlb8/XpPIq8tn/ZOe+EJU5+bilkeHsrGv8+Ph0tLPuLe08vb6NXi6UIrDWVhYfHx69MbIcHBv919u9pqha5zMPXKljrHSrsnj1+Tx9ouU9NXU8g4nrKuphq7VvNLo9257vD9MgICAeaXR5O324h0yysnHskhTurm3qamnqk9ZBhEeCAgIAwgNJmirDiVB6hUs9PPvPzAybHF45erTPwII2+Xu/v7+IVqTIl2j+/v6/v39y6PDXG7Aw2hxI2Geb29v6gcfiputfFSaVZXi252i5dHh5qisj4+O5be58cjRss91rsqW3c3L4+PjprC9gI2dz8/hgqLIBQ4X7XOAMoftenp68/Luqd/VsAABQLFJREFUeNrsfcuuszyTdQsxQUyTQcTMRGSEuBP0SzBAgGgJiQGMMsskyRV81/HP+xr6wmhXlW0OIad9evZOaul995OAMcahlstle/m//pvBYLwt/qtnMBhvCyYABoMJgMFgMAEwGAwmAAaDwQTAYDCYABgMBhMAg8FgAmAwGEwADAaDCYDBYDABMBgMJgAGg8EEwGAwmAAYDAYTAIPBYAJgMBh/jgCSJMl+XZlzS4gqzeWnzBPCSZM+T1P59xk88mCJzDW/PCyPltfOqnNfilJm+nOV+x1PwPibBFAGMcJ3vI9mnyXy9fUubTOLwIjLkQEVYoLihv27WCrIlAqY9gn+fdykHnuwVN1lBnlUXDurzn0phMx0+GaNa+kbXojveALGnySAKh7wwbbLV5f70fRE5KoTg9Um8QTJ3XLJFGX8IQJ49MF+JQGI+NM/ywIswyZMAEwAw+uv4X/QnRxymDBANBy3nicAaL4D9BEsKJoQ5XME8PCDvREBDPdgAmACIEDrHZSyr/zxPqi3bGkZtv9CuGNLpy4AnbjdBRhyg+TYi3gqBvDwg12JASgT+bEYwCUBBF/eBRjuwTEAJgDqaYOdfTIAmCdgxxk2uSNbAc/dlWcyaMuruXHdbdaGNkp8pBH89IP9dBt5SQDJN9+DwQSAXrWYtocOtNmBpUw5r6T9ukIepZaoqORZv0qutLmj4478WmpbdJcJAByCsi+sIOnz0hJwKwevKeFddcFHKNCFoHT415wOxFLLfe3BZkWXWVl97olU5kWeyOzJ1fXqbDkJXOLFdDCyZKED7WIkjg9Bx1QlWKhReAbPE1AQRU9ZKk8LuPA6AVxelVc+VFBV6iJGld/LH8mh3heUTF2F5cuwuKYme1PAHMqvK+XyNowXJ4Bi3nM33ryb62Z83Bc139Pl9mX00sLblpnufLFIAGCmDl2XTgIG5luSDHc0MYDqfgzh4sFmRQcCqfCL7uXPnnwaA0gncYvROQWyu3HcUSzX6CgIQg5K4S519md1ef0qQcWwkD8cXeUW1vjoqiAbFTcd/BtTKdXibRgvHwPAFynw8ovXFV+JPJ4SQHIl3mc8gGxi5e7gCyRXCUBZ1cia8jsEkD4SRJw/2KzoQ64XBEDG8BwBYJ4TthTLNTqOggLTZX78HAHQVW48JQC63NO/S4B1P74qXSSAZJLg4jaM1ycAHcELvExFhxIInKkQHLwz0htM4H2LEnqxvCRJlzrIcE2w6IOnc49hiQCSFCJ2iaCOA97ChwBcnoKJYPhPEwCUxrXkoaroH36wWdEvCWD65DMCoC4AGmsxOedXKRawUlbr0Z39pBgihuN84RlcJ02F+o6kkSZR6l8LAhYLV+HDCVkDqTUmgELzA/kkWLvyKpe4OBlqUj8B+GYiStBzyS5vw3h9AhheH9e7DBcJ1ahbZAa5bhkWokk4caf8CAH4VpRNLkuvBAHVOXxN73uo0webFx1P4Byl2UCfvtvCMCA+YnV5Lh9IJdBdnmsBOPN8yuAd/f3qMGCycJUY1yg+aIDjIy6VICIm0lflOpv5MGCha1JML+h9jha+DQH0eTX3+vIkCYYXrR9e9URbw+XoOMb6Rf8BAhifSRLvPgGUF6MKoyDdtQebF31auuTiyRcIAB8xWDoXGFIRy/Q45GueWHGqr+MjjxHA6Kp8TADJ0NlSR4rRVToeOyeASNdkOVTS+DaMdyAAmLFbubrzjdFl0yOtqGXI/KFnHmhfOLmw/yD7DAGUYh6lu0IA6UIMMl2cNDN6sHnRLwlg+uQLBFAZz2N+TpVQGXMxdaCn+ZonHogo7pcJYNYFWLxqRgAefRQUfplclS4QgKlJ9WPNb8N4DwLAV4c8+FlMGnuoAQ4f+bOo13jIf8H+0e9UIQFr2jlYJoBqGo/6EgIYPdi86BcEMI/GXxCAF5vBjCsEUNEEp3jioczyfYIAZkHARwigMCE+hwmA8QwBoJWm6CxCfE07wsEkzJ1emaC6YP/jl1TcHAVIzasLYS3rYwRQXp81Z5lQ37joFwQwf/K5kWO4ouxvEUDuTkcSjVc+yvd7CYBKlpDfxgTAeIIAUnxrXNW061cl07H0SDeCXqIw7//Pw3KBHpPK4un44CIBeKNhsg/EAO4+2LzoFwQwf/J5oM8d3fUKAZjVD85odGKW79zGTG/+KQK4FgMg599Trspk3sRTMQAmgLcjgIz6xto0R9E/vzDGnpgpLxf9/2pq3gm1vOgVpNPxwWUCSEdD0V8zCjB9sHnRLwhg/uRTIx8CgLcIQP5bJUmx+KxXCEBcHwW4QQAXowDJ6HPhqBkY+iqcNbA0CpCPRwFKJoB3JAAnEBUMJ6uxYhwpThJPB6fdqe26evg5tayJkxsrD7wcCAAHn3waVJ6GAJYIAMfJkySqtKFeJ4DH5gHMHmxe9AsCmD/51Mi92ETliqsEUCzNn5nlO7cx7JrIgmKcZTEIKBZ884t5ABOKdlUVJjTKj7oIrvYEnDvzAJgA3osAxHQ2WzXrKvu0FFc4aaT70/OZbpMs0oEAxomD/h4BTOYcprcJ4KGZgLMHmxf9ggCq5SDBvZmAkxiAZokqHZipupxLObaxPL46E/DGVRczAZNx1aoQwHwmoJkcdXMmIBPAexHAKEZdTuJYo4lqw3TyLHiCAIZ3/2p8cDQKMDLQuLxNAENo8t5U4CG7edEvCGD+5B8ggLGxmy7RLN8LGys/QgCD1sKcANSFxYwAqPejeOPmWgAmgPcigMTDRXhmEVwOI+cizUuBb8jYLClcRMv0xm3cWL4KQ01moX+CS9aci5XnJlw/rO8jBS+/KmHYPOlH69UGHZtnVgNePNis6EP2ejXg7MlHK/5urQYsRiXMxIzEFmrUPIO5OJEuu6wjazKEMZMEu7zqYjXgMBzijgnTx+WJujAFdA9EdGs14PQ2jLcZBVg
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588f9196-e66c-4ceb-b014-4f9002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:18:46.000Z",
"modified": "2017-01-30T19:18:46.000Z",
"description": "Sage 2.0 samples - Xchecked via VT: cfe8749de0954cee3966e1cbdb341e69",
"pattern": "[file:hashes.SHA256 = '5e7cc796dfd2d47e6efb31412e1d614db6d96620ac118426dda04b6fbb943993']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-30T19:18:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--588f9196-cb48-4b36-8f32-41e802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:18:46.000Z",
"modified": "2017-01-30T19:18:46.000Z",
"description": "Sage 2.0 samples - Xchecked via VT: cfe8749de0954cee3966e1cbdb341e69",
"pattern": "[file:hashes.SHA1 = 'e8eec675b5af14138598e4d152d34fd2ecb43a87']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-01-30T19:18:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--588f9197-7d90-436b-af52-41b002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-01-30T19:18:47.000Z",
"modified": "2017-01-30T19:18:47.000Z",
"first_observed": "2017-01-30T19:18:47Z",
"last_observed": "2017-01-30T19:18:47Z",
"number_observed": 1,
"object_refs": [
"url--588f9197-7d90-436b-af52-41b002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--588f9197-7d90-436b-af52-41b002de0b81",
"value": "https://www.virustotal.com/file/5e7cc796dfd2d47e6efb31412e1d614db6d96620ac118426dda04b6fbb943993/analysis/1485347931/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
2023-04-21 13:25:09 +00:00
]
}