{
"type" : "bundle" ,
"id" : "bundle--589b1a8a-1e10-4e76-860a-4cba950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-10T07:48:34.000Z" ,
"modified" : "2017-02-10T07:48:34.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--589b1a8a-1e10-4e76-860a-4cba950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-10T07:48:34.000Z" ,
"modified" : "2017-02-10T07:48:34.000Z" ,
"name" : "Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment" ,
"published" : "2017-02-10T07:48:45Z" ,
"object_refs" : [
"observed-data--589b1aad-8768-4196-a952-48ec950d210f" ,
"url--589b1aad-8768-4196-a952-48ec950d210f" ,
"x-misp-attribute--589b1ae1-8ea8-4f2f-a702-439d950d210f" ,
"indicator--589b1b4a-3178-4814-9c07-480a950d210f" ,
"indicator--589b1b4b-3bb0-426a-a692-40a3950d210f" ,
"indicator--589b1b4c-6378-410a-a1f1-42cd950d210f" ,
"indicator--589b1b4d-ea20-47d8-8c30-4812950d210f" ,
"indicator--589b1b4d-ff80-4c1d-bed3-440a950d210f" ,
"indicator--589b1b4e-8518-4c9e-ae53-49ab950d210f" ,
"indicator--589b1d73-8c78-4bab-9438-4b7f950d210f" ,
"indicator--589b1d75-2204-45ce-86ea-4f70950d210f" ,
"indicator--589b1d77-d5dc-4c7b-93df-4d66950d210f" ,
"indicator--589b1d77-b140-49f4-901e-4763950d210f" ,
"indicator--589b1d79-fbc4-4600-9f45-4d55950d210f" ,
"indicator--589b1d7a-a8fc-4d0e-b0e9-4974950d210f" ,
"indicator--589b1d7b-29cc-47f9-9524-4258950d210f" ,
"indicator--589b1d7d-2da0-40cc-b997-4b4f950d210f" ,
"indicator--589b1d7e-8c68-47e6-8bc2-4df9950d210f" ,
"indicator--589b1d7f-30fc-425c-b5c8-489f950d210f" ,
"indicator--589b1d81-c620-4c3c-880b-4c58950d210f" ,
"indicator--589b1d82-46ec-431a-8b78-4f53950d210f" ,
"indicator--589b1d83-bb94-4ea8-abfb-4a42950d210f" ,
"indicator--589b1d83-c664-4696-b610-4d9e950d210f" ,
"indicator--589b1d85-349c-45e5-8784-4a8e950d210f" ,
"indicator--589b1d86-a4e8-4ec6-84a3-4dad950d210f" ,
"indicator--589b1d87-c6bc-4a04-960c-4223950d210f" ,
"indicator--589b1d89-6708-44c9-a4be-4236950d210f" ,
"indicator--589b1d89-bbdc-4c8c-be68-4902950d210f" ,
"indicator--589b1d8b-e95c-43c2-8931-45f7950d210f" ,
"indicator--589b1d8c-7ed4-43c0-954b-408f950d210f" ,
"indicator--589b1d8d-5728-467a-aab7-4903950d210f" ,
"indicator--589b1d8f-a378-4f2d-9c37-4c29950d210f" ,
"indicator--589b1d90-0940-421f-b1fe-4839950d210f" ,
"indicator--589b1d91-703c-4383-8aa5-4771950d210f" ,
"indicator--589b1d97-6d60-4d40-a35d-42e0950d210f" ,
"indicator--589b1d98-f3dc-4ed6-a088-4d9a950d210f" ,
"indicator--589b1de4-c14c-483a-b435-4f92950d210f" ,
"indicator--589b1dfc-f4d8-4733-a045-45ed950d210f" ,
"x-misp-attribute--589b2243-c398-4060-8b34-49b8950d210f" ,
"x-misp-attribute--589b225d-ae00-4143-acdb-44d3950d210f" ,
"indicator--589c1de5-25a0-4e89-90c7-442602de0b81" ,
"indicator--589c1de5-4bc4-4beb-9de3-4f7d02de0b81" ,
"observed-data--589c1de7-49c0-44ea-a90c-4e8202de0b81" ,
"url--589c1de7-49c0-44ea-a90c-4e8202de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"malware_classification:malware-category=\"Ransomware\"" ,
"ecsirt:malicious-code=\"ransomware\"" ,
"veris:action:malware:variety=\"Ransomware\"" ,
"enisa:nefarious-activity-abuse=\"ransomware\"" ,
"dnc:malware-type=\"Ransomware\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--589b1aad-8768-4196-a952-48ec950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"first_observed" : "2017-02-09T07:44:21Z" ,
"last_observed" : "2017-02-09T07:44:21Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--589b1aad-8768-4196-a952-48ec950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"type:OSINT" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--589b1aad-8768-4196-a952-48ec950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--589b1ae1-8ea8-4f2f-a702-439d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\"" ,
"type:OSINT" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "A sample of a potentially new ransomware called Erebus has been discovered by MalwareHunterTeam on VirusTotal. I say that this is a potentially new ransomware because TrendMicro had reported another ransomware using the same name was previously released back in September 2016. Though I do not have a sample of the original Erebus, from its outward characteristics, the one discovered today looks like either a complete rewrite or a new ransomware using the same name.."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1b4a-3178-4814-9c07-480a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKEY_CLASSES_ROOT.msc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1b4b-3bb0-426a-a692-40a3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1b4c-6378-410a-a1f1-42cd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1b4d-ea20-47d8-8c30-4812950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1b4d-ff80-4c1d-bed3-440a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1b4e-8518-4c9e-ae53-49ab950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\ \\\\%UserProfile\\\\%\\\\[random].exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Persistence mechanism"
}
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d73-8c78-4bab-9438-4b7f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d75-2204-45ce-86ea-4f70950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Data\\\\']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d77-d5dc-4c7b-93df-4d66950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Data\\\\Tor\\\\']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d77-b140-49f4-901e-4763950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Data\\\\Tor\\\\geoip']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d79-fbc4-4600-9f45-4d55950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Data\\\\Tor\\\\geoip6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d7a-a8fc-4d0e-b0e9-4974950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d7b-29cc-47f9-9524-4258950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libeay32.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d7d-2da0-40cc-b997-4b4f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libevent-2-0-5.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d7e-8c68-47e6-8bc2-4df9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libevent_core-2-0-5.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d7f-30fc-425c-b5c8-489f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libevent_extra-2-0-5.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d81-c620-4c3c-880b-4c58950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libgcc_s_sjlj-1.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d82-46ec-431a-8b78-4f53950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libssp-0.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d83-bb94-4ea8-abfb-4a42950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\ssleay32.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d83-c664-4696-b610-4d9e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\tor-gencert.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d85-349c-45e5-8784-4a8e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\tor.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d86-a4e8-4ec6-84a3-4dad950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\zlib1.dll']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d87-c6bc-4a04-960c-4223950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor.zip']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d89-6708-44c9-a4be-4236950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d89-bbdc-4c8c-be68-4902950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-certs']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d8b-e95c-43c2-8931-45f7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdesc-consensus']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d8c-7ed4-43c0-954b-408f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdescs.new']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d8d-5728-467a-aab7-4903950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\lock']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d8f-a378-4f2d-9c37-4c29950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\state']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d90-0940-421f-b1fe-4839950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\test\\\\xor-test.pdf']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d91-703c-4383-8aa5-4771950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\README.html']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d97-6d60-4d40-a35d-42e0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\Documents\\\\README.html']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1d98-f3dc-4ed6-a088-4d9a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\[random].exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1de4-c14c-483a-b435-4f92950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[url:value = 'http://erebus5743lnq6db.onion/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589b1dfc-f4d8-4733-a045-45ed950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--589b2243-c398-4060-8b34-49b8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Artifacts dropped\""
] ,
"x_misp_category" : "Artifacts dropped" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Files crypted!\r\nEvery important file on this computer was crypted. Please look on your documents or desktop folder for a file called README.html for instructions on how to decrypt them."
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--589b225d-ae00-4143-acdb-44d3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:21.000Z" ,
"modified" : "2017-02-09T07:44:21.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Artifacts dropped\""
] ,
"x_misp_category" : "Artifacts dropped" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Data crypted\r\n\r\nEvery important file (documents,photos,videos etc) on this computer has been encrypted using an unique key for this computer. \r\nIt is impossible to recover your files without this key. You can try to open them they won't work and will stay that way. \r\n\r\nThat is, unless you buy a decryption key and decrypt your files.\r\nClick 'recover my files' below to go to the website allowing you to buy the key. \r\nFrom now on you have 96 hours to recover the key after this time it will be deleted and your files will stay unusable forever \r\nYour id is : '[id]' you can find this page on your desktop and document folder Use it to \r\n\r\nif the button below doesn't work you need to download a web browser called 'tor browser' \r\ndownload by clicking here then install the browser, it's like chrome, firefox or internet explorer except it allows you to browse to special websites. \r\nonce it's launched browse to http://erebus5743lnq6db.onion"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589c1de5-25a0-4e89-90c7-442602de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:37.000Z" ,
"modified" : "2017-02-09T07:44:37.000Z" ,
"description" : "- Xchecked via VT: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791" ,
"pattern" : "[file:hashes.SHA1 = '6e5fca51a018272d1b1003b16dce6ee9e836908c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--589c1de5-4bc4-4beb-9de3-4f7d02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:37.000Z" ,
"modified" : "2017-02-09T07:44:37.000Z" ,
"description" : "- Xchecked via VT: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791" ,
"pattern" : "[file:hashes.MD5 = '0ced87772881b63caf95f1d828ba40c5']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-02-09T07:44:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--589c1de7-49c0-44ea-a90c-4e8202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-02-09T07:44:39.000Z" ,
"modified" : "2017-02-09T07:44:39.000Z" ,
"first_observed" : "2017-02-09T07:44:39Z" ,
"last_observed" : "2017-02-09T07:44:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--589c1de7-49c0-44ea-a90c-4e8202de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"Payload delivery\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--589c1de7-49c0-44ea-a90c-4e8202de0b81" ,
"value" : "https://www.virustotal.com/file/ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791/analysis/1486609351/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}