2023-06-14 17:31:25 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5afabbf7-4bd8-4c5a-954f-407d950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T15:47:36.000Z" ,
"modified" : "2018-05-15T15:47:36.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5afabbf7-4bd8-4c5a-954f-407d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T15:47:36.000Z" ,
"modified" : "2018-05-15T15:47:36.000Z" ,
"name" : "OSINT - StalinLocker Deletes Your Files Unless You Enter the Right Code" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"observed-data--5afad4b7-3ef8-4b63-be67-4153950d210f" ,
"file--5afad4b7-3ef8-4b63-be67-4153950d210f" ,
"artifact--5afad4b7-3ef8-4b63-be67-4153950d210f" ,
"observed-data--5afad493-03dc-48e6-9e37-4d18950d210f" ,
"windows-registry-key--5afad493-03dc-48e6-9e37-4d18950d210f" ,
"indicator--5afad492-9004-468d-b450-4228950d210f" ,
"indicator--5afad187-83b4-4977-91c3-195a950d210f" ,
"indicator--5afad187-3b74-443e-b568-195a950d210f" ,
"indicator--5afad185-171c-4f6d-a38e-195a950d210f" ,
"indicator--5afad186-a304-4a88-81b7-195a950d210f" ,
"x-misp-attribute--5afabdcb-1944-4916-942d-407d950d210f" ,
"observed-data--5afabdb1-8418-4aea-af8b-6af7950d210f" ,
"url--5afabdb1-8418-4aea-af8b-6af7950d210f" ,
"x-misp-object--116343d3-a28c-45b6-92ad-33038ffb3af0" ,
"x-misp-object--666e3305-6776-40de-8d19-84a8d18ed470" ,
"relationship--256e17cb-6115-4074-bf46-b51fb7ab992b"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"osint:source-type=\"blog-post\"" ,
"workflow:todo=\"create-missing-misp-galaxy-cluster\"" ,
"workflow:todo=\"create-missing-misp-galaxy-cluster-values\"" ,
"workflow:todo=\"add-tagging\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5afad4b7-3ef8-4b63-be67-4153950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T12:38:15.000Z" ,
"modified" : "2018-05-15T12:38:15.000Z" ,
"first_observed" : "2018-05-15T12:38:15Z" ,
"last_observed" : "2018-05-15T12:38:15Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5afad4b7-3ef8-4b63-be67-4153950d210f" ,
"artifact--5afad4b7-3ef8-4b63-be67-4153950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5afad4b7-3ef8-4b63-be67-4153950d210f" ,
"name" : "stalinlocker.jpg" ,
"content_ref" : "artifact--5afad4b7-3ef8-4b63-be67-4153950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5afad4b7-3ef8-4b63-be67-4153950d210f" ,
"payload_bin" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 4 g l 0 S U N D X 1 B S T 0 Z J T E U A A Q E A A A l k A A A A A A I A A A B t b n R y U k d C I F h Z W i A H 1 A A M A B c A C Q A B A A l h Y 3 N w T V N G V A A A A A B T R U M g R l B E I A A A A A A A A A A A A A A A A Q A A 9 t U A A Q A A A A D T L F N F Q y A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 1 j c H J 0 A A A B I A A A A D h k Z X N j A A A B W A A A A I B k b W 5 k A A A B 2 A A A A H p k b W R k A A A C V A A A A G J y W F l a A A A C u A A A A B R n W F l a A A A C z A A A A B R i W F l a A A A C 4 A A A A B R 3 d H B 0 A A A C 9 A A A A B R y V F J D A A A D C A A A A g x n V F J D A A A F F A A A A g x i V F J D A A A H I A A A A g x j Y W x 0 A A A J L A A A A B R 2 a W V 3 A A A J Q A A A A C R 0 Z X h 0 A A A A A E N v c H l y a W d o d C A o Y y k g M j A w M y B T Y W 1 z d W 5 n I E V s Z W N 0 c m 9 u a W N z I E N v L i w g T H R k A G R l c 2 M A A A A A A A A A J F N h b X N 1 b m c g L S B O Y X R 1 c m F s I E N v b G 9 y I F B y b y A x L j A g S U N N A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Z G V z Y w A A A A A A A A A d U 2 F t c 3 V u Z y B F b G V j d H J v b m l j c y B D b y 4 s I E x 0 Z A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A G R l c 2 M A A A A A A A A A B S A g I C A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A B Y W V o g A A A A A A A 
A f D Q A A E M M A A A B 0 1 h Z W i A A A A A A A A B V Q Q A A p C Y A A B h W W F l a I A A A A A A A A C V g A A A Y 0 Q A A u Q N Y W V o g A A A A A A A A 8 z 4 A A Q A A A A E W c G N 1 c n Y A A A A A A A A B A A A A A A A A A Q A D A A c A C w A R A B g A I A A p A D Q A Q Q B O A F 0 A b g C A A J Q A q Q D A A N g A 8 g E N A S o B S Q F p A Y s B r w H U A f s C J A J P A n s C q Q L Z A w o D P Q N y A 6 k D 4 g Q c B F k E l w T X B R k F X Q W i B e o G M w Z + B s s H G g d r B 74 I E w h q C M M J H Q l 6 C d k K O Q q c C w E L Z w v Q D D o M p w 0 W D Y Y N + Q 5 u D u U P X g / Z E F Y Q 1 R F W E d k S X h L m E 28 T + x S J F R k V q h Y / F t U X b R g I G K Q Z Q x n k G o c b L B v U H H 4 d K R 3 X H o c f O h / u I K U h X i I Z I t c j l i R Y J R w l 4 y a r J 3 Y o Q y k S K e Q q t y u O L G Y t Q C 4 d L v w v 3 j D B M a c y k D N 6 N G c 1 V j Z I N z w 4 M j k q O i U 7 I j w h P S M + J z 8 u Q D Z B Q U J P Q 19 E c U W F R p x H t U j R S e 9 L D 0 w y T V d O f 0 + p U N V S B F M 1 V G h V n l b X W B F Z T l q O W 9 B d F F 5 b X 6 R g 8 G I + Y 49 k 4 m Y 3 Z 49 o 6 W p G a 6 V t B 25 r b 9 J x O 3 K n d B V 1 h X b 4 e G 555 n t g f N 1 + X X / f g W O C 6 o R z h f + H j o k f i r K M S I 3 h j 3 y R G Z K 5 l F y W A Z e p m V O b A J y v n m G g F a H M o 4 a l Q q c B q M K q h a x M r h W v 4 L G u s 3 + 1 U r c o u Q C 627 y 4 v p j A e 8 J g x E j G M s g g y g / M A c 32 z + 7 R 6 N P l 1 e T X 5 t n q 2 / H d + + A I 4 h f k K O Y 96 F T q b e y J 7 q j w y v L u 9 R X 3 P v l q + 5 n 9 y v 
//Y3VydgAAAAAAAAEAAAAAAAABAAMABwALABEAGAAgACkANABBAE4AXQBuAIAAlACpAMAA2ADyAQ0BKgFJAWkBiwGvAdQB+wIkAk8CewKpAtkDCgM9A3IDqQPiBBwEWQSXBNcFGQVdBaIF6gYzBn4GywcaB2sHvggTCGoIwwkdCXoJ2Qo5CpwLAQtnC9AMOgynDRYNhg35Dm4O5Q9eD9kQVhDVEVYR2RJeEuYTbxP7FIkVGRWqFj8W1RdtGAgYpBlDGeQahxssG9Qcfh0pHdcehx86H+4gpSFeIhki1yOWJFglHCXjJqsndihDKRIp5Cq3K44sZi1ALh0u/C/eMMExpzKQM3o0ZzVWNkg3PDgyOSo6JTsiPCE9Iz4nPy5ANkFBQk9DX0RxRYVGnEe1SNFJ70sPTDJNV05/T6lQ1VIEUzVUaFWeVtdYEVlOWo5b0F0UXltfpGDwYj5jj2TiZjdnj2jpakZrpW0Hbmtv0nE7cqd0FXWFdvh4bnnme2B83X5df9+BY4LqhHOF/4eOiR+KsoxIjeGPfJEZkrmUXJYBl6mZU5sAnK+eYaAVocyjhqVCpwGowqqFrEyuFa/gsa6zf7VStyi5ALrbvLi+mMB7wmDESMYyyCDKD8wBzfbP7tHo0+XV5Nfm2erb8d374AjiF+Qo5j3oVOpt7InuqPDK8u71Ffc++Wr7mf3K//9jdXJ2AAAAAAAAAQAAAAAAAAEAAwAHAAsAEQAYACAAKQA0AEEATgBdAG4AgACUAKkAwADYAPIBDQEqAUkBaQGLAa8B1AH7AiQCTwJ7AqkC2QMKAz0DcgOpA+IEHARZBJcE1wUZBV0FogXqBjMGfgbLBxoHawe+CBMIagjDCR0JegnZCjkKnAsBC2cL0Aw6DKcNFg2GDfkObg7lD14P2RBWENURVhHZEl4S5hNvE/sUiRUZFaoWPxbVF20YCBikGUMZ5BqHGywb1Bx+HSkd1x6HHzof7iClIV4iGSLXI5YkWCUcJeMmqyd2KEMpEinkKrcrjixmLUAuHS78L94wwTGnMpAzejRnNVY2SDc8ODI5KjolOyI8IT0jPic/LkA2QUFCT0NfRHFFhUacR7VI0UnvSw9MMk1XTn9PqVDVUgRTNVRoVZ5W11gRWU5ajlvQXRReW1+kYPBiPmOPZOJmN2ePaOlqRmulbQdua2/ScTtyp3QVdYV2+HhueeZ7YHzdfl1/34FjguqEc4X/h46JH4qyjEiN4Y98kRmSuZRclgGXqZlTmwCcr55hoBWhzKOGpUKnAajCqoWsTK4Vr+CxrrN/tVK3KLkAutu8uL6YwHvCYMRIxjLIIMoPzAHN9s/u0ejT5dXk1+bZ6tvx3fvgCOIX5CjmPehU6m3sie6o8Mry7vUV9z75avuZ/cr//2R0aW0AAAAAB9QADAAXAAkABwAPdmlldwAAAAAFdU1zBb6WlwY/fZoBF3XkASYeHgE/5ewAAAAC/9sAQwAQCwsLDAsQDAwQFw8NDxcbFBAQFBsfFxcXFxcfHhcaGhoaFx4eIyUnJSMeLy8zMy8vQEBAQEBAQEBAQEBAQEBA/9sAQwERDw8RExEVEhIVFBEUERQaFBYWFBomGhocGhomMCMeHh4eIzArLicnJy4rNTUwMDU1QEA/QEBAQEBAQEBAQEBA/8IAEQgDagY/AwEiAAIRAQMRAf/EABoAAAMBAQEBAAAAAAAAAAAAAAABAgMEBQb/xAAZAQEBAQEBAQAAAAAAAAAAAAAAAQIDBAX/2gAMAwEAAhADEAAAAfQpVx7jHYA6GmgDQTKGmCYMUoc8RnsYmD0VmlOrE7QCAYiTSpVLKTVxKavNJiIaZGmulTU7aNU3KpSgFJNSkXDMgryJZcJUrlMoTBUMJKJJKZJSJTKAamkXOjYOg2SsGqoaIaAASaWU1ZKed5WpTGzx3z3kCdD3fC93Xl4ut6Xj5fF1cufV6WuXZfPxb6Qnj+543tzd+L6nDc5et5Pqr5/fwd9nOmRTW9
nj7XGfR63n+jnry14fs+M7rr4+2dfT4O3xdeb2vGrLPb1MtcLy5va8P3LfM9Ly/TZ8vt5O+a38r0OZz8v3fD9118f1J3cvK9PzPTXyeb2eab8wadvXmovm0vO0w3w9E8CPf8udNtse28/Dj1PMnb2eLu85y7efnlv0sN+Vjr5ujA68N5Z8yOvino+g4O3z3L1OLr4JPUw2wc8MWY9Pq+N7fDrz9Xi+74m7p6nDvZHh/Q/Pzq89M7n6Gk85GFjARiYNNACmAgEK+Z4Z6nO8J6XKHRAXTE0
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5afad493-03dc-48e6-9e37-4d18950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T12:37:39.000Z" ,
"modified" : "2018-05-15T12:37:39.000Z" ,
"first_observed" : "2018-05-15T12:37:39Z" ,
"last_observed" : "2018-05-15T12:37:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"windows-registry-key--5afad493-03dc-48e6-9e37-4d18950d210f"
] ,
"labels" : [
"misp:type=\"regkey\"" ,
"misp:category=\"Persistence mechanism\""
]
} ,
{
"type" : "windows-registry-key" ,
"spec_version" : "2.1" ,
"id" : "windows-registry-key--5afad493-03dc-48e6-9e37-4d18950d210f" ,
"key" : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Stalin"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5afad492-9004-468d-b450-4228950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T12:37:38.000Z" ,
"modified" : "2018-05-15T12:37:38.000Z" ,
"pattern" : "[file:hashes.SHA256 = '853177d9a42fab0d8d62a190894de5c27ec203240df0d9e70154a675823adf04']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-05-15T12:37:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5afad187-83b4-4977-91c3-195a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T12:24:39.000Z" ,
"modified" : "2018-05-15T12:24:39.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\fl.dat']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-05-15T12:24:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5afad187-3b74-443e-b568-195a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T12:24:39.000Z" ,
"modified" : "2018-05-15T12:24:39.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\stalin.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-05-15T12:24:39Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5afad185-171c-4f6d-a38e-195a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T12:24:37.000Z" ,
"modified" : "2018-05-15T12:24:37.000Z" ,
"pattern" : "[file:name = 'USSR_Anthem.mp3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-05-15T12:24:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5afad186-a304-4a88-81b7-195a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T12:24:38.000Z" ,
"modified" : "2018-05-15T12:24:38.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\USSR_Anthem.mp3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-05-15T12:24:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5afabdcb-1944-4916-942d-407d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T11:01:13.000Z" ,
"modified" : "2018-05-15T11:01:13.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "A new in-development screenlocker/wiper called StalinLocker, or StalinScreamer, was discovered by MalwareHunterTeam that gives you 10 minutes to enter a code or it will try to delete the contents of the drives on the computer. While running, it will display a screen that shows Stalin while playing the USSR anthem and displaying a countdown until files are deleted."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5afabdb1-8418-4aea-af8b-6af7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T11:01:04.000Z" ,
"modified" : "2018-05-15T11:01:04.000Z" ,
"first_observed" : "2018-05-15T11:01:04Z" ,
"last_observed" : "2018-05-15T11:01:04Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5afabdb1-8418-4aea-af8b-6af7950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5afabdb1-8418-4aea-af8b-6af7950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--116343d3-a28c-45b6-92ad-33038ffb3af0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T15:47:18.000Z" ,
"modified" : "2018-05-15T15:47:18.000Z" ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\""
] ,
"x_misp_meta_category" : "file" ,
"x_misp_name" : "file"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--666e3305-6776-40de-8d19-84a8d18ed470" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-05-15T15:47:17.000Z" ,
"modified" : "2018-05-15T15:47:17.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--256e17cb-6115-4074-bf46-b51fb7ab992b" ,
"created" : "2018-05-15T15:47:18.000Z" ,
"modified" : "2018-05-15T15:47:18.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "x-misp-object--116343d3-a28c-45b6-92ad-33038ffb3af0" ,
"target_ref" : "x-misp-object--666e3305-6776-40de-8d19-84a8d18ed470"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}