{
"type" : "bundle" ,
"id" : "bundle--5bf81c54-4464-4c12-aae7-4607950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:54:58.000Z" ,
"modified" : "2018-11-26T08:54:58.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5bf81c54-4464-4c12-aae7-4607950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:54:58.000Z" ,
"modified" : "2018-11-26T08:54:58.000Z" ,
"name" : "OSINT - Aurora / Zorro Ransomware Actively Being Distributed" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"observed-data--5bf81c67-e654-4753-b719-fb4f950d210f" ,
"url--5bf81c67-e654-4753-b719-fb4f950d210f" ,
"indicator--5bfbaa8d-8274-4a83-8c7b-4cc5950d210f" ,
"observed-data--5bfbadd3-e0cc-4967-b90c-4de6950d210f" ,
"file--5bfbadd3-e0cc-4967-b90c-4de6950d210f" ,
"artifact--5bfbadd3-e0cc-4967-b90c-4de6950d210f" ,
"observed-data--5bfbae56-d408-4f6d-8977-494a950d210f" ,
"file--5bfbae56-d408-4f6d-8977-494a950d210f" ,
"artifact--5bfbae56-d408-4f6d-8977-494a950d210f" ,
"indicator--5bfbaeb3-7d50-45a1-8b58-43ba950d210f" ,
"indicator--5bfbaeb4-ec5c-4776-8db3-41c0950d210f" ,
"indicator--5bfbaeb4-a498-425e-ab80-4239950d210f" ,
"indicator--5bfbaeb5-2b74-4dff-946d-4848950d210f" ,
"indicator--5bfbaeb5-d25c-4167-8c3e-40ba950d210f" ,
"indicator--5bfbaeb6-daec-4ad8-97c8-415a950d210f" ,
"indicator--5bfbaeb6-f848-4533-9c3a-4b61950d210f" ,
"indicator--5bfbaeb6-3df8-4728-bd4f-4170950d210f" ,
"x-misp-attribute--5bfbb433-56d0-499a-85f3-4101950d210f" ,
"x-misp-object--5bfba696-7a10-46db-8e0b-4c9f950d210f" ,
"indicator--5bfba948-d188-4b1a-b11e-406d950d210f" ,
"indicator--5bfba95f-ec48-46b9-ad7b-4a10950d210f" ,
"indicator--5bfba976-5148-4a25-8b94-4467950d210f" ,
"indicator--5bfbab76-daf8-4a43-a78d-4b51950d210f" ,
"indicator--5bfbae8b-d1ac-487a-be44-4c05950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"workflow:todo=\"expansion\"" ,
"malware_classification:malware-category=\"Ransomware\"" ,
"circl:incident-classification=\"malware\"" ,
"osint:source-type=\"blog-post\"" ,
"misp-galaxy:ransomware=\"Aurora Ransomware\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5bf81c67-e654-4753-b719-fb4f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:52:24.000Z" ,
"modified" : "2018-11-26T08:52:24.000Z" ,
"first_observed" : "2018-11-26T08:52:24Z" ,
"last_observed" : "2018-11-26T08:52:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5bf81c67-e654-4753-b719-fb4f950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5bf81c67-e654-4753-b719-fb4f950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/aurora-zorro-ransomware-actively-being-distributed/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaa8d-8274-4a83-8c7b-4cc5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:10:53.000Z" ,
"modified" : "2018-11-26T08:10:53.000Z" ,
"pattern" : "[email-message:from_ref.value = 'oktropys@protonmail.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:10:53Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5bfbadd3-e0cc-4967-b90c-4de6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:24:51.000Z" ,
"modified" : "2018-11-26T08:24:51.000Z" ,
"first_observed" : "2018-11-26T08:24:51Z" ,
"last_observed" : "2018-11-26T08:24:51Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5bfbadd3-e0cc-4967-b90c-4de6950d210f" ,
"artifact--5bfbadd3-e0cc-4967-b90c-4de6950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5bfbadd3-e0cc-4967-b90c-4de6950d210f" ,
"name" : "ransom-note.jpg" ,
"content_ref" : "artifact--5bfbadd3-e0cc-4967-b90c-4de6950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5bfbadd3-e0cc-4967-b90c-4de6950d210f" ,
"payload_bin" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 4 g l 0 S U N D X 1 B S T 0 Z J T E U A A Q E A A A l k A A A A A A I A A A B t b n R y U k d C I F h Z W i A H 1 A A M A B c A C Q A B A A l h Y 3 N w T V N G V A A A A A B T R U M g R l B E I A A A A A A A A A A A A A A A A Q A A 9 t U A A Q A A A A D T L F N F Q y A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 1 j c H J 0 A A A B I A A A A D h k Z X N j A A A B W A A A A I B k b W 5 k A A A B 2 A A A A H p k b W R k A A A C V A A A A G J y W F l a A A A C u A A A A B R n W F l a A A A C z A A A A B R i W F l a A A A C 4 A A A A B R 3 d H B 0 A A A C 9 A A A A B R y V F J D A A A D C A A A A g x n V F J D A A A F F A A A A g x i V F J D A A A H I A A A A g x j Y W x 0 A A A J L A A A A B R 2 a W V 3 A A A J Q A A A A C R 0 Z X h 0 A A A A A E N v c H l y a W d o d C A o Y y k g M j A w M y B T Y W 1 z d W 5 n I E V s Z W N 0 c m 9 u a W N z I E N v L i w g T H R k A G R l c 2 M A A A A A A A A A J F N h b X N 1 b m c g L S B O Y X R 1 c m F s I E N v b G 9 y I F B y b y A x L j A g S U N N A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Z G V z Y w A A A A A A A A A d U 2 F t c 3 V u Z y B F b G V j d H J v b m l j c y B D b y 4 s I E x 0 Z A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A G R l c 2 M A A A A A A A A A B S A g I C A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A B Y W V o g A A A A A A A 
A f D Q A A E M M A A A B 0 1 h Z W i A A A A A A A A B V Q Q A A p C Y A A B h W W F l a I A A A A A A A A C V g A A A Y 0 Q A A u Q N Y W V o g A A A A A A A A 8 z 4 A A Q A A A A E W c G N 1 c n Y A A A A A A A A B A A A A A A A A A Q A D A A c A C w A R A B g A I A A p A D Q A Q Q B O A F 0 A b g C A A J Q A q Q D A A N g A 8 g E N A S o B S Q F p A Y s B r w H U A f s C J A J P A n s C q Q L Z A w o D P Q N y A 6 k D 4 g Q c B F k E l w T X B R k F X Q W i B e o G M w Z + B s s H G g d r B 74 I E w h q C M M J H Q l 6 C d k K O Q q c C w E L Z w v Q D D o M p w 0 W D Y Y N + Q 5 u D u U P X g / Z E F Y Q 1 R F W E d k S X h L m E 28 T + x S J F R k V q h Y / F t U X b R g I G K Q Z Q x n k G o c b L B v U H H 4 d K R 3 X H o c f O h / u I K U h X i I Z I t c j l i R Y J R w l 4 y a r J 3 Y o Q y k S K e Q q t y u O L G Y t Q C 4 d L v w v 3 j D B M a c y k D N 6 N G c 1 V j Z I N z w 4 M j k q O i U 7 I j w h P S M + J z 8 u Q D Z B Q U J P Q 19 E c U W F R p x H t U j R S e 9 L D 0 w y T V d O f 0 + p U N V S B F M 1 V G h V n l b X W B F Z T l q O W 9 B d F F 5 b X 6 R g 8 G I + Y 49 k 4 m Y 3 Z 49 o 6 W p G a 6 V t B 25 r b 9 J x O 3 K n d B V 1 h X b 4 e G 555 n t g f N 1 + X X / f g W O C 6 o R z h f + H j o k f i r K M S I 3 h j 3 y R G Z K 5 l F y W A Z e p m V O b A J y v n m G g F a H M o 4 a l Q q c B q M K q h a x M r h W v 4 L G u s 3 + 1 U r c o u Q C 627 y 4 v p j A e 8 J g x E j G M s g g y g / M A c 32 z + 7 R 6 N P l 1 e T X 5 t n q 2 / H d + + A I 4 h f k K O Y 96 F T q b e y J 7 q j w y v L u 9 R X 3 P v l q + 5 n 9 y v 
//Y3VydgAAAAAAAAEAAAAAAAABAAMABwALABEAGAAgACkANABBAE4AXQBuAIAAlACpAMAA2ADyAQ0BKgFJAWkBiwGvAdQB+wIkAk8CewKpAtkDCgM9A3IDqQPiBBwEWQSXBNcFGQVdBaIF6gYzBn4GywcaB2sHvggTCGoIwwkdCXoJ2Qo5CpwLAQtnC9AMOgynDRYNhg35Dm4O5Q9eD9kQVhDVEVYR2RJeEuYTbxP7FIkVGRWqFj8W1RdtGAgYpBlDGeQahxssG9Qcfh0pHdcehx86H+4gpSFeIhki1yOWJFglHCXjJqsndihDKRIp5Cq3K44sZi1ALh0u/C/eMMExpzKQM3o0ZzVWNkg3PDgyOSo6JTsiPCE9Iz4nPy5ANkFBQk9DX0RxRYVGnEe1SNFJ70sPTDJNV05/T6lQ1VIEUzVUaFWeVtdYEVlOWo5b0F0UXltfpGDwYj5jj2TiZjdnj2jpakZrpW0Hbmtv0nE7cqd0FXWFdvh4bnnme2B83X5df9+BY4LqhHOF/4eOiR+KsoxIjeGPfJEZkrmUXJYBl6mZU5sAnK+eYaAVocyjhqVCpwGowqqFrEyuFa/gsa6zf7VStyi5ALrbvLi+mMB7wmDESMYyyCDKD8wBzfbP7tHo0+XV5Nfm2erb8d374AjiF+Qo5j3oVOpt7InuqPDK8u71Ffc++Wr7mf3K//9jdXJ2AAAAAAAAAQAAAAAAAAEAAwAHAAsAEQAYACAAKQA0AEEATgBdAG4AgACUAKkAwADYAPIBDQEqAUkBaQGLAa8B1AH7AiQCTwJ7AqkC2QMKAz0DcgOpA+IEHARZBJcE1wUZBV0FogXqBjMGfgbLBxoHawe+CBMIagjDCR0JegnZCjkKnAsBC2cL0Aw6DKcNFg2GDfkObg7lD14P2RBWENURVhHZEl4S5hNvE/sUiRUZFaoWPxbVF20YCBikGUMZ5BqHGywb1Bx+HSkd1x6HHzof7iClIV4iGSLXI5YkWCUcJeMmqyd2KEMpEinkKrcrjixmLUAuHS78L94wwTGnMpAzejRnNVY2SDc8ODI5KjolOyI8IT0jPic/LkA2QUFCT0NfRHFFhUacR7VI0UnvSw9MMk1XTn9PqVDVUgRTNVRoVZ5W11gRWU5ajlvQXRReW1+kYPBiPmOPZOJmN2ePaOlqRmulbQdua2/ScTtyp3QVdYV2+HhueeZ7YHzdfl1/34FjguqEc4X/h46JH4qyjEiN4Y98kRmSuZRclgGXqZlTmwCcr55hoBWhzKOGpUKnAajCqoWsTK4Vr+CxrrN/tVK3KLkAutu8uL6YwHvCYMRIxjLIIMoPzAHN9s/u0ejT5dXk1+bZ6tvx3fvgCOIX5CjmPehU6m3sie6o8Mry7vUV9z75avuZ/cr//2R0aW0AAAAAB9QADAAXAAkABwAPdmlldwAAAAAFdU1zBb6WlwY/fZoBF3XkASYeHgE/5ewAAAAC/9sAQwAQCwsLDAsQDAwQFw8NDxcbFBAQFBsfFxcXFxcfHhcaGhoaFx4eIyUnJSMeLy8zMy8vQEBAQEBAQEBAQEBAQEBA/9sAQwERDw8RExEVEhIVFBEUERQaFBYWFBomGhocGhomMCMeHh4eIzArLicnJy4rNTUwMDU1QEA/QEBAQEBAQEBAQEBA/8IAEQgBwgO5AwEiAAIRAQMRAf/EABoAAQADAQEBAAAAAAAAAAAAAAACAwQFAQb/xAAYAQEBAQEBAAAAAAAAAAAAAAAAAQIDBP/aAAwDAQACEAMQAAABvnL3eIPfbIp1SyRsIvYnqVRN7E9T8qKYg99iKftVrBW8titYqtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWCtYK1grWeRBcKV1ZFdAgsFaLO5PPCXP6nz2sfQ+rEw6L/ayUdJLg03QOe6Ypw9GZzZdAZKOkOXq1DHR0xy
p9Icr3p+nL32ipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWipaKloqWiqN4pjeKPNHhCnUlo9uWcq7U5d8kNw9+c+l+W6+f6XZj1TWO2pLt9gM3tNxdbTZVEqEap5NFWZr8EaFcyaqo6HtU6qvzXkkRJESREkRJESREkRJESREkRJESREkRJESREkRJESREkRJESREkRJESREkRJESREkRJESREkRJES
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5bfbae56-d408-4f6d-8977-494a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:27:02.000Z" ,
"modified" : "2018-11-26T08:27:02.000Z" ,
"first_observed" : "2018-11-26T08:27:02Z" ,
"last_observed" : "2018-11-26T08:27:02Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--5bfbae56-d408-4f6d-8977-494a950d210f" ,
"artifact--5bfbae56-d408-4f6d-8977-494a950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--5bfbae56-d408-4f6d-8977-494a950d210f" ,
"name" : "wallpaper.jpg" ,
"content_ref" : "artifact--5bfbae56-d408-4f6d-8977-494a950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--5bfbae56-d408-4f6d-8977-494a950d210f" ,
"payload_bin" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 4 g l 0 S U N D X 1 B S T 0 Z J T E U A A Q E A A A l k A A A A A A I A A A B t b n R y U k d C I F h Z W i A H 1 A A M A B c A C Q A B A A l h Y 3 N w T V N G V A A A A A B T R U M g R l B E I A A A A A A A A A A A A A A A A Q A A 9 t U A A Q A A A A D T L F N F Q y A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 1 j c H J 0 A A A B I A A A A D h k Z X N j A A A B W A A A A I B k b W 5 k A A A B 2 A A A A H p k b W R k A A A C V A A A A G J y W F l a A A A C u A A A A B R n W F l a A A A C z A A A A B R i W F l a A A A C 4 A A A A B R 3 d H B 0 A A A C 9 A A A A B R y V F J D A A A D C A A A A g x n V F J D A A A F F A A A A g x i V F J D A A A H I A A A A g x j Y W x 0 A A A J L A A A A B R 2 a W V 3 A A A J Q A A A A C R 0 Z X h 0 A A A A A E N v c H l y a W d o d C A o Y y k g M j A w M y B T Y W 1 z d W 5 n I E V s Z W N 0 c m 9 u a W N z I E N v L i w g T H R k A G R l c 2 M A A A A A A A A A J F N h b X N 1 b m c g L S B O Y X R 1 c m F s I E N v b G 9 y I F B y b y A x L j A g S U N N A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Z G V z Y w A A A A A A A A A d U 2 F t c 3 V u Z y B F b G V j d H J v b m l j c y B D b y 4 s I E x 0 Z A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A G R l c 2 M A A A A A A A A A B S A g I C A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A B Y W V o g A A A A A A A 
A f D Q A A E M M A A A B 0 1 h Z W i A A A A A A A A B V Q Q A A p C Y A A B h W W F l a I A A A A A A A A C V g A A A Y 0 Q A A u Q N Y W V o g A A A A A A A A 8 z 4 A A Q A A A A E W c G N 1 c n Y A A A A A A A A B A A A A A A A A A Q A D A A c A C w A R A B g A I A A p A D Q A Q Q B O A F 0 A b g C A A J Q A q Q D A A N g A 8 g E N A S o B S Q F p A Y s B r w H U A f s C J A J P A n s C q Q L Z A w o D P Q N y A 6 k D 4 g Q c B F k E l w T X B R k F X Q W i B e o G M w Z + B s s H G g d r B 74 I E w h q C M M J H Q l 6 C d k K O Q q c C w E L Z w v Q D D o M p w 0 W D Y Y N + Q 5 u D u U P X g / Z E F Y Q 1 R F W E d k S X h L m E 28 T + x S J F R k V q h Y / F t U X b R g I G K Q Z Q x n k G o c b L B v U H H 4 d K R 3 X H o c f O h / u I K U h X i I Z I t c j l i R Y J R w l 4 y a r J 3 Y o Q y k S K e Q q t y u O L G Y t Q C 4 d L v w v 3 j D B M a c y k D N 6 N G c 1 V j Z I N z w 4 M j k q O i U 7 I j w h P S M + J z 8 u Q D Z B Q U J P Q 19 E c U W F R p x H t U j R S e 9 L D 0 w y T V d O f 0 + p U N V S B F M 1 V G h V n l b X W B F Z T l q O W 9 B d F F 5 b X 6 R g 8 G I + Y 49 k 4 m Y 3 Z 49 o 6 W p G a 6 V t B 25 r b 9 J x O 3 K n d B V 1 h X b 4 e G 555 n t g f N 1 + X X / f g W O C 6 o R z h f + H j o k f i r K M S I 3 h j 3 y R G Z K 5 l F y W A Z e p m V O b A J y v n m G g F a H M o 4 a l Q q c B q M K q h a x M r h W v 4 L G u s 3 + 1 U r c o u Q C 627 y 4 v p j A e 8 J g x E j G M s g g y g / M A c 32 z + 7 R 6 N P l 1 e T X 5 t n q 2 / H d + + A I 4 h f k K O Y 96 F T q b e y J 7 q j w y v L u 9 R X 3 P v l q + 5 n 9 y v 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
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaeb3-7d50-45a1-8b58-43ba950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:28:35.000Z" ,
"modified" : "2018-11-26T08:28:35.000Z" ,
"description" : "Associated email address" ,
"pattern" : "[email-message:from_ref.value = 'anastacialove21@mail.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:28:35Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaeb4-ec5c-4776-8db3-41c0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:28:36.000Z" ,
"modified" : "2018-11-26T08:28:36.000Z" ,
"description" : "Associated email address" ,
"pattern" : "[email-message:from_ref.value = 'anonimus.mr@yahoo.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:28:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaeb4-a498-425e-ab80-4239950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:28:36.000Z" ,
"modified" : "2018-11-26T08:28:36.000Z" ,
"description" : "Associated email address" ,
"pattern" : "[email-message:from_ref.value = 'big.fish@vfemail.net']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:28:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaeb5-2b74-4dff-946d-4848950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:28:37.000Z" ,
"modified" : "2018-11-26T08:28:37.000Z" ,
"description" : "Associated email address" ,
"pattern" : "[email-message:from_ref.value = 'enco@cock.email']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:28:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaeb5-d25c-4167-8c3e-40ba950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:28:37.000Z" ,
"modified" : "2018-11-26T08:28:37.000Z" ,
"description" : "Associated email address" ,
"pattern" : "[email-message:from_ref.value = 'hellstaff@india.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:28:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaeb6-daec-4ad8-97c8-415a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:28:38.000Z" ,
"modified" : "2018-11-26T08:28:38.000Z" ,
"description" : "Associated email address" ,
"pattern" : "[email-message:from_ref.value = 'j0ra@protonmail.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:28:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaeb6-f848-4533-9c3a-4b61950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:28:38.000Z" ,
"modified" : "2018-11-26T08:28:38.000Z" ,
"description" : "Associated email address" ,
"pattern" : "[email-message:from_ref.value = 'ochennado@tutanota.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:28:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbaeb6-3df8-4728-bd4f-4170950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:28:38.000Z" ,
"modified" : "2018-11-26T08:28:38.000Z" ,
"description" : "Associated email address" ,
"pattern" : "[email-message:from_ref.value = 'unlockalexkingman@protonmail.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:28:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5bfbb433-56d0-499a-85f3-4101950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:52:25.000Z" ,
"modified" : "2018-11-26T08:52:25.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "A ransomware that has been distributed since the summer of 2018 has started to pick up steam in the latest variant. This new variant is currently being called Zorro Ransomware, but has also been called Aurora Ransomware in the past.\r\n\r\nIt is not currently known how this ransomware is distributed, but there are indications it may be installed by hacking into computers running Remote Desktop Services and that are exposed to the Internet. The attackers will brute force the password for RDP accounts in order to gain access to the computer and install the ransomware."
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5bfba696-7a10-46db-8e0b-4c9f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T07:53:58.000Z" ,
"modified" : "2018-11-26T07:53:58.000Z" ,
"labels" : [
"misp:name=\"coin-address\"" ,
"misp:meta-category=\"financial\""
] ,
"x_misp_attributes" : [
{
"type" : "btc" ,
"object_relation" : "address" ,
"value" : "18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac" ,
"category" : "Financial fraud" ,
"to_ids" : true ,
"uuid" : "5bfba696-2460-4afb-ae36-4b96950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "symbol" ,
"value" : "BTC" ,
"category" : "Other" ,
"uuid" : "5bfba697-a9f8-4af6-ba2b-4ce9950d210f"
}
] ,
"x_misp_meta_category" : "financial" ,
"x_misp_name" : "coin-address"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfba948-d188-4b1a-b11e-406d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:05:28.000Z" ,
"modified" : "2018-11-26T08:05:28.000Z" ,
"description" : "Ransomnote" ,
"pattern" : "[file:name = '!-GET_MY_FILES-!.txt' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:05:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfba95f-ec48-46b9-ad7b-4a10950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:05:51.000Z" ,
"modified" : "2018-11-26T08:05:51.000Z" ,
"description" : "Ransomnote" ,
"pattern" : "[file:name = '#RECOVERY-PC#.txt' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:05:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfba976-5148-4a25-8b94-4467950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:06:14.000Z" ,
"modified" : "2018-11-26T08:06:14.000Z" ,
"description" : "Ransomnote" ,
"pattern" : "[file:name = '@_RESTORE-FILES_@.txt' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:06:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbab76-daf8-4a43-a78d-4b51950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:14:46.000Z" ,
"modified" : "2018-11-26T08:14:46.000Z" ,
"description" : "Wallpaper ransomnote" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%wall.i' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:14:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5bfbae8b-d1ac-487a-be44-4c05950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-11-26T08:27:55.000Z" ,
"modified" : "2018-11-26T08:27:55.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'e8e995787549117aacb30b3d4896c058a8bfc8d0aab312b726d34e6ab85d819d' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-11-26T08:27:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}