misp-circl-feed/feeds/circl/stix-2.1/591d952f-ff4c-4fae-92dd-4a9e950d210f.json

{
"type": "bundle",
"id": "bundle--591d952f-ff4c-4fae-92dd-4a9e950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T18:48:24.000Z",
"modified": "2017-05-18T18:48:24.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--591d952f-ff4c-4fae-92dd-4a9e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T18:48:24.000Z",
"modified": "2017-05-18T18:48:24.000Z",
"name": "OSINT - Uiwix Ransomware Using EternalBlue SMB Exploit To Infect Victims",
"published": "2017-05-18T18:48:40Z",
"object_refs": [
"observed-data--591d9936-2f90-4414-a72b-a002950d210f",
"url--591d9936-2f90-4414-a72b-a002950d210f",
"x-misp-attribute--591d995a-28a0-42ab-a7aa-c521950d210f",
"indicator--591d9cb1-5244-4a7d-94d2-4c60950d210f",
"indicator--591d9cbf-f594-49f8-9857-a009950d210f",
"indicator--591d9cda-b08c-47d3-85a7-4acf950d210f",
"indicator--591d9cdb-521c-4402-9078-49b8950d210f",
"indicator--591d9cdb-5bcc-48c0-ae72-4cd7950d210f",
"indicator--591d9cdb-bb58-4741-ae0d-462e950d210f",
"indicator--591d9cdc-a944-42bf-92d1-4af5950d210f",
"indicator--591d9cdc-ee90-4fac-b4c0-4794950d210f",
"indicator--591db08b-c1ec-4e68-8bc1-c52102de0b81",
"indicator--591db08c-ce94-480c-bab0-c52102de0b81",
"observed-data--591db08c-f04c-48da-83a5-c52102de0b81",
"url--591db08c-f04c-48da-83a5-c52102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:ransomware=\"Uiwix Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--591d9936-2f90-4414-a72b-a002950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:34:24.000Z",
"modified": "2017-05-18T14:34:24.000Z",
"first_observed": "2017-05-18T14:34:24Z",
"last_observed": "2017-05-18T14:34:24Z",
"number_observed": 1,
"object_refs": [
"url--591d9936-2f90-4414-a72b-a002950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--591d9936-2f90-4414-a72b-a002950d210f",
"value": "https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--591d995a-28a0-42ab-a7aa-c521950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:34:24.000Z",
"modified": "2017-05-18T14:34:24.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "A little over a week ago, a member posted a topic in our forums looking for help regarding a new ransomware that they were infected with. For this particular victim, the ransomware was appending the _2883765424.UIWIX extension to their files and was creating ransom notes named _DECODE_FILES.txt. Over the next few days, a few more victims posted in the thread and we saw an increasing amount of encrypted files submitted to our malware submission system and ID-Ransomware."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591d9cb1-5244-4a7d-94d2-4c60950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:39.000Z",
"modified": "2017-05-18T14:32:39.000Z",
"pattern": "[file:hashes.SHA256 = '146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591d9cbf-f594-49f8-9857-a009950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:39.000Z",
"modified": "2017-05-18T14:32:39.000Z",
"description": ">>> ALL YOUR PERSONAL FILES ARE DECODED <<<\r\n\r\nYour personal code: [10_digit_victim_id]\r\n\r\nTo decrypt your files, you need to buy special software.\r\nDo not attempt to decode or modify files, it may be broken.\r\nTo restore data, follow the instructions!\r\n\r\nYou can learn more at this site:\r\nhttps://4ujngbdqqm6t2c53.onion.to\r\nhttps://4ujngbdqqm6t2c53.onion.cab\r\nhttps://4ujngbdqqm6t2c53.onion.nu\r\n\r\nIf a resource is unavailable for a long time to install and use the tor browser.\r\nAfter you start the Tor browser you need to open this link http://4ujngbdqqm6t2c53.onion",
"pattern": "[file:name = '_DECODE_FILES.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591d9cda-b08c-47d3-85a7-4acf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:39.000Z",
"modified": "2017-05-18T14:32:39.000Z",
"description": "Uiwix Network Connections",
"pattern": "[url:value = 'https://4ujngbdqqm6t2c53.onion.to']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591d9cdb-521c-4402-9078-49b8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:39.000Z",
"modified": "2017-05-18T14:32:39.000Z",
"description": "Uiwix Network Connections",
"pattern": "[url:value = 'https://4ujngbdqqm6t2c53.onion.cab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591d9cdb-5bcc-48c0-ae72-4cd7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:39.000Z",
"modified": "2017-05-18T14:32:39.000Z",
"description": "Uiwix Network Connections",
"pattern": "[url:value = 'https://4ujngbdqqm6t2c53.onion.nu']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591d9cdb-bb58-4741-ae0d-462e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:39.000Z",
"modified": "2017-05-18T14:32:39.000Z",
"description": "Uiwix Network Connections",
"pattern": "[url:value = 'http://4ujngbdqqm6t2c53.onion']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591d9cdc-a944-42bf-92d1-4af5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:39.000Z",
"modified": "2017-05-18T14:32:39.000Z",
"description": "Uiwix Network Connections",
"pattern": "[url:value = 'https://netcologne.dl.sourceforge.net/project/cyqlite/3.8.5/sqlite-dll-win32-x86-3080500.zip']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591d9cdc-ee90-4fac-b4c0-4794950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:39.000Z",
"modified": "2017-05-18T14:32:39.000Z",
"description": "Uiwix Network Connections",
"pattern": "[url:value = 'http://sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591db08b-c1ec-4e68-8bc1-c52102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:43.000Z",
"modified": "2017-05-18T14:32:43.000Z",
"description": "- Xchecked via VT: 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc",
"pattern": "[file:hashes.SHA1 = '18aa7b02f933c753989ba3d16698a5ee3a4d9420']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--591db08c-ce94-480c-bab0-c52102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:44.000Z",
"modified": "2017-05-18T14:32:44.000Z",
"description": "- Xchecked via VT: 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc",
"pattern": "[file:hashes.MD5 = 'a933a1a402775cfa94b6bee0963f4b46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-05-18T14:32:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--591db08c-f04c-48da-83a5-c52102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-05-18T14:32:44.000Z",
"modified": "2017-05-18T14:32:44.000Z",
"first_observed": "2017-05-18T14:32:44Z",
"last_observed": "2017-05-18T14:32:44Z",
"number_observed": 1,
"object_refs": [
"url--591db08c-f04c-48da-83a5-c52102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--591db08c-f04c-48da-83a5-c52102de0b81",
"value": "https://www.virustotal.com/file/146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc/analysis/1495112647/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}