{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--5acb6516-f590-4456-8fd7-4243950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:51.000Z",
|
||
|
"modified": "2018-04-10T20:14:51.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--5acb6516-f590-4456-8fd7-4243950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:51.000Z",
|
||
|
"modified": "2018-04-10T20:14:51.000Z",
|
||
|
"name": "OSINT - New Matrix Ransomware Variants Installed Via Hacked Remote Desktop Services",
|
||
|
"published": "2018-04-10T20:15:10Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--5acb6525-5b00-451c-9e62-430f950d210f",
|
||
|
"url--5acb6525-5b00-451c-9e62-430f950d210f",
|
||
|
"x-misp-attribute--5acb6534-0f10-4266-b5fc-4f1a950d210f",
|
||
|
"indicator--5acb659c-0d50-42b8-9be9-40f2950d210f",
|
||
|
"indicator--5acb659d-25ec-41ac-ae45-4e10950d210f",
|
||
|
"indicator--5acb659d-0704-4e84-b9ce-46a2950d210f",
|
||
|
"indicator--5acb659d-45ec-4971-aa43-4a49950d210f",
|
||
|
"observed-data--5acb65c4-ae24-453a-a1fd-4317950d210f",
|
||
|
"file--5acb65c4-ae24-453a-a1fd-4317950d210f",
|
||
|
"artifact--5acb65c4-ae24-453a-a1fd-4317950d210f",
|
||
|
"observed-data--5acb662e-ae24-4c24-b1e4-45b9950d210f",
|
||
|
"file--5acb662e-ae24-4c24-b1e4-45b9950d210f",
|
||
|
"artifact--5acb662e-ae24-4c24-b1e4-45b9950d210f",
|
||
|
"indicator--5acb688a-afe4-4118-9fa4-4d4c950d210f",
|
||
|
"indicator--5acb688b-04dc-4e65-9b64-4eab950d210f",
|
||
|
"indicator--5acb688b-1d94-4570-94ce-4e30950d210f",
|
||
|
"indicator--5acb688b-1de4-4f58-924d-445a950d210f",
|
||
|
"observed-data--5acb68b4-eaa8-43da-963b-4714950d210f",
|
||
|
"file--5acb68b4-eaa8-43da-963b-4714950d210f",
|
||
|
"artifact--5acb68b4-eaa8-43da-963b-4714950d210f",
|
||
|
"indicator--5acb693d-4d94-4edb-b326-40a4950d210f",
|
||
|
"indicator--5acb693e-b984-43e9-8985-41e9950d210f",
|
||
|
"observed-data--5accacb2-2a30-4de7-8c57-4094950d210f",
|
||
|
"url--5accacb2-2a30-4de7-8c57-4094950d210f",
|
||
|
"indicator--8d158558-595e-4460-9706-acc37ae7f29f",
|
||
|
"x-misp-object--2b816db9-6c8d-4c0e-9efd-99a358d67736",
|
||
|
"indicator--949e2684-bf18-4920-8317-98d91d5c505c",
|
||
|
"x-misp-object--d21be9c3-bd7f-4349-8c2d-cea0804f2b37",
|
||
|
"indicator--5accacf2-ed80-4799-b66f-4f5d950d210f",
|
||
|
"relationship--8b1ea4cf-6832-4332-a4a2-58fb6b5680e9",
|
||
|
"relationship--93e2fddc-1f94-4529-9d2d-6a7445484f09"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"misp-galaxy:ransomware=\"Matrix\"",
|
||
|
"malware_classification:malware-category=\"Ransomware\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"circl:incident-classification=\"malware\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5acb6525-5b00-451c-9e62-430f950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:04.000Z",
|
||
|
"modified": "2018-04-10T20:14:04.000Z",
|
||
|
"first_observed": "2018-04-10T20:14:04Z",
|
||
|
"last_observed": "2018-04-10T20:14:04Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5acb6525-5b00-451c-9e62-430f950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5acb6525-5b00-451c-9e62-430f950d210f",
|
||
|
"value": "https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--5acb6534-0f10-4266-b5fc-4f1a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:04.000Z",
|
||
|
"modified": "2018-04-10T20:14:04.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Two new Matrix Ransomware variants were discovered this week by MalwareHunterTeam that are being installed through hacked Remote Desktop services. While both of these variants encrypt the victim's files, one is a bit more advanced, with more debugging messages and the use of the Windows cipher utility to wipe free space."
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb659c-0d50-42b8-9be9-40f2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:04.000Z",
|
||
|
"modified": "2018-04-10T20:14:04.000Z",
|
||
|
"pattern": "[file:name = '!ReadMe_To_Decrypt_Files!.rtf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T20:14:04Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb659d-25ec-41ac-ae45-4e10950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:05.000Z",
|
||
|
"modified": "2018-04-10T20:14:05.000Z",
|
||
|
"pattern": "[email-message:from_ref.value = 'files4463@tuta.io']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T20:14:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb659d-0704-4e84-b9ce-46a2950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:05.000Z",
|
||
|
"modified": "2018-04-10T20:14:05.000Z",
|
||
|
"pattern": "[email-message:from_ref.value = 'files4463@protonmail.ch']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T20:14:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb659d-45ec-4971-aa43-4a49950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:06.000Z",
|
||
|
"modified": "2018-04-10T20:14:06.000Z",
|
||
|
"pattern": "[email-message:from_ref.value = 'files4463@gmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T20:14:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5acb65c4-ae24-453a-a1fd-4317950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:06.000Z",
|
||
|
"modified": "2018-04-10T20:14:06.000Z",
|
||
|
"first_observed": "2018-04-10T20:14:06Z",
|
||
|
"last_observed": "2018-04-10T20:14:06Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"file--5acb65c4-ae24-453a-a1fd-4317950d210f",
|
||
|
"artifact--5acb65c4-ae24-453a-a1fd-4317950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"attachment\"",
|
||
|
"misp:category=\"Artifacts dropped\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "file",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "file--5acb65c4-ae24-453a-a1fd-4317950d210f",
|
||
|
"name": "ransom-note.jpg",
|
||
|
"content_ref": "artifact--5acb65c4-ae24-453a-a1fd-4317950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "artifact",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "artifact--5acb65c4-ae24-453a-a1fd-4317950d210f",
|
||
|
"payload_bin": "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
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5acb662e-ae24-4c24-b1e4-45b9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:06.000Z",
|
||
|
"modified": "2018-04-10T20:14:06.000Z",
|
||
|
"first_observed": "2018-04-10T20:14:06Z",
|
||
|
"last_observed": "2018-04-10T20:14:06Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"file--5acb662e-ae24-4c24-b1e4-45b9950d210f",
|
||
|
"artifact--5acb662e-ae24-4c24-b1e4-45b9950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"attachment\"",
|
||
|
"misp:category=\"Artifacts dropped\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "file",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "file--5acb662e-ae24-4c24-b1e4-45b9950d210f",
|
||
|
"name": "background.jpg",
|
||
|
"content_ref": "artifact--5acb662e-ae24-4c24-b1e4-45b9950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "artifact",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "artifact--5acb662e-ae24-4c24-b1e4-45b9950d210f",
|
||
|
"payload_bin": "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
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb688a-afe4-4118-9fa4-4d4c950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:07.000Z",
|
||
|
"modified": "2018-04-10T20:14:07.000Z",
|
||
|
"pattern": "[file:name = '#Decrypt_Files_ReadMe#.rtf']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T20:14:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"filename\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb688b-04dc-4e65-9b64-4eab950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:07.000Z",
|
||
|
"modified": "2018-04-10T20:14:07.000Z",
|
||
|
"pattern": "[email-message:from_ref.value = 'restorfile@tutanota.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T20:14:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb688b-1d94-4570-94ce-4e30950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:07.000Z",
|
||
|
"modified": "2018-04-10T20:14:07.000Z",
|
||
|
"pattern": "[email-message:from_ref.value = 'restorefile@protonmail.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T20:14:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb688b-1de4-4f58-924d-445a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:08.000Z",
|
||
|
"modified": "2018-04-10T20:14:08.000Z",
|
||
|
"pattern": "[email-message:from_ref.value = 'restorefile@qq.com']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T20:14:08Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"email-src\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5acb68b4-eaa8-43da-963b-4714950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:08.000Z",
|
||
|
"modified": "2018-04-10T20:14:08.000Z",
|
||
|
"first_observed": "2018-04-10T20:14:08Z",
|
||
|
"last_observed": "2018-04-10T20:14:08Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"file--5acb68b4-eaa8-43da-963b-4714950d210f",
|
||
|
"artifact--5acb68b4-eaa8-43da-963b-4714950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"attachment\"",
|
||
|
"misp:category=\"Artifacts dropped\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "file",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "file--5acb68b4-eaa8-43da-963b-4714950d210f",
|
||
|
"name": "wallpaper.jpg",
|
||
|
"content_ref": "artifact--5acb68b4-eaa8-43da-963b-4714950d210f"
|
||
|
},
|
||
|
{
|
||
|
"type": "artifact",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "artifact--5acb68b4-eaa8-43da-963b-4714950d210f",
|
||
|
"payload_bin": "/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDABALCwsMCxAMDBAXDw0PFxsUEBAUGx8XFxcXFx8eFxoaGhoXHh4jJSclIx4vLzMzLy9AQEBAQEBAQEBAQEBAQED/2wBDAREPDxETERUSEhUUERQRFBoUFhYUGiYaGhwaGiYwIx4eHh4jMCsuJycnLis1NTAwNTVAQD9AQEBAQEBAQEBAQED/wgARCAE7A8gDASIAAhEBAxEB/8QAGQABAAMBAQAAAAAAAAAAAAAAAAECAwQF/8QAGQEBAQEBAQEAAAAAAAAAAAAAAAECAwQF/9oADAMBAAIQAxAAAAHwGts9MY3LzpveebSzWM2JWL6LjMdUvM6aNc7SbzybUKLSlJtK0jozXNrYwSYidqN5ts0q3iXFtSyjWVyjswmsm9LmsdXKsTcznNtFxddZ05o2xvKW9505W9jmX6E40xrlLXTPXmdErzNNU5nRK8qbXlRtLWMaEzb1ms47MFzjXK8zU1SvRSXNosym9jJvpN8kdVExXtc5RvEuK9LgLAAAAAAAAAAOq2NcenRFUz3597i1c9ZuaxZSKplvjped1E6b0qmrZ3zua9PJvc6Mq56bIqq+G1znbNee81rntXfm0uMtlLLTlpLK1Ju00WXiIJw6Oe89tOeZrWIqtyCcNM7y30wrOrVKL54LvFc7i17xNFZXSeTUvNJl5+nn11yz2rC3RnNazfGbtKqW598Nct752z1ic72FqzRWLm00sTE5prEVW0VXFa2reQWAAAAAAAAAAGtpvBe6Y3tLWIvMCYay5JiwAAAAAAAAAAumlbwqiWYFgAABtjNBcgAE3lzFhtjNBck2lrHTk3mLzAA0oiW9ANslhOhkLlvgmr1EgWAAAAE3lzTFiV5cxYAAAAaWm8U6piLk2TdrUjPfSumUuil2ojLZiLVlrHorCUz1x1w3uyz3vMFy3iUpham/P1xNcenWkZy7M5si0wRatEvtmm4x3w1xnXLRW+MZ6IrOuePTzdVxMRXPaZrYc3Ty649dJtnsiYl2yiqzExedrRDdMN8NeftytbHopas2Sx1StporfC6xF+dnrxnJc+nn6Nco1ztjvCtkmtqVzdfLtrz62yjHotWYuLTFFaTkvTlVLNcOvXPmvltedojXPbj6Ofo1xuznPabUusIkjTOZYvW5laJuVbVNqRm1ZReObSuuVG2IFyAAABtkTUF0rC1lUwbYk0FyATMtRYAAABrSszUC5L3m8l82QsmapdcglFygsAAAAALpaCwAACVqywLJTEqL0AsAAAAnXK83mvRkLAAJ1xTQXIAAAAAHSiOfqitG+F77Z57q06TlWi8ZV6G8Z2zm0a5yr0Gdsr64axCda5dPPrlvDTHakWrZN6RNTWyxDSKYdHPrlrFpm1bGqLmZw1xuOmKs9Zra60i1bmue2WuUdHPvLEpz1im9FU1gjPWxnh0c+uOlmk6Y6RBOmUzUWmDn0z31wzuTcZdHPc9eUzns59I1y0mtZvbGdpc898bmm+exhTaLi0wz1iV6ytaIRJc87U35guQAAAAAAAAN65TNwLjoxRN7ZVG+VSTfMmihds6St2ZNKQTacDV6wZuqXZgmtL4LNYzF1SbYoNqRVdYzG0ZC9JhnSKDRSF3YJrWcljq5ZW0UM7RkXeuQ3pmN8UJeKkvOZdJzg1vgVahneuRrXKYZ1ZGt8UJbTKC85k3zoanbCUtWCXVhb3xLozJrbEt6QZCwAAAAAAAADslbj9Lli/Rvz8Vum8vJvW7XLboqxzX6KWXremO8LVucbbWuePpmRz6wac3VkuNr6XnPN05TpSvZmzjTpsnNHVKxzdOCs+vO45tI6rjltpeb5p6ZmuWemq8kaZ78gWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdWeUZ69N+Q10TzQnRpxjpvxyu9M4Y6uZFdMc6a305JNejilevClTppjCdlOZL1uUdVeaa1vzmeqOWZ
roc6zqrzl6LcpN9OMdM8snTTAaZl5C1lV4KpEFiq9SFxRNii9SFqhepCZKrwVAAAAAAAAAAAAAAAAAAAAAAAABve7l7+Wu+uvPxuqy8mmms1wuq1zxT0XTkdVlw0tGetIuucadOlzxaaamOXVSXmdc3PHHVNnK65lwz685rnjtpc8s9heN0as8Troc7qiqtJx24jo6eTnnrjPXkv1UrCeuq8jq5rypeq4tWYS8QIvQtqwL1QaKEmayqVUgKAAAAAAAAAAAAAAAAAAAAAAAB215649PTtxQdNuSTpnjsdUcsnTjmZ7I47TfTz1jXPotzJrp14LNb6cWidFI517Jpz56dPPWN+ftcbPTqpz2uOpy1a7K8yOmuCzfTkHbXlTfU5JTW/NFx0actV655bG7nXPXyWzuZF5VtIrathUIskrbO5Fs9BW0CYkzCgAAAAAAAAAAAAAAAAAAAAAAAXdTn6uJvbXLnaXTCdt504J1vcc06aJzNrGM9EzrzxuTnja1zzTfoTmr3YzfO10uOaNdTmjSl5xPRSbyjqyXKeiFwjp57iBcAAAAAWqC1RMAAABKAAmBMAAAAAAAAAAAAAAAAAAAAAAAAAAB2258+Xt12wtZa2UrM46M6ZV0W+NYuOumOmet865Xn0sZXdz6zU6cutTXTmTprnvnoyptc5xamuekKS21pivSxS68umWuMDfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABpSJZmovQQKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0tWc9a3pZJpapeswszBa3pZlW1S9LVW6C1vS7MQFqWqXQarelmYmJJpapeBqt6WStq2SaWqXhDS1ZSt6WSaWqXrMLMwWt6WZVtUvS1Vugtb0uzEBalql0Gq3pZmJiSaWqXgarelkratkmlql4Q0tWUrelkmlql6zCzMFrelmVbVL0tVboLW9LsxAWpapdBqt6WZiYkmlql4Gq3pZKi5ovKZk3MNcpTShE2suTSCiYuQJjSksTfMGxivSgQAAAAABLea52mdgIaZymmdAkxvWbzXzZCwAWKrzNZujFai4AAAmNM5RZKuis6ZRrlcBYATvN869GQsANU3mvVKi5LpaCw0rLEb4KFyAAAAAABvbmnPWNsekU1Z7M7Ss0SlqwIvWtjVM1lh0c+uG16zOk3zTSQ59c774TaWeylxTLo57y2i+c3rTWs6M1rjHq5NrmNKpuLIiebp5tc9tKp0jHfC8uvJOey9brnMXTGl6b88dHP0zapnrjvnrcTTSs6RESzOdOq5oiJrTHbnsppnprjtXO+e0xN5pWJM89+ffC2+HTnpWaazpnauiZWvkXtWrV6Rqjn1pca568y16Mdbz0rWM9pwvnvzBcAAAAAAAATaKy2tmNa1LpWgvbMWipL2zLaiUmaC6gtakK0oTStC3UGmcwlrZl0isFposXoi00F7ZFvQS00F6Fl1Et5oW85C8VIvRZaaF1zhGkULrWgnbCTemZqdMoZ2jKVlUzeKjWMy6WxLrSpLzmNGYvbIXipLKjWlS3oXN1EtrUhZguQAAAAAAANGjPdFqzVdawNM5Wk2qxTe+U3G2VmoRhee2kWnWkxmxrFNVpS9rlj0Zrla92Yi9J1is6XGanUZ5R0mVGrOG8QtprfPTJj065Rk2WvP18txA1xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3z1wz22pSE3tzJve3PBuxhNrYCNcmue9uZnroo1zb86XopmaaZTedr5azU4XpZsxma6J5tp0tlSLjqyziXrxgt5w75eWtGuV7ZEsos1zggXIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH/8QAKhAAAgIBAwQBAwUBAQAAAAAAAQIAERIDEzIQISIxMzBAQyAjQVBgQnD/2gAIAQEAAQUC619KpREr72v6iv6XTHfU7hfj/FCtTHsNMmFSsK4z
HttHogOPnF+NULRkKwaZMZSsAs15FaOJvaaBSYUIm03XaMCknaaUb2mmBIKEQLlAhIOmRMThgbOmRApaKpX
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb693d-4d94-4edb-b326-40a4950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-09T13:23:09.000Z",
|
||
|
"modified": "2018-04-09T13:23:09.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a26087bb88d654cd702f945e43d7feebd98cfc50531d2cdc0afa2b0437d25eea']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-09T13:23:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5acb693e-b984-43e9-8985-41e9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-09T13:23:10.000Z",
|
||
|
"modified": "2018-04-09T13:23:10.000Z",
|
||
|
"pattern": "[file:hashes.SHA256 = '996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-09T13:23:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--5accacb2-2a30-4de7-8c57-4094950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T20:14:09.000Z",
|
||
|
"modified": "2018-04-10T20:14:09.000Z",
|
||
|
"first_observed": "2018-04-10T20:14:09Z",
|
||
|
"last_observed": "2018-04-10T20:14:09Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--5accacb2-2a30-4de7-8c57-4094950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--5accacb2-2a30-4de7-8c57-4094950d210f",
|
||
|
"value": "http://id-ransomware.blogspot.lu/2016/12/matrix-ransomware.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--8d158558-595e-4460-9706-acc37ae7f29f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-09T20:50:58.000Z",
|
||
|
"modified": "2018-04-09T20:50:58.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'b4d152a4a0dc40258f3dfae88dd1e2c0' AND file:hashes.SHA1 = 'be45c74a5dc7a4830be0167ef8ef26ffec37d4de' AND file:hashes.SHA256 = 'a26087bb88d654cd702f945e43d7feebd98cfc50531d2cdc0afa2b0437d25eea']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-09T20:50:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--2b816db9-6c8d-4c0e-9efd-99a358d67736",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-09T20:50:57.000Z",
|
||
|
"modified": "2018-04-09T20:50:57.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/a26087bb88d654cd702f945e43d7feebd98cfc50531d2cdc0afa2b0437d25eea/analysis/1523287281/",
|
||
|
"category": "External analysis",
|
||
|
"uuid": "5acbd231-7c70-4127-a4bd-8fe202de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "51/65",
|
||
|
"category": "Other",
|
||
|
"uuid": "5acbd231-b244-4747-8a04-8fe202de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-04-09T15:21:21",
|
||
|
"category": "Other",
|
||
|
"uuid": "5acbd231-0470-42cd-a4a9-8fe202de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--949e2684-bf18-4920-8317-98d91d5c505c",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-09T20:51:01.000Z",
|
||
|
"modified": "2018-04-09T20:51:01.000Z",
|
||
|
"pattern": "[file:hashes.MD5 = 'a42c211988a47c9843737ce26812584f' AND file:hashes.SHA1 = 'ff70a421bbcf31ad76708912aeb362d9102695f4' AND file:hashes.SHA256 = '996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-09T20:51:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "file"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"file\"",
|
||
|
"misp:meta-category=\"file\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-object",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-object--d21be9c3-bd7f-4349-8c2d-cea0804f2b37",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-09T20:50:59.000Z",
|
||
|
"modified": "2018-04-09T20:50:59.000Z",
|
||
|
"labels": [
|
||
|
"misp:name=\"virustotal-report\"",
|
||
|
"misp:meta-category=\"misc\""
|
||
|
],
|
||
|
"x_misp_attributes": [
|
||
|
{
|
||
|
"type": "link",
|
||
|
"object_relation": "permalink",
|
||
|
"value": "https://www.virustotal.com/file/996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9/analysis/1523284651/",
|
||
|
"category": "External analysis",
|
||
|
"uuid": "5acbd233-103c-4153-9fa1-8fe202de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "text",
|
||
|
"object_relation": "detection-ratio",
|
||
|
"value": "52/67",
|
||
|
"category": "Other",
|
||
|
"uuid": "5acbd234-8a9c-41c3-b96a-8fe202de0b81"
|
||
|
},
|
||
|
{
|
||
|
"type": "datetime",
|
||
|
"object_relation": "last-submission",
|
||
|
"value": "2018-04-09T14:37:31",
|
||
|
"category": "Other",
|
||
|
"uuid": "5acbd234-da28-404a-ab73-8fe202de0b81"
|
||
|
}
|
||
|
],
|
||
|
"x_misp_meta_category": "misc",
|
||
|
"x_misp_name": "virustotal-report"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--5accacf2-ed80-4799-b66f-4f5d950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2018-04-10T12:24:18.000Z",
|
||
|
"modified": "2018-04-10T12:24:18.000Z",
|
||
|
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '212.8.244.111') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'murik.xyz') AND network-traffic:dst_port = '80']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2018-04-10T12:24:18Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "network"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:name=\"ip-port\"",
|
||
|
"misp:meta-category=\"network\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--8b1ea4cf-6832-4332-a4a2-58fb6b5680e9",
|
||
|
"created": "2018-04-09T20:51:00.000Z",
|
||
|
"modified": "2018-04-09T20:51:00.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--8d158558-595e-4460-9706-acc37ae7f29f",
|
||
|
"target_ref": "x-misp-object--2b816db9-6c8d-4c0e-9efd-99a358d67736"
|
||
|
},
|
||
|
{
|
||
|
"type": "relationship",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "relationship--93e2fddc-1f94-4529-9d2d-6a7445484f09",
|
||
|
"created": "2018-04-09T20:51:00.000Z",
|
||
|
"modified": "2018-04-09T20:51:00.000Z",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"source_ref": "indicator--949e2684-bf18-4920-8317-98d91d5c505c",
|
||
|
"target_ref": "x-misp-object--d21be9c3-bd7f-4349-8c2d-cea0804f2b37"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}