{
"type": "bundle",
"id": "bundle--5ad09f32-ce58-47f3-b137-4411950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-16T07:52:30.000Z",
"modified": "2018-04-16T07:52:30.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5ad09f32-ce58-47f3-b137-4411950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-16T07:52:30.000Z",
"modified": "2018-04-16T07:52:30.000Z",
"name": "Vurten Ransomware",
"published": "2018-04-16T07:52:34Z",
"object_refs": [
"indicator--5ad0a269-9a68-4e19-82b8-7323950d210f",
"observed-data--5ad0a2a4-5178-4f36-a32e-4b40950d210f",
"file--5ad0a2a4-5178-4f36-a32e-4b40950d210f",
"artifact--5ad0a2a4-5178-4f36-a32e-4b40950d210f",
"x-misp-object--5ad0a193-a488-4138-9882-436e950d210f",
"indicator--2297d10f-fa36-4cdf-84a4-92586cabcb2b",
"x-misp-object--644fa57b-273b-455d-aabd-820d13f84808",
"relationship--2b19a3b4-02f3-48a7-b0bf-a8c7ffa48979"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"microblog-post\"",
"misp-galaxy:ransomware=\"Vurten\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ad0a269-9a68-4e19-82b8-7323950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-13T12:28:25.000Z",
"modified": "2018-04-13T12:28:25.000Z",
"pattern": "[file:hashes.MD5 = 'f2be597fc76acc3390ff4cf944008ba5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-13T12:28:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ad0a2a4-5178-4f36-a32e-4b40950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-16T07:15:58.000Z",
"modified": "2018-04-16T07:15:58.000Z",
"first_observed": "2018-04-16T07:15:58Z",
"last_observed": "2018-04-16T07:15:58Z",
"number_observed": 1,
"object_refs": [
"file--5ad0a2a4-5178-4f36-a32e-4b40950d210f",
"artifact--5ad0a2a4-5178-4f36-a32e-4b40950d210f"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5ad0a2a4-5178-4f36-a32e-4b40950d210f",
"name": "DZ3kB-QXUAArt0a.jpg:large.jpeg",
"content_ref": "artifact--5ad0a2a4-5178-4f36-a32e-4b40950d210f"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--5ad0a2a4-5178-4f36-a32e-4b40950d210f",
"payload_bin": "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
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5ad0a193-a488-4138-9882-436e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-13T12:24:51.000Z",
"modified": "2018-04-13T12:24:51.000Z",
"labels": [
"misp:name=\"microblog\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "post",
"value": "#Ransomware Vurten .improved F2BE597FC76ACC3390FF4CF944008BA5",
"category": "Other",
"uuid": "5ad0a193-db90-49d2-bf42-49c4950d210f"
},
{
"type": "text",
"object_relation": "type",
"value": "Twitter",
"category": "Other",
"uuid": "5ad0a194-ff14-4170-9182-4dc0950d210f"
},
{
"type": "url",
"object_relation": "url",
"value": "https://twitter.com/siri_urz/status/981191281195044867",
"category": "Network activity",
"to_ids": true,
"uuid": "5ad0a194-ca54-4c7f-ae7b-465f950d210f"
},
{
"type": "datetime",
"object_relation": "creation-date",
"value": "2018-04-03T00:00:00",
"category": "Other",
"uuid": "5ad0a194-46d8-4612-b316-4610950d210f"
},
{
"type": "text",
"object_relation": "username",
"value": "@siri_urz",
"category": "Other",
"uuid": "5ad0a195-ac50-4040-b583-4d67950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "microblog"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2297d10f-fa36-4cdf-84a4-92586cabcb2b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-16T07:16:02.000Z",
"modified": "2018-04-16T07:16:02.000Z",
"pattern": "[file:hashes.MD5 = 'f2be597fc76acc3390ff4cf944008ba5' AND file:hashes.SHA1 = 'e920827ddf406928b94c7ff30b9785c585ad9be0' AND file:hashes.SHA256 = '583aabffbdb69f611557f8289059792e4ff0aeb7ce6d7dc812dbd3b93079b1c9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-16T07:16:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--644fa57b-273b-455d-aabd-820d13f84808",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-16T07:16:00.000Z",
"modified": "2018-04-16T07:16:00.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-04-15T07:22:39",
"category": "Other",
"uuid": "5ad44db0-eb24-47ad-bbbe-4c0802de0b81"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/583aabffbdb69f611557f8289059792e4ff0aeb7ce6d7dc812dbd3b93079b1c9/analysis/1523776959/",
"category": "External analysis",
"uuid": "5ad44db0-65b0-4245-9e66-474f02de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "37/67",
"category": "Other",
"uuid": "5ad44db1-bf8c-4785-a39c-4f3502de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2b19a3b4-02f3-48a7-b0bf-a8c7ffa48979",
"created": "2018-04-16T07:16:01.000Z",
"modified": "2018-04-16T07:16:01.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--2297d10f-fa36-4cdf-84a4-92586cabcb2b",
"target_ref": "x-misp-object--644fa57b-273b-455d-aabd-820d13f84808"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}