adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5b6c4a32-92cc-499d-9dd2-3989950d210f.json

768 lines
34 KiB
JSON
Raw Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5b6c4a32-92cc-499d-9dd2-3989950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-13T11:40:21.000Z",
"modified": "2018-08-13T11:40:21.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5b6c4a32-92cc-499d-9dd2-3989950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-13T11:40:21.000Z",
"modified": "2018-08-13T11:40:21.000Z",
"name": "OSINT - SamSam Ransomware Crew Made Nearly $6 Million From Ransom Payments",
"published": "2018-08-14T12:32:45Z",
"object_refs": [
"observed-data--5b6c4a46-45d4-4295-a2fc-39a4950d210f",
"url--5b6c4a46-45d4-4295-a2fc-39a4950d210f",
"observed-data--5b6c4a46-ca9c-4c61-a5fe-39a4950d210f",
"url--5b6c4a46-ca9c-4c61-a5fe-39a4950d210f",
"indicator--5b6d3743-9978-4126-9233-4ecf950d210f",
"indicator--5b6d3744-b3a0-47c7-8e34-4e1d950d210f",
"indicator--5b6d3744-3468-486f-9a18-4b1d950d210f",
"indicator--5b6d3744-abe8-4517-84f3-4cb2950d210f",
"indicator--5b6d3745-1f3c-4c39-bf33-4dd3950d210f",
"x-misp-attribute--5b6d95e2-72e4-4ffc-a54a-cc71950d210f",
"x-misp-attribute--5b6d95e2-9794-4658-9d3f-cc71950d210f",
"x-misp-attribute--5b6d95e2-33f0-4b10-9457-cc71950d210f",
"x-misp-attribute--5b6d95e2-c6ec-464a-8985-cc71950d210f",
"x-misp-attribute--5b6d95e2-4e94-406b-b786-cc71950d210f",
"x-misp-attribute--5b6d95e2-d060-4f30-b3b2-cc71950d210f",
"x-misp-attribute--5b6d95e2-6eb0-4ea4-a0f0-cc71950d210f",
"x-misp-attribute--5b6d95e2-ecf8-41cf-9a61-cc71950d210f",
"x-misp-attribute--5b6d95e2-9700-4ecd-bcb1-cc71950d210f",
"x-misp-attribute--5b716bce-3a14-4b1a-a634-4778950d210f",
"x-misp-object--5b6d3c07-c878-4170-827b-402d950d210f",
"x-misp-object--5b6d42b6-0dfc-4e69-8e97-4b97950d210f",
"x-misp-object--5b6d42c6-9cc0-41fc-ab7a-4ddb950d210f",
"x-misp-object--5b6d42d2-16e4-42d6-b1a1-4a48950d210f",
"x-misp-object--5b6d43e4-712c-4dec-b141-4eda950d210f",
"indicator--5b6d4508-dee0-4196-b3d5-40f6950d210f",
"indicator--5b6d606c-8448-4cf4-a378-4117950d210f",
"indicator--5b6d608a-da3c-4206-8c5c-4bee950d210f",
"indicator--5b6d60a0-74c0-4571-8d8c-4ae7950d210f",
"indicator--5b6d60b1-84b4-40b0-a9fc-489f950d210f",
"indicator--5b6d60c2-4cd8-4e13-bbbe-4ca0950d210f",
"indicator--5b6d60fd-27e4-44b1-8adc-47aa950d210f",
"indicator--5b6d9368-1008-456a-bc51-a1d8950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Samas-Samsam\"",
"malware_classification:malware-category=\"Ransomware\"",
"circl:incident-classification=\"malware\"",
"osint:source-type=\"blog-post\"",
"osint:source-type=\"technical-report\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b6c4a46-45d4-4295-a2fc-39a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-13T11:29:48.000Z",
"modified": "2018-08-13T11:29:48.000Z",
"first_observed": "2018-08-13T11:29:48Z",
"last_observed": "2018-08-13T11:29:48Z",
"number_observed": 1,
"object_refs": [
"url--5b6c4a46-45d4-4295-a2fc-39a4950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b6c4a46-45d4-4295-a2fc-39a4950d210f",
"value": "https://www.bleepingcomputer.com/news/security/samsam-ransomware-crew-made-nearly-6-million-from-ransom-payments/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b6c4a46-ca9c-4c61-a5fe-39a4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-13T11:29:57.000Z",
"modified": "2018-08-13T11:29:57.000Z",
"first_observed": "2018-08-13T11:29:57Z",
"last_observed": "2018-08-13T11:29:57Z",
"number_observed": 1,
"object_refs": [
"url--5b6c4a46-ca9c-4c61-a5fe-39a4950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"technical-report\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b6c4a46-ca9c-4c61-a5fe-39a4950d210f",
"value": "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d3743-9978-4126-9233-4ecf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T06:57:07.000Z",
"modified": "2018-08-10T06:57:07.000Z",
"description": "URLs for payment sites used in April/March 2016",
"pattern": "[url:value = 'roe53ncs47yt564u.onion/east3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T06:57:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d3744-b3a0-47c7-8e34-4e1d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T06:57:08.000Z",
"modified": "2018-08-10T06:57:08.000Z",
"description": "URLs for payment sites used in April/March 2016",
"pattern": "[url:value = 'roe53ncs47yt564u.onion/fatman']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T06:57:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d3744-3468-486f-9a18-4b1d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T06:57:08.000Z",
"modified": "2018-08-10T06:57:08.000Z",
"description": "URLs for payment sites used in April/March 2016",
"pattern": "[url:value = 'roe53ncs47yt564u.onion/athena']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T06:57:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d3744-abe8-4517-84f3-4cb2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T06:57:08.000Z",
"modified": "2018-08-10T06:57:08.000Z",
"description": "URLs for payment sites used in April/March 2016",
"pattern": "[url:value = 'evpf4i4csbohoqwj.onion/hummer']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T06:57:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d3745-1f3c-4c39-bf33-4dd3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T06:57:09.000Z",
"modified": "2018-08-10T06:57:09.000Z",
"description": "URLs for payment sites used in April/March 2016",
"pattern": "[url:value = 'evpf4i4csbohoqwj.onion/cadillac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T06:57:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-72e4-4ffc-a54a-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "f:\\SAM\\clients\\test\\enc\\SAM\\obj\\Release\\samsam.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-9794-4658-9d3f-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "f:\\SAM\\clients\\Sam12\\SAM\\obj\\Release\\sbmsam.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-33f0-4b10-9457-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "x:\\SAM\\Servers\\Sam54-onion\\SAM\\obj\\Release\\samsam.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-c6ec-464a-8985-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "x:\\SAM\\Servers\\Sam-onion-no-check-lock-file\\SAM\\obj\\Release\\MIKOPONI.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-4e94-406b-b786-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "u:\\SAM\\Original\\delfiletype\\delfiletype\\obj\\Release\\gogodele.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-d060-4f30-b3b2-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "u:\\SAM\\Servers\\Sam-onion-encall-ext-(WORKGROUP)-20160505\\SAM\\obj\\Release\\"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-6eb0-4ea4-a0f0-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "showmehowto.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-ecf8-41cf-9a61-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "t:\\hjgjgskjfhsjdhfkjsdhfkjhsdkjfhskdhfkjsdhfkjhtuyryiurytuet\\fdhjghdfjg.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b6d95e2-9700-4ecd-bcb1-cc71950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:40:50.000Z",
"modified": "2018-08-10T13:40:50.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_comment": "\"These strings of data reveal the folder path on the attacker\u00e2\u20ac\u2122s computer used to compile the executable\"",
"x_misp_type": "pdb",
"x_misp_value": "y:\\sdhjfhskjdfhsdkjhfkjshfkjshdjfkhsdkjfhskjdhhfjfj\\fhfhfhfhf.pdb"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b716bce-3a14-4b1a-a634-4778950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-13T11:39:55.000Z",
"modified": "2018-08-13T11:39:55.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The SamSam ransomware has earned its creator(s) more than $5.9 million in ransom payments since late 2015, according to the most comprehensive report ever published on SamSam's activity, containing information since the ransomware's launch in late 2015 and up to attacks that have happened earlier this month.\r\n\r\nCompiled by UK cyber-security firm Sophos, the 47-page report is a result of researchers collecting data from past attacks, talking to victims, and data-mining public and private sources for SamSam samples that might have slipped through the cracks.\r\n\r\nIn addition, Sophos researchers also partnered with blockchain & cryptocurrency monitoring firm Neutrino to track down transfers and relations between the different Bitcoin addresses the SamSam crew has used until now."
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5b6d3c07-c878-4170-827b-402d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T07:17:27.000Z",
"modified": "2018-08-10T07:17:27.000Z",
"labels": [
"misp:name=\"coin-address\"",
"misp:meta-category=\"financial\""
],
"x_misp_attributes": [
{
"type": "btc",
"object_relation": "address",
"value": "136hcUpNwhpKQQL7iXXWmwUnikX7n98xsL",
"category": "Financial fraud",
"to_ids": true,
"uuid": "5b6d3c08-dbdc-405e-8dbc-4748950d210f"
},
{
"type": "text",
"object_relation": "symbol",
"value": "BTC",
"category": "Other",
"uuid": "5b6d3c08-cc8c-4d71-a5aa-4e71950d210f"
}
],
"x_misp_meta_category": "financial",
"x_misp_name": "coin-address"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5b6d42b6-0dfc-4e69-8e97-4b97950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T07:45:58.000Z",
"modified": "2018-08-10T07:45:58.000Z",
"labels": [
"misp:name=\"coin-address\"",
"misp:meta-category=\"financial\""
],
"x_misp_attributes": [
{
"type": "btc",
"object_relation": "address",
"value": "1FDj6HsedzPNgVKTAHznsHUg4pKnGRarH6",
"category": "Financial fraud",
"to_ids": true,
"uuid": "5b6d42b6-345c-4e74-bfdc-4eb1950d210f"
},
{
"type": "text",
"object_relation": "symbol",
"value": "BTC",
"category": "Other",
"uuid": "5b6d42b6-9f60-4467-a031-4b19950d210f"
}
],
"x_misp_meta_category": "financial",
"x_misp_name": "coin-address"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5b6d42c6-9cc0-41fc-ab7a-4ddb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T07:46:14.000Z",
"modified": "2018-08-10T07:46:14.000Z",
"labels": [
"misp:name=\"coin-address\"",
"misp:meta-category=\"financial\""
],
"x_misp_attributes": [
{
"type": "btc",
"object_relation": "address",
"value": "1EzpHEojHsLkHTExyz45Tw6L7FNiaeyZdm",
"category": "Financial fraud",
"to_ids": true,
"uuid": "5b6d42c6-3650-427a-9762-486a950d210f"
},
{
"type": "text",
"object_relation": "symbol",
"value": "BTC",
"category": "Other",
"uuid": "5b6d42c7-7da8-459a-8579-4391950d210f"
}
],
"x_misp_meta_category": "financial",
"x_misp_name": "coin-address"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5b6d42d2-16e4-42d6-b1a1-4a48950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T07:46:26.000Z",
"modified": "2018-08-10T07:46:26.000Z",
"labels": [
"misp:name=\"coin-address\"",
"misp:meta-category=\"financial\""
],
"x_misp_attributes": [
{
"type": "btc",
"object_relation": "address",
"value": "1NkDXh778bwxhKb1Wof9oPbUfs6NWrURja",
"category": "Financial fraud",
"to_ids": true,
"uuid": "5b6d42d3-6c48-4b01-b3b0-4946950d210f"
},
{
"type": "text",
"object_relation": "symbol",
"value": "BTC",
"category": "Other",
"uuid": "5b6d42d3-6928-4b82-b643-4327950d210f"
}
],
"x_misp_meta_category": "financial",
"x_misp_name": "coin-address"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5b6d43e4-712c-4dec-b141-4eda950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T07:51:00.000Z",
"modified": "2018-08-10T07:51:00.000Z",
"labels": [
"misp:name=\"coin-address\"",
"misp:meta-category=\"financial\""
],
"x_misp_attributes": [
{
"type": "btc",
"object_relation": "address",
"value": "182jpCsoGD92Pi5JrKnfAhoHVF9rqHdCjm",
"category": "Financial fraud",
"to_ids": true,
"uuid": "5b6d43e4-1c94-4fe9-ad88-4743950d210f"
},
{
"type": "text",
"object_relation": "symbol",
"value": "BTC",
"category": "Other",
"uuid": "5b6d43e5-3dc8-429e-abc1-4c48950d210f"
}
],
"x_misp_meta_category": "financial",
"x_misp_name": "coin-address"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d4508-dee0-4196-b3d5-40f6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T07:55:52.000Z",
"modified": "2018-08-10T07:55:52.000Z",
"description": "Ransomnote",
"pattern": "[file:name = 'HELP_DECRYPT_YOUR_FILES.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T07:55:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d606c-8448-4cf4-a378-4117950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T09:52:44.000Z",
"modified": "2018-08-10T09:52:44.000Z",
"description": "Ransomnote",
"pattern": "[file:name = 'HOW_TO_DECRYPT_FILES.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T09:52:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d608a-da3c-4206-8c5c-4bee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T09:53:14.000Z",
"modified": "2018-08-10T09:53:14.000Z",
"description": "ransomnote",
"pattern": "[file:name = 'HELP_FOR_DECRYPT_FILE.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T09:53:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d60a0-74c0-4571-8d8c-4ae7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T09:53:36.000Z",
"modified": "2018-08-10T09:53:36.000Z",
"description": "Ransomnote",
"pattern": "[file:name = 'I_WILL_HELP_YOU_DECRYPT.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T09:53:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d60b1-84b4-40b0-a9fc-489f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T09:53:53.000Z",
"modified": "2018-08-10T09:53:53.000Z",
"description": "Ransomnote",
"pattern": "[file:name = 'PLEASE_READ_FOR_DECRYPT_FILES.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T09:53:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d60c2-4cd8-4e13-bbbe-4ca0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T09:54:10.000Z",
"modified": "2018-08-10T09:54:10.000Z",
"description": "Ransomnote",
"pattern": "[file:name = 'WE-CAN-HELP-U.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T09:54:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d60fd-27e4-44b1-8adc-47aa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T09:55:09.000Z",
"modified": "2018-08-10T09:55:09.000Z",
"description": "ransomnote (note: duplicate copies of ransom notes are created, most ransom notes will have numbers prefixed to them)",
"pattern": "[file:name = '0001-WE-CAN-HELP-U.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T09:55:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b6d9368-1008-456a-bc51-a1d8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-10T13:30:16.000Z",
"modified": "2018-08-10T13:30:16.000Z",
"description": "Ransomnote",
"pattern": "[file:name = 'SORRY-FOR-FILES.html' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-10T13:30:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink