2023-06-14 17:31:25 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5b238476-4fbc-480c-9c86-48ab950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T12:01:14.000Z" ,
"modified" : "2018-10-26T12:01:14.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5b238476-4fbc-480c-9c86-48ab950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T12:01:14.000Z" ,
"modified" : "2018-10-26T12:01:14.000Z" ,
"name" : "OSINT - The Week in Ransomware - June 8th 2018 - CryBrazil, CryptConsole, and Magniber" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"observed-data--5b23848a-10e0-4b5d-88ec-47f6950d210f" ,
"url--5b23848a-10e0-4b5d-88ec-47f6950d210f" ,
"x-misp-attribute--5b238497-f7d8-4ab2-bfff-4520950d210f" ,
"indicator--5b23a6f6-3a8c-4e59-9211-42a0950d210f" ,
"indicator--5b23a946-76f4-4ae8-949e-4602950d210f" ,
"indicator--5b23a946-948c-4e4f-bf0c-4a44950d210f" ,
"indicator--5b23ab64-dad0-40fd-a7f8-18a9950d210f" ,
"indicator--5b23acf4-92f8-423f-9fcd-43bc950d210f" ,
"indicator--5b23acf5-e9b0-49b6-924a-4b28950d210f" ,
"x-misp-attribute--5bd301b9-461c-4001-8aa4-4122950d210f" ,
"indicator--5b23a361-fe98-4450-9fb8-4703950d210f" ,
"indicator--5b23a3de-2368-473b-be4a-4ecb950d210f" ,
"indicator--5b23a70c-cb38-42dd-a922-47b9950d210f"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\"" ,
"workflow:todo=\"create-missing-misp-galaxy-cluster\"" ,
"malware_classification:malware-category=\"Ransomware\"" ,
"osint:source-type=\"blog-post\"" ,
"circl:incident-classification=\"malware\"" ,
"misp-galaxy:ransomware=\"CryBrazil\"" ,
"misp-galaxy:malpedia=\"Magniber\"" ,
"misp-galaxy:ransomware=\"Pedcont\"" ,
"misp-galaxy:ransomware=\"DiskDoctor\"" ,
"misp-galaxy:ransomware=\"Magniber Ransomware\"" ,
"misp-galaxy:ransomware=\"XiaoBa ransomware\"" ,
"misp-galaxy:ransomware=\"CryptConsole\"" ,
"misp-galaxy:ransomware=\"RedEye\"" ,
"misp-galaxy:ransomware=\"Aurora Ransomware\"" ,
"misp-galaxy:ransomware=\"Fake Globe Ransomware\"" ,
"misp-galaxy:malpedia=\"GlobeImposter\"" ,
"misp-galaxy:ransomware=\"PGPSnippet Ransomware\"" ,
"misp-galaxy:ransomware=\"Spartacus Ransomware\"" ,
"workflow:todo=\"additional-task\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b23848a-10e0-4b5d-88ec-47f6950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T12:26:00.000Z" ,
"modified" : "2018-06-15T12:26:00.000Z" ,
"first_observed" : "2018-06-15T12:26:00Z" ,
"last_observed" : "2018-06-15T12:26:00Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b23848a-10e0-4b5d-88ec-47f6950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b23848a-10e0-4b5d-88ec-47f6950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b238497-f7d8-4ab2-bfff-4520950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T12:26:07.000Z" ,
"modified" : "2018-06-15T12:26:07.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "This week we have seen a lot of CryptConsole variants, Magniber activity, and smaller variants released. Ransomware continues to decline as malware developers move toward more profitable miners and information stealing Trojans. Ransomware is not going away, but is instead moving away from mass malspam campaigns to targeted network attacks where a ransom payment may be more likely."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23a6f6-3a8c-4e59-9211-42a0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T11:45:58.000Z" ,
"modified" : "2018-06-15T11:45:58.000Z" ,
"description" : "CryptConsole contact mail" ,
"pattern" : "[email-message:from_ref.value = 'xser@tutanota.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T11:45:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23a946-76f4-4ae8-949e-4602950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T11:55:50.000Z" ,
"modified" : "2018-06-15T11:55:50.000Z" ,
"description" : "CryptConsole contact email" ,
"pattern" : "[email-message:from_ref.value = 'redbul@tutanota.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T11:55:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23a946-948c-4e4f-bf0c-4a44950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T11:55:50.000Z" ,
"modified" : "2018-06-15T11:55:50.000Z" ,
"description" : "CryptConsole contact email" ,
"pattern" : "[email-message:from_ref.value = 'heineken@tuta.io']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T11:55:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23ab64-dad0-40fd-a7f8-18a9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T12:04:52.000Z" ,
"modified" : "2018-06-15T12:04:52.000Z" ,
"description" : "PGPSnippet Ransomware contact email" ,
"pattern" : "[email-message:from_ref.value = 'digiworldhack@tutanota.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T12:04:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23acf4-92f8-423f-9fcd-43bc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T12:11:32.000Z" ,
"modified" : "2018-06-15T12:11:32.000Z" ,
"description" : "Spartacus ransomware contact email" ,
"pattern" : "[email-message:from_ref.value = 'example@gmail.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T12:11:32Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23acf5-e9b0-49b6-924a-4b28950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T12:11:33.000Z" ,
"modified" : "2018-06-15T12:11:33.000Z" ,
"description" : "Spartacus ransomware contact email" ,
"pattern" : "[email-message:from_ref.value = 'example1@gmail.com']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T12:11:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5bd301b9-461c-4001-8aa4-4122950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-10-26T12:01:14.000Z" ,
"modified" : "2018-10-26T12:01:14.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"Other\"" ,
"workflow:todo=\"additional-task\""
] ,
"x_misp_category" : "Other" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "Missing cluster : Ransomware>Princess Ransomware"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23a361-fe98-4450-9fb8-4703950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T11:30:41.000Z" ,
"modified" : "2018-06-15T11:30:41.000Z" ,
"description" : "Scarab Ransomware variant, DiskDoctor, Ransomnote" ,
"pattern" : "[file:name = 'HOW TO RECOVER ENCRYPTED FILES.TXT' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T11:30:41Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23a3de-2368-473b-be4a-4ecb950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T11:32:46.000Z" ,
"modified" : "2018-06-15T11:32:46.000Z" ,
"description" : "XiaoBa Ransomware ransomnote" ,
"pattern" : "[file:name = '# # DECRYPT MY FILE # #.bmp' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T11:32:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b23a70c-cb38-42dd-a922-47b9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-06-15T11:46:20.000Z" ,
"modified" : "2018-06-15T11:46:20.000Z" ,
"description" : "Aurora ransomware ransomnote" ,
"pattern" : "[file:name = '#RECOVERY-PC#.txt' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-06-15T11:46:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}