{
"type": "bundle",
"id": "bundle--582ab037-052c-483d-803c-4174950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:54:32.000Z",
"modified": "2016-11-15T06:54:32.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--582ab037-052c-483d-803c-4174950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:54:32.000Z",
"modified": "2016-11-15T06:54:32.000Z",
"name": "OSINT - Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles",
"published": "2016-11-15T06:56:13Z",
"object_refs": [
"observed-data--582ab080-fe34-4b1d-8239-4978950d210f",
"url--582ab080-fe34-4b1d-8239-4978950d210f",
"x-misp-attribute--582ab095-8cf8-459b-a286-425f950d210f",
"indicator--582ab0e7-bdc4-4195-b375-40b2950d210f",
"indicator--582ab0e8-98e0-4bd3-8148-4518950d210f",
"indicator--582ab0e8-6d20-4897-8b2a-4f87950d210f",
"indicator--582ab0e8-0b08-4854-9a4d-4f18950d210f",
"indicator--582ab0e8-ecf4-49ba-9439-4b8b950d210f",
"indicator--582ab0e9-6444-4e74-bc0a-49cc950d210f",
"indicator--582ab0e9-0808-418b-af49-499b950d210f",
"indicator--582ab0e9-0a44-4930-a673-44ba950d210f",
"indicator--582ab0e9-76dc-4b25-b066-4236950d210f",
"indicator--582ab11f-9020-4af4-994a-4b12950d210f",
"indicator--582ab128-13e4-458e-a37c-414e02de0b81",
"indicator--582ab129-dd7c-4b36-9f3b-422e02de0b81",
"observed-data--582ab129-58ac-41fd-9807-480502de0b81",
"url--582ab129-58ac-41fd-9807-480502de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ecsirt:malicious-code=\"ransomware\"",
"veris:action:malware:variety=\"Ransomware\"",
"malware_classification:malware-category=\"Ransomware\"",
"ms-caro-malware:malware-type=\"Ransom\"",
"enisa:nefarious-activity-abuse=\"ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582ab080-fe34-4b1d-8239-4978950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:51:44.000Z",
"modified": "2016-11-15T06:51:44.000Z",
"first_observed": "2016-11-15T06:51:44Z",
"last_observed": "2016-11-15T06:51:44Z",
"number_observed": 1,
"object_refs": [
"url--582ab080-fe34-4b1d-8239-4978950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582ab080-fe34-4b1d-8239-4978950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--582ab095-8cf8-459b-a286-425f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:52:05.000Z",
"modified": "2016-11-15T06:52:05.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Ransomware has exploded in the last year, becoming the malware of choice for many threat actors because of its easy monetization and ease of distribution, whether via massive email campaigns or through a variety of exploit kits. Proofpoint research suggests that the number of ransomware variants has grown tenfold since December 2015. While most such malware encrypts a victim's files and demands that a ransom be paid in Bitcoins to decrypt them, Proofpoint researchers recently discovered a new variant that scrapes Skype and social media profiles for personal information while it scans files and torrents for potentially sensitive information. Instead of encrypting files, it threatens victims with fake legal proceedings if they fail to pay the ransom."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e7-bdc4-4195-b375-40b2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:27.000Z",
"modified": "2016-11-15T06:53:27.000Z",
"description": "5.45.86.171 \t Browlock for IE Windows",
"pattern": "[domain-name:value = 'cis-criminal-report.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e8-98e0-4bd3-8148-4518950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:28.000Z",
"modified": "2016-11-15T06:53:28.000Z",
"description": "Browlock for IE Windows",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.45.86.171']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e8-6d20-4897-8b2a-4f87950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:28.000Z",
"modified": "2016-11-15T06:53:28.000Z",
"description": "5.45.86.171 \t Browlock for IE Windows",
"pattern": "[domain-name:value = 'criminal-report.in']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e8-0b08-4854-9a4d-4f18950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:28.000Z",
"modified": "2016-11-15T06:53:28.000Z",
"description": "5.45.86.171 \t Browlock for IE Windows",
"pattern": "[domain-name:value = 'violation-report.in']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e8-ecf4-49ba-9439-4b8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:28.000Z",
"modified": "2016-11-15T06:53:28.000Z",
"description": "78.47.134.204 \t Intermediate Redirector/TDS",
"pattern": "[domain-name:value = 'latexfetishsex.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e9-6444-4e74-bc0a-49cc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:29.000Z",
"modified": "2016-11-15T06:53:29.000Z",
"description": "Intermediate Redirector/TDS",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '78.47.134.204']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e9-0808-418b-af49-499b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:29.000Z",
"modified": "2016-11-15T06:53:29.000Z",
"description": "5.9.86.131 \t Intermediate Redirector/TDS",
"pattern": "[domain-name:value = 'italy-girls.mobi']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e9-0a44-4930-a673-44ba950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:29.000Z",
"modified": "2016-11-15T06:53:29.000Z",
"description": "Intermediate Redirector/TDS",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.9.86.131']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab0e9-76dc-4b25-b066-4236950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:53:29.000Z",
"modified": "2016-11-15T06:53:29.000Z",
"description": "IP found in the Ransoc",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.45.86.148']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:53:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab11f-9020-4af4-994a-4b12950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:54:23.000Z",
"modified": "2016-11-15T06:54:23.000Z",
"description": "Ransoc PenaltyNotice",
"pattern": "[file:hashes.SHA256 = 'fee53dc4e165b2aa45c3e7bd100b49c367aa8b7f81757617114ff50a584a1566']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:54:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab128-13e4-458e-a37c-414e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:54:32.000Z",
"modified": "2016-11-15T06:54:32.000Z",
"description": "Ransoc PenaltyNotice - Xchecked via VT: fee53dc4e165b2aa45c3e7bd100b49c367aa8b7f81757617114ff50a584a1566",
"pattern": "[file:hashes.SHA1 = '44fd0e2d99d6ccc49db7b48d5fc49e74c54f4463']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:54:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582ab129-dd7c-4b36-9f3b-422e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:54:32.000Z",
"modified": "2016-11-15T06:54:32.000Z",
"description": "Ransoc PenaltyNotice - Xchecked via VT: fee53dc4e165b2aa45c3e7bd100b49c367aa8b7f81757617114ff50a584a1566",
"pattern": "[file:hashes.MD5 = '30bf1d54830eb4223f0f3e68d113ff5d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:54:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582ab129-58ac-41fd-9807-480502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:54:33.000Z",
"modified": "2016-11-15T06:54:33.000Z",
"first_observed": "2016-11-15T06:54:33Z",
"last_observed": "2016-11-15T06:54:33Z",
"number_observed": 1,
"object_refs": [
"url--582ab129-58ac-41fd-9807-480502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582ab129-58ac-41fd-9807-480502de0b81",
"value": "https://www.virustotal.com/file/fee53dc4e165b2aa45c3e7bd100b49c367aa8b7f81757617114ff50a584a1566/analysis/1479181529/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}