misp-circl-feed/feeds/circl/stix-2.1/5ac6140f-5964-4eb8-81bd-4095950d210f.json

309 lines
13 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5ac6140f-5964-4eb8-81bd-4095950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:31:47.000Z",
"modified": "2018-04-08T15:31:47.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5ac6140f-5964-4eb8-81bd-4095950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:31:47.000Z",
"modified": "2018-04-08T15:31:47.000Z",
"name": "OSINT - The DiskWriter or UselessDisk BootLocker May Be A Wiper",
"published": "2018-04-08T15:31:53Z",
"object_refs": [
"observed-data--5ac61454-3594-46fd-8de1-3be0950d210f",
"url--5ac61454-3594-46fd-8de1-3be0950d210f",
"x-misp-attribute--5ac61490-bc28-4c77-9fd7-4e33950d210f",
"indicator--5ac619b3-39f4-4bdc-a22f-3be0950d210f",
"indicator--5ac619b3-b258-4e49-9904-3be0950d210f",
"indicator--5ac619b4-3ee4-4c02-9e4c-3be0950d210f",
"indicator--5ac619c6-84f0-4be7-b49c-4511950d210f",
"x-misp-attribute--5aca35d5-3dd4-487d-bb2a-621b02de0b81",
"x-misp-object--5ac618a5-04fc-424c-b54d-43e7950d210f",
"indicator--b36edfe1-10b3-4ce6-850c-48fec67da615",
"x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa",
2023-05-19 09:05:37 +00:00
"relationship--ecd7f91e-961b-46c2-84cc-761868a3dc61"
2023-04-21 14:44:17 +00:00
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:tool=\"UselessDisk\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ac61454-3594-46fd-8de1-3be0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:13:21.000Z",
"modified": "2018-04-08T15:13:21.000Z",
"first_observed": "2018-04-08T15:13:21Z",
"last_observed": "2018-04-08T15:13:21Z",
"number_observed": 1,
"object_refs": [
"url--5ac61454-3594-46fd-8de1-3be0950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ac61454-3594-46fd-8de1-3be0950d210f",
"value": "https://www.bleepingcomputer.com/news/security/the-diskwriter-or-uselessdisk-bootlocker-may-be-a-wiper/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5ac61490-bc28-4c77-9fd7-4e33950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:13:22.000Z",
"modified": "2018-04-08T15:13:22.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac619b3-39f4-4bdc-a22f-3be0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:13:22.000Z",
"modified": "2018-04-08T15:13:22.000Z",
"pattern": "[file:name = 'DiskWriter.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:13:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac619b3-b258-4e49-9904-3be0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:13:22.000Z",
"modified": "2018-04-08T15:13:22.000Z",
"pattern": "[file:name = 'UselessDisk.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:13:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac619b4-3ee4-4c02-9e4c-3be0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:13:23.000Z",
"modified": "2018-04-08T15:13:23.000Z",
"pattern": "[file:name = 'E:\\\\Debug\\\\UselessDisk.pdb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:13:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac619c6-84f0-4be7-b49c-4511950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-05T12:42:46.000Z",
"modified": "2018-04-05T12:42:46.000Z",
"pattern": "[file:hashes.SHA256 = 'bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-05T12:42:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5aca35d5-3dd4-487d-bb2a-621b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:31:33.000Z",
"modified": "2018-04-08T15:31:33.000Z",
"labels": [
"misp:type=\"pdb\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Artifacts dropped",
"x_misp_type": "pdb",
"x_misp_value": "E:\\Debug\\UselessDisk.pdb"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5ac618a5-04fc-424c-b54d-43e7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-05T12:37:57.000Z",
"modified": "2018-04-05T12:37:57.000Z",
"labels": [
"misp:name=\"coin-address\"",
"misp:meta-category=\"financial\""
],
"x_misp_attributes": [
{
"type": "btc",
"object_relation": "address",
"value": "1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco",
"category": "Financial fraud",
"to_ids": true,
"uuid": "5ac618a5-2194-4990-a478-4713950d210f"
},
{
"type": "text",
"object_relation": "symbol",
"value": "BTC",
"category": "Other",
"uuid": "5ac618a6-7594-437a-bcfe-42d5950d210f"
}
],
"x_misp_meta_category": "financial",
"x_misp_name": "coin-address"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b36edfe1-10b3-4ce6-850c-48fec67da615",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:13:26.000Z",
"modified": "2018-04-08T15:13:26.000Z",
"pattern": "[file:hashes.MD5 = '577be8c5b73e59fb71570f632349e5fe' AND file:hashes.SHA1 = '363605836bf4ee34d9dfb43a6e71acdfd2b2cebe' AND file:hashes.SHA256 = 'bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:13:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:13:25.000Z",
"modified": "2018-04-08T15:13:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e/analysis/1522221142/",
"category": "External analysis",
"uuid": "5aca3195-62bc-4071-8d07-61c702de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "47/67",
"category": "Other",
"uuid": "5aca3195-0948-47b7-b12b-61c702de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-03-28T07:12:22",
"category": "Other",
"uuid": "5aca3195-2d94-4f77-8ccd-61c702de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
2023-05-19 09:05:37 +00:00
"id": "relationship--ecd7f91e-961b-46c2-84cc-761868a3dc61",
2023-04-21 14:44:17 +00:00
"created": "2018-04-08T15:13:26.000Z",
"modified": "2018-04-08T15:13:26.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b36edfe1-10b3-4ce6-850c-48fec67da615",
"target_ref": "x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}