2023-04-21 14:44:17 +00:00
{
"type" : "bundle" ,
"id" : "bundle--5b72c78a-274c-43a6-a945-4fd5950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-14T06:33:53.000Z" ,
"modified" : "2018-09-14T06:33:53.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "grouping" ,
"spec_version" : "2.1" ,
"id" : "grouping--5b72c78a-274c-43a6-a945-4fd5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-14T06:33:53.000Z" ,
"modified" : "2018-09-14T06:33:53.000Z" ,
"name" : "OSINT - New Cmb Dharma Ransomware Variant Released" ,
"context" : "suspicious-activity" ,
"object_refs" : [
"observed-data--5b72cc0c-7650-45f8-a0b8-480e950d210f" ,
"url--5b72cc0c-7650-45f8-a0b8-480e950d210f" ,
"x-misp-attribute--5b72cc2d-4e18-422b-9e9c-4b04950d210f" ,
"indicator--5b76bb98-be88-4cc7-840e-43e9950d210f" ,
"indicator--5b76be0c-bfb0-476c-8e1a-43c9950d210f" ,
"indicator--5b76bea9-c140-4dc4-b0b9-46a0950d210f" ,
"indicator--5b76bea9-fa40-48bd-814c-4928950d210f" ,
"indicator--5b76bea9-c25c-4a54-b4f1-4562950d210f" ,
"indicator--5b76bea9-862c-401d-bdbd-4339950d210f" ,
"indicator--5b76bea9-38cc-4d10-b9e7-45fc950d210f" ,
"indicator--5b76c113-5bcc-4611-9e46-f168950d210f" ,
"indicator--5b76c113-9c38-43f7-bece-f168950d210f" ,
"indicator--5b76c113-3e70-4f67-baec-f168950d210f" ,
"indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8" ,
"x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd" ,
2023-05-19 09:05:37 +00:00
"relationship--9a42c394-0381-4c08-bc21-bb30357a0ce6"
2023-04-21 14:44:17 +00:00
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:ransomware=\"Dharma Ransomware\"" ,
"malware_classification:malware-category=\"Ransomware\"" ,
"circl:incident-classification=\"malware\"" ,
"osint:source-type=\"blog-post\"" ,
"workflow:state=\"complete\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b72cc0c-7650-45f8-a0b8-480e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-14T12:34:27.000Z" ,
"modified" : "2018-08-14T12:34:27.000Z" ,
"first_observed" : "2018-08-14T12:34:27Z" ,
"last_observed" : "2018-08-14T12:34:27Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b72cc0c-7650-45f8-a0b8-480e950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b72cc0c-7650-45f8-a0b8-480e950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b72cc2d-4e18-422b-9e9c-4b04950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-14T12:33:57.000Z" ,
"modified" : "2018-08-14T12:33:57.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "On Thursday a new variant of the Dharma Ransomware was discovered that appends the .cmb extension to encrypted files.\r\n\r\nThe Cmb variant of the Dharma Ransomware was first discovered by Michael Gillespie when he noticed samples uploaded to ID Ransomware, After tweeting about it, Jakub Kroustek replied with a hash to the sample."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76bb98-be88-4cc7-840e-43e9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:12:08.000Z" ,
"modified" : "2018-08-17T12:12:08.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T12:12:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76be0c-bfb0-476c-8e1a-43c9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:40:43.000Z" ,
"modified" : "2018-08-17T12:40:43.000Z" ,
"description" : "Contact email mentioned in ransom note" ,
"pattern" : "[email-message:from_ref.value = 'paymentbtc@firemail.cc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T12:40:43Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"email-src\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76bea9-c140-4dc4-b0b9-46a0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:25:13.000Z" ,
"modified" : "2018-08-17T12:25:13.000Z" ,
"pattern" : "[file:name = '\\\\%Appdata\\\\%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\Info.hta']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T12:25:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76bea9-fa40-48bd-814c-4928950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:25:13.000Z" ,
"modified" : "2018-08-17T12:25:13.000Z" ,
"pattern" : "[file:name = '\\\\%Appdata\\\\%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\cmb_ransomware.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T12:25:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76bea9-c25c-4a54-b4f1-4562950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:25:13.000Z" ,
"modified" : "2018-08-17T12:25:13.000Z" ,
"pattern" : "[file:name = '\\\\%Appdata\\\\%\\\\Info.hta']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T12:25:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76bea9-862c-401d-bdbd-4339950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:25:13.000Z" ,
"modified" : "2018-08-17T12:25:13.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\FILES ENCRYPTED.txt']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T12:25:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76bea9-38cc-4d10-b9e7-45fc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:25:13.000Z" ,
"modified" : "2018-08-17T12:25:13.000Z" ,
"pattern" : "[file:name = '\\\\%PUBLIC\\\\%\\\\Desktop\\\\FILES ENCRYPTED.txt']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T12:25:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76c113-5bcc-4611-9e46-f168950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T13:26:26.000Z" ,
"modified" : "2018-08-17T13:26:26.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\cmb_ransomware.exe' AND windows-registry-key:values.data = '\\\\%WINDIR\\\\%\\\\System32\\\\cmb_ransomware.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T13:26:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"regkey|value\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76c113-9c38-43f7-bece-f168950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T13:29:31.000Z" ,
"modified" : "2018-08-17T13:29:31.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%WINDIR%\\\\System32\\\\Info.hta mshta.exe' AND windows-registry-key:values.data = '\\\\\"%WINDIR%\\\\System32\\\\Info.hta']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T13:29:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"regkey|value\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b76c113-3e70-4f67-baec-f168950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T13:29:58.000Z" ,
"modified" : "2018-08-17T13:29:58.000Z" ,
"pattern" : "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%Appdata%\\\\Info.hta\tmshta.exe' AND windows-registry-key:values.data = '\\\\\"%Appdata%\\\\Info.hta']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T13:29:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Artifacts dropped"
}
] ,
"labels" : [
"misp:type=\"regkey|value\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:23:44.000Z" ,
"modified" : "2018-08-17T12:23:44.000Z" ,
"pattern" : "[file:hashes.MD5 = 'd50f69f0d3a73c0a58d2ad08aedac1c8' AND file:hashes.SHA1 = 'c25ff1bb2ea3e0804ab3f370ad2877b0b7c56903' AND file:hashes.SHA256 = 'c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-08-17T12:23:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-08-17T12:23:43.000Z" ,
"modified" : "2018-08-17T12:23:43.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-08-14 05:47:48" ,
"category" : "Other" ,
"uuid" : "7b4c2186-d46a-4444-904e-963bbb0fdbae"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702/analysis/1534225668/" ,
"category" : "External analysis" ,
"uuid" : "94fd6e61-154c-44e8-ac6b-073a54eaaa16"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "56/68" ,
"category" : "Other" ,
"uuid" : "2a66be74-d97a-45c3-b2b6-647492a2ddb5"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
2023-05-19 09:05:37 +00:00
"id" : "relationship--9a42c394-0381-4c08-bc21-bb30357a0ce6" ,
2023-04-21 14:44:17 +00:00
"created" : "2018-08-17T12:23:44.000Z" ,
"modified" : "2018-08-17T12:23:44.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8" ,
"target_ref" : "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}