{
"type" : "bundle" ,
"id" : "bundle--59f04ba5-e890-4534-8fa9-47dd950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--59f04ba5-e890-4534-8fa9-47dd950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"name" : "OSINT - BadRabbit Ransomware Compiled by ThaiCERT, a member of the Electronic Transactions Development Agency" ,
"published" : "2017-10-25T11:23:21Z" ,
"object_refs" : [
"observed-data--59f04c02-c344-41df-834f-4b4c950d210f" ,
"file--59f04c02-c344-41df-834f-4b4c950d210f" ,
"artifact--59f04c02-c344-41df-834f-4b4c950d210f" ,
"x-misp-attribute--59f04c43-0da0-47ac-9dd8-47aa950d210f" ,
"x-misp-attribute--59f04c43-98a4-4ed8-b4ff-48c2950d210f" ,
"x-misp-attribute--59f04c43-d550-4bd6-912a-457c950d210f" ,
"x-misp-attribute--59f04c43-23a4-4f3d-aea4-4a8e950d210f" ,
"x-misp-attribute--59f04c56-7f1c-4ee7-b43c-4bc8950d210f" ,
"observed-data--59f04c7b-d584-4493-b8e1-4367950d210f" ,
"url--59f04c7b-d584-4493-b8e1-4367950d210f" ,
"observed-data--59f04c7b-b790-48b4-9492-4d4b950d210f" ,
"url--59f04c7b-b790-48b4-9492-4d4b950d210f" ,
"observed-data--59f04c7b-9658-4755-ab9c-4860950d210f" ,
"url--59f04c7b-9658-4755-ab9c-4860950d210f" ,
"observed-data--59f04c7b-2188-4046-b429-4a25950d210f" ,
"url--59f04c7b-2188-4046-b429-4a25950d210f" ,
"observed-data--59f04c7b-2c10-43f3-9b66-4f48950d210f" ,
"url--59f04c7b-2c10-43f3-9b66-4f48950d210f" ,
"observed-data--59f04c7b-6efc-4c7d-aa76-40de950d210f" ,
"url--59f04c7b-6efc-4c7d-aa76-40de950d210f" ,
"observed-data--59f04c7b-2bcc-4171-887e-4084950d210f" ,
"url--59f04c7b-2bcc-4171-887e-4084950d210f" ,
"observed-data--59f04c7b-6c44-437d-9ac0-4ebb950d210f" ,
"url--59f04c7b-6c44-437d-9ac0-4ebb950d210f" ,
"observed-data--59f04c7b-971c-4c87-bec5-4110950d210f" ,
"url--59f04c7b-971c-4c87-bec5-4110950d210f" ,
"observed-data--59f04c7b-ea28-4569-b8b3-4e2b950d210f" ,
"url--59f04c7b-ea28-4569-b8b3-4e2b950d210f" ,
"observed-data--59f04c8a-edfc-4f0f-97a2-4d37950d210f" ,
"url--59f04c8a-edfc-4f0f-97a2-4d37950d210f" ,
"observed-data--59f04ca9-d00c-4043-897c-44db950d210f" ,
"url--59f04ca9-d00c-4043-897c-44db950d210f" ,
"observed-data--59f04ca9-ad18-4172-92c5-43b2950d210f" ,
"url--59f04ca9-ad18-4172-92c5-43b2950d210f" ,
"observed-data--59f04ca9-53a4-4546-a05f-4a38950d210f" ,
"url--59f04ca9-53a4-4546-a05f-4a38950d210f" ,
"observed-data--59f04ca9-8a84-4e67-b96a-4bcc950d210f" ,
"url--59f04ca9-8a84-4e67-b96a-4bcc950d210f" ,
"observed-data--59f04ca9-00f0-4d6c-861f-4f0a950d210f" ,
"url--59f04ca9-00f0-4d6c-861f-4f0a950d210f" ,
"observed-data--59f04ca9-9080-49be-96b2-4b33950d210f" ,
"url--59f04ca9-9080-49be-96b2-4b33950d210f" ,
"observed-data--59f04ca9-76d0-4712-b9bf-41fa950d210f" ,
"url--59f04ca9-76d0-4712-b9bf-41fa950d210f" ,
"observed-data--59f04ca9-18fc-4672-8078-41e5950d210f" ,
"url--59f04ca9-18fc-4672-8078-41e5950d210f" ,
"observed-data--59f04ca9-0d54-42c2-bfea-4017950d210f" ,
"url--59f04ca9-0d54-42c2-bfea-4017950d210f" ,
"observed-data--59f04ca9-f1a8-4ee7-9195-4a3c950d210f" ,
"url--59f04ca9-f1a8-4ee7-9195-4a3c950d210f" ,
"observed-data--59f04ca9-16cc-4f80-8ba4-406e950d210f" ,
"url--59f04ca9-16cc-4f80-8ba4-406e950d210f" ,
"observed-data--59f04ca9-7f20-4363-8096-4a8c950d210f" ,
"url--59f04ca9-7f20-4363-8096-4a8c950d210f" ,
"observed-data--59f04ca9-14f0-4ad8-bbb4-4c6b950d210f" ,
"url--59f04ca9-14f0-4ad8-bbb4-4c6b950d210f" ,
"observed-data--59f04ca9-4624-4a61-bb1d-4a80950d210f" ,
"url--59f04ca9-4624-4a61-bb1d-4a80950d210f" ,
"observed-data--59f04ca9-b7c4-4496-94b5-4bd4950d210f" ,
"url--59f04ca9-b7c4-4496-94b5-4bd4950d210f" ,
"observed-data--59f04ca9-1c5c-48a5-940e-4846950d210f" ,
"url--59f04ca9-1c5c-48a5-940e-4846950d210f" ,
"observed-data--59f04ca9-2cd4-407f-93cc-47e3950d210f" ,
"url--59f04ca9-2cd4-407f-93cc-47e3950d210f" ,
"observed-data--59f04ca9-2384-4933-a65f-44a4950d210f" ,
"url--59f04ca9-2384-4933-a65f-44a4950d210f" ,
"observed-data--59f04ca9-20b4-41b5-9814-45da950d210f" ,
"url--59f04ca9-20b4-41b5-9814-45da950d210f" ,
"observed-data--59f04caa-13e0-43c0-b1ab-4f6a950d210f" ,
"url--59f04caa-13e0-43c0-b1ab-4f6a950d210f" ,
"observed-data--59f04caa-a06c-4fa8-9068-4cdf950d210f" ,
"url--59f04caa-a06c-4fa8-9068-4cdf950d210f" ,
"observed-data--59f04caa-f4dc-454f-8eee-416d950d210f" ,
"url--59f04caa-f4dc-454f-8eee-416d950d210f" ,
"observed-data--59f04caa-2cc8-483e-a992-4be4950d210f" ,
"url--59f04caa-2cc8-483e-a992-4be4950d210f" ,
"observed-data--59f04caa-c97c-4ed4-a364-410d950d210f" ,
"url--59f04caa-c97c-4ed4-a364-410d950d210f" ,
"observed-data--59f04caa-0a40-4ec0-aadc-498e950d210f" ,
"url--59f04caa-0a40-4ec0-aadc-498e950d210f" ,
"observed-data--59f04cbe-55c4-43b3-9b81-4a39950d210f" ,
"url--59f04cbe-55c4-43b3-9b81-4a39950d210f" ,
"observed-data--59f04cbe-eed8-40ca-aad0-464f950d210f" ,
"url--59f04cbe-eed8-40ca-aad0-464f950d210f" ,
"observed-data--59f04cbe-a1a4-416b-9f68-4764950d210f" ,
"url--59f04cbe-a1a4-416b-9f68-4764950d210f" ,
"observed-data--59f04cbe-e4e4-4d6d-8eab-4e42950d210f" ,
"url--59f04cbe-e4e4-4d6d-8eab-4e42950d210f" ,
"observed-data--59f04cbe-c9dc-4e7f-98ee-43e3950d210f" ,
"url--59f04cbe-c9dc-4e7f-98ee-43e3950d210f" ,
"observed-data--59f04cbe-09b0-4172-9c38-4ece950d210f" ,
"url--59f04cbe-09b0-4172-9c38-4ece950d210f" ,
"observed-data--59f04cbe-1888-4a4e-8e13-4f6e950d210f" ,
"url--59f04cbe-1888-4a4e-8e13-4f6e950d210f" ,
"observed-data--59f04ce0-ace4-4fd9-a5e1-4384950d210f" ,
"url--59f04ce0-ace4-4fd9-a5e1-4384950d210f" ,
"x-misp-attribute--59f04ddb-4394-4395-a6dc-4cad950d210f" ,
"x-misp-attribute--59f04ddb-8c10-49a8-8478-4af9950d210f" ,
"indicator--59f04e08-25d8-45ee-8504-4e93950d210f" ,
"indicator--59f04e08-95a8-4618-9479-44db950d210f" ,
"indicator--59f04e08-ccc4-488b-b969-4333950d210f" ,
"indicator--59f04e08-6ae4-489b-be10-4669950d210f" ,
"x-misp-attribute--59f04e1b-213c-4331-928a-4c81950d210f" ,
"x-misp-attribute--59f04e1b-a3f8-4600-8f29-40ea950d210f" ,
"x-misp-attribute--59f04e1b-c00c-4b3e-ac65-4124950d210f" ,
"indicator--59f04e62-cb50-4df9-abff-4be0950d210f" ,
"indicator--59f04e62-b7e4-48b7-8223-485f950d210f" ,
"indicator--59f04e62-6178-4db1-8e6b-41d0950d210f" ,
"indicator--59f04e9c-1a6c-4b65-ace5-4043950d210f" ,
"indicator--59f04e9c-94e4-4a5c-91e5-481a950d210f" ,
"indicator--59f04e9c-0ad8-41a7-9039-45a2950d210f" ,
"indicator--59f04eb4-d490-4167-a395-4b88950d210f" ,
"indicator--59f04f7a-dd8c-4fb0-a584-4d3202de0b81" ,
"indicator--59f04f7a-9058-4c94-b7d7-44eb02de0b81" ,
"observed-data--59f04f7a-ede0-414e-89d5-49a902de0b81" ,
"url--59f04f7a-ede0-414e-89d5-49a902de0b81" ,
"indicator--59f04f7a-a1bc-4d00-ab1f-408a02de0b81" ,
"indicator--59f04f7a-f30c-4b40-8e0b-41eb02de0b81" ,
"observed-data--59f04f7a-ffb8-4ccf-a9e4-4a8c02de0b81" ,
"url--59f04f7a-ffb8-4ccf-a9e4-4a8c02de0b81" ,
"indicator--59f04f7a-52b0-4877-b62a-45f802de0b81" ,
"indicator--59f04f7a-6898-4e2e-84f0-4d5c02de0b81" ,
"observed-data--59f04f7a-0b4c-4347-ba7a-4bde02de0b81" ,
"url--59f04f7a-0b4c-4347-ba7a-4bde02de0b81" ,
"indicator--59f04f7a-80dc-41da-97fd-476202de0b81" ,
"indicator--59f04f7a-eca0-453f-88f3-425902de0b81" ,
"observed-data--59f04f7a-0e90-4e91-85c6-433702de0b81" ,
"url--59f04f7a-0e90-4e91-85c6-433702de0b81" ,
"indicator--59f04f7a-de34-4cca-ad90-4b9302de0b81" ,
"indicator--59f04f7a-26ac-4faf-a5c9-412402de0b81" ,
"observed-data--59f04f7b-9318-4819-94bb-419e02de0b81" ,
"url--59f04f7b-9318-4819-94bb-419e02de0b81" ,
"indicator--59f04f7b-9110-465c-98b1-4ebf02de0b81" ,
"indicator--59f04f7b-7134-494e-9467-411b02de0b81" ,
"observed-data--59f04f7b-667c-4ad9-ad32-42b102de0b81" ,
"url--59f04f7b-667c-4ad9-ad32-42b102de0b81" ,
"indicator--59f04f7b-d238-4e6b-8d21-445502de0b81" ,
"indicator--59f04f7b-c8e0-4bdf-a5c9-46ed02de0b81" ,
"observed-data--59f04f7b-099c-46e6-a0b0-4a4f02de0b81" ,
"url--59f04f7b-099c-46e6-a0b0-4a4f02de0b81"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"misp-galaxy:ransomware=\"Bad Rabbit\"" ,
"misp-galaxy:preventive-measure=\"Restrict Workstation Communication\"" ,
"misp-galaxy:preventive-measure=\"Backup and Restore Process\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c02-c344-41df-834f-4b4c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:49.000Z" ,
"modified" : "2017-10-25T08:46:49.000Z" ,
"first_observed" : "2017-10-25T08:46:49Z" ,
"last_observed" : "2017-10-25T08:46:49Z" ,
"number_observed" : 1 ,
"object_refs" : [
"file--59f04c02-c344-41df-834f-4b4c950d210f" ,
"artifact--59f04c02-c344-41df-834f-4b4c950d210f"
] ,
"labels" : [
"misp:type=\"attachment\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"technical-report\""
]
} ,
{
"type" : "file" ,
"spec_version" : "2.1" ,
"id" : "file--59f04c02-c344-41df-834f-4b4c950d210f" ,
"name" : "BadRabbit Ransomware v0.2.pdf" ,
"content_ref" : "artifact--59f04c02-c344-41df-834f-4b4c950d210f"
} ,
{
"type" : "artifact" ,
"spec_version" : "2.1" ,
"id" : "artifact--59f04c02-c344-41df-834f-4b4c950d210f" ,
"payload_bin" : " J V B E R i 0 x L j U N C i W 1 t b W 1 D Q o x I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 N h d G F s b 2 c v U G F n Z X M g M i A w I F I v T G F u Z y h l b i 1 V U y k g L 1 N 0 c n V j d F R y Z W V S b 290 I D E 0 O C A w I F I v T W F y a 0 l u Z m 88 P C 9 N Y X J r Z W Q g d H J 1 Z T 4 + P j 4 N C m V u Z G 9 i a g 0 K M i A w I G 9 i a g 0 K P D w v V H l w Z S 9 Q Y W d l c y 9 D b 3 V u d C A 5 L 0 t p Z H N b I D M g M C B S I D I 4 I D A g U i A z M y A w I F I g M z Y g M C B S I D Q w I D A g U i A 0 N y A w I F I g N D k g M C B S I D U z I D A g U i A 1 O C A w I F J d I D 4 + D Q p l b m R v Y m o N C j M g M C B v Y m o N C j w 8 L 1 R 5 c G U v U G F n Z S 9 Q Y X J l b n Q g M i A w I F I v U m V z b 3 V y Y 2 V z P D w v R m 9 u d D w 8 L 0 Y x I D U g M C B S L 0 Y y I D k g M C B S L 0 Y z I D E x I D A g U i 9 G N C A x M y A w I F I v R j U g M T U g M C B S L 0 Y 2 I D E 3 I D A g U i 9 G N y A x O S A w I F I + P i 9 F e H R H U 3 R h d G U 8 P C 9 H U z c g N y A w I F I v R 1 M 4 I D g g M C B S P j 4 v W E 9 i a m V j d D w 8 L 0 l t Y W d l M j I g M j I g M C B S L 0 l t Y W d l M j U g M j U g M C B S L 0 l t Y W d l M j c g M j c g M C B S P j 4 v U H J v Y 1 N l d F s v U E R G L 1 R l e H Q v S W 1 h Z 2 V C L 0 l t Y W d l Q y 9 J b W F n Z U l d I D 4 + L 0 F u b m 90 c 1 s g M j E g M C B S I D I 0 I D A g U l 0 g L 0 1 l Z G l h Q m 94 W y A w I D A g N j E y I D c 5 M l 0 g L 0 N v b n R l b n R z I D Q g M C B S L 0 d y b 3 V w P D w v V H l w Z S 9 H c m 91 c C 9 T L 1 R y Y W 5 z c G F y Z W 5 j e S 9 D U y 9 E Z X Z p Y 2 V S R 0 I + P i 9 U Y W J z L 1 M v U 3 R y d W N 0 U G F y Z W 50 c y A w P j 4 N C m V u Z G 9 i a g 0 K N C A w I G 9 i a g 0 K P D w v R m l s d G V y L 0 Z s Y X R l R G V j b 2 R l L 0 x l b m d 0 a C A 5 M z Q + P g 0 K c 3 R y Z W F t D Q p 4 n J 1 W 224 T M R B 9 j 5 R / m E c v I q 7 v F 1 R V a t M U i k C U N o K H l o e 0 L K G I b C A p I P 6 e s b N N 15 t 4 t S J R 
H G c y n j N z 5 r K G g w s 4 P D x 4 O z 4 / B X Z 0 B C e n Y z i Z D g c H Z x y 4 g O m X 4 Y A D w z c H K y g T C o x 1 l M N 0 g T o v r y z M 18 M B g 3 n 85 e p f L 4 e D a w L F S M j 2 y n c k O f l / S T 7 B 9 P V w M E H / Q w y P j k s m q J Q N x 7 u c S 0 0 c n I k 2 D Y o x K m z L 2 t M p m L w d A z R Y 5 Q 1 W 21 R q S 7 X r Y 0 R 0 G J G S 2 j 42 Z I c N 5 q l X f Y y o p E Z k p k a 0 M 1 T W 5 k 6 Q W E t m k e T P u H f k s i G 5 j Z L N e o 8 S T h 4 y W e R S U e 4 S 0 7 m E c 2 m p T V W b m F V E W 8 f 9 M u 4 X x U g y 8 g d X X u u s U M 5 I m Q E Q X F P m s 77 s s K b z 1 G v 81 n 1 s m I R 5 B Z g x s 5 d 7 w 6 g R t c X x c v G j G F m k V p P v x c i Q 8 n O h Y q 0 z c v s X 4 y U w / T p D 4 j U Z T w p J L q f 4 l y b P Y b Z V W 5 Q o R 4 I 8 u S 1 R u I q H l l + 2 / z 98 L b f 7 S c D 6 j l j l X V B 7 Q G V B l t W j B 3 c B B 6 a r 4 M i s w l P r I J h t d O 8 L E 7 L h S b W O E K f l 7 / B d o t u K L G M U 0 Z X q o R g 5 A s f B y D x A V / H 830 y q l E a i e M p K J 8824 V n n e V a + 3 w B w H c m X j Q H w A S n 0 W H K h C Q J x N p a o D 22 B x b m M 8 i q u S L Z U h M U 9 j X u R 6 w S h s U I T m G z T C N d W v S H R D R G B d O 6 c k l S r n h j K 7 O i + Q + s u l A a G i q k V o g 4 V Z 4 K U W z o y 9 p y k z v T E x m Z t 64 q I s S G S x 9 X G 9 a b I N j 4 O W 5 s H 3 E m + b 1 V T Z l 4 K R U W v S c J Z R z U x T u V j S U 4 j r W / i M L u I t L 4 o H P m I D a f J q 9 B M 51 h u v F a b Z A c p 1 o R L D X e 7 x 3 v d I V R 4 e P a a e l w k B g 0 i U K Y S m x o L E I G s 7 z e L u U w s W v D 7 P O S G U 7 W Z F / i 4 N x Y Y l c L j q r i B 1 X y f 9 D J e e 85 w j N 3 j m J q H 0 f Y r L H F i l r m y 9 I Z 6 l + B d Y y l m 0 o F 50 I k u j B h l g e O 7 a / I i W / l M I 0 Z y j M U T x + j r b / z M g p v r 9 o N 3 z 92 H C 4 N h p 852 k 6161 U N 4 Y B u z Y T v c J b d X y F w X G s p 0 89 R e N 65 + z K o n T x 6 f w T + H g 0 B a e C G f e C 0 0 j j o H B j 3 T n O K 6 K o e D j 8 + g 
Q j y 7 Q c R Y u e Q h c r z 1 w V 24 + p 4 v Z v N S C D h d w v s M o N k B l E J J 3 w W I 44 x j R B G T h x A l t 5 T Z N q x O Y R t 0 290 g h U Q I b l l o m 4 A p v K b G N U C V s d T r C C r Q A Q U W B z q O S 0 a d b K L a G p X D n z p D m I p v M L A y K u M N W 2 F k a E k 4 h V Y C w F X t 4 z / C c H M 1 D Q p l b m R z d H J l Y W 0 N C m V u Z G 9 i a g 0 K N S A w I G 9 i a g 0 K P D w v V H l w Z S 9 G b 250 L 1 N 1 Y n R 5 c G U v V H J 1 Z V R 5 c G U v T m F t Z S 9 G M S 9 C Y X N l R m 9 u d C 9 B Q k N E R U U r Q 2 F s a W J y a S 1 C b 2 x k S X R h b G l j L 0 V u Y 29 k a W 5 n L 1 d p b k F u c 2 l F b m N v Z G l u Z y 9 G b 250 R G V z Y 3 J p c H R v c i A 2 I D A g U i 9 G a X J z d E N o Y X I g M z I v T G F z d E N o Y X I g M z I v V 2 l k d G h z I D k 5 M i A w I F I + P g 0 K Z W 5 k b 2 J q D Q o 2 I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n R E Z X N j c m l w d G 9 y L 0 Z v b n R O Y W 1 l L 0 F C Q 0 R F R S t D Y W x p Y n J p L U J v b G R J d G F s a W M v R m x h Z 3 M g M z I v S X R h b G l j Q W 5 n b G U g L T E x L 0 F z Y 2 V u d C A 3 N T A v R G V z Y 2 V u d C A t M j U w L 0 N h c E h l a W d o d C A 3 N T A v Q X Z n V 2 l k d G g g N T M 3 L 0 1 h e F d p Z H R o I D E 5 N T Y v R m 9 u d F d l a W d o d C A 3 M D A v W E h l a W d o d C A y N T A v U 3 R l b V Y g N T M v R m 9 u d E J C b 3 h b I C 0 2 O T E g L T I 1 M C A x M j Y 1 I D c 1 M F 0 g L 0 Z v b n R G a W x l M i A 5 O T M g M C B S P j 4 N C m V u Z G 9 i a g 0 K N y A w I G 9 i a g 0 K P D w v V H l w Z S 9 F e H R H U 3 R h d G U v Q k 0 v T m 9 y b W F s L 2 N h I D E + P g 0 K Z W 5 k b 2 J q D Q o 4 I D A g b 2 J q D Q o 8 P C 9 U e X B l L 0 V 4 d E d T d G F 0 Z S 9 C T S 9 O b 3 J t Y W w v Q 0 E g M T 4 + D Q p l b m R v Y m o N C j k g M C B v Y m o N C j w 8 L 1 R 5 c G U v R m 9 u d C 9 T d W J 0 e X B l L 1 R y d W V U e X B l L 0 5 h b W U v R j I v Q m F z Z U Z v b n Q v Q U J D R E V F K 0 N h b G l i c m k t 
Q m 9 s Z C 9 F b m N v Z G l u Z y 9 X a W 5 B b n N p R W 5 j b 2 R p b m c v R m 9 u d E R l c 2 N y a X B 0 b 3 I g M T A g M C B S L 0 Z p c n N 0 Q 2 h h c i A z M i 9 M Y X N 0 Q 2 h h c i A x M T U v V 2 l k d G h z I D k 5 N C A w I F I + P g 0 K Z W 5 k b 2 J q D Q o x M C A w I G 9 i a g 0 K P D w v V H l w Z S 9 G b 250 R G V z Y 3 J p c H R v c i 9 G b 250 T m F t Z S 9 B Q k N E R U U r Q 2 F s a W J y a S 1 C b 2 x k L 0 Z s Y W d z I D M y L 0 l 0 Y W x p Y 0 F u Z 2 x l I D A v Q X N j Z W 50 I D c 1 M C 9 E Z X N j Z W 50 I C 0 y N T A v Q 2 F w S G V p Z 2 h 0 I D c 1 M C 9 B d m d X a W R 0 a C A 1 M z Y v T W F 4 V 2 l k d G g g M T c 1 O S 9 G b 250 V 2 V p Z 2 h 0 I D c w M C 9 Y S G V p Z 2 h 0 I D I 1 M C 9 T d G V t V i A 1 M y 9 G b 250 Q k J v e F s g L T U x O S A t M j U w I D E y N D A g N z U w X S A v R m 9 u d E Z p b G U y I D k 5 N S A w I F I + P g 0 K Z W 5 k b 2 J q D Q o x M S A w I G 9 i a g 0 K P D w v V H l w Z S 9 G b 250 L 1 N 1 Y n R 5 c G U v V H J 1 Z V R 5 c G U v T m F t Z S 9 G M y 9 C Y X N l R m 9 u d C 9 B c m l h b C 1 C b 2 x k T V Q v R W 5 j b 2 R p b m c v V 2 l u Q W 5 z a U V u Y 29 k a W 5 n L 0 Z v b n R E Z X N j c m l w d G 9 y I D E y I D A g U i 9 G a X J z d E N o Y X I g M z I v T G F z d E N o Y X I g M T I w L 1 d p Z H R o c y A 5 O T Y g M C B S P j 4 N C m V u Z G 9 i a g 0 K M T I g M C B v Y m o N C j w 8 L 1 R 5 c G U v R m 9 u d E R l c 2 N y a X B 0 b 3 I v R m 9 u d E 5 h b W U v Q X J p Y W w t Q m 9 s Z E 1 U L 0 Z s Y W d z I D M y L 0 l 0 Y W x p Y 0 F u Z 2 x l I D A v Q X N j Z W 50 I D k w N S 9 E Z X N j Z W 50 I C 0 y M T A v Q 2 F w S G V p Z 2 h 0 I D c y O C 9 B d m d X a W R 0 a C A 0 N z k v T W F 4 V 2 l k d G g g M j Y y O C 9 G b 250 V 2 V p Z 2 h 0 I D c w M C 9 Y S G V p Z 2 h 0 I D I 1 M C 9 M Z W F k a W 5 n I D M z L 1 N 0 Z W 1 W I D Q 3 L 0 Z v b n R C Q m 94 W y A t N j I 4 I C 0 y M T A g M j A w M C A 3 M j h d I D 4 + D Q p l b m R v Y m o N C j E z I D A g b 
2 J q D Q o 8 P C 9 U e X B l L 0 Z v b n Q v U 3 V i d H l w Z S 9 U c n V l V H l w Z S 9
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04c43-0da0-47ac-9dd8-47aa950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:49.000Z" ,
"modified" : "2017-10-25T08:46:49.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Antivirus detection\""
] ,
"x_misp_category" : "Antivirus detection" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Win32/Diskcoder.D"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04c43-98a4-4ed8-b4ff-48c2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:49.000Z" ,
"modified" : "2017-10-25T08:46:49.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Antivirus detection\""
] ,
"x_misp_category" : "Antivirus detection" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Trojan-Ransom.Win32.Gen.ftl"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04c43-d550-4bd6-912a-457c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:49.000Z" ,
"modified" : "2017-10-25T08:46:49.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Antivirus detection\""
] ,
"x_misp_category" : "Antivirus detection" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Win32/Tibbar.A"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04c43-23a4-4f3d-aea4-4a8e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:49.000Z" ,
"modified" : "2017-10-25T08:46:49.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"Antivirus detection\""
] ,
"x_misp_category" : "Antivirus detection" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Troj/Ransom-ERK"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04c56-7f1c-4ee7-b43c-4bc8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:49.000Z" ,
"modified" : "2017-10-25T08:46:49.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "new ransomware strain named BadRabbit is wreaking havoc in many Eastern European countries,\r\naffecting both government agencies and private businesses alike.\r\nAt the time of writing, the ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey.\r\nConfirmed victims include the Odessa airport in Ukraine, the Kiev subway system in Ukraine, the\r\nUkrainian Ministry of Infrastructure, and three Russian news agencies, including Interfax and Fontanka.\r\nUkraine's CERT team has posted an alert and is warning Ukrainian businesses about this new outbreak.\r\nThe speed with which BadRabbit spread is similar to the WannaCry and NotPetya outbreaks that have hit\r\nin May and June this year, respectively.\r\nThe domain where the malware is downloaded from has been taken down already.\r\nAt the time of writing, no recovery tools for the encryption have been found."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-d584-4493-b8e1-4367950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:19:16.000Z" ,
"modified" : "2017-10-25T10:19:16.000Z" ,
"first_observed" : "2017-10-25T10:19:16Z" ,
"last_observed" : "2017-10-25T10:19:16Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-d584-4493-b8e1-4367950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-d584-4493-b8e1-4367950d210f" ,
"value" : "https://securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-b790-48b4-9492-4d4b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:16:47.000Z" ,
"modified" : "2017-10-25T10:16:47.000Z" ,
"first_observed" : "2017-10-25T10:16:47Z" ,
"last_observed" : "2017-10-25T10:16:47Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-b790-48b4-9492-4d4b950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-b790-48b4-9492-4d4b950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-9658-4755-ab9c-4860950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:15:53.000Z" ,
"modified" : "2017-10-25T10:15:53.000Z" ,
"first_observed" : "2017-10-25T10:15:53Z" ,
"last_observed" : "2017-10-25T10:15:53Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-9658-4755-ab9c-4860950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-9658-4755-ab9c-4860950d210f" ,
"value" : "https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-2188-4046-b429-4a25950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:15:44.000Z" ,
"modified" : "2017-10-25T10:15:44.000Z" ,
"first_observed" : "2017-10-25T10:15:44Z" ,
"last_observed" : "2017-10-25T10:15:44Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-2188-4046-b429-4a25950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-2188-4046-b429-4a25950d210f" ,
"value" : "https://securelist.com/bad-rabbit-ransomware/82851/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-2c10-43f3-9b66-4f48950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:16:03.000Z" ,
"modified" : "2017-10-25T10:16:03.000Z" ,
"first_observed" : "2017-10-25T10:16:03Z" ,
"last_observed" : "2017-10-25T10:16:03Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-2c10-43f3-9b66-4f48950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-2c10-43f3-9b66-4f48950d210f" ,
"value" : "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-6efc-4c7d-aa76-40de950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:16:14.000Z" ,
"modified" : "2017-10-25T10:16:14.000Z" ,
"first_observed" : "2017-10-25T10:16:14Z" ,
"last_observed" : "2017-10-25T10:16:14Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-6efc-4c7d-aa76-40de950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-6efc-4c7d-aa76-40de950d210f" ,
"value" : "https://www.group-ib.com/blog/badrabbit"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-2bcc-4171-887e-4084950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:16:57.000Z" ,
"modified" : "2017-10-25T10:16:57.000Z" ,
"first_observed" : "2017-10-25T10:16:57Z" ,
"last_observed" : "2017-10-25T10:16:57Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-2bcc-4171-887e-4084950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-2bcc-4171-887e-4084950d210f" ,
"value" : "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Tibbar.A"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-6c44-437d-9ac0-4ebb950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:14:38.000Z" ,
"modified" : "2017-10-25T10:14:38.000Z" ,
"first_observed" : "2017-10-25T10:14:38Z" ,
"last_observed" : "2017-10-25T10:14:38Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-6c44-437d-9ac0-4ebb950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-6c44-437d-9ac0-4ebb950d210f" ,
"value" : "http://blog.talosintelligence.com/2017/10/bad-rabbit.html"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-971c-4c87-bec5-4110950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:15:34.000Z" ,
"modified" : "2017-10-25T10:15:34.000Z" ,
"first_observed" : "2017-10-25T10:15:34Z" ,
"last_observed" : "2017-10-25T10:15:34Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-971c-4c87-bec5-4110950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-971c-4c87-bec5-4110950d210f" ,
"value" : "https://otx.alienvault.com/pulse/59ef5e053db003162704fcb2/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c7b-ea28-4569-b8b3-4e2b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:16:25.000Z" ,
"modified" : "2017-10-25T10:16:25.000Z" ,
"first_observed" : "2017-10-25T10:16:25Z" ,
"last_observed" : "2017-10-25T10:16:25Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c7b-ea28-4569-b8b3-4e2b950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c7b-ea28-4569-b8b3-4e2b950d210f" ,
"value" : "https://labs.bitdefender.com/2017/10/bad-rabbit-ransomware-strikes-ukraine-likely-related-to-goldeneye/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04c8a-edfc-4f0f-97a2-4d37950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:17:24.000Z" ,
"modified" : "2017-10-25T10:17:24.000Z" ,
"first_observed" : "2017-10-25T10:17:24Z" ,
"last_observed" : "2017-10-25T10:17:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04c8a-edfc-4f0f-97a2-4d37950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04c8a-edfc-4f0f-97a2-4d37950d210f" ,
"value" : "https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-d00c-4043-897c-44db950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:19:53.000Z" ,
"modified" : "2017-10-25T10:19:53.000Z" ,
"first_observed" : "2017-10-25T10:19:53Z" ,
"last_observed" : "2017-10-25T10:19:53Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-d00c-4043-897c-44db950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-d00c-4043-897c-44db950d210f" ,
"value" : "https://www.csoonline.com/article/3234691/security/badrabbit-ransomware-attacks-multiple-media-outlets.html"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-ad18-4172-92c5-43b2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:19:24.000Z" ,
"modified" : "2017-10-25T10:19:24.000Z" ,
"first_observed" : "2017-10-25T10:19:24Z" ,
"last_observed" : "2017-10-25T10:19:24Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-ad18-4172-92c5-43b2950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-ad18-4172-92c5-43b2950d210f" ,
"value" : "https://www.cyberscoop.com/badrabbit-ransomware-spreading-across-ukraine-russia/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-53a4-4546-a05f-4a38950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:20:03.000Z" ,
"modified" : "2017-10-25T10:20:03.000Z" ,
"first_observed" : "2017-10-25T10:20:03Z" ,
"last_observed" : "2017-10-25T10:20:03Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-53a4-4546-a05f-4a38950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-53a4-4546-a05f-4a38950d210f" ,
"value" : "https://www.darkreading.com/attacks-breaches/bad-rabbit-ransomware-attacks-rock-russia-ukraine---and-"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-8a84-4e67-b96a-4bcc950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:19:46.000Z" ,
"modified" : "2017-10-25T10:19:46.000Z" ,
"first_observed" : "2017-10-25T10:19:46Z" ,
"last_observed" : "2017-10-25T10:19:46Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-8a84-4e67-b96a-4bcc950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-8a84-4e67-b96a-4bcc950d210f" ,
"value" : "https://www.infosecurity-magazine.com/news/new-waves-of-ransomware-spread/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-00f0-4d6c-861f-4f0a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:19:39.000Z" ,
"modified" : "2017-10-25T10:19:39.000Z" ,
"first_observed" : "2017-10-25T10:19:39Z" ,
"last_observed" : "2017-10-25T10:19:39Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-00f0-4d6c-861f-4f0a950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-00f0-4d6c-861f-4f0a950d210f" ,
"value" : "https://www.itnews.com.au/news/is-bad-rabbit-the-new-notpetya-476121"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-9080-49be-96b2-4b33950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:04:11.000Z" ,
"modified" : "2017-10-25T10:04:11.000Z" ,
"first_observed" : "2017-10-25T10:04:11Z" ,
"last_observed" : "2017-10-25T10:04:11Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-9080-49be-96b2-4b33950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-9080-49be-96b2-4b33950d210f" ,
"value" : "https://blog.malwarebytes.com/cybercrime/2017/10/badrabbit-ransomware-strikes-eastern-europe/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-76d0-4712-b9bf-41fa950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-76d0-4712-b9bf-41fa950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-76d0-4712-b9bf-41fa950d210f" ,
"value" : "https://motherboard.vice.com/en_us/article/59yb4q/bad-rabbit-petya-ransomware-russia-ukraine"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-18fc-4672-8078-41e5950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:19:32.000Z" ,
"modified" : "2017-10-25T10:19:32.000Z" ,
"first_observed" : "2017-10-25T10:19:32Z" ,
"last_observed" : "2017-10-25T10:19:32Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-18fc-4672-8078-41e5950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-18fc-4672-8078-41e5950d210f" ,
"value" : "https://nakedsecurity.sophos.com/2017/10/24/bad-rabbit-ransomware-outbreak/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-0d54-42c2-bfea-4017950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:18:25.000Z" ,
"modified" : "2017-10-25T10:18:25.000Z" ,
"first_observed" : "2017-10-25T10:18:25Z" ,
"last_observed" : "2017-10-25T10:18:25Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-0d54-42c2-bfea-4017950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-0d54-42c2-bfea-4017950d210f" ,
"value" : "https://researchcenter.paloaltonetworks.com/2017/10/threat-brief-information-bad-rabbit-ransomware-attacks/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-f1a8-4ee7-9195-4a3c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:18:09.000Z" ,
"modified" : "2017-10-25T10:18:09.000Z" ,
"first_observed" : "2017-10-25T10:18:09Z" ,
"last_observed" : "2017-10-25T10:18:09Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-f1a8-4ee7-9195-4a3c950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-f1a8-4ee7-9195-4a3c950d210f" ,
"value" : "http://www.reuters.com/article/us-ukraine-cyber/new-wave-of-cyber-attacks-hits-ukraine-and-russia-"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-16cc-4f80-8ba4-406e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:18:17.000Z" ,
"modified" : "2017-10-25T10:18:17.000Z" ,
"first_observed" : "2017-10-25T10:18:17Z" ,
"last_observed" : "2017-10-25T10:18:17Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-16cc-4f80-8ba4-406e950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-16cc-4f80-8ba4-406e950d210f" ,
"value" : "http://www.reuters.com/article/us-ukraine-cyber/new-cyber-attacks-hit-airport-metro-in-ukraine-"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-7f20-4363-8096-4a8c950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:17:15.000Z" ,
"modified" : "2017-10-25T10:17:15.000Z" ,
"first_observed" : "2017-10-25T10:17:15Z" ,
"last_observed" : "2017-10-25T10:17:15Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-7f20-4363-8096-4a8c950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-7f20-4363-8096-4a8c950d210f" ,
"value" : "http://securityaffairs.co/wordpress/64713/malware/bad-rabbit-ransomware.html"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-14f0-4ad8-bbb4-4c6b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:17:50.000Z" ,
"modified" : "2017-10-25T10:17:50.000Z" ,
"first_observed" : "2017-10-25T10:17:50Z" ,
"last_observed" : "2017-10-25T10:17:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-14f0-4ad8-bbb4-4c6b950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-14f0-4ad8-bbb4-4c6b950d210f" ,
"value" : "https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-4624-4a61-bb1d-4a80950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:16:38.000Z" ,
"modified" : "2017-10-25T10:16:38.000Z" ,
"first_observed" : "2017-10-25T10:16:38Z" ,
"last_observed" : "2017-10-25T10:16:38Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-4624-4a61-bb1d-4a80950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-4624-4a61-bb1d-4a80950d210f" ,
"value" : "https://www.theregister.co.uk/2017/10/24/badrabbit_ransomware/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-b7c4-4496-94b5-4bd4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-b7c4-4496-94b5-4bd4950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-b7c4-4496-94b5-4bd4950d210f" ,
"value" : "https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-1c5c-48a5-940e-4846950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:17:59.000Z" ,
"modified" : "2017-10-25T10:17:59.000Z" ,
"first_observed" : "2017-10-25T10:17:59Z" ,
"last_observed" : "2017-10-25T10:17:59Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-1c5c-48a5-940e-4846950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-1c5c-48a5-940e-4846950d210f" ,
"value" : "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-2cd4-407f-93cc-47e3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:17:41.000Z" ,
"modified" : "2017-10-25T10:17:41.000Z" ,
"first_observed" : "2017-10-25T10:17:41Z" ,
"last_observed" : "2017-10-25T10:17:41Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-2cd4-407f-93cc-47e3950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-2cd4-407f-93cc-47e3950d210f" ,
"value" : "https://www.kaspersky.com/blog/bad-rabbit-ransomware/19887/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-2384-4933-a65f-44a4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:17:33.000Z" ,
"modified" : "2017-10-25T10:17:33.000Z" ,
"first_observed" : "2017-10-25T10:17:33Z" ,
"last_observed" : "2017-10-25T10:17:33Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-2384-4933-a65f-44a4950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-2384-4933-a65f-44a4950d210f" ,
"value" : "https://www.pcmag.com/news/356977/badrabbit-ransomware-targets-systems-in-russia-ukraine"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ca9-20b4-41b5-9814-45da950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:17:06.000Z" ,
"modified" : "2017-10-25T10:17:06.000Z" ,
"first_observed" : "2017-10-25T10:17:06Z" ,
"last_observed" : "2017-10-25T10:17:06Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ca9-20b4-41b5-9814-45da950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ca9-20b4-41b5-9814-45da950d210f" ,
"value" : "https://www.technologyreview.com/the-download/609206/a-new-strain-of-ransomware-is-hitting-eastern-europe/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04caa-13e0-43c0-b1ab-4f6a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:05:01.000Z" ,
"modified" : "2017-10-25T10:05:01.000Z" ,
"first_observed" : "2017-10-25T10:05:01Z" ,
"last_observed" : "2017-10-25T10:05:01Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04caa-13e0-43c0-b1ab-4f6a950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04caa-13e0-43c0-b1ab-4f6a950d210f" ,
"value" : "https://www.bloomberg.com/news/articles/2017-10-24/russian-news-agency-interfax-faces-unprecedented-hacker-"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04caa-a06c-4fa8-9068-4cdf950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04caa-a06c-4fa8-9068-4cdf950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04caa-a06c-4fa8-9068-4cdf950d210f" ,
"value" : "https://www.washingtontimes.com/news/2017/oct/24/badrabbit-ransomware-strain-infects-russian-media-/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04caa-f4dc-454f-8eee-416d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:05:01.000Z" ,
"modified" : "2017-10-25T10:05:01.000Z" ,
"first_observed" : "2017-10-25T10:05:01Z" ,
"last_observed" : "2017-10-25T10:05:01Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04caa-f4dc-454f-8eee-416d950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04caa-f4dc-454f-8eee-416d950d210f" ,
"value" : "https://techcrunch.com/2017/10/24/badrabbit-notpetya-russia-ukraine-ransomware-malware/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04caa-2cc8-483e-a992-4be4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:05:01.000Z" ,
"modified" : "2017-10-25T10:05:01.000Z" ,
"first_observed" : "2017-10-25T10:05:01Z" ,
"last_observed" : "2017-10-25T10:05:01Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04caa-2cc8-483e-a992-4be4950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04caa-2cc8-483e-a992-4be4950d210f" ,
"value" : "http://www.bbc.co.uk/news/technology-41740768"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04caa-c97c-4ed4-a364-410d950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:05:01.000Z" ,
"modified" : "2017-10-25T10:05:01.000Z" ,
"first_observed" : "2017-10-25T10:05:01Z" ,
"last_observed" : "2017-10-25T10:05:01Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04caa-c97c-4ed4-a364-410d950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04caa-c97c-4ed4-a364-410d950d210f" ,
"value" : "http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04caa-0a40-4ec0-aadc-498e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04caa-0a40-4ec0-aadc-498e950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04caa-0a40-4ec0-aadc-498e950d210f" ,
"value" : "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04cbe-55c4-43b3-9b81-4a39950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:05:01.000Z" ,
"modified" : "2017-10-25T10:05:01.000Z" ,
"first_observed" : "2017-10-25T10:05:01Z" ,
"last_observed" : "2017-10-25T10:05:01Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04cbe-55c4-43b3-9b81-4a39950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04cbe-55c4-43b3-9b81-4a39950d210f" ,
"value" : "https://arstechnica.com/information-technology/2017/10/new-wave-of-data-encrypting-malware-crashes-through-"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04cbe-eed8-40ca-aad0-464f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04cbe-eed8-40ca-aad0-464f950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04cbe-eed8-40ca-aad0-464f950d210f" ,
"value" : "https://www.scmagazine.com/badrabbit-ransomware-spreading-in-russia-and-the-ukraine-vaccine-"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04cbe-a1a4-416b-9f68-4764950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:05:01.000Z" ,
"modified" : "2017-10-25T10:05:01.000Z" ,
"first_observed" : "2017-10-25T10:05:01Z" ,
"last_observed" : "2017-10-25T10:05:01Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04cbe-a1a4-416b-9f68-4764950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04cbe-a1a4-416b-9f68-4764950d210f" ,
"value" : "https://www.bangkokpost.com/news/world/1348551/new-badrabbit-ransomware-attacks-hit-europe"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04cbe-e4e4-4d6d-8eab-4e42950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:05:01.000Z" ,
"modified" : "2017-10-25T10:05:01.000Z" ,
"first_observed" : "2017-10-25T10:05:01Z" ,
"last_observed" : "2017-10-25T10:05:01Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04cbe-e4e4-4d6d-8eab-4e42950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04cbe-e4e4-4d6d-8eab-4e42950d210f" ,
"value" : "https://isc.sans.edu/forums/diary/BadRabbit+New+ransomware+wave+hitting+RU+UA/22964/"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04cbe-c9dc-4e7f-98ee-43e3950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04cbe-c9dc-4e7f-98ee-43e3950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04cbe-c9dc-4e7f-98ee-43e3950d210f" ,
"value" : "https://gizmodo.com/bad-rabbit-ransomware-strikes-russia-and-ukraine-1819814538"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04cbe-09b0-4172-9c38-4ece950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04cbe-09b0-4172-9c38-4ece950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04cbe-09b0-4172-9c38-4ece950d210f" ,
"value" : "http://money.cnn.com/2017/10/24/technology/bad-rabbit-ransomware-attack/index.html"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04cbe-1888-4a4e-8e13-4f6e950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04cbe-1888-4a4e-8e13-4f6e950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04cbe-1888-4a4e-8e13-4f6e950d210f" ,
"value" : "https://www.windowscentral.com/new-bad-rabbit-ransomware-attack-spreading-across-europe"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04ce0-ace4-4fd9-a5e1-4384950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T11:08:30.000Z" ,
"modified" : "2017-10-25T11:08:30.000Z" ,
"first_observed" : "2017-10-25T11:08:30Z" ,
"last_observed" : "2017-10-25T11:08:30Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04ce0-ace4-4fd9-a5e1-4384950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04ce0-ace4-4fd9-a5e1-4384950d210f" ,
"value" : "https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04ddb-4394-4395-a6dc-4cad950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:21:44.000Z" ,
"modified" : "2017-10-25T10:21:44.000Z" ,
"labels" : [
"misp:type=\"btc\"" ,
"misp:category=\"Financial fraud\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Financial fraud" ,
"x_misp_type" : "btc" ,
"x_misp_value" : "1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04ddb-8c10-49a8-8478-4af9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T10:21:39.000Z" ,
"modified" : "2017-10-25T10:21:39.000Z" ,
"labels" : [
"misp:type=\"btc\"" ,
"misp:category=\"Financial fraud\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Financial fraud" ,
"x_misp_type" : "btc" ,
"x_misp_value" : "17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2Z"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e08-25d8-45ee-8504-4e93950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "Distribution URL 1" ,
"pattern" : "[url:value = 'http://1dnscontrol.com/flash_install.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e08-95a8-4618-9479-44db950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "Distribution URL 2" ,
"pattern" : "[url:value = 'http://1dnscontrol.com/index.php']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e08-ccc4-488b-b969-4333950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "Inject URL" ,
"pattern" : "[url:value = 'http://185.149.120.3/scholargoogle/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e08-6ae4-489b-be10-4669950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "Payment site" ,
"pattern" : "[url:value = 'http://caforssztxqzf2nm.onion']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04e1b-213c-4331-928a-4c81950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"labels" : [
"misp:type=\"windows-scheduled-task\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Artifacts dropped" ,
"x_misp_type" : "windows-scheduled-task" ,
"x_misp_value" : "viserion_"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04e1b-a3f8-4600-8f29-40ea950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"labels" : [
"misp:type=\"windows-scheduled-task\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Artifacts dropped" ,
"x_misp_type" : "windows-scheduled-task" ,
"x_misp_value" : "rhaegal"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--59f04e1b-c00c-4b3e-ac65-4124950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"labels" : [
"misp:type=\"windows-scheduled-task\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Artifacts dropped" ,
"x_misp_type" : "windows-scheduled-task" ,
"x_misp_value" : "drogon"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e62-cb50-4df9-abff-4be0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "diskcryptor client" ,
"pattern" : "[file:hashes.SHA256 = '8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e62-b7e4-48b7-8223-485f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "mimikatz-like x86" ,
"pattern" : "[file:hashes.SHA256 = '2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e62-6178-4db1-8e6b-41d0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "mimikatz-like x64" ,
"pattern" : "[file:hashes.SHA256 = '301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e9c-1a6c-4b65-ace5-4043950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "infpub.dat diskcoder" ,
"pattern" : "[file:hashes.SHA256 = '579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e9c-94e4-4a5c-91e5-481a950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "cscc.dat x32 diskcryptor drv" ,
"pattern" : "[file:hashes.SHA256 = '682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04e9c-0ad8-41a7-9039-45a2950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "cscc.dat x64 diskcryptor drv" ,
"pattern" : "[file:hashes.SHA256 = '0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04eb4-d490-4167-a395-4b88950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "install_flash_player.exe dropper" ,
"pattern" : "[file:hashes.SHA256 = '630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-dd8c-4fb0-a584-4d3202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "install_flash_player.exe dropper - Xchecked via VT: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da" ,
"pattern" : "[file:hashes.SHA1 = 'de5c8d858e6e41da715dca1c019df0bfb92d32c0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-9058-4c94-b7d7-44eb02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "install_flash_player.exe dropper - Xchecked via VT: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da" ,
"pattern" : "[file:hashes.MD5 = 'fbbdc39af1139aebba4da004475e8839']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04f7a-ede0-414e-89d5-49a902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"first_observed" : "2017-10-25T08:46:50Z" ,
"last_observed" : "2017-10-25T08:46:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04f7a-ede0-414e-89d5-49a902de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04f7a-ede0-414e-89d5-49a902de0b81" ,
"value" : "https://www.virustotal.com/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/1508920901/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-a1bc-4d00-ab1f-408a02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "cscc.dat x64 diskcryptor drv - Xchecked via VT: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6" ,
"pattern" : "[file:hashes.SHA1 = '08f94684e83a27f2414f439975b7f8a6d61fc056']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-f30c-4b40-8e0b-41eb02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "cscc.dat x64 diskcryptor drv - Xchecked via VT: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6" ,
"pattern" : "[file:hashes.MD5 = 'edb72f4a46c39452d1a5414f7d26454a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04f7a-ffb8-4ccf-a9e4-4a8c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"first_observed" : "2017-10-25T08:46:50Z" ,
"last_observed" : "2017-10-25T08:46:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04f7a-ffb8-4ccf-a9e4-4a8c02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04f7a-ffb8-4ccf-a9e4-4a8c02de0b81" ,
"value" : "https://www.virustotal.com/file/0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6/analysis/1508918584/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-52b0-4877-b62a-45f802de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "cscc.dat x32 diskcryptor drv - Xchecked via VT: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806" ,
"pattern" : "[file:hashes.SHA1 = '59cd4907a438b8300a467cee1c6fc31135757039']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-6898-4e2e-84f0-4d5c02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "cscc.dat x32 diskcryptor drv - Xchecked via VT: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806" ,
"pattern" : "[file:hashes.MD5 = 'b4e6d97dafd9224ed9a547d52c26ce02']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04f7a-0b4c-4347-ba7a-4bde02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"first_observed" : "2017-10-25T08:46:50Z" ,
"last_observed" : "2017-10-25T08:46:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04f7a-0b4c-4347-ba7a-4bde02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04f7a-0b4c-4347-ba7a-4bde02de0b81" ,
"value" : "https://www.virustotal.com/file/682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806/analysis/1508920930/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-80dc-41da-97fd-476202de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "infpub.dat diskcoder - Xchecked via VT: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648" ,
"pattern" : "[file:hashes.SHA1 = '79116fe99f2b421c52ef64097f0f39b815b20907']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-eca0-453f-88f3-425902de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "infpub.dat diskcoder - Xchecked via VT: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648" ,
"pattern" : "[file:hashes.MD5 = '1d724f95c61f1055f0d02c2154bbccd3']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04f7a-0e90-4e91-85c6-433702de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"first_observed" : "2017-10-25T08:46:50Z" ,
"last_observed" : "2017-10-25T08:46:50Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04f7a-0e90-4e91-85c6-433702de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04f7a-0e90-4e91-85c6-433702de0b81" ,
"value" : "https://www.virustotal.com/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/1508917915/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-de34-4cca-ad90-4b9302de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "mimikatz-like x64 - Xchecked via VT: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c" ,
"pattern" : "[file:hashes.SHA1 = '413eba3973a15c1a6429d9f170f3e8287f98c21c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7a-26ac-4faf-a5c9-412402de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:50.000Z" ,
"modified" : "2017-10-25T08:46:50.000Z" ,
"description" : "mimikatz-like x64 - Xchecked via VT: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c" ,
"pattern" : "[file:hashes.MD5 = '347ac3b6b791054de3e5720a7144a977']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:50Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04f7b-9318-4819-94bb-419e02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:51.000Z" ,
"modified" : "2017-10-25T08:46:51.000Z" ,
"first_observed" : "2017-10-25T08:46:51Z" ,
"last_observed" : "2017-10-25T08:46:51Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04f7b-9318-4819-94bb-419e02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04f7b-9318-4819-94bb-419e02de0b81" ,
"value" : "https://www.virustotal.com/file/301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c/analysis/1508918790/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7b-9110-465c-98b1-4ebf02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:51.000Z" ,
"modified" : "2017-10-25T08:46:51.000Z" ,
"description" : "mimikatz-like x86 - Xchecked via VT: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035" ,
"pattern" : "[file:hashes.SHA1 = '16605a4a29a101208457c47ebfde788487be788d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7b-7134-494e-9467-411b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:51.000Z" ,
"modified" : "2017-10-25T08:46:51.000Z" ,
"description" : "mimikatz-like x86 - Xchecked via VT: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035" ,
"pattern" : "[file:hashes.MD5 = '37945c44a897aa42a66adcab68f560e0']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04f7b-667c-4ad9-ad32-42b102de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:51.000Z" ,
"modified" : "2017-10-25T08:46:51.000Z" ,
"first_observed" : "2017-10-25T08:46:51Z" ,
"last_observed" : "2017-10-25T08:46:51Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04f7b-667c-4ad9-ad32-42b102de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04f7b-667c-4ad9-ad32-42b102de0b81" ,
"value" : "https://www.virustotal.com/file/2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035/analysis/1508915760/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7b-d238-4e6b-8d21-445502de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:51.000Z" ,
"modified" : "2017-10-25T08:46:51.000Z" ,
"description" : "diskcryptor client - Xchecked via VT: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93" ,
"pattern" : "[file:hashes.SHA1 = 'afeee8b4acff87bc469a6f0364a81ae5d60a2add']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha1\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--59f04f7b-c8e0-4bdf-a5c9-46ed02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:51.000Z" ,
"modified" : "2017-10-25T08:46:51.000Z" ,
"description" : "diskcryptor client - Xchecked via VT: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93" ,
"pattern" : "[file:hashes.MD5 = 'b14d8faf7f0cbcfad051cefe5f39645f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2017-10-25T08:46:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"md5\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--59f04f7b-099c-46e6-a0b0-4a4f02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2017-10-25T08:46:51.000Z" ,
"modified" : "2017-10-25T08:46:51.000Z" ,
"first_observed" : "2017-10-25T08:46:51Z" ,
"last_observed" : "2017-10-25T08:46:51Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--59f04f7b-099c-46e6-a0b0-4a4f02de0b81"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--59f04f7b-099c-46e6-a0b0-4a4f02de0b81" ,
"value" : "https://www.virustotal.com/file/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93/analysis/1508918221/"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}