{
"type" : "bundle" ,
"id" : "bundle--5ac6140f-5964-4eb8-81bd-4095950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:31:47.000Z" ,
"modified" : "2018-04-08T15:31:47.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5ac6140f-5964-4eb8-81bd-4095950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:31:47.000Z" ,
"modified" : "2018-04-08T15:31:47.000Z" ,
"name" : "OSINT - The DiskWriter or UselessDisk BootLocker May Be A Wiper" ,
"published" : "2018-04-08T15:31:53Z" ,
"object_refs" : [
"observed-data--5ac61454-3594-46fd-8de1-3be0950d210f" ,
"url--5ac61454-3594-46fd-8de1-3be0950d210f" ,
"x-misp-attribute--5ac61490-bc28-4c77-9fd7-4e33950d210f" ,
"indicator--5ac619b3-39f4-4bdc-a22f-3be0950d210f" ,
"indicator--5ac619b3-b258-4e49-9904-3be0950d210f" ,
"indicator--5ac619b4-3ee4-4c02-9e4c-3be0950d210f" ,
"indicator--5ac619c6-84f0-4be7-b49c-4511950d210f" ,
"x-misp-attribute--5aca35d5-3dd4-487d-bb2a-621b02de0b81" ,
"x-misp-object--5ac618a5-04fc-424c-b54d-43e7950d210f" ,
"indicator--b36edfe1-10b3-4ce6-850c-48fec67da615" ,
"x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa" ,
"relationship--cff87b12-c728-4e83-aac7-078c36f2be0d"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"osint:source-type=\"blog-post\"" ,
"misp-galaxy:tool=\"UselessDisk\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5ac61454-3594-46fd-8de1-3be0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:13:21.000Z" ,
"modified" : "2018-04-08T15:13:21.000Z" ,
"first_observed" : "2018-04-08T15:13:21Z" ,
"last_observed" : "2018-04-08T15:13:21Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5ac61454-3594-46fd-8de1-3be0950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5ac61454-3594-46fd-8de1-3be0950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/the-diskwriter-or-uselessdisk-bootlocker-may-be-a-wiper/"
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5ac61490-bc28-4c77-9fd7-4e33950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:13:22.000Z" ,
"modified" : "2018-04-08T15:13:22.000Z" ,
"labels" : [
"misp:type=\"comment\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "comment" ,
"x_misp_value" : "A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again."
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ac619b3-39f4-4bdc-a22f-3be0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:13:22.000Z" ,
"modified" : "2018-04-08T15:13:22.000Z" ,
"pattern" : "[file:name = 'DiskWriter.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-04-08T15:13:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ac619b3-b258-4e49-9904-3be0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:13:22.000Z" ,
"modified" : "2018-04-08T15:13:22.000Z" ,
"pattern" : "[file:name = 'UselessDisk.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-04-08T15:13:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ac619b4-3ee4-4c02-9e4c-3be0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:13:23.000Z" ,
"modified" : "2018-04-08T15:13:23.000Z" ,
"pattern" : "[file:name = 'E:\\\\Debug\\\\UselessDisk.pdb']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-04-08T15:13:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5ac619c6-84f0-4be7-b49c-4511950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-05T12:42:46.000Z" ,
"modified" : "2018-04-05T12:42:46.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-04-05T12:42:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"sha256\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5aca35d5-3dd4-487d-bb2a-621b02de0b81" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:31:33.000Z" ,
"modified" : "2018-04-08T15:31:33.000Z" ,
"labels" : [
"misp:type=\"pdb\"" ,
"misp:category=\"Artifacts dropped\"" ,
"misp:to_ids=\"True\""
] ,
"x_misp_category" : "Artifacts dropped" ,
"x_misp_type" : "pdb" ,
"x_misp_value" : "E:\\Debug\\UselessDisk.pdb"
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5ac618a5-04fc-424c-b54d-43e7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-05T12:37:57.000Z" ,
"modified" : "2018-04-05T12:37:57.000Z" ,
"labels" : [
"misp:name=\"coin-address\"" ,
"misp:meta-category=\"financial\""
] ,
"x_misp_attributes" : [
{
"type" : "btc" ,
"object_relation" : "address" ,
"value" : "1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco" ,
"category" : "Financial fraud" ,
"to_ids" : true ,
"uuid" : "5ac618a5-2194-4990-a478-4713950d210f"
} ,
{
"type" : "text" ,
"object_relation" : "symbol" ,
"value" : "BTC" ,
"category" : "Other" ,
"uuid" : "5ac618a6-7594-437a-bcfe-42d5950d210f"
}
] ,
"x_misp_meta_category" : "financial" ,
"x_misp_name" : "coin-address"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b36edfe1-10b3-4ce6-850c-48fec67da615" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:13:26.000Z" ,
"modified" : "2018-04-08T15:13:26.000Z" ,
"pattern" : "[file:hashes.MD5 = '577be8c5b73e59fb71570f632349e5fe' AND file:hashes.SHA1 = '363605836bf4ee34d9dfb43a6e71acdfd2b2cebe' AND file:hashes.SHA256 = 'bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-04-08T15:13:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-04-08T15:13:25.000Z" ,
"modified" : "2018-04-08T15:13:25.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e/analysis/1522221142/" ,
"category" : "External analysis" ,
"uuid" : "5aca3195-62bc-4071-8d07-61c702de0b81"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "47/67" ,
"category" : "Other" ,
"uuid" : "5aca3195-0948-47b7-b12b-61c702de0b81"
} ,
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-03-28T07:12:22" ,
"category" : "Other" ,
"uuid" : "5aca3195-2d94-4f77-8ccd-61c702de0b81"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--cff87b12-c728-4e83-aac7-078c36f2be0d" ,
"created" : "2018-04-08T15:13:26.000Z" ,
"modified" : "2018-04-08T15:13:26.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--b36edfe1-10b3-4ce6-850c-48fec67da615" ,
"target_ref" : "x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}