{
"type" : "bundle" ,
"id" : "bundle--5b9123c0-1480-4e09-877e-4783950d210f" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-12T12:36:30.000Z" ,
"modified" : "2018-09-12T12:36:30.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--5b9123c0-1480-4e09-877e-4783950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-12T12:36:30.000Z" ,
"modified" : "2018-09-12T12:36:30.000Z" ,
"name" : "OSINT - Sigma Ransomware Being Distributed Using Fake Craigslist Malspam" ,
"published" : "2018-09-12T12:38:00Z" ,
"object_refs" : [
"x-misp-attribute--5b912411-f738-46fc-b27c-4ada950d210f" ,
"observed-data--5b912433-50b0-4e96-8d7a-44b1950d210f" ,
"url--5b912433-50b0-4e96-8d7a-44b1950d210f" ,
"indicator--5b912ca6-7264-48c8-afca-40e4950d210f" ,
"indicator--5b927c00-c9c8-4780-84da-abc4950d210f" ,
"indicator--5b912b9e-67d4-45ad-b17d-4020950d210f" ,
"indicator--af63c140-7e55-4ae2-a261-9f126f0195ab" ,
"x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50" ,
"indicator--5b927884-8d5c-4a6c-af30-4daa950d210f" ,
"indicator--5b9279c2-40a4-4823-840a-4c03950d210f" ,
"indicator--5b927cc5-d5ac-46df-ace4-4cf8950d210f" ,
"indicator--5b927d28-edcc-445d-869b-42ae950d210f" ,
"indicator--5b927d3b-9628-4e2f-83b3-4cb8950d210f" ,
"indicator--5b927d4a-5334-448b-84e9-4545950d210f" ,
"indicator--5b927edc-e5a4-47e1-86a6-4a0f950d210f" ,
"indicator--5b927f07-0ebc-45ea-9a4c-4791950d210f" ,
"indicator--5b927f19-af00-4e57-bc93-49e9950d210f" ,
"indicator--5b927f4d-5914-4be0-bc7e-4da1950d210f" ,
"indicator--5b927f5e-50ac-4596-b3cb-474b950d210f" ,
"indicator--5b927f6b-0430-4a52-b692-4dba950d210f" ,
"indicator--5b927f7c-32c8-4e30-b9d5-421f950d210f" ,
"indicator--5b927fee-1590-49f2-a2f6-44ca950d210f" ,
"indicator--5b92809a-b468-47e6-a7c7-47c9950d210f" ,
"indicator--5b9280aa-969c-4c3e-ad03-4011950d210f" ,
"indicator--5b9280b9-be58-4c21-a4d2-49ca950d210f" ,
"indicator--5b9280c4-17b4-4114-8017-44e0950d210f" ,
"indicator--5b9280d0-1874-4711-87ed-4299950d210f" ,
"indicator--5b9280db-dfe0-41f0-9f42-44c7950d210f" ,
"indicator--5b9280ea-e38c-41f1-8453-47b9950d210f" ,
"x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e" ,
"relationship--0293c4f9-0dbb-4e5d-9fb7-31840207f122" ,
"relationship--fa9029f6-e836-49de-b8e9-926db645e9a0"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"malware_classification:malware-category=\"Ransomware\"" ,
"osint:source-type=\"blog-post\"" ,
"misp-galaxy:ransomware=\"Sigma Ransomware\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Link - T1192\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"User Execution - T1204\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"" ,
"misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\"" ,
"monarc-threat:unauthorised-actions=\"corruption-of-data\"" ,
"monarc-threat:compromise-of-information=\"malware-infection\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "x-misp-attribute" ,
"spec_version" : "2.1" ,
"id" : "x-misp-attribute--5b912411-f738-46fc-b27c-4ada950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T14:06:53.000Z" ,
"modified" : "2018-09-07T14:06:53.000Z" ,
"labels" : [
"misp:type=\"text\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
] ,
"x_misp_category" : "External analysis" ,
"x_misp_type" : "text" ,
"x_misp_value" : "Today one of our volunteers, Aura, told me about a new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipient's computer."
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b912433-50b0-4e96-8d7a-44b1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T14:07:02.000Z" ,
"modified" : "2018-09-07T14:07:02.000Z" ,
"first_observed" : "2018-09-07T14:07:02Z" ,
"last_observed" : "2018-09-07T14:07:02Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b912433-50b0-4e96-8d7a-44b1950d210f"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\"" ,
"osint:source-type=\"blog-post\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b912433-50b0-4e96-8d7a-44b1950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b912ca6-7264-48c8-afca-40e4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-06T13:33:26.000Z" ,
"modified" : "2018-09-06T13:33:26.000Z" ,
"pattern" : "[url:value = 'http://185.121.139.229/']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T13:33:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"url\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927c00-c9c8-4780-84da-abc4950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:24:16.000Z" ,
"modified" : "2018-09-07T13:24:16.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\taskwgr.exe']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:24:16Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Payload delivery"
}
] ,
"labels" : [
"misp:type=\"filename\"" ,
"misp:category=\"Payload delivery\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b912b9e-67d4-45ad-b17d-4020950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-06T13:29:02.000Z" ,
"modified" : "2018-09-06T13:29:02.000Z" ,
"pattern" : "[file:hashes.SHA256 = 'b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-06T13:29:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-12T12:28:55.000Z" ,
"modified" : "2018-09-12T12:28:55.000Z" ,
"pattern" : "[file:hashes.MD5 = '9afa3302527608a30408958bc48019fc' AND file:hashes.SHA1 = '0d34add7d61e26583dc54e7b89b6d4056d6bf201' AND file:hashes.SHA256 = 'b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-12T12:28:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T06:48:13.000Z" ,
"modified" : "2018-09-07T06:48:13.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-08-28T00:23:39" ,
"category" : "Other" ,
"uuid" : "8d5b54cd-1dfc-435b-8e19-cc4eda5b2288"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/" ,
"category" : "External analysis" ,
"uuid" : "18055e03-5add-4a61-9465-9afc972b1cb3"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "45/67" ,
"category" : "Other" ,
"uuid" : "e911d120-fdf4-4110-8272-ddb11eedd9ec"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927884-8d5c-4a6c-af30-4daa950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:09:24.000Z" ,
"modified" : "2018-09-07T13:09:24.000Z" ,
"pattern" : "[file:name = 'ReadMe.txt' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:09:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9279c2-40a4-4823-840a-4c03950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:15:06.000Z" ,
"modified" : "2018-09-07T13:15:06.000Z" ,
"pattern" : "[windows-registry-key:key = '\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\chrome' AND windows-registry-key:values[0].data_type = 'REG_NONE' AND windows-registry-key:values[0].name = 'Rundll32.exe SHELL32.DLL,ShellExec_RunDLL' AND windows-registry-key:x_misp_root_keys = 'HKCU']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:15:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"registry-key\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927cc5-d5ac-46df-ace4-4cf8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:27:33.000Z" ,
"modified" : "2018-09-07T13:27:33.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Data\\\\Tor\\\\geoip' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:27:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927d28-edcc-445d-869b-42ae950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:29:12.000Z" ,
"modified" : "2018-09-07T13:29:12.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Data\\\\Tor\\\\geoip6' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:29:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927d3b-9628-4e2f-83b3-4cb8950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:29:31.000Z" ,
"modified" : "2018-09-07T13:29:31.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\test1.bmp' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:29:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927d4a-5334-448b-84e9-4545950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:29:46.000Z" ,
"modified" : "2018-09-07T13:29:46.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libeay32.dll' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:29:46Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927edc-e5a4-47e1-86a6-4a0f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:36:28.000Z" ,
"modified" : "2018-09-07T13:36:28.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent_core-2-0-5.dll' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:36:28Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927f07-0ebc-45ea-9a4c-4791950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:37:11.000Z" ,
"modified" : "2018-09-07T13:37:11.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-certs' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:37:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927f19-af00-4e57-bc93-49e9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:37:29.000Z" ,
"modified" : "2018-09-07T13:37:29.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdesc-consensus' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:37:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927f4d-5914-4be0-bc7e-4da1950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:38:21.000Z" ,
"modified" : "2018-09-07T13:38:21.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libssp-0.dll' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:38:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927f5e-50ac-4596-b3cb-474b950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:38:38.000Z" ,
"modified" : "2018-09-07T13:38:38.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\tor-gencert.exe' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:38:38Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927f6b-0430-4a52-b692-4dba950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:38:51.000Z" ,
"modified" : "2018-09-07T13:38:51.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\svchost.exe' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:38:51Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927f7c-32c8-4e30-b9d5-421f950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:39:08.000Z" ,
"modified" : "2018-09-07T13:39:08.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\zlib1.dll' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:39:08Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b927fee-1590-49f2-a2f6-44ca950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:41:02.000Z" ,
"modified" : "2018-09-07T13:41:02.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdescs.new' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:41:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b92809a-b468-47e6-a7c7-47c9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:43:54.000Z" ,
"modified" : "2018-09-07T13:43:54.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent-2-0-5.dll' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:43:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9280aa-969c-4c3e-ad03-4011950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:44:09.000Z" ,
"modified" : "2018-09-07T13:44:09.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\ssleay32.dll' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:44:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9280b9-be58-4c21-a4d2-49ca950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:44:25.000Z" ,
"modified" : "2018-09-07T13:44:25.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\state' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:44:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9280c4-17b4-4114-8017-44e0950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:44:36.000Z" ,
"modified" : "2018-09-07T13:44:36.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\ReadMe.html' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:44:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9280d0-1874-4711-87ed-4299950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:44:48.000Z" ,
"modified" : "2018-09-07T13:44:48.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libgcc_s_sjlj-1.dll' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:44:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9280db-dfe0-41f0-9f42-44c7950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:44:59.000Z" ,
"modified" : "2018-09-07T13:44:59.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent_extra-2-0-5.dll' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:44:59Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5b9280ea-e38c-41f1-8453-47b9950d210f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-07T13:45:14.000Z" ,
"modified" : "2018-09-07T13:45:14.000Z" ,
"pattern" : "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\lock' AND file:x_misp_state = 'Malicious']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2018-09-07T13:45:14Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2018-09-12T12:28:55.000Z" ,
"modified" : "2018-09-12T12:28:55.000Z" ,
"labels" : [
"misp:name=\"virustotal-report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "datetime" ,
"object_relation" : "last-submission" ,
"value" : "2018-08-28T00:23:39" ,
"category" : "Other" ,
"uuid" : "bff3beea-deb5-49b8-a2be-334a5603e8ac"
} ,
{
"type" : "link" ,
"object_relation" : "permalink" ,
"value" : "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/" ,
"category" : "External analysis" ,
"uuid" : "505d7436-7769-4279-9d1a-b95934d0edc8"
} ,
{
"type" : "text" ,
"object_relation" : "detection-ratio" ,
"value" : "45/67" ,
"category" : "Other" ,
"uuid" : "00c8704b-05af-405d-a5ce-13f8167612d4"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "virustotal-report"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--0293c4f9-0dbb-4e5d-9fb7-31840207f122" ,
"created" : "2018-09-07T06:48:21.000Z" ,
"modified" : "2018-09-07T06:48:21.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab" ,
"target_ref" : "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50"
} ,
{
"type" : "relationship" ,
"spec_version" : "2.1" ,
"id" : "relationship--fa9029f6-e836-49de-b8e9-926db645e9a0" ,
"created" : "2018-09-12T12:29:05.000Z" ,
"modified" : "2018-09-12T12:29:05.000Z" ,
"relationship_type" : "analysed-with" ,
"source_ref" : "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab" ,
"target_ref" : "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e"
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}