{
"type": "bundle",
"id": "bundle--582aae88-202c-45ef-b8e9-4e61950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:49:04.000Z",
"modified": "2016-11-15T06:49:04.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--582aae88-202c-45ef-b8e9-4e61950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:49:04.000Z",
"modified": "2016-11-15T06:49:04.000Z",
"name": "OSINT - Hades Locker Ransomware Mimics Locky",
"published": "2016-11-15T06:49:28Z",
"object_refs": [
"observed-data--582aae97-bce0-478f-8b51-9912950d210f",
"url--582aae97-bce0-478f-8b51-9912950d210f",
"x-misp-attribute--582aaea7-f16c-415a-b96b-4dbc950d210f",
"indicator--582aaec1-a1e8-4dae-963c-4a28950d210f",
"indicator--582aaf1a-2ba0-4b6e-9831-44c6950d210f",
"indicator--582aaf1a-c674-4a31-8d7e-43b7950d210f",
"indicator--582aaf36-dc28-4aec-99cf-b9bb950d210f",
"indicator--582aaf56-cc40-4304-bd1d-4a2b950d210f",
"indicator--582aaf56-05dc-4c89-98e6-4a2b950d210f",
"indicator--582aaf56-1ec0-454f-821a-4a2b950d210f",
"indicator--582aaf57-819c-4be7-8764-4a2b950d210f",
"indicator--582aafe0-7574-4768-9c87-4e6b02de0b81",
"indicator--582aafe0-9d54-4194-8340-44f302de0b81",
"observed-data--582aafe1-ac98-459f-87f4-4e1902de0b81",
"url--582aafe1-ac98-459f-87f4-4e1902de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ecsirt:malicious-code=\"ransomware\"",
"veris:action:malware:variety=\"Ransomware\"",
"malware_classification:malware-category=\"Ransomware\"",
"ms-caro-malware:malware-type=\"Ransom\"",
"enisa:nefarious-activity-abuse=\"ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582aae97-bce0-478f-8b51-9912950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:43:35.000Z",
"modified": "2016-11-15T06:43:35.000Z",
"first_observed": "2016-11-15T06:43:35Z",
"last_observed": "2016-11-15T06:43:35Z",
"number_observed": 1,
"object_refs": [
"url--582aae97-bce0-478f-8b51-9912950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582aae97-bce0-478f-8b51-9912950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/hades-locker-ransomware-mimics-locky"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--582aaea7-f16c-415a-b96b-4dbc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:43:51.000Z",
"modified": "2016-11-15T06:43:51.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Proofpoint discovered another new ransomware strain on October 4, called Hades Locker, which mimics Locky\u2019s ransom message. Hades Locker appears to be an evolution of Zyklon Locker and Wildfire Locker [1] which we observed using the same sending botnet (Kelihos [2]) earlier this year. The recently documented CryptFile2 [3] and MarsJoke [4] campaigns also used the same sending spam botnet and similar distribution techniques (transportation-related email lures). However, while CryptFile2 and MarsJoke campaigns targeted state and local government agencies, the current Hades Locker campaign targeted Manufacturing and Business Services verticals."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aaec1-a1e8-4dae-963c-4a28950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:44:17.000Z",
"modified": "2016-11-15T06:44:17.000Z",
"description": "Update.exe (Hades Locker)",
"pattern": "[file:hashes.SHA256 = '37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:44:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aaf1a-2ba0-4b6e-9831-44c6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:45:46.000Z",
"modified": "2016-11-15T06:45:46.000Z",
"description": "Hades Locker C2",
"pattern": "[url:value = 'http://pfmydcsjib.ru/config.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aaf1a-c674-4a31-8d7e-43b7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:45:46.000Z",
"modified": "2016-11-15T06:45:46.000Z",
"description": "Hades Locker C2",
"pattern": "[url:value = 'http://jdybchotfn.ru/config.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:45:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aaf36-dc28-4aec-99cf-b9bb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:46:14.000Z",
"modified": "2016-11-15T06:46:14.000Z",
"description": "Payload (Hades Locker) downloaded by documents",
"pattern": "[url:value = 'http://185.45.193.169/update.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aaf56-cc40-4304-bd1d-4a2b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:46:46.000Z",
"modified": "2016-11-15T06:46:46.000Z",
"description": "URL in email",
"pattern": "[url:value = 'http://transportbedrijfvanetten.nl/downloads/levering-7834535.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:46:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aaf56-05dc-4c89-98e6-4a2b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:46:46.000Z",
"modified": "2016-11-15T06:46:46.000Z",
"description": "URL in email",
"pattern": "[url:value = 'http://leursmatransport.nl/downloads/levering-1245789.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:46:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aaf56-1ec0-454f-821a-4a2b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:46:46.000Z",
"modified": "2016-11-15T06:46:46.000Z",
"description": "URL in email",
"pattern": "[url:value = 'http://transportbedrijfbrenninkmeijer.nl/downloads/levering-739176.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:46:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aaf57-819c-4be7-8764-4a2b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:46:47.000Z",
"modified": "2016-11-15T06:46:47.000Z",
"description": "URL in email",
"pattern": "[url:value = 'http://breesmanstransport.nl/downloads/levering-1478529.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:46:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aafe0-7574-4768-9c87-4e6b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:49:04.000Z",
"modified": "2016-11-15T06:49:04.000Z",
"description": "Update.exe (Hades Locker) - Xchecked via VT: 37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809",
"pattern": "[file:hashes.SHA1 = '68e8e1eaa7439173362ff42fec37e1149f162662']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:49:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--582aafe0-9d54-4194-8340-44f302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:49:04.000Z",
"modified": "2016-11-15T06:49:04.000Z",
"description": "Update.exe (Hades Locker) - Xchecked via VT: 37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809",
"pattern": "[file:hashes.MD5 = '8f03cf5d3c951cf2711144e84779b590']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-11-15T06:49:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--582aafe1-ac98-459f-87f4-4e1902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-11-15T06:49:05.000Z",
"modified": "2016-11-15T06:49:05.000Z",
"first_observed": "2016-11-15T06:49:05Z",
"last_observed": "2016-11-15T06:49:05Z",
"number_observed": 1,
"object_refs": [
"url--582aafe1-ac98-459f-87f4-4e1902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--582aafe1-ac98-459f-87f4-4e1902de0b81",
"value": "https://www.virustotal.com/file/37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809/analysis/1478842683/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}