{
"type": "bundle",
"id": "bundle--5b72c78a-274c-43a6-a945-4fd5950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-14T06:33:53.000Z",
"modified": "2018-09-14T06:33:53.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5b72c78a-274c-43a6-a945-4fd5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-14T06:33:53.000Z",
"modified": "2018-09-14T06:33:53.000Z",
"name": "OSINT - New Cmb Dharma Ransomware Variant Released",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5b72cc0c-7650-45f8-a0b8-480e950d210f",
"url--5b72cc0c-7650-45f8-a0b8-480e950d210f",
"x-misp-attribute--5b72cc2d-4e18-422b-9e9c-4b04950d210f",
"indicator--5b76bb98-be88-4cc7-840e-43e9950d210f",
"indicator--5b76be0c-bfb0-476c-8e1a-43c9950d210f",
"indicator--5b76bea9-c140-4dc4-b0b9-46a0950d210f",
"indicator--5b76bea9-fa40-48bd-814c-4928950d210f",
"indicator--5b76bea9-c25c-4a54-b4f1-4562950d210f",
"indicator--5b76bea9-862c-401d-bdbd-4339950d210f",
"indicator--5b76bea9-38cc-4d10-b9e7-45fc950d210f",
"indicator--5b76c113-5bcc-4611-9e46-f168950d210f",
"indicator--5b76c113-9c38-43f7-bece-f168950d210f",
"indicator--5b76c113-3e70-4f67-baec-f168950d210f",
"indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8",
"x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd",
"relationship--f7c6f476-56b2-4f7a-91a6-ec2d56cf3d14"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Dharma Ransomware\"",
"malware_classification:malware-category=\"Ransomware\"",
"circl:incident-classification=\"malware\"",
"osint:source-type=\"blog-post\"",
"workflow:state=\"complete\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b72cc0c-7650-45f8-a0b8-480e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-14T12:34:27.000Z",
"modified": "2018-08-14T12:34:27.000Z",
"first_observed": "2018-08-14T12:34:27Z",
"last_observed": "2018-08-14T12:34:27Z",
"number_observed": 1,
"object_refs": [
"url--5b72cc0c-7650-45f8-a0b8-480e950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b72cc0c-7650-45f8-a0b8-480e950d210f",
"value": "https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b72cc2d-4e18-422b-9e9c-4b04950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-14T12:33:57.000Z",
"modified": "2018-08-14T12:33:57.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "On Thursday a new variant of the Dharma Ransomware was discovered that appends the .cmb extension to encrypted files.\r\n\r\nThe Cmb variant of the Dharma Ransomware was first discovered by Michael Gillespie when he noticed samples uploaded to ID Ransomware, After tweeting about it, Jakub Kroustek replied with a hash to the sample."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bb98-be88-4cc7-840e-43e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:12:08.000Z",
"modified": "2018-08-17T12:12:08.000Z",
"pattern": "[file:hashes.SHA256 = 'c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:12:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76be0c-bfb0-476c-8e1a-43c9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:40:43.000Z",
"modified": "2018-08-17T12:40:43.000Z",
"description": "Contact email mentioned in ransom note",
"pattern": "[email-message:from_ref.value = 'paymentbtc@firemail.cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:40:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-c140-4dc4-b0b9-46a0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\Info.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-fa40-48bd-814c-4928950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\cmb_ransomware.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-c25c-4a54-b4f1-4562950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Info.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-862c-401d-bdbd-4339950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\FILES ENCRYPTED.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-38cc-4d10-b9e7-45fc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%PUBLIC\\\\%\\\\Desktop\\\\FILES ENCRYPTED.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76c113-5bcc-4611-9e46-f168950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T13:26:26.000Z",
"modified": "2018-08-17T13:26:26.000Z",
"pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\cmb_ransomware.exe' AND windows-registry-key:values.data = '\\\\%WINDIR\\\\%\\\\System32\\\\cmb_ransomware.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T13:26:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76c113-9c38-43f7-bece-f168950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T13:29:31.000Z",
"modified": "2018-08-17T13:29:31.000Z",
"pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%WINDIR%\\\\System32\\\\Info.hta mshta.exe' AND windows-registry-key:values.data = '\\\\\"%WINDIR%\\\\System32\\\\Info.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T13:29:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76c113-3e70-4f67-baec-f168950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T13:29:58.000Z",
"modified": "2018-08-17T13:29:58.000Z",
"pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%Appdata%\\\\Info.hta\tmshta.exe' AND windows-registry-key:values.data = '\\\\\"%Appdata%\\\\Info.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T13:29:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:23:44.000Z",
"modified": "2018-08-17T12:23:44.000Z",
"pattern": "[file:hashes.MD5 = 'd50f69f0d3a73c0a58d2ad08aedac1c8' AND file:hashes.SHA1 = 'c25ff1bb2ea3e0804ab3f370ad2877b0b7c56903' AND file:hashes.SHA256 = 'c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:23:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:23:43.000Z",
"modified": "2018-08-17T12:23:43.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-14 05:47:48",
"category": "Other",
"uuid": "7b4c2186-d46a-4444-904e-963bbb0fdbae"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702/analysis/1534225668/",
"category": "External analysis",
"uuid": "94fd6e61-154c-44e8-ac6b-073a54eaaa16"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "56/68",
"category": "Other",
"uuid": "2a66be74-d97a-45c3-b2b6-647492a2ddb5"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f7c6f476-56b2-4f7a-91a6-ec2d56cf3d14",
"created": "2018-08-17T12:23:44.000Z",
"modified": "2018-08-17T12:23:44.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8",
"target_ref": "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}