misp-circl-feed/feeds/circl/stix-2.1/5b72c78a-274c-43a6-a945-4fd5950d210f.json

408 lines
18 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--5b72c78a-274c-43a6-a945-4fd5950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-14T06:33:53.000Z",
"modified": "2018-09-14T06:33:53.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5b72c78a-274c-43a6-a945-4fd5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-09-14T06:33:53.000Z",
"modified": "2018-09-14T06:33:53.000Z",
"name": "OSINT - New Cmb Dharma Ransomware Variant Released",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5b72cc0c-7650-45f8-a0b8-480e950d210f",
"url--5b72cc0c-7650-45f8-a0b8-480e950d210f",
"x-misp-attribute--5b72cc2d-4e18-422b-9e9c-4b04950d210f",
"indicator--5b76bb98-be88-4cc7-840e-43e9950d210f",
"indicator--5b76be0c-bfb0-476c-8e1a-43c9950d210f",
"indicator--5b76bea9-c140-4dc4-b0b9-46a0950d210f",
"indicator--5b76bea9-fa40-48bd-814c-4928950d210f",
"indicator--5b76bea9-c25c-4a54-b4f1-4562950d210f",
"indicator--5b76bea9-862c-401d-bdbd-4339950d210f",
"indicator--5b76bea9-38cc-4d10-b9e7-45fc950d210f",
"indicator--5b76c113-5bcc-4611-9e46-f168950d210f",
"indicator--5b76c113-9c38-43f7-bece-f168950d210f",
"indicator--5b76c113-3e70-4f67-baec-f168950d210f",
"indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8",
"x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd",
"relationship--f7c6f476-56b2-4f7a-91a6-ec2d56cf3d14"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Dharma Ransomware\"",
"malware_classification:malware-category=\"Ransomware\"",
"circl:incident-classification=\"malware\"",
"osint:source-type=\"blog-post\"",
"workflow:state=\"complete\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b72cc0c-7650-45f8-a0b8-480e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-14T12:34:27.000Z",
"modified": "2018-08-14T12:34:27.000Z",
"first_observed": "2018-08-14T12:34:27Z",
"last_observed": "2018-08-14T12:34:27Z",
"number_observed": 1,
"object_refs": [
"url--5b72cc0c-7650-45f8-a0b8-480e950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b72cc0c-7650-45f8-a0b8-480e950d210f",
"value": "https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b72cc2d-4e18-422b-9e9c-4b04950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-14T12:33:57.000Z",
"modified": "2018-08-14T12:33:57.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "On Thursday a new variant of the Dharma Ransomware was discovered that appends the .cmb extension to encrypted files.\r\n\r\nThe Cmb variant of the Dharma Ransomware was first discovered by Michael Gillespie when he noticed samples uploaded to ID Ransomware, After tweeting about it, Jakub Kroustek replied with a hash to the sample."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bb98-be88-4cc7-840e-43e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:12:08.000Z",
"modified": "2018-08-17T12:12:08.000Z",
"pattern": "[file:hashes.SHA256 = 'c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:12:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76be0c-bfb0-476c-8e1a-43c9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:40:43.000Z",
"modified": "2018-08-17T12:40:43.000Z",
"description": "Contact email mentioned in ransom note",
"pattern": "[email-message:from_ref.value = 'paymentbtc@firemail.cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:40:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-c140-4dc4-b0b9-46a0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\Info.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-fa40-48bd-814c-4928950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\cmb_ransomware.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-c25c-4a54-b4f1-4562950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Info.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-862c-401d-bdbd-4339950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\FILES ENCRYPTED.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76bea9-38cc-4d10-b9e7-45fc950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:25:13.000Z",
"modified": "2018-08-17T12:25:13.000Z",
"pattern": "[file:name = '\\\\%PUBLIC\\\\%\\\\Desktop\\\\FILES ENCRYPTED.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:25:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76c113-5bcc-4611-9e46-f168950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T13:26:26.000Z",
"modified": "2018-08-17T13:26:26.000Z",
"pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\cmb_ransomware.exe' AND windows-registry-key:values.data = '\\\\%WINDIR\\\\%\\\\System32\\\\cmb_ransomware.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T13:26:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76c113-9c38-43f7-bece-f168950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T13:29:31.000Z",
"modified": "2018-08-17T13:29:31.000Z",
"pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%WINDIR%\\\\System32\\\\Info.hta mshta.exe' AND windows-registry-key:values.data = '\\\\\"%WINDIR%\\\\System32\\\\Info.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T13:29:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b76c113-3e70-4f67-baec-f168950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T13:29:58.000Z",
"modified": "2018-08-17T13:29:58.000Z",
"pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%Appdata%\\\\Info.hta\tmshta.exe' AND windows-registry-key:values.data = '\\\\\"%Appdata%\\\\Info.hta']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T13:29:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Artifacts dropped"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Artifacts dropped\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:23:44.000Z",
"modified": "2018-08-17T12:23:44.000Z",
"pattern": "[file:hashes.MD5 = 'd50f69f0d3a73c0a58d2ad08aedac1c8' AND file:hashes.SHA1 = 'c25ff1bb2ea3e0804ab3f370ad2877b0b7c56903' AND file:hashes.SHA256 = 'c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-08-17T12:23:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-08-17T12:23:43.000Z",
"modified": "2018-08-17T12:23:43.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-08-14 05:47:48",
"category": "Other",
"uuid": "7b4c2186-d46a-4444-904e-963bbb0fdbae"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702/analysis/1534225668/",
"category": "External analysis",
"uuid": "94fd6e61-154c-44e8-ac6b-073a54eaaa16"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "56/68",
"category": "Other",
"uuid": "2a66be74-d97a-45c3-b2b6-647492a2ddb5"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f7c6f476-56b2-4f7a-91a6-ec2d56cf3d14",
"created": "2018-08-17T12:23:44.000Z",
"modified": "2018-08-17T12:23:44.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8",
"target_ref": "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}