misp-circl-feed/feeds/circl/stix-2.1/11879a3f-0ca4-491b-8774-d30496e66b34.json

764 lines
35 KiB
JSON
Raw Normal View History

2024-08-07 08:13:15 +00:00
{
"type": "bundle",
"id": "bundle--11879a3f-0ca4-491b-8774-d30496e66b34",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:32:37.000Z",
"modified": "2024-04-19T14:32:37.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--11879a3f-0ca4-491b-8774-d30496e66b34",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:32:37.000Z",
"modified": "2024-04-19T14:32:37.000Z",
"name": "OSINT - #StopRansomware: Akira Ransomware",
"published": "2024-04-19T14:33:45Z",
"object_refs": [
"indicator--d2000d00-7e54-47e9-ba5e-e54a4eb02412",
"indicator--f6ef3696-7c8b-4714-9c4f-50b56bfbf829",
"indicator--88257fe4-748c-4cda-875f-23916b820f17",
"indicator--f57a0494-4f22-4a97-8298-b6d2539741f4",
"indicator--11f69897-e358-44e6-af5f-e1c278e4a432",
"indicator--e38a9bc8-beb6-4311-980e-e873bb130d1a",
"indicator--1c92905d-52ca-4f9d-b889-3f7684fadafd",
"indicator--9799d2af-f8ef-450d-bc04-52a6c506247f",
"indicator--ed04d950-33cf-4e50-81d8-1ab24133c212",
"indicator--eece1583-0234-413c-9aee-ef64ef861f8e",
"indicator--e04f695f-19d0-4b28-a30e-2ac675fb3275",
"indicator--cd05a941-ac8d-4925-8a26-bc26bce125d2",
"indicator--6295346b-a591-4f34-ba72-32ebf497eebd",
"indicator--9bbb742f-79ca-4737-b0d6-4de8242d9497",
"indicator--7eac0d90-3baa-4384-89e7-8ab1b4082a45",
"indicator--ba84dd5c-fd5d-4f4c-a291-6e44b00920fa",
"indicator--a582f08b-7c1b-4ad7-94f5-a7acb1cf31ed",
"indicator--d4c7f818-07be-453a-96ce-b374a3825340",
"indicator--88d9fc05-545f-451e-a99b-2af32585fb30",
"indicator--e943e329-04da-4aea-a5f4-859f8c84a69d",
"indicator--8ed3f91f-791d-4083-8a46-ec592ddbcb28",
"indicator--5599f040-73b7-4618-ba6c-9c2c23f1a364",
"indicator--df9d1ee9-238b-4491-bcdd-40fa61657594",
"indicator--7c43ff9e-266a-4125-a896-62ef58f30f16",
"indicator--b7a9a8c7-9e0a-4852-ae68-9df6ead658fb",
"indicator--31678fa1-a95a-486b-9477-0234282c2c00",
"x-misp-object--dffcdd95-8a5f-4f4e-820d-b96fe13929b7"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Akira\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"tlp:clear",
"misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
"misp-galaxy:mitre-attack-pattern=\"/etc/passwd and /etc/shadow - T1003.008\"",
"misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
"misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
"misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"",
"misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
"misp-galaxy:mitre-attack-pattern=\"Local Groups - T1069.001\"",
"misp-galaxy:mitre-attack-pattern=\"Domain Groups - T1069.002\"",
"misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
"misp-galaxy:region=\"150 - Europe\"",
"misp-galaxy:region=\"021 - Northern America\"",
"misp-galaxy:mitre-attack-pattern=\"Domain Account - T1136.002\"",
"misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
"misp-galaxy:mitre-attack-pattern=\"Remote Access Software - T1219\"",
"misp-galaxy:mitre-attack-pattern=\"Connection Proxy - T1090\"",
"misp-galaxy:mitre-attack-pattern=\"Archive via Utility - T1560.001\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
"misp-galaxy:mitre-attack-pattern=\"Transfer Data to Cloud Account - T1537\"",
"misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
"misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
"misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d2000d00-7e54-47e9-ba5e-e54a4eb02412",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = 'ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f6ef3696-7c8b-4714-9c4f-50b56bfbf829",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = 'dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--88257fe4-748c-4cda-875f-23916b820f17",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = '131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f57a0494-4f22-4a97-8298-b6d2539741f4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = '9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--11f69897-e358-44e6-af5f-e1c278e4a432",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = '9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e38a9bc8-beb6-4311-980e-e873bb130d1a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = '2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1c92905d-52ca-4f9d-b889-3f7684fadafd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = '7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9799d2af-f8ef-450d-bc04-52a6c506247f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = '95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ed04d950-33cf-4e50-81d8-1ab24133c212",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = '0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--eece1583-0234-413c-9aee-ef64ef861f8e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:46.000Z",
"modified": "2024-04-19T14:09:46.000Z",
"description": "Akira \u201cMegazord\u201d ransomware",
"pattern": "[file:hashes.SHA256 = 'c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e04f695f-19d0-4b28-a30e-2ac675fb3275",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:10:08.000Z",
"modified": "2024-04-19T14:10:08.000Z",
"description": "Akira_v2 ransomware",
"pattern": "[file:hashes.SHA256 = '3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:10:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cd05a941-ac8d-4925-8a26-bc26bce125d2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:10:08.000Z",
"modified": "2024-04-19T14:10:08.000Z",
"description": "Akira_v2 ransomware",
"pattern": "[file:hashes.SHA256 = '0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:10:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6295346b-a591-4f34-ba72-32ebf497eebd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:12:12.000Z",
"modified": "2024-04-19T14:12:12.000Z",
"description": "Kerberos ticket dumping tool from LSA cache",
"pattern": "[file:hashes.SHA256 = '5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:12:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9bbb742f-79ca-4737-b0d6-4de8242d9497",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:07:26.000Z",
"modified": "2024-04-19T14:07:26.000Z",
"pattern": "[file:hashes.SHA256 = 'd2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca' AND file:name = 'w.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:07:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7eac0d90-3baa-4384-89e7-8ab1b4082a45",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:07:23.000Z",
"modified": "2024-04-19T14:07:23.000Z",
"pattern": "[file:hashes.SHA256 = 'dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e' AND file:name = 'Win.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:07:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ba84dd5c-fd5d-4f4c-a291-6e44b00920fa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:07:19.000Z",
"modified": "2024-04-19T14:07:19.000Z",
"pattern": "[file:hashes.SHA256 = 'bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138' AND file:name = 'AnyDesk.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:07:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a582f08b-7c1b-4ad7-94f5-a7acb1cf31ed",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:07:16.000Z",
"modified": "2024-04-19T14:07:16.000Z",
"pattern": "[file:hashes.SHA256 = '73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf' AND file:name = 'Gcapi.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:07:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d4c7f818-07be-453a-96ce-b374a3825340",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:07:13.000Z",
"modified": "2024-04-19T14:07:13.000Z",
"pattern": "[file:hashes.SHA256 = '1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386' AND file:name = 'Sysmon.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:07:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--88d9fc05-545f-451e-a99b-2af32585fb30",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:07:04.000Z",
"modified": "2024-04-19T14:07:04.000Z",
"pattern": "[file:hashes.SHA256 = 'aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9' AND file:name = 'Rclone.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:07:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e943e329-04da-4aea-a5f4-859f8c84a69d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:08:45.000Z",
"modified": "2024-04-19T14:08:45.000Z",
"pattern": "[file:hashes.SHA256 = '7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4' AND file:name = 'Winscp.rnd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:08:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8ed3f91f-791d-4083-8a46-ec592ddbcb28",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:09:07.000Z",
"modified": "2024-04-19T14:09:07.000Z",
"pattern": "[file:hashes.SHA256 = '36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c' AND file:name = 'WinSCP-6.1.2-Setup.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:09:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5599f040-73b7-4618-ba6c-9c2c23f1a364",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:11:18.000Z",
"modified": "2024-04-19T14:11:18.000Z",
"pattern": "[file:hashes.SHA256 = 'aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d' AND file:name = 'VeeamHax.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:11:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--df9d1ee9-238b-4491-bcdd-40fa61657594",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:11:54.000Z",
"modified": "2024-04-19T14:11:54.000Z",
"pattern": "[file:hashes.SHA256 = '18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88' AND file:name = 'Veeam-Get-Creds.ps1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:11:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7c43ff9e-266a-4125-a896-62ef58f30f16",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:13:04.000Z",
"modified": "2024-04-19T14:13:04.000Z",
"pattern": "[file:hashes.SHA256 = '8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694' AND file:name = 'sshd.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:13:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b7a9a8c7-9e0a-4852-ae68-9df6ead658fb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:13:39.000Z",
"modified": "2024-04-19T14:13:39.000Z",
"pattern": "[file:hashes.SHA256 = '892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0' AND file:name = 'ipscan-3.9.1-setup.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:13:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--31678fa1-a95a-486b-9477-0234282c2c00",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:14:01.000Z",
"modified": "2024-04-19T14:14:01.000Z",
"pattern": "[file:hashes.MD5 = '7a647af3c112ad805296a22b2a276e7c' AND file:name = 'winrar-x64-623.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2024-04-19T14:14:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--dffcdd95-8a5f-4f4e-820d-b96fe13929b7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2024-04-19T14:23:48.000Z",
"modified": "2024-04-19T14:23:48.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a",
"category": "External analysis",
"uuid": "6606746a-e024-4b4d-a8fe-14c9bbfcee3a"
},
{
"type": "text",
"object_relation": "summary",
"value": "SUMMARY\r\n\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\n\r\nThe United States\u2019 Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol\u2019s European Cybercrime Centre (EC3), and the Netherlands\u2019 National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.\r\n\r\nSince March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.\r\n\r\nEarly versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.\r\n\r\nThe FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.",
"category": "Other",
"uuid": "a6781a2c-7fe5-4e81-9ace-535be4a75fd8"
},
{
"type": "text",
"object_relation": "title",
"value": "#StopRansomware: Akira Ransomware",
"category": "Other",
"uuid": "9b32b569-960f-47f6-a64b-f10d339b0469"
},
{
"type": "text",
"object_relation": "type",
"value": "Alert",
"category": "Other",
"uuid": "f8ce43c8-9068-4ce0-b249-f4c2e5673232"
},
{
"type": "text",
"object_relation": "case-number",
"value": "AA24-109A",
"category": "Other",
"uuid": "335e410d-01f8-4608-9f07-2e10cc78ac70"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}