misp-circl-feed/feeds/circl/stix-2.1/56dc93a4-5a6c-470d-9c9b-4e9902de0b81.json

876 lines
38 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--56dc93a4-5a6c-470d-9c9b-4e9902de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-07T08:35:30.000Z",
"modified": "2016-03-07T08:35:30.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--56dc93a4-5a6c-470d-9c9b-4e9902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-07T08:35:30.000Z",
"modified": "2016-03-07T08:35:30.000Z",
"name": "OSINT - New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer",
"published": "2016-03-07T08:36:54Z",
"object_refs": [
"observed-data--56dc93be-d390-4377-82cb-49cf02de0b81",
"url--56dc93be-d390-4377-82cb-49cf02de0b81",
"indicator--56dc93e5-4c30-4f24-82fc-434802de0b81",
"indicator--56dc93e5-fc70-4680-aa2d-494a02de0b81",
"indicator--56dc93e6-86ac-4ac2-98f2-413c02de0b81",
"indicator--56dc93e6-adac-4282-a062-485f02de0b81",
"indicator--56dc93e6-e290-4489-803f-4b7c02de0b81",
"indicator--56dc93e7-2fd0-4b80-b378-4d4702de0b81",
"x-misp-attribute--56dc93fc-4dd4-4bfe-894e-48a102de0b81",
"indicator--56dc9420-1368-4259-8c98-489a02de0b81",
"indicator--56dc9420-f8cc-4387-bc53-450f02de0b81",
"indicator--56dc9421-1ccc-46b1-8490-4aa402de0b81",
"indicator--56dc9421-5d8c-45fb-ba7d-424e02de0b81",
"indicator--56dc9421-e5b4-4527-967d-4fe202de0b81",
"indicator--56dc9421-9300-4c6c-be38-478e02de0b81",
"indicator--56dc9443-d870-4509-9d9f-434802de0b81",
"indicator--56dc9444-7a0c-4639-bbba-4af202de0b81",
"observed-data--56dc9444-9d10-4be0-b1d0-4aa002de0b81",
"url--56dc9444-9d10-4be0-b1d0-4aa002de0b81",
"indicator--56dc9444-dc2c-4d09-81d0-40d402de0b81",
"indicator--56dc9445-499c-4bda-bcb6-4af402de0b81",
"observed-data--56dc9445-2b00-4197-b2e2-4c3f02de0b81",
"url--56dc9445-2b00-4197-b2e2-4c3f02de0b81",
"indicator--56dc9445-ce5c-44c4-a315-41cd02de0b81",
"indicator--56dc9445-24e0-46a9-b8a8-498b02de0b81",
"observed-data--56dc9446-e51c-44cc-99f8-483402de0b81",
"url--56dc9446-e51c-44cc-99f8-483402de0b81",
"indicator--56dc9446-f4cc-4f5c-8ba7-4bfc02de0b81",
"indicator--56dc9446-f628-40c4-abde-46b202de0b81",
"observed-data--56dc9447-33e4-4cd8-9ebf-4aa502de0b81",
"url--56dc9447-33e4-4cd8-9ebf-4aa502de0b81",
"indicator--56dc9447-47e8-4c94-bb95-472102de0b81",
"indicator--56dc9447-547c-4cda-9caa-478302de0b81",
"observed-data--56dc9447-0350-4947-b63f-4c5802de0b81",
"url--56dc9447-0350-4947-b63f-4c5802de0b81",
"indicator--56dc9448-9050-44a5-9e8c-4a3302de0b81",
"indicator--56dc9448-6488-4152-816e-411d02de0b81",
"observed-data--56dc9448-d060-4412-9815-4c3f02de0b81",
"url--56dc9448-d060-4412-9815-4c3f02de0b81",
"x-misp-attribute--56dc9469-a334-4c0d-9ab7-416402de0b81",
"x-misp-attribute--56dd3d52-8768-4ce1-a546-48f0950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56dc93be-d390-4377-82cb-49cf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:31:58.000Z",
"modified": "2016-03-06T20:31:58.000Z",
"first_observed": "2016-03-06T20:31:58Z",
"last_observed": "2016-03-06T20:31:58Z",
"number_observed": 1,
"object_refs": [
"url--56dc93be-d390-4377-82cb-49cf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56dc93be-d390-4377-82cb-49cf02de0b81",
"value": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc93e5-4c30-4f24-82fc-434802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:32:37.000Z",
"modified": "2016-03-06T20:32:37.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'lclebb6kvohlkcml.onion.link']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:32:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc93e5-fc70-4680-aa2d-494a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:32:37.000Z",
"modified": "2016-03-06T20:32:37.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'lclebb6kvohlkcml.onion.nu']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:32:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc93e6-86ac-4ac2-98f2-413c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:32:38.000Z",
"modified": "2016-03-06T20:32:38.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'bmacyzmea723xyaz.onion.link']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:32:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc93e6-adac-4282-a062-485f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:32:38.000Z",
"modified": "2016-03-06T20:32:38.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'bmacyzmea723xyaz.onion.nu']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:32:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc93e6-e290-4489-803f-4b7c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:32:38.000Z",
"modified": "2016-03-06T20:32:38.000Z",
"description": "Imported via the freetext import.",
"pattern": "[url:value = 'nejdtkok7oz5kjoc.onion.link']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:32:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc93e7-2fd0-4b80-b378-4d4702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:32:39.000Z",
"modified": "2016-03-06T20:32:39.000Z",
"description": "Imported via the freetext import.",
"pattern": "[domain-name:value = 'nejdtkok7oz5kjoc.onion.nu']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:32:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56dc93fc-4dd4-4bfe-894e-48a102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:33:00.000Z",
"modified": "2016-03-06T20:33:00.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "Ransomware.OSX.KeRanger"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9420-1368-4259-8c98-489a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:33:36.000Z",
"modified": "2016-03-06T20:33:36.000Z",
"description": "Samples of Ransomware.OSX.KeRanger",
"pattern": "[file:hashes.SHA256 = 'd1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:33:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9420-f8cc-4387-bc53-450f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:33:36.000Z",
"modified": "2016-03-06T20:33:36.000Z",
"description": "Samples of Ransomware.OSX.KeRanger",
"pattern": "[file:hashes.SHA256 = 'e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:33:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9421-1ccc-46b1-8490-4aa402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:33:37.000Z",
"modified": "2016-03-06T20:33:37.000Z",
"description": "Samples of Ransomware.OSX.KeRanger",
"pattern": "[file:hashes.SHA256 = '31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9421-5d8c-45fb-ba7d-424e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:33:37.000Z",
"modified": "2016-03-06T20:33:37.000Z",
"description": "Samples of Ransomware.OSX.KeRanger",
"pattern": "[file:hashes.SHA256 = 'd7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9421-e5b4-4527-967d-4fe202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:33:37.000Z",
"modified": "2016-03-06T20:33:37.000Z",
"description": "Samples of Ransomware.OSX.KeRanger",
"pattern": "[file:hashes.SHA256 = 'ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9421-9300-4c6c-be38-478e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:33:37.000Z",
"modified": "2016-03-06T20:33:37.000Z",
"description": "Samples of Ransomware.OSX.KeRanger",
"pattern": "[file:hashes.SHA256 = '6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:33:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9443-d870-4509-9d9f-434802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:11.000Z",
"modified": "2016-03-06T20:34:11.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: 6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153",
"pattern": "[file:hashes.SHA1 = '260f02e7dd4a62575eca7c1a09f3e6b152733e40']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9444-7a0c-4639-bbba-4af202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:12.000Z",
"modified": "2016-03-06T20:34:12.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: 6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153",
"pattern": "[file:hashes.MD5 = '861c3da2bbce6c09eda2709c8994f34c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56dc9444-9d10-4be0-b1d0-4aa002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:12.000Z",
"modified": "2016-03-06T20:34:12.000Z",
"first_observed": "2016-03-06T20:34:12Z",
"last_observed": "2016-03-06T20:34:12Z",
"number_observed": 1,
"object_refs": [
"url--56dc9444-9d10-4be0-b1d0-4aa002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56dc9444-9d10-4be0-b1d0-4aa002de0b81",
"value": "https://www.virustotal.com/file/6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153/analysis/1457131054/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9444-dc2c-4d09-81d0-40d402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:12.000Z",
"modified": "2016-03-06T20:34:12.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a",
"pattern": "[file:hashes.SHA1 = 'f2fe3ff6da97a5adfc9278c475536883adcef93b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9445-499c-4bda-bcb6-4af402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:13.000Z",
"modified": "2016-03-06T20:34:13.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a",
"pattern": "[file:hashes.MD5 = '3151d9a085d14508fa9f10d48afc7016']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56dc9445-2b00-4197-b2e2-4c3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:13.000Z",
"modified": "2016-03-06T20:34:13.000Z",
"first_observed": "2016-03-06T20:34:13Z",
"last_observed": "2016-03-06T20:34:13Z",
"number_observed": 1,
"object_refs": [
"url--56dc9445-2b00-4197-b2e2-4c3f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56dc9445-2b00-4197-b2e2-4c3f02de0b81",
"value": "https://www.virustotal.com/file/ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a/analysis/1457131063/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9445-ce5c-44c4-a315-41cd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:13.000Z",
"modified": "2016-03-06T20:34:13.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: d7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5",
"pattern": "[file:hashes.SHA1 = 'e2f6d5912565ad3a2c9b3393cf7aff0110738f5c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9445-24e0-46a9-b8a8-498b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:13.000Z",
"modified": "2016-03-06T20:34:13.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: d7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5",
"pattern": "[file:hashes.MD5 = '24a8f01cfdc4228b4fc9bb87fedf6eb7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56dc9446-e51c-44cc-99f8-483402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:14.000Z",
"modified": "2016-03-06T20:34:14.000Z",
"first_observed": "2016-03-06T20:34:14Z",
"last_observed": "2016-03-06T20:34:14Z",
"number_observed": 1,
"object_refs": [
"url--56dc9446-e51c-44cc-99f8-483402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56dc9446-e51c-44cc-99f8-483402de0b81",
"value": "https://www.virustotal.com/file/d7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5/analysis/1457294776/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9446-f4cc-4f5c-8ba7-4bfc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:14.000Z",
"modified": "2016-03-06T20:34:14.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: 31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9",
"pattern": "[file:hashes.SHA1 = 'fd1f246ee9effafba0811fd692e2e76947e82687']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9446-f628-40c4-abde-46b202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:14.000Z",
"modified": "2016-03-06T20:34:14.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: 31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9",
"pattern": "[file:hashes.MD5 = '14a4df1df622562b3bf5bc9a94e6a783']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56dc9447-33e4-4cd8-9ebf-4aa502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:15.000Z",
"modified": "2016-03-06T20:34:15.000Z",
"first_observed": "2016-03-06T20:34:15Z",
"last_observed": "2016-03-06T20:34:15Z",
"number_observed": 1,
"object_refs": [
"url--56dc9447-33e4-4cd8-9ebf-4aa502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56dc9447-33e4-4cd8-9ebf-4aa502de0b81",
"value": "https://www.virustotal.com/file/31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9/analysis/1457127744/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9447-47e8-4c94-bb95-472102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:15.000Z",
"modified": "2016-03-06T20:34:15.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574",
"pattern": "[file:hashes.SHA1 = 'f4c95047938cd66368f1f0fe7cbf87de8378a1fd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9447-547c-4cda-9caa-478302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:15.000Z",
"modified": "2016-03-06T20:34:15.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574",
"pattern": "[file:hashes.MD5 = '56b1d956112b0b7bd3e44f20cf1f2c19']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56dc9447-0350-4947-b63f-4c5802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:15.000Z",
"modified": "2016-03-06T20:34:15.000Z",
"first_observed": "2016-03-06T20:34:15Z",
"last_observed": "2016-03-06T20:34:15Z",
"number_observed": 1,
"object_refs": [
"url--56dc9447-0350-4947-b63f-4c5802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56dc9447-0350-4947-b63f-4c5802de0b81",
"value": "https://www.virustotal.com/file/e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574/analysis/1457127757/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9448-9050-44a5-9e8c-4a3302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:16.000Z",
"modified": "2016-03-06T20:34:16.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1",
"pattern": "[file:hashes.SHA1 = '5f8ae46ae82e346000f366c3eabdafbec76e99e9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--56dc9448-6488-4152-816e-411d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:16.000Z",
"modified": "2016-03-06T20:34:16.000Z",
"description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1",
"pattern": "[file:hashes.MD5 = '1d6297e2427f1d00a5b355d6d50809cb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-03-06T20:34:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--56dc9448-d060-4412-9815-4c3f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:16.000Z",
"modified": "2016-03-06T20:34:16.000Z",
"first_observed": "2016-03-06T20:34:16Z",
"last_observed": "2016-03-06T20:34:16Z",
"number_observed": 1,
"object_refs": [
"url--56dc9448-d060-4412-9815-4c3f02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--56dc9448-d060-4412-9815-4c3f02de0b81",
"value": "https://www.virustotal.com/file/d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1/analysis/1457294749/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56dc9469-a334-4c0d-9ab7-416402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-06T20:34:49.000Z",
"modified": "2016-03-06T20:34:49.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware \u00e2\u20ac\u0153KeRanger.\u00e2\u20ac\u009d The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.\r\n\r\nAttackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site (https://download.transmissionbt.com/files/Transmission-2.90.dmg) Transmission is an open source project. It\u00e2\u20ac\u2122s possible that Transmission\u00e2\u20ac\u2122s official website was compromised and the files were replaced by re-compiled malicious versions, but we can\u00e2\u20ac\u2122t confirm how this infection occurred."
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--56dd3d52-8768-4ce1-a546-48f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-03-07T08:35:30.000Z",
"modified": "2016-03-07T08:35:30.000Z",
"labels": [
"misp:type=\"btc\"",
"misp:category=\"Financial fraud\""
],
"x_misp_category": "Financial fraud",
"x_misp_type": "btc",
"x_misp_value": "1PGAUBqHNcwSHYKnpHgzCrPkyxNxvsmEof"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}