{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--57750a68-58c8-4323-8c93-c828950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:16:14.000Z",
|
||
|
"modified": "2016-06-30T12:16:14.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--57750a68-58c8-4323-8c93-c828950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:16:14.000Z",
|
||
|
"modified": "2016-06-30T12:16:14.000Z",
|
||
|
"name": "OSINT - Apocalypse: Ransomware which targets companies through insecure RDP",
|
||
|
"published": "2016-06-30T12:16:31Z",
|
||
|
"object_refs": [
|
||
|
"x-misp-attribute--57750a7f-c27c-4526-a5fd-49ef950d210f",
|
||
|
"observed-data--57750a96-b80c-4b3e-ac7f-c826950d210f",
|
||
|
"url--57750a96-b80c-4b3e-ac7f-c826950d210f",
|
||
|
"x-misp-attribute--57750ad6-bc78-4a06-9be6-4701950d210f",
|
||
|
"x-misp-attribute--57750ad6-2164-47f6-a1ba-46c9950d210f",
|
||
|
"x-misp-attribute--57750ad6-0da8-489a-8259-427a950d210f",
|
||
|
"x-misp-attribute--57750ad7-1094-4d92-ae00-4d08950d210f",
|
||
|
"x-misp-attribute--57750ad7-cec0-4910-8544-4577950d210f",
|
||
|
"indicator--57750bad-5ea4-48c3-bb28-c825950d210f",
|
||
|
"indicator--57750d8e-92a8-480c-a5b0-d08c02de0b81",
|
||
|
"indicator--57750d8f-1bc0-4991-a6ab-d08c02de0b81",
|
||
|
"observed-data--57750d8f-5d80-4464-9471-d08c02de0b81",
|
||
|
"url--57750d8f-5d80-4464-9471-d08c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\"",
|
||
|
"type:OSINT",
|
||
|
"ecsirt:malicious-code=\"ransomware\"",
|
||
|
"malware_classification:malware-category=\"Ransomware\"",
|
||
|
"circl:incident-classification=\"malware\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57750a7f-c27c-4526-a5fd-49ef950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:03:11.000Z",
|
||
|
"modified": "2016-06-30T12:03:11.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"comment\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "comment",
|
||
|
"x_misp_value": "Beyond a shadow of a doubt 2016 has been the year of the ransomware. So it comes as no surprise that new ransomware families are popping up on weekly basis. Emsisoft has been on the frontline battling ransomware for years now, providing users with valuable tools allowing them to recover their files after ransomware attacks. As a result Emsisoft researchers often find themselves at the receiving end of hate from ransomware authors. Late last year, we took a look at Radamant, whose authors included some rather unkind messages after our research team broke their amateurish ransomware. Today, we want to take a look at a new ransomware family Apocalypse, that reared its ugly head about 2 months ago, that recently started spewing insults towards our team as well."
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57750a96-b80c-4b3e-ac7f-c826950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:03:34.000Z",
|
||
|
"modified": "2016-06-30T12:03:34.000Z",
|
||
|
"first_observed": "2016-06-30T12:03:34Z",
|
||
|
"last_observed": "2016-06-30T12:03:34Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57750a96-b80c-4b3e-ac7f-c826950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57750a96-b80c-4b3e-ac7f-c826950d210f",
|
||
|
"value": "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57750ad6-bc78-4a06-9be6-4701950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:04:38.000Z",
|
||
|
"modified": "2016-06-30T12:04:38.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"campaign-id\"",
|
||
|
"misp:category=\"Attribution\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_comment": "Contact email address taken from the ransom note. NOTE(review): this value (r.compress@us1.l.a) looks truncated or mangled compared with the other dr.* addresses in this report - verify it against the source write-up before using it for matching.",
|
||
|
"x_misp_type": "campaign-id",
|
||
|
"x_misp_value": "r.compress@us1.l.a"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57750ad6-2164-47f6-a1ba-46c9950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:04:38.000Z",
|
||
|
"modified": "2016-06-30T12:04:38.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"campaign-id\"",
|
||
|
"misp:category=\"Attribution\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_comment": "Contact email address taken from the ransom note.",
|
||
|
"x_misp_type": "campaign-id",
|
||
|
"x_misp_value": "dr.compress@bk.ru"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57750ad6-0da8-489a-8259-427a950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:04:38.000Z",
|
||
|
"modified": "2016-06-30T12:04:38.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"campaign-id\"",
|
||
|
"misp:category=\"Attribution\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_comment": "Contact email address taken from the ransom note.",
|
||
|
"x_misp_type": "campaign-id",
|
||
|
"x_misp_value": "dr.jimbo@bk.ru"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57750ad7-1094-4d92-ae00-4d08950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:04:39.000Z",
|
||
|
"modified": "2016-06-30T12:04:39.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"campaign-id\"",
|
||
|
"misp:category=\"Attribution\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_comment": "Contact email address taken from the ransom note.",
|
||
|
"x_misp_type": "campaign-id",
|
||
|
"x_misp_value": "dr.decrypter@bk.ru"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--57750ad7-cec0-4910-8544-4577950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:04:39.000Z",
|
||
|
"modified": "2016-06-30T12:04:39.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"campaign-id\"",
|
||
|
"misp:category=\"Attribution\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
],
|
||
|
"x_misp_category": "Attribution",
|
||
|
"x_misp_comment": "Contact email address taken from the ransom note.",
|
||
|
"x_misp_type": "campaign-id",
|
||
|
"x_misp_value": "decryptionservice@mail.ru"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57750bad-5ea4-48c3-bb28-c825950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:08:13.000Z",
|
||
|
"modified": "2016-06-30T12:08:13.000Z",
|
||
|
"description": "New sample - MD5 of the Apocalypse ransomware sample referenced in the report",
|
||
|
"pattern": "[file:hashes.MD5 = 'ac70f2517698ca81bf161645413f168c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-06-30T12:08:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57750d8e-92a8-480c-a5b0-d08c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:16:14.000Z",
|
||
|
"modified": "2016-06-30T12:16:14.000Z",
|
||
|
"description": "New sample - SHA256 cross-checked via VirusTotal against MD5 ac70f2517698ca81bf161645413f168c",
|
||
|
"pattern": "[file:hashes.SHA256 = 'aab148f9445f8ea69a6992a245037919b96c7b6457d35732f4171e371359aee5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-06-30T12:16:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--57750d8f-1bc0-4991-a6ab-d08c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:16:15.000Z",
|
||
|
"modified": "2016-06-30T12:16:15.000Z",
|
||
|
"description": "New sample - SHA1 cross-checked via VirusTotal against MD5 ac70f2517698ca81bf161645413f168c",
|
||
|
"pattern": "[file:hashes.SHA1 = '70a255c076bd108b0654ae58b6f805efd2ad9613']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2016-06-30T12:16:15Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--57750d8f-5d80-4464-9471-d08c02de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2016-06-30T12:16:15.000Z",
|
||
|
"modified": "2016-06-30T12:16:15.000Z",
|
||
|
"first_observed": "2016-06-30T12:16:15Z",
|
||
|
"last_observed": "2016-06-30T12:16:15Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--57750d8f-5d80-4464-9471-d08c02de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--57750d8f-5d80-4464-9471-d08c02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/aab148f9445f8ea69a6992a245037919b96c7b6457d35732f4171e371359aee5/analysis/1466865459/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}