misp-circl-feed/feeds/circl/stix-2.1/59a3c0d9-6e00-4f61-b768-47d6950d210f.json

368 lines
16 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--59a3c0d9-6e00-4f61-b768-47d6950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:14.000Z",
"modified": "2017-08-28T14:23:14.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59a3c0d9-6e00-4f61-b768-47d6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:14.000Z",
"modified": "2017-08-28T14:23:14.000Z",
"name": "OSINT - The ZAYKA and NOOB CryptoMix Ransomware Variants Released in Quick Succession",
"published": "2017-08-28T14:23:21Z",
"object_refs": [
"observed-data--59a3c0eb-d44c-4133-bf6c-4233950d210f",
"url--59a3c0eb-d44c-4133-bf6c-4233950d210f",
"x-misp-attribute--59a3c0fa-676c-4413-acb9-495a950d210f",
"indicator--59a3c152-41b0-4924-b651-493a950d210f",
"indicator--59a3c152-bd44-48cb-964f-4beb950d210f",
"indicator--59a3c160-4c58-46a3-b48a-47a5950d210f",
"indicator--59a3c160-1068-438a-903f-4069950d210f",
"indicator--59a3c1ff-e884-4e50-9e49-44cb950d210f",
"indicator--59a4274c-b8f4-464b-b95b-459402de0b81",
"indicator--59a4274c-f1e8-46ed-afa7-47f202de0b81",
"observed-data--59a4274c-a26c-4940-8ab2-4eb102de0b81",
"url--59a4274c-a26c-4940-8ab2-4eb102de0b81",
"indicator--59a4274c-9fbc-4261-86dc-44c502de0b81",
"indicator--59a4274c-bb90-4eb0-8899-420a02de0b81",
"observed-data--59a4274c-fbdc-40d5-ba87-44ae02de0b81",
"url--59a4274c-fbdc-40d5-ba87-44ae02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"CryptoMix\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a3c0eb-d44c-4133-bf6c-4233950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:07.000Z",
"modified": "2017-08-28T14:23:07.000Z",
"first_observed": "2017-08-28T14:23:07Z",
"last_observed": "2017-08-28T14:23:07Z",
"number_observed": 1,
"object_refs": [
"url--59a3c0eb-d44c-4133-bf6c-4233950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a3c0eb-d44c-4133-bf6c-4233950d210f",
"value": "https://www.bleepingcomputer.com/news/security/the-zayka-and-noob-cryptomix-ransomware-variants-released-in-quick-succession/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59a3c0fa-676c-4413-acb9-495a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:07.000Z",
"modified": "2017-08-28T14:23:07.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "CryptoMix is releasing new variants very quickly now and is reminiscent of how the Locky developers used to distribute Locky. Yesterday, ID-Ransomware's Michael Gillespie & Malwarebytes malware researcher Marcelo Rivero discovered two new variants of the CryptoMix ransomware being distributed within a week or two of each other. These variants append either the NOOB or ZAYKA extension to encrypted files, but use the same contact email of admin@zayka.pro for payment instructions."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3c152-41b0-4924-b651-493a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:07.000Z",
"modified": "2017-08-28T14:23:07.000Z",
"description": "NOOB version",
"pattern": "[file:hashes.SHA256 = 'ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3c152-bd44-48cb-964f-4beb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:07.000Z",
"modified": "2017-08-28T14:23:07.000Z",
"description": "ZAYKA version",
"pattern": "[file:hashes.SHA256 = 'aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3c160-4c58-46a3-b48a-47a5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:07.000Z",
"modified": "2017-08-28T14:23:07.000Z",
"pattern": "[file:name = '_HELP_INSTRUCTION.TXT']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3c160-1068-438a-903f-4069950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:07.000Z",
"modified": "2017-08-28T14:23:07.000Z",
"pattern": "[file:name = '\\\\%AppData\\\\%\\\\[random].exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3c1ff-e884-4e50-9e49-44cb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:07.000Z",
"modified": "2017-08-28T14:23:07.000Z",
"description": "contact mail in the ransom note",
"pattern": "[email-message:from_ref.value = 'admin@zayka.pro']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a4274c-b8f4-464b-b95b-459402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:08.000Z",
"modified": "2017-08-28T14:23:08.000Z",
"description": "ZAYKA version - Xchecked via VT: aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685",
"pattern": "[file:hashes.SHA1 = '53371fd7a36fcf23d615143ba82045a417850c08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a4274c-f1e8-46ed-afa7-47f202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:08.000Z",
"modified": "2017-08-28T14:23:08.000Z",
"description": "ZAYKA version - Xchecked via VT: aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685",
"pattern": "[file:hashes.MD5 = 'c34e3bcddab6b671cccb1c5e9ba3a881']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a4274c-a26c-4940-8ab2-4eb102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:08.000Z",
"modified": "2017-08-28T14:23:08.000Z",
"first_observed": "2017-08-28T14:23:08Z",
"last_observed": "2017-08-28T14:23:08Z",
"number_observed": 1,
"object_refs": [
"url--59a4274c-a26c-4940-8ab2-4eb102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a4274c-a26c-4940-8ab2-4eb102de0b81",
"value": "https://www.virustotal.com/file/aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685/analysis/1500647663/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a4274c-9fbc-4261-86dc-44c502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:08.000Z",
"modified": "2017-08-28T14:23:08.000Z",
"description": "NOOB version - Xchecked via VT: ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023",
"pattern": "[file:hashes.SHA1 = 'f71297632052974c83b95412dcb07090089b890d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a4274c-bb90-4eb0-8899-420a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:08.000Z",
"modified": "2017-08-28T14:23:08.000Z",
"description": "NOOB version - Xchecked via VT: ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023",
"pattern": "[file:hashes.MD5 = 'a862f5ee210a43fddcb33ad2f01af73f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:23:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a4274c-fbdc-40d5-ba87-44ae02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:23:08.000Z",
"modified": "2017-08-28T14:23:08.000Z",
"first_observed": "2017-08-28T14:23:08Z",
"last_observed": "2017-08-28T14:23:08Z",
"number_observed": 1,
"object_refs": [
"url--59a4274c-fbdc-40d5-ba87-44ae02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a4274c-fbdc-40d5-ba87-44ae02de0b81",
"value": "https://www.virustotal.com/file/ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023/analysis/1503697510/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}