{ "type": "bundle", "id": "bundle--56f58bcc-96e4-49d2-bc8b-faf7950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:07:51.000Z", "modified": "2016-03-25T19:07:51.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56f58bcc-96e4-49d2-bc8b-faf7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:07:51.000Z", "modified": "2016-03-25T19:07:51.000Z", "name": "OSINT - SURGE IN SPAM CAMPAIGN DELIVERING LOCKY RANSOMWARE DOWNLOADERS", "published": "2016-03-25T19:08:07Z", "object_refs": [ "observed-data--56f58bf1-3870-4b38-b851-faf0950d210f", "url--56f58bf1-3870-4b38-b851-faf0950d210f", "x-misp-attribute--56f58c05-770c-4455-9aaa-46d2950d210f", "indicator--56f58c18-9e90-4c3c-8985-faf7950d210f", "indicator--56f58c19-5bf8-4657-b19b-faf7950d210f", "indicator--56f58c19-5dd4-4fc0-ac9d-faf7950d210f", "indicator--56f58c19-bd84-4fee-a4d8-faf7950d210f", "indicator--56f58c3b-4968-4f48-9cbf-faf1950d210f", "indicator--56f58c5c-e06c-4aab-9e08-faee950d210f", "indicator--56f58c87-0e18-4b86-96be-4fc502de0b81", "indicator--56f58c88-2e54-4f15-87dc-43f802de0b81", "observed-data--56f58c88-b490-4c7f-ae54-469c02de0b81", "url--56f58c88-b490-4c7f-ae54-469c02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f58bf1-3870-4b38-b851-faf0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:05:21.000Z", "modified": "2016-03-25T19:05:21.000Z", "first_observed": "2016-03-25T19:05:21Z", "last_observed": "2016-03-25T19:05:21Z", "number_observed": 1, "object_refs": [ "url--56f58bf1-3870-4b38-b851-faf0950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f58bf1-3870-4b38-b851-faf0950d210f", "value": "https://www.fireeye.com/blog/threat-research/2016/03/surge_in_spam_campai.html" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56f58c05-770c-4455-9aaa-46d2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:05:41.000Z", "modified": "2016-03-25T19:05:41.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f58c18-9e90-4c3c-8985-faf7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:06:00.000Z", "modified": "2016-03-25T19:06:00.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.138.88.184']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T19:06:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f58c19-5bf8-4657-b19b-faf7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:06:01.000Z", "modified": "2016-03-25T19:06:01.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '31.41.47.37']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T19:06:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f58c19-5dd4-4fc0-ac9d-faf7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:06:01.000Z", "modified": "2016-03-25T19:06:01.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.34.183.136']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T19:06:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f58c19-bd84-4fee-a4d8-faf7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:06:01.000Z", "modified": "2016-03-25T19:06:01.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.121.97.170']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T19:06:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f58c3b-4968-4f48-9cbf-faf1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:06:35.000Z", "modified": "2016-03-25T19:06:35.000Z", "pattern": "[file:hashes.MD5 = '3f118d0b888430ab9f58fc2589207988']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T19:06:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f58c5c-e06c-4aab-9e08-faee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:07:08.000Z", "modified": "2016-03-25T19:07:08.000Z", "pattern": "[windows-registry-key:key = 'HKCU\\\\Control Panel\\\\Desktop\\\\Wallpaper' AND windows-registry-key:values.data = '\\\\%CSIDL_DESKTOPDIRECTORY\\\\%\\\\_Locky_recover_instructions.bmp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T19:07:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f58c87-0e18-4b86-96be-4fc502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:07:51.000Z", "modified": "2016-03-25T19:07:51.000Z", "description": "- Xchecked via VT: 3f118d0b888430ab9f58fc2589207988", "pattern": "[file:hashes.SHA256 = 'f927efd7cd2da3a052d857632f78ccf04b673e2774f6ce9a075e654dfd77d940']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T19:07:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56f58c88-2e54-4f15-87dc-43f802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:07:52.000Z", "modified": "2016-03-25T19:07:52.000Z", "description": "- Xchecked via VT: 3f118d0b888430ab9f58fc2589207988", "pattern": "[file:hashes.SHA1 = '1231e4a00c3da3ae8001a0620bae1242ef95d095']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-25T19:07:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56f58c88-b490-4c7f-ae54-469c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-25T19:07:52.000Z", "modified": "2016-03-25T19:07:52.000Z", "first_observed": "2016-03-25T19:07:52Z", "last_observed": "2016-03-25T19:07:52Z", "number_observed": 1, "object_refs": [ "url--56f58c88-b490-4c7f-ae54-469c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56f58c88-b490-4c7f-ae54-469c02de0b81", "value": "https://www.virustotal.com/file/f927efd7cd2da3a052d857632f78ccf04b673e2774f6ce9a075e654dfd77d940/analysis/1458838562/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }