{ "type": "bundle", "id": "bundle--5770f374-7cc4-40d6-9d1f-46f8950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:40:58.000Z", "modified": "2016-06-27T09:40:58.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5770f374-7cc4-40d6-9d1f-46f8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:40:58.000Z", "modified": "2016-06-27T09:40:58.000Z", "name": "OSINT - Doh! New \"Bart\" Ransomware from Threat Actors Spreading Dridex and Locky", "published": "2016-06-27T09:43:43Z", "object_refs": [ "observed-data--5770f38c-1824-4bb7-b138-461a950d210f", "url--5770f38c-1824-4bb7-b138-461a950d210f", "x-misp-attribute--5770f39f-083c-402d-983a-443e950d210f", "indicator--5770f3e3-9a60-40d1-b67d-46fe950d210f", "indicator--5770f3e4-5d3c-49b9-9751-44de950d210f", "indicator--5770f3e4-89ec-4e84-8a65-49b6950d210f", "indicator--5770f3e5-747c-4544-8ef5-4cbf950d210f", "indicator--5770f3e5-3fd8-46d0-8db2-4062950d210f", "indicator--5770f3fa-9888-452b-99ca-4afc950d210f", "indicator--5770f42c-7760-4e9b-bd75-3123950d210f", "indicator--5770f42d-90cc-4a11-a948-3123950d210f", "indicator--5770f4aa-bc0c-4416-9044-42e102de0b81", "indicator--5770f4ab-4e1c-42ff-a419-4ea802de0b81", "observed-data--5770f4ab-8ff4-4327-8fac-4ff002de0b81", "url--5770f4ab-8ff4-4327-8fac-4ff002de0b81", "indicator--5770f4ac-c42c-4a7e-bd79-4b3402de0b81", "indicator--5770f4ac-3c28-4572-b1f0-44e702de0b81", "observed-data--5770f4ad-d7e0-4ed6-a52f-426502de0b81", "url--5770f4ad-d7e0-4ed6-a52f-426502de0b81", "indicator--5770f4ad-1500-4ca1-a628-4c5902de0b81", "indicator--5770f4ad-0968-41cc-80ee-404802de0b81", "observed-data--5770f4ae-7678-403c-9b07-4bb102de0b81", "url--5770f4ae-7678-403c-9b07-4bb102de0b81", "indicator--5770f4ae-d228-48f7-b9f8-402002de0b81", "indicator--5770f4af-ed3c-4a99-8a7b-4e8902de0b81", 
"observed-data--5770f4af-9f58-4ffe-a278-4cdc02de0b81", "url--5770f4af-9f58-4ffe-a278-4cdc02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "circl:incident-classification=\"malware\"", "malware_classification:malware-category=\"Ransomware\"", "ecsirt:malicious-code=\"ransomware\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5770f38c-1824-4bb7-b138-461a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:36:12.000Z", "modified": "2016-06-27T09:36:12.000Z", "first_observed": "2016-06-27T09:36:12Z", "last_observed": "2016-06-27T09:36:12Z", "number_observed": 1, "object_refs": [ "url--5770f38c-1824-4bb7-b138-461a950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5770f38c-1824-4bb7-b138-461a950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5770f39f-083c-402d-983a-443e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:36:31.000Z", "modified": "2016-06-27T09:36:31.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Overview\r\n\r\nThe actors behind Dridex 220 and Locky Affid=3 have introduced a new ransomware called \u201cBart\u201d. They are using the RockLoader malware to download Bart over HTTPS. Bart has a payment screen like Locky but encrypts files without first connecting to a command and control (C&C) server, so blocking its C&C traffic at the network boundary does not stop the encryption once the payload runs.\r\n\r\nAnalysis\r\n\r\nOn June 24, Proofpoint researchers detected a large campaign with .zip attachments containing JavaScript code. 
If opened, these attachments download and install the intermediary loader RockLoader (previously discovered by Proofpoint and used with Locky), which in turn downloads the new ransomware called \u201cBart\u201d. The messages in this campaign had the subject \"Photos\" with the attachment \"photos.zip\", \"image.zip\", \"Photos.zip\", \"photo.zip\", \"Photo.zip\", or \"picture.zip\". The zip files contained JavaScript files such as \"PDF_123456789.js\"." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f3e3-9a60-40d1-b67d-46fe950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:37:39.000Z", "modified": "2016-06-27T09:37:39.000Z", "description": "Photos.zip email attachment", "pattern": "[file:hashes.SHA256 = '247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:37:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f3e4-5d3c-49b9-9751-44de950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:37:40.000Z", "modified": "2016-06-27T09:37:40.000Z", "description": "Imported via the Freetext Import Tool. Generic attachment name (one of several used in the campaign); expect false positives if this filename pattern is used for automated blocking rather than for hunting.", "pattern": "[file:name = 'Photos.zip']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:37:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f3e4-89ec-4e84-8a65-49b6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2016-06-27T09:37:40.000Z", "modified": "2016-06-27T09:37:40.000Z", "description": "FILE 21076073.js file inside Photos.zip", "pattern": "[file:hashes.SHA256 = '7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:37:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f3e5-747c-4544-8ef5-4cbf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:37:41.000Z", "modified": "2016-06-27T09:37:41.000Z", "description": "RockLoader", "pattern": "[file:hashes.SHA256 = '5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:37:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f3e5-3fd8-46d0-8db2-4062950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:37:41.000Z", "modified": "2016-06-27T09:37:41.000Z", "description": "6kuTU1.exe (Bart ransomware)", "pattern": "[file:hashes.SHA256 = '51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:37:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f3fa-9888-452b-99ca-4afc950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:38:02.000Z", "modified": "2016-06-27T09:38:02.000Z", "description": "JavaScript Payload (RockLoader)", "pattern": "[url:value = 'http://camera-test.hi2.ro/89ug6b7ui?voQeTqDw=RUYEzU']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:38:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f42c-7760-4e9b-bd75-3123950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:38:52.000Z", "modified": "2016-06-27T09:38:52.000Z", "description": "Rockloader C&C", "pattern": "[url:value = 'https://summerr554fox.su/api/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:38:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f42d-90cc-4a11-a948-3123950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:38:53.000Z", "modified": "2016-06-27T09:38:53.000Z", "description": "RockLoader Payload", "pattern": "[url:value = 'https://summerr554fox.su/files/6kuTU1.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:38:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f4aa-bc0c-4416-9044-42e102de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:40:58.000Z", "modified": "2016-06-27T09:40:58.000Z", "description": "6kuTU1.exe (Bart ransomware) - Xchecked via VT: 51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705", "pattern": "[file:hashes.SHA1 = '158137d4835f7596ad0ef2a191d0e0d8976f0089']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:40:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f4ab-4e1c-42ff-a419-4ea802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:40:59.000Z", "modified": "2016-06-27T09:40:59.000Z", "description": "6kuTU1.exe (Bart ransomware) - Xchecked via VT: 51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705", "pattern": "[file:hashes.MD5 = '65535f2b1ecee54718233e40e3f333b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:40:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5770f4ab-8ff4-4327-8fac-4ff002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:40:59.000Z", "modified": "2016-06-27T09:40:59.000Z", "first_observed": "2016-06-27T09:40:59Z", "last_observed": "2016-06-27T09:40:59Z", "number_observed": 1, "object_refs": [ "url--5770f4ab-8ff4-4327-8fac-4ff002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5770f4ab-8ff4-4327-8fac-4ff002de0b81", "value": 
"https://www.virustotal.com/file/51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705/analysis/1466936803/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f4ac-c42c-4a7e-bd79-4b3402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:41:00.000Z", "modified": "2016-06-27T09:41:00.000Z", "description": "RockLoader - Xchecked via VT: 5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d", "pattern": "[file:hashes.SHA1 = '960ec30ad5e94a35991a30b36411a4144b97b0d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:41:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f4ac-3c28-4572-b1f0-44e702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:41:00.000Z", "modified": "2016-06-27T09:41:00.000Z", "description": "RockLoader - Xchecked via VT: 5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d", "pattern": "[file:hashes.MD5 = '846171e2629b712429a903811d19c12b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:41:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5770f4ad-d7e0-4ed6-a52f-426502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:41:01.000Z", "modified": "2016-06-27T09:41:01.000Z", "first_observed": "2016-06-27T09:41:01Z", "last_observed": "2016-06-27T09:41:01Z", "number_observed": 1, "object_refs": [ "url--5770f4ad-d7e0-4ed6-a52f-426502de0b81" ], 
"labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5770f4ad-d7e0-4ed6-a52f-426502de0b81", "value": "https://www.virustotal.com/file/5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d/analysis/1466991759/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f4ad-1500-4ca1-a628-4c5902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:41:01.000Z", "modified": "2016-06-27T09:41:01.000Z", "description": "FILE 21076073.js file inside Photos.zip - Xchecked via VT: 7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b", "pattern": "[file:hashes.SHA1 = '387e6c2936af749d34690a8090127d75eb0970ea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:41:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f4ad-0968-41cc-80ee-404802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:41:01.000Z", "modified": "2016-06-27T09:41:01.000Z", "description": "FILE 21076073.js file inside Photos.zip - Xchecked via VT: 7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b", "pattern": "[file:hashes.MD5 = '2808adab51f43b747ce61034a96ab9de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:41:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5770f4ae-7678-403c-9b07-4bb102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-06-27T09:41:02.000Z", "modified": "2016-06-27T09:41:02.000Z", "first_observed": "2016-06-27T09:41:02Z", "last_observed": "2016-06-27T09:41:02Z", "number_observed": 1, "object_refs": [ "url--5770f4ae-7678-403c-9b07-4bb102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5770f4ae-7678-403c-9b07-4bb102de0b81", "value": "https://www.virustotal.com/file/7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b/analysis/1467016185/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f4ae-d228-48f7-b9f8-402002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:41:02.000Z", "modified": "2016-06-27T09:41:02.000Z", "description": "Photos.zip email attachment - Xchecked via VT: 247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d", "pattern": "[file:hashes.SHA1 = '929b26eb040c5976af32be4f19e059d016df2273']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:41:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5770f4af-ed3c-4a99-8a7b-4e8902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:41:03.000Z", "modified": "2016-06-27T09:41:03.000Z", "description": "Photos.zip email attachment - Xchecked via VT: 247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d", "pattern": "[file:hashes.MD5 = 'c9c69655db4a45686f9dcef0108b49b5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-27T09:41:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5770f4af-9f58-4ffe-a278-4cdc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-27T09:41:03.000Z", "modified": "2016-06-27T09:41:03.000Z", "first_observed": "2016-06-27T09:41:03Z", "last_observed": "2016-06-27T09:41:03Z", "number_observed": 1, "object_refs": [ "url--5770f4af-9f58-4ffe-a278-4cdc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5770f4af-9f58-4ffe-a278-4cdc02de0b81", "value": "https://www.virustotal.com/file/247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d/analysis/1467017028/" } ] }