{ "type": "bundle", "id": "bundle--57c4445b-c548-4654-af0b-4be3950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-30T07:10:11.000Z", "modified": "2016-08-30T07:10:11.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57c4445b-c548-4654-af0b-4be3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-30T07:10:11.000Z", "modified": "2016-08-30T07:10:11.000Z", "name": "Ransomware - Xorist", "published": "2016-08-30T09:10:31Z", "object_refs": [ "indicator--57c4448a-bef0-4ba7-a071-444e950d210f", "indicator--57c4448a-fb04-457d-87e7-4127950d210f", "indicator--57c4448b-454c-4d17-90d1-4d2f950d210f", "indicator--57c4448b-3fa4-4d65-9ccc-4afa950d210f", "x-misp-attribute--57c444c0-8004-48fa-9c33-8aca950d210f", "x-misp-attribute--57c44648-96f4-45d4-a8eb-453e950d210f", "observed-data--57c5300c-0560-4146-bfaa-40e802de0b81", "url--57c5300c-0560-4146-bfaa-40e802de0b81", "observed-data--57c5310b-dc34-43cb-8b8e-4846950d210f", "url--57c5310b-dc34-43cb-8b8e-4846950d210f", "indicator--57c54b0f-27a4-458b-8e63-4455950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:incident-classification=\"malware\"", "ms-caro-malware:malware-type=\"Ransom\"", "malware_classification:malware-category=\"Ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4448a-bef0-4ba7-a071-444e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T14:19:54.000Z", "modified": "2016-08-29T14:19:54.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '77b0c41b7d340b8a3d903f21347bbf06aa766b5b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T14:19:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4448a-fb04-457d-87e7-4127950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T14:19:54.000Z", "modified": "2016-08-29T14:19:54.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:name = '3Z4wnG9603it23y.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T14:19:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4448b-454c-4d17-90d1-4d2f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T14:19:55.000Z", "modified": "2016-08-29T14:19:55.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.MD5 = '0749bae92ca336a02c83d126e04ec628']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T14:19:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4448b-3fa4-4d65-9ccc-4afa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T14:19:55.000Z", "modified": "2016-08-29T14:19:55.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA256 = 'b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T14:19:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57c444c0-8004-48fa-9c33-8aca950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T14:20:48.000Z", "modified": "2016-08-29T14:20:48.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_type": "comment", "x_misp_value": "UPX packed" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57c44648-96f4-45d4-a8eb-453e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T14:27:20.000Z", "modified": "2016-08-29T14:27:20.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_type": "text", "x_misp_value": "Key: 85350044dF4AC3518D185678A9414A7F,\r\nEncryption rounds:8,\r\nStart offset: 64,\r\nAlgorithm: TEA" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c5300c-0560-4146-bfaa-40e802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-30T07:04:44.000Z", "modified": "2016-08-30T07:04:44.000Z", "first_observed": "2016-08-30T07:04:44Z", "last_observed": "2016-08-30T07:04:44Z", "number_observed": 1, "object_refs": [ "url--57c5300c-0560-4146-bfaa-40e802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c5300c-0560-4146-bfaa-40e802de0b81", "value": "https://www.virustotal.com/file/b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68/analysis/1469554268/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c5310b-dc34-43cb-8b8e-4846950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-30T07:10:11.000Z", "modified": "2016-08-30T07:10:11.000Z", "first_observed": "2016-08-30T07:10:11Z", "last_observed": "2016-08-30T07:10:11Z", "number_observed": 1, "object_refs": [ "url--57c5310b-dc34-43cb-8b8e-4846950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c5310b-dc34-43cb-8b8e-4846950d210f", "value": "http://www.xylibox.com/2011/06/have-fun-with-trojan-ransomwin32xorist.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c54b0f-27a4-458b-8e63-4455950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-30T08:59:59.000Z", "modified": "2016-08-30T08:59:59.000Z", "pattern": "[windows-registry-key:key = 'Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run' AND windows-registry-key:values.data = '\\\\%TEMP\\\\%\\\\3Z4wnG9603it23y.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-30T08:59:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }