{ "type": "bundle", "id": "bundle--580b201b-3e30-4bb1-ac2e-427202de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:19:03.000Z", "modified": "2016-10-22T08:19:03.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--580b201b-3e30-4bb1-ac2e-427202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:19:03.000Z", "modified": "2016-10-22T08:19:03.000Z", "name": "OSINT - The new .LNK between spam and Locky infection", "published": "2016-10-22T08:22:23Z", "object_refs": [ "x-misp-attribute--580b202f-2940-44d0-ab6c-4eb202de0b81", "observed-data--580b203c-83c4-4298-b23b-42fd02de0b81", "url--580b203c-83c4-4298-b23b-42fd02de0b81", "x-misp-attribute--580b204e-62e0-47ed-9414-4d0d02de0b81", "indicator--580b2072-2bd0-4a88-8f41-4a3702de0b81", "indicator--580b208b-7124-46a8-83f9-411302de0b81", "indicator--580b20b1-6aac-4a6a-8fc1-4d9102de0b81", "indicator--580b20ce-4470-478f-b52a-463702de0b81", "indicator--580b20f7-f558-4ece-ac93-406302de0b81", "indicator--580b20f7-b5c4-4453-b6bf-406a02de0b81", "observed-data--580b20f8-76c8-410f-905e-44ae02de0b81", "url--580b20f8-76c8-410f-905e-44ae02de0b81", "indicator--580b20f8-11e0-4df3-b3ed-42d902de0b81", "indicator--580b20f8-d5f8-4ac9-916e-42be02de0b81", "observed-data--580b20f8-9078-49f7-94bf-4e2502de0b81", "url--580b20f8-9078-49f7-94bf-4e2502de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "dnc:malware-type=\"Ransomware\"", "ecsirt:malicious-code=\"ransomware\"", "enisa:nefarious-activity-abuse=\"ransomware\"", "ms-caro-malware:malware-type=\"Ransom\"", "malware_classification:malware-category=\"Ransomware\"", "veris:action:malware:variety=\"Ransomware\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--580b202f-2940-44d0-ab6c-4eb202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:15:43.000Z", "modified": "2016-10-22T08:15:43.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Just when it seems the Ransom:Win32/Locky activity has slowed down, our continuous monitoring of the ransomware family reveals a new workaround that the authors might be using to keep it going.\r\n\r\nThe decline in Locky activity can be attributed to the slowdown of detections of Nemucod, which Locky uses to infect computers. Nemucod is a .wsf file contained in .zip attachments in spam email (see our Nemucod WSF blog for details). Locky has also been previously distributed by exploit kits and spam email attachments with other extensions such as .js, .hta, etc." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--580b203c-83c4-4298-b23b-42fd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:15:56.000Z", "modified": "2016-10-22T08:15:56.000Z", "first_observed": "2016-10-22T08:15:56Z", "last_observed": "2016-10-22T08:15:56Z", "number_observed": 1, "object_refs": [ "url--580b203c-83c4-4298-b23b-42fd02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--580b203c-83c4-4298-b23b-42fd02de0b81", "value": "https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spam-and-locky-infection/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--580b204e-62e0-47ed-9414-4d0d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:16:14.000Z", "modified": "2016-10-22T08:16:14.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "TrojanDownloader:PowerShell/Ploprolo.A" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580b2072-2bd0-4a88-8f41-4a3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:16:50.000Z", "modified": "2016-10-22T08:16:50.000Z", "description": "Hard coded C&C addresses used", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '93.170.104.126']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-22T08:16:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580b208b-7124-46a8-83f9-411302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:17:15.000Z", "modified": "2016-10-22T08:17:15.000Z", "description": "Hard coded C&C addresses used", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.46.11.73']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-22T08:17:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580b20b1-6aac-4a6a-8fc1-4d9102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:17:53.000Z", "modified": "2016-10-22T08:17:53.000Z", "description": "TrojanDownloader:PowerShell/Ploprolo.A", "pattern": "[file:hashes.SHA1 = '3dcf2f116af0a548e88022baa1f41f61f362ae39']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-22T08:17:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580b20ce-4470-478f-b52a-463702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:18:22.000Z", "modified": "2016-10-22T08:18:22.000Z", "description": "Ransom:Win32/Locky", "pattern": "[file:hashes.SHA1 = 'c1ee00884c0f872767992d5348e4de576935d8da']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-22T08:18:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580b20f7-f558-4ece-ac93-406302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:19:03.000Z", "modified": "2016-10-22T08:19:03.000Z", "description": "TrojanDownloader:PowerShell/Ploprolo.A - Xchecked via VT: 3dcf2f116af0a548e88022baa1f41f61f362ae39", "pattern": "[file:hashes.SHA256 = 'a393cf8d2ec5811d976cff0972069d73a98d33f6d3004b8f11beaf21086ac848']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-22T08:19:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580b20f7-b5c4-4453-b6bf-406a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:19:03.000Z", "modified": "2016-10-22T08:19:03.000Z", "description": "TrojanDownloader:PowerShell/Ploprolo.A - Xchecked via VT: 3dcf2f116af0a548e88022baa1f41f61f362ae39", "pattern": "[file:hashes.MD5 = 'ee0f3310fecae257f1902beabe8b90fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-22T08:19:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--580b20f8-76c8-410f-905e-44ae02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:19:04.000Z", "modified": "2016-10-22T08:19:04.000Z", "first_observed": "2016-10-22T08:19:04Z", "last_observed": "2016-10-22T08:19:04Z", "number_observed": 1, "object_refs": [ "url--580b20f8-76c8-410f-905e-44ae02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--580b20f8-76c8-410f-905e-44ae02de0b81", "value": "https://www.virustotal.com/file/a393cf8d2ec5811d976cff0972069d73a98d33f6d3004b8f11beaf21086ac848/analysis/1477114649/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580b20f8-11e0-4df3-b3ed-42d902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:19:04.000Z", "modified": "2016-10-22T08:19:04.000Z", "description": "Ransom:Win32/Locky - Xchecked via VT: c1ee00884c0f872767992d5348e4de576935d8da", "pattern": "[file:hashes.SHA256 = '7953b0dbd410a2e216b45671be48a48f472e74fb1a8049afdacaade02e63709b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-22T08:19:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--580b20f8-d5f8-4ac9-916e-42be02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:19:04.000Z", "modified": "2016-10-22T08:19:04.000Z", "description": "Ransom:Win32/Locky - Xchecked via VT: c1ee00884c0f872767992d5348e4de576935d8da", "pattern": "[file:hashes.MD5 = '6f582adb2226db03b8ce9822a0d1b1e8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-10-22T08:19:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--580b20f8-9078-49f7-94bf-4e2502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-10-22T08:19:04.000Z", "modified": "2016-10-22T08:19:04.000Z", "first_observed": "2016-10-22T08:19:04Z", "last_observed": "2016-10-22T08:19:04Z", "number_observed": 1, "object_refs": [ "url--580b20f8-9078-49f7-94bf-4e2502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--580b20f8-9078-49f7-94bf-4e2502de0b81", "value": "https://www.virustotal.com/file/7953b0dbd410a2e216b45671be48a48f472e74fb1a8049afdacaade02e63709b/analysis/1476852064/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }