{ "type": "bundle", "id": "bundle--584a6066-ea54-4894-8e9f-4d6f950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-12T10:48:23.000Z", "modified": "2016-12-12T10:48:23.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--584a6066-ea54-4894-8e9f-4d6f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-12T10:48:23.000Z", "modified": "2016-12-12T10:48:23.000Z", "name": "OSINT - New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key", "published": "2016-12-12T11:10:31Z", "object_refs": [ "observed-data--584a607b-50a8-46d5-b348-467f950d210f", "url--584a607b-50a8-46d5-b348-467f950d210f", "x-misp-attribute--584a608f-74e8-4a52-9211-49be950d210f", "indicator--584a60f6-ab68-4448-88d6-4d3a950d210f", "indicator--584a60f6-4018-46ce-88f3-4b78950d210f", "indicator--584a60f7-1514-40df-9d86-4494950d210f", "indicator--584a60f7-f134-4066-afe2-4bc9950d210f", "indicator--584a60f8-94dc-4a12-89e7-4fba950d210f", "indicator--584a60f8-3a98-4de1-b38a-42b0950d210f", "indicator--584a6119-5538-4879-a2fd-4db0950d210f", "observed-data--584e8000-31e4-4d83-a1cd-42f8950d210f", "url--584e8000-31e4-4d83-a1cd-42f8950d210f", "indicator--584e8077-23fc-4955-951f-4f2102de0b81", "indicator--584e8077-cd94-45f7-9b90-4fcd02de0b81", "observed-data--584e8078-7028-4fe6-baa2-4c1c02de0b81", "url--584e8078-7028-4fe6-baa2-4c1c02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--584a607b-50a8-46d5-b348-467f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:42:51.000Z", "modified": 
"2016-12-09T07:42:51.000Z", "first_observed": "2016-12-09T07:42:51Z", "last_observed": "2016-12-09T07:42:51Z", "number_observed": 1, "object_refs": [ "url--584a607b-50a8-46d5-b348-467f950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--584a607b-50a8-46d5-b348-467f950d210f", "value": "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--584a608f-74e8-4a52-9211-49be950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:43:11.000Z", "modified": "2016-12-09T07:43:11.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victims a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.\r\n\r\nTo make matters worse, there is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key 4 times, the ransomware will start deleting files.\r\n\r\nIt should be noted that this ransomware is not related to the Popcorn Time application that downloads and streams copyrighted movies." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584a60f6-ab68-4448-88d6-4d3a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:44:54.000Z", "modified": "2016-12-09T07:44:54.000Z", "pattern": "[file:name = 'restore_your_files.html']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-09T07:44:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584a60f6-4018-46ce-88f3-4b78950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:44:54.000Z", "modified": "2016-12-09T07:44:54.000Z", "pattern": "[file:name = 'restore_your_files.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-09T07:44:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584a60f7-1514-40df-9d86-4494950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:44:55.000Z", "modified": "2016-12-09T07:44:55.000Z", "pattern": "[file:name = 'popcorn_time.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-09T07:44:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584a60f7-f134-4066-afe2-4bc9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:44:55.000Z", 
"modified": "2016-12-09T07:44:55.000Z", "pattern": "[url:value = 'https://3hnuhydu4pd247qb.onion.to']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-09T07:44:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584a60f8-94dc-4a12-89e7-4fba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:44:56.000Z", "modified": "2016-12-09T07:44:56.000Z", "pattern": "[url:value = 'http://popcorn-time-free.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-09T07:44:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584a60f8-3a98-4de1-b38a-42b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:44:56.000Z", "modified": "2016-12-09T07:44:56.000Z", "pattern": "[file:hashes.SHA256 = 'fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-09T07:44:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584a6119-5538-4879-a2fd-4db0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-09T07:45:29.000Z", "modified": "2016-12-09T07:45:29.000Z", "pattern": "[windows-registry-key:key = 'HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run' AND 
windows-registry-key:values.data = '\\\\\"Popcorn_Time\\\\\" [path_to]\\\\popcorn_time.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-09T07:45:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--584e8000-31e4-4d83-a1cd-42f8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-12T10:46:24.000Z", "modified": "2016-12-12T10:46:24.000Z", "first_observed": "2016-12-12T10:46:24Z", "last_observed": "2016-12-12T10:46:24Z", "number_observed": 1, "object_refs": [ "url--584e8000-31e4-4d83-a1cd-42f8950d210f" ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--584e8000-31e4-4d83-a1cd-42f8950d210f", "value": "https://3hnuhydu4pd247qb.onion" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584e8077-23fc-4955-951f-4f2102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-12T10:48:23.000Z", "modified": "2016-12-12T10:48:23.000Z", "description": "- Xchecked via VT: fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51", "pattern": "[file:hashes.SHA1 = 'bf341c440f6e8a3b1eae49fdc480d488a48778a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-12T10:48:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--584e8077-cd94-45f7-9b90-4fcd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-12T10:48:23.000Z", "modified": 
"2016-12-12T10:48:23.000Z", "description": "- Xchecked via VT: fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51", "pattern": "[file:hashes.MD5 = 'a0fdaf733314a120d9db7617a586f1b4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-12T10:48:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--584e8078-7028-4fe6-baa2-4c1c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-12T10:48:24.000Z", "modified": "2016-12-12T10:48:24.000Z", "first_observed": "2016-12-12T10:48:24Z", "last_observed": "2016-12-12T10:48:24Z", "number_observed": 1, "object_refs": [ "url--584e8078-7028-4fe6-baa2-4c1c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--584e8078-7028-4fe6-baa2-4c1c02de0b81", "value": "https://www.virustotal.com/file/fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51/analysis/1481283166/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }