{ "type": "bundle", "id": "bundle--58e60bd5-6874-4210-9419-533c950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:59:15.000Z", "modified": "2017-04-06T17:59:15.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58e60bd5-6874-4210-9419-533c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:59:15.000Z", "modified": "2017-04-06T17:59:15.000Z", "name": "OSINT - LMAOxUS Ransomware: Another Case of Weaponized Open Source Ransomware", "published": "2017-04-06T17:59:52Z", "object_refs": [ "observed-data--58e60be4-3eb8-438c-b619-4e84950d210f", "url--58e60be4-3eb8-438c-b619-4e84950d210f", "indicator--58e60c30-da20-46db-b6b8-193c950d210f", "indicator--58e60c31-fd58-465b-8df0-193c950d210f", "indicator--58e60c32-f300-43d9-8683-193c950d210f", "indicator--58e60c33-dd44-4b36-902d-193c950d210f", "indicator--58e681bd-b1d4-49f1-bffe-4b7202de0b81", "indicator--58e681be-7efc-4fcc-abb8-48d102de0b81", "observed-data--58e681bf-904c-417e-8181-40bc02de0b81", "url--58e681bf-904c-417e-8181-40bc02de0b81", "indicator--58e681c0-bbc4-4c2f-8d97-483502de0b81", "indicator--58e681c1-e104-4aa3-9692-404a02de0b81", "observed-data--58e681c2-db90-4f5b-b88f-4f6b02de0b81", "url--58e681c2-db90-4f5b-b88f-4f6b02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "malware_classification:malware-category=\"Ransomware\"", "type:OSINT", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e60be4-3eb8-438c-b619-4e84950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:59:15.000Z", "modified": "2017-04-06T17:59:15.000Z", "first_observed": "2017-04-06T17:59:15Z", "last_observed": "2017-04-06T17:59:15Z", "number_observed": 1, "object_refs": [ "url--58e60be4-3eb8-438c-b619-4e84950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e60be4-3eb8-438c-b619-4e84950d210f", "value": "https://www.bleepingcomputer.com/news/security/lmaoxus-ransomware-another-case-of-weaponized-open-source-ransomware/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e60c30-da20-46db-b6b8-193c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:16.000Z", "modified": "2017-04-06T17:58:16.000Z", "description": "Binary for first Stolich", "pattern": "[file:hashes.SHA256 = 'd3a00a1101f2fa37b0b01bbee1b3c7f683ccf27fa224611721a863573d6e99da']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-06T17:58:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e60c31-fd58-465b-8df0-193c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:16.000Z", "modified": "2017-04-06T17:58:16.000Z", "description": "Binary for LMAUxUS binary", "pattern": "[file:hashes.SHA256 = 'd0d16bb28ed263038358db5c1ae784c43d6ea7993118cf390cb2e7a7466969c2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-06T17:58:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e60c32-f300-43d9-8683-193c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:16.000Z", "modified": "2017-04-06T17:58:16.000Z", "description": "Email address used in LMAOxUS ransom note", "pattern": "[email-message:from_ref.value = 'lmfaoxus@safe-mail.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-06T17:58:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e60c33-dd44-4b36-902d-193c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:16.000Z", "modified": "2017-04-06T17:58:16.000Z", "description": "Text-based ransom note", "pattern": "[file:name = 'LMAO_READ_ME.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-06T17:58:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e681bd-b1d4-49f1-bffe-4b7202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:21.000Z", "modified": "2017-04-06T17:58:21.000Z", "description": "Binary for LMAUxUS binary - Xchecked via VT: d0d16bb28ed263038358db5c1ae784c43d6ea7993118cf390cb2e7a7466969c2", "pattern": "[file:hashes.SHA1 = '39691193f80bef53901d1f6589d66e1b35c201fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-06T17:58:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e681be-7efc-4fcc-abb8-48d102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:22.000Z", "modified": "2017-04-06T17:58:22.000Z", "description": "Binary for LMAUxUS binary - Xchecked via VT: d0d16bb28ed263038358db5c1ae784c43d6ea7993118cf390cb2e7a7466969c2", "pattern": "[file:hashes.MD5 = '7083de4397b81eca6d1900133700e89c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-06T17:58:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e681bf-904c-417e-8181-40bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:23.000Z", "modified": "2017-04-06T17:58:23.000Z", "first_observed": "2017-04-06T17:58:23Z", "last_observed": "2017-04-06T17:58:23Z", "number_observed": 1, "object_refs": [ "url--58e681bf-904c-417e-8181-40bc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e681bf-904c-417e-8181-40bc02de0b81", "value": "https://www.virustotal.com/file/d0d16bb28ed263038358db5c1ae784c43d6ea7993118cf390cb2e7a7466969c2/analysis/1490307927/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e681c0-bbc4-4c2f-8d97-483502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:24.000Z", "modified": "2017-04-06T17:58:24.000Z", "description": "Binary for first Stolich - Xchecked via VT: d3a00a1101f2fa37b0b01bbee1b3c7f683ccf27fa224611721a863573d6e99da", "pattern": "[file:hashes.SHA1 = 'ce5d8e0ece4c413757aeb2671e79280d133e30ac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-06T17:58:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e681c1-e104-4aa3-9692-404a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:25.000Z", "modified": "2017-04-06T17:58:25.000Z", "description": "Binary for first Stolich - Xchecked via VT: d3a00a1101f2fa37b0b01bbee1b3c7f683ccf27fa224611721a863573d6e99da", "pattern": "[file:hashes.MD5 = '2de1f14d07370b9867f252c07637ab40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-06T17:58:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e681c2-db90-4f5b-b88f-4f6b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-06T17:58:26.000Z", "modified": "2017-04-06T17:58:26.000Z", "first_observed": "2017-04-06T17:58:26Z", "last_observed": "2017-04-06T17:58:26Z", "number_observed": 1, "object_refs": [ "url--58e681c2-db90-4f5b-b88f-4f6b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "malware_classification:malware-category=\"Ransomware\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e681c2-db90-4f5b-b88f-4f6b02de0b81", "value": "https://www.virustotal.com/file/d3a00a1101f2fa37b0b01bbee1b3c7f683ccf27fa224611721a863573d6e99da/analysis/1491230187/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }