{ "type": "bundle", "id": "bundle--5915b22e-c3e8-4f13-9449-7f3fc0a80a8e", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2020-05-01T13:10:17.000Z", "modified": "2020-05-01T13:10:17.000Z", "name": "INCIBE", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5915b22e-c3e8-4f13-9449-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2020-05-01T13:10:17.000Z", "modified": "2020-05-01T13:10:17.000Z", "name": "Ransomware spreading through SMB attacking multiple companies", "published": "2020-10-10T09:07:21Z", "object_refs": [ "observed-data--5915b3c2-fcc0-49fb-be03-7ed3c0a80a8e", "url--5915b3c2-fcc0-49fb-be03-7ed3c0a80a8e", "observed-data--5915b3e4-5928-485f-9795-565fc0a80a8e", "url--5915b3e4-5928-485f-9795-565fc0a80a8e", "x-misp-attribute--5915b926-baf4-4bc1-b930-7f3ec0a80a8e", "indicator--5915b282-0bb4-4057-ab3a-7ed3c0a80a8e", "indicator--5915b30b-6f00-433e-9c26-7f3fc0a80a8e", "indicator--5915b282-b5a4-448f-ba81-7ed3c0a80a8e", "indicator--5915b30b-b388-4106-b603-7f3fc0a80a8e", "indicator--5915b282-27a8-4aa2-b550-7ed3c0a80a8e", "indicator--5915b2f7-7298-4fa9-af0b-557ec0a80a8e", "indicator--5915b30c-5670-438a-81ad-7f3fc0a80a8e", "indicator--5915b33e-bf0c-49c0-bdf9-5582c0a80a8e", "indicator--59164ac8-180c-419c-bf20-0387c0a80a8e", "observed-data--59164b00-ea34-4a56-b2e3-7f3ec0a80a8e", "url--59164b00-ea34-4a56-b2e3-7f3ec0a80a8e", "indicator--59164b98-41d4-4fa5-85d4-7f3fc0a80a8e", "indicator--59164b98-4350-4c3e-a5a2-7f3fc0a80a8e", "indicator--59164b99-5768-454a-b81b-7f3fc0a80a8e", "indicator--59164b99-d354-4572-8500-7f3fc0a80a8e", "indicator--59164b99-d7f0-4703-87c8-7f3fc0a80a8e", "indicator--5917867d-0130-4055-b361-43f4c0a80a8e", "indicator--5917867d-caf8-4e4c-8b5d-43f4c0a80a8e", "indicator--5917867d-1fac-4084-bb8b-43f4c0a80a8e", "indicator--5917867d-ad24-4b97-a77a-43f4c0a80a8e", 
"indicator--5917867d-8cb8-4905-93f0-43f4c0a80a8e", "indicator--5917867e-db5c-4ca5-8aa8-43f4c0a80a8e", "indicator--5917867e-b8b4-456a-9098-43f4c0a80a8e", "indicator--5917867e-9c90-4715-ae88-43f4c0a80a8e", "indicator--5917867e-4b3c-47f8-978a-43f4c0a80a8e", "observed-data--5917867e-bf70-410e-a68c-43f4c0a80a8e", "file--5917867e-bf70-410e-a68c-43f4c0a80a8e", "indicator--5917867e-6ebc-425a-beae-43f4c0a80a8e", "indicator--5917867e-6488-42f1-abb6-43f4c0a80a8e", "indicator--5917867e-8648-438d-9087-43f4c0a80a8e", "indicator--5917867e-ad3c-48eb-afa9-43f4c0a80a8e", "indicator--5917867e-72fc-4114-b3f2-43f4c0a80a8e", "indicator--5917867d-791c-4fd8-a73e-43f4c0a80a8e", "indicator--591785a7-9470-43b7-acbe-43f2c0a80a8e", "indicator--591785a7-f5a4-4f64-bfb0-43f2c0a80a8e", "indicator--5917858e-99d8-458d-96cb-43f2c0a80a8e", "indicator--5917858f-5e10-4534-b16f-43f2c0a80a8e", "indicator--5917858f-9c64-47de-8999-43f2c0a80a8e", "indicator--5917858f-c9d4-4db1-9950-43f2c0a80a8e", "indicator--5917858f-e220-4492-a1e2-43f2c0a80a8e", "indicator--59178590-2db8-432a-8ca9-43f2c0a80a8e", "indicator--59178590-10a8-4cc1-927b-43f2c0a80a8e", "indicator--59178590-80e0-4c92-a255-43f2c0a80a8e", "indicator--59178590-b68c-4f8c-8b10-43f2c0a80a8e", "indicator--59178590-2638-4f4e-b40e-43f2c0a80a8e", "indicator--59178590-f04c-46b6-97db-43f2c0a80a8e", "indicator--59178590-7ea0-4bfa-abb8-43f2c0a80a8e", "indicator--59178590-8f04-4e97-80dd-43f2c0a80a8e", "indicator--5917859e-0ed0-4445-be26-43f2c0a80a8e", "indicator--5917859e-0268-488a-afa9-43f2c0a80a8e", "indicator--5917859e-f96c-4d4b-b388-43f2c0a80a8e", "indicator--5917859e-21c8-4d66-92c2-43f2c0a80a8e", "indicator--5917859e-3e7c-4c80-ae7b-43f2c0a80a8e", "indicator--5917859e-5aa8-455e-8ebc-43f2c0a80a8e", "indicator--5917859e-96a0-47c6-8a1b-43f2c0a80a8e", "indicator--591785a7-0430-4db2-9490-43f2c0a80a8e", "indicator--591785a7-da0c-494e-b6da-43f2c0a80a8e", "indicator--591785a7-9514-44a9-8dbb-43f2c0a80a8e", "indicator--591785a7-ed1c-4e2b-945d-43f2c0a80a8e", 
"indicator--591785a7-22a8-42e2-be59-43f2c0a80a8e", "indicator--5918532e-a4a0-4e26-b64e-32f8c0a80a8e", "observed-data--591854fd-1594-4719-9c4d-32fac0a80a8e", "domain-name--591854fd-1594-4719-9c4d-32fac0a80a8e", "observed-data--591854fe-ad74-44ca-a8e1-32fac0a80a8e", "domain-name--591854fe-ad74-44ca-a8e1-32fac0a80a8e", "indicator--5918563e-ba80-4fb7-a058-32fbc0a80a8e", "indicator--5918b327-f48c-44b9-8dc7-32fac0a80a8e", "indicator--5918b47c-1e74-46be-b9a8-32f8c0a80a8e", "indicator--5918bb4a-68a8-4ddc-a39d-5dccc0a80a8e", "indicator--59198616-f304-4e1a-9bab-3a1dc0a80a8e", "observed-data--591c5c09-ffd8-410e-9347-30b5c0a80a8e", "domain-name--591c5c09-ffd8-410e-9347-30b5c0a80a8e", "observed-data--591c5c09-71b4-486b-99ca-30b5c0a80a8e", "domain-name--591c5c09-71b4-486b-99ca-30b5c0a80a8e", "observed-data--591c5c0a-d954-4b78-b7fe-30b5c0a80a8e", "domain-name--591c5c0a-d954-4b78-b7fe-30b5c0a80a8e", "observed-data--591c6c3c-d80c-4ccc-8138-30b6c0a80a8e", "domain-name--591c6c3c-d80c-4ccc-8138-30b6c0a80a8e", "indicator--5c49aed0-fff8-43b4-9172-0ad30a646538", "indicator--5c49aedf-b310-40b5-ba84-0ac40a646538", "indicator--5c49aef1-9c60-4202-8c5a-0b040a646538", "indicator--5c49af06-a53c-496e-83a1-0a740a646538", "indicator--5c49af19-a7c0-4985-8408-0b040a646538", "indicator--5c49af2e-4268-4f6c-8e7e-0a740a646538", "indicator--5c49af3e-6cec-4a29-ac04-0a730a646538", "indicator--5c49af4e-4038-4f74-ba91-0aec0a646538" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "malware_classification:malware-category=\"Ransomware\"", "circl:incident-classification=\"vulnerability\"", "misp-galaxy:ransomware=\"WannaCry\"", "Trj=Doublepulsar", "misp-galaxy:tool=\"ETERNALBLUE\"", "Symantec" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5915b3c2-fcc0-49fb-be03-7ed3c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": 
"2020-04-28T14:29:07.000Z", "modified": "2020-04-28T14:29:07.000Z", "first_observed": "2020-04-28T14:29:07Z", "last_observed": "2020-04-28T14:29:07Z", "number_observed": 1, "object_refs": [ "url--5915b3c2-fcc0-49fb-be03-7ed3c0a80a8e" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5915b3c2-fcc0-49fb-be03-7ed3c0a80a8e", "value": "https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5915b3e4-5928-485f-9795-565fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2020-04-28T14:28:59.000Z", "modified": "2020-04-28T14:28:59.000Z", "first_observed": "2020-04-28T14:28:59Z", "last_observed": "2020-04-28T14:28:59Z", "number_observed": 1, "object_refs": [ "url--5915b3e4-5928-485f-9795-565fc0a80a8e" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5915b3e4-5928-485f-9795-565fc0a80a8e", "value": "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5915b926-baf4-4bc1-b930-7f3ec0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T00:10:06.000Z", "modified": "2017-05-13T00:10:06.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Network activity\"" ], "x_misp_category": "Network activity", "x_misp_type": "comment", "x_misp_value": "Performs connections to tor network" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5915b282-0bb4-4057-ab3a-7ed3c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:31.000Z", "modified": "2017-06-09T13:01:31.000Z", 
"description": "taskdl.exe", "pattern": "[file:hashes.MD5 = '4fef5e34143e646dbf9907c4374276f5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5915b30b-6f00-433e-9c26-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:27.000Z", "modified": "2017-06-09T13:01:27.000Z", "description": "taskse.exe", "pattern": "[file:hashes.MD5 = '8495400f199ac77853c53b5a3f278f3e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5915b282-b5a4-448f-ba81-7ed3c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2020-05-01T13:10:17.000Z", "modified": "2020-05-01T13:10:17.000Z", "description": "taskdl.exe", "pattern": "[file:hashes.SHA1 = '47a9ad4125b6bd7c55e4e7da251e23f089407b8f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-05-01T13:10:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5915b30b-b388-4106-b603-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:46.000Z", "modified": "2017-06-09T13:01:46.000Z", "description": "taskse.exe", "pattern": "[file:hashes.SHA1 = 
'be5d6279874da315e3080b06083757aad9b32c23']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5915b282-27a8-4aa2-b550-7ed3c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:54.000Z", "modified": "2017-06-09T13:01:54.000Z", "description": "taskdl.exe", "pattern": "[file:hashes.SHA256 = '4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5915b2f7-7298-4fa9-af0b-557ec0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:58.000Z", "modified": "2017-06-09T13:01:58.000Z", "description": "wannacry.exe", "pattern": "[file:hashes.SHA256 = 'ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5915b30c-5670-438a-81ad-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:01.000Z", "modified": "2017-06-09T13:02:01.000Z", "description": "taskse.exe", "pattern": "[file:hashes.SHA256 = 
'2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5915b33e-bf0c-49c0-bdf9-5582c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:06.000Z", "modified": "2017-06-09T13:02:06.000Z", "description": "u.wnry", "pattern": "[file:hashes.SHA256 = 'b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59164ac8-180c-419c-bf20-0387c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-12T23:52:40.000Z", "modified": "2017-05-12T23:52:40.000Z", "description": "https://twitter.com/gN3mes1s/status/863149075159543808", "pattern": "[mutex:name = 'MsWinZonesCacheCounterMutexA']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-12T23:52:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"mutex\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59164b00-ea34-4a56-b2e3-7f3ec0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2020-04-28T14:29:05.000Z", "modified": "2020-04-28T14:29:05.000Z", "first_observed": "2020-04-28T14:29:05Z", 
"last_observed": "2020-04-28T14:29:05Z", "number_observed": 1, "object_refs": [ "url--59164b00-ea34-4a56-b2e3-7f3ec0a80a8e" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59164b00-ea34-4a56-b2e3-7f3ec0a80a8e", "value": "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59164b98-41d4-4fa5-85d4-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:00:57.000Z", "modified": "2017-06-09T13:00:57.000Z", "description": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113", "pattern": "[domain-name:value = 'gx7ekbenv2riucmf.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:00:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59164b98-4350-4c3e-a5a2-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:00.000Z", "modified": "2017-06-09T13:01:00.000Z", "description": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113", "pattern": "[domain-name:value = '57g7spgrzlojinas.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59164b99-5768-454a-b81b-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:05.000Z", "modified": 
"2017-06-09T13:01:05.000Z", "description": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113", "pattern": "[domain-name:value = 'xxlvbrloxvriy2c5.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59164b99-d354-4572-8500-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:09.000Z", "modified": "2017-06-09T13:01:09.000Z", "description": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113", "pattern": "[domain-name:value = '76jdd2ir2embyv47.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59164b99-d7f0-4703-87c8-7f3fc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:12.000Z", "modified": "2017-06-09T13:01:12.000Z", "description": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113", "pattern": "[domain-name:value = 'cwwnhwhlz52maqm7.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867d-0130-4055-b361-43f4c0a80a8e", "created_by_ref": 
"identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:41.000Z", "modified": "2017-05-13T22:19:41.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '176641494574290.bat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867d-caf8-4e4c-8b5d-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:41.000Z", "modified": "2017-05-13T22:19:41.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '@Please_Read_Me@.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867d-1fac-4084-bb8b-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:41.000Z", "modified": "2017-05-13T22:19:41.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '@WanaDecryptor@.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867d-ad24-4b97-a77a-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:41.000Z", "modified": "2017-05-13T22:19:41.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '@WanaDecryptor@.exe.lnk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867d-8cb8-4905-93f0-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:41.000Z", "modified": "2017-05-13T22:19:41.000Z", "description": "(Older variant) - https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = 'Please Read Me!.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-db5c-4ca5-8aa8-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:01:17.000Z", "modified": "2017-06-09T13:01:17.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\tasksche.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:01:17Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-b8b4-456a-9098-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\qeriuwjhrf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-9c90-4715-ae88-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '131181494299235.bat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-4b3c-47f8-978a-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '217201494590800.bat']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5917867e-bf70-410e-a68c-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "first_observed": "2017-05-13T22:19:42Z", "last_observed": "2017-05-13T22:19:42Z", "number_observed": 1, "object_refs": [ "file--5917867e-bf70-410e-a68c-43f4c0a80a8e" ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5917867e-bf70-410e-a68c-43f4c0a80a8e", "name": "[0-9]{15}.bat" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-6ebc-425a-beae-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '!WannaDecryptor!.exe.lnk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-6488-42f1-abb6-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", 
"pattern": "[file:name = '00000000.pky']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-8648-438d-9087-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '00000000.eky']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-ad3c-48eb-afa9-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '00000000.res']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867e-72fc-4114-b3f2-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:42.000Z", "modified": "2017-05-13T22:19:42.000Z", "description": 
"https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\system32\\\\taskdl.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917867d-791c-4fd8-a73e-43f4c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:19:41.000Z", "modified": "2017-05-13T22:19:41.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.MD5 = 'fefe6b30d0819f1a1775e14730a10e0e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:19:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--591785a7-9470-43b7-acbe-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:16:07.000Z", "modified": "2017-05-13T22:16:07.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--591785a7-f5a4-4f64-bfb0-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:16:07.000Z", "modified": "2017-05-13T22:16:07.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '3f3a9dde96ec4107f67b0559b4e95f5f1bca1ec6cb204bfe5fea0230845e8301']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917858e-99d8-458d-96cb-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:42.000Z", "modified": "2017-05-13T22:15:42.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:15:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917858f-5e10-4534-b16f-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:43.000Z", "modified": "2017-05-13T22:15:43.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2017-05-13T22:15:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917858f-9c64-47de-8999-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:14.000Z", "modified": "2017-06-09T13:02:14.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917858f-c9d4-4db1-9950-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:11.000Z", "modified": "2017-06-09T13:02:11.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917858f-e220-4492-a1e2-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:43.000Z", "modified": "2017-05-13T22:15:43.000Z", 
"description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'aae9536875784fe6e55357900519f97fee0a56d6780860779a36f06765243d56']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:15:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59178590-2db8-432a-8ca9-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:44.000Z", "modified": "2017-05-13T22:15:44.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '21ed253b796f63b9e95b4e426a82303dfac5bf8062bfe669995bde2208b360fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:15:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59178590-10a8-4cc1-927b-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:44.000Z", "modified": "2017-05-13T22:15:44.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '2372862afaa8e8720bc46f93cb27a9b12646a7cbc952cc732b8f5df7aebb2450']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:15:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59178590-80e0-4c92-a255-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:19.000Z", "modified": "2017-06-09T13:02:19.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59178590-b68c-4f8c-8b10-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:23.000Z", "modified": "2017-06-09T13:02:23.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59178590-2638-4f4e-b40e-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:26.000Z", "modified": "2017-06-09T13:02:26.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 
'4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59178590-f04c-46b6-97db-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:29.000Z", "modified": "2017-06-09T13:02:29.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59178590-7ea0-4bfa-abb8-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:32.000Z", "modified": "2017-06-09T13:02:32.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59178590-8f04-4e97-80dd-43f2c0a80a8e", "created_by_ref": 
"identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:34.000Z", "modified": "2017-06-09T13:02:34.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917859e-0ed0-4445-be26-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:58.000Z", "modified": "2017-05-13T22:15:58.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:15:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917859e-0268-488a-afa9-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:58.000Z", "modified": "2017-05-13T22:15:58.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:15:58Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917859e-f96c-4d4b-b388-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:58.000Z", "modified": "2017-05-13T22:15:58.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:15:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917859e-21c8-4d66-92c2-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:43.000Z", "modified": "2017-06-09T13:02:43.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917859e-3e7c-4c80-ae7b-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:15:58.000Z", "modified": "2017-05-13T22:15:58.000Z", "description": 
"https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:15:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917859e-5aa8-455e-8ebc-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:45.000Z", "modified": "2017-06-09T13:02:45.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5917859e-96a0-47c6-8a1b-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:48.000Z", "modified": "2017-06-09T13:02:48.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--591785a7-0430-4db2-9490-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:16:07.000Z", "modified": "2017-05-13T22:16:07.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 'f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--591785a7-da0c-494e-b6da-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:16:07.000Z", "modified": "2017-05-13T22:16:07.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--591785a7-9514-44a9-8dbb-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:16:07.000Z", "modified": "2017-05-13T22:16:07.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = 
'9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--591785a7-ed1c-4e2b-945d-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-06-09T13:02:52.000Z", "modified": "2017-06-09T13:02:52.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-09T13:02:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--591785a7-22a8-42e2-be59-43f2c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-13T22:16:07.000Z", "modified": "2017-05-13T22:16:07.000Z", "description": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/", "pattern": "[file:hashes.SHA256 = '12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-13T22:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918532e-a4a0-4e26-b64e-32f8c0a80a8e", "created_by_ref": 
"identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-14T12:53:02.000Z", "modified": "2017-05-14T12:53:02.000Z", "description": "https://github.com/felmoltor/rules/blob/master/malware/malw_ms17-010_wannacrypt.yar", "pattern": "[/*\r\n This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\r\n\r\n*/\r\n\r\nimport \"pe\"\r\n\r\nrule MS17_010_WanaCry_worm {\r\n\tmeta:\r\n\t\tdescription = \"Worm exploiting MS17-010 and dropping WannaCry Ransomware\"\r\n\t\tauthor = \"Felipe Molina (@felmoltor)\"\r\n\t\treference = \"https://www.exploit-db.com/exploits/41987/\"\r\n\t\tdate = \"2017/05/12\"\r\n\tstrings:\r\n\t\t$ms17010_str1=\"PC NETWORK PROGRAM 1.0\"\r\n\t\t$ms17010_str2=\"LANMAN1.0\"\r\n\t\t$ms17010_str3=\"Windows for Workgroups 3.1a\"\r\n\t\t$ms17010_str4=\"__TREEID__PLACEHOLDER__\"\r\n\t\t$ms17010_str5=\"__USERID__PLACEHOLDER__\"\r\n\t\t$wannacry_payload_substr1 = \"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j\"\r\n\t\t$wannacry_payload_substr2 = \"h54WfF9cGigWFEx92bzmOd0UOaZlM\"\r\n\t\t$wannacry_payload_substr3 = \"tpGFEoLOU6+5I78Toh/nHs/RAP\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2017-05-14T12:53:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--591854fd-1594-4719-9c4d-32fac0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-17T14:22:35.000Z", "modified": "2017-05-17T14:22:35.000Z", "first_observed": "2017-05-17T14:22:35Z", "last_observed": "2017-05-17T14:22:35Z", "number_observed": 1, "object_refs": [ "domain-name--591854fd-1594-4719-9c4d-32fac0a80a8e" ], "labels": [ "misp:type=\"hostname\"", 
"misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--591854fd-1594-4719-9c4d-32fac0a80a8e", "value": "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--591854fe-ad74-44ca-a8e1-32fac0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-17T14:21:51.000Z", "modified": "2017-05-17T14:21:51.000Z", "first_observed": "2017-05-17T14:21:51Z", "last_observed": "2017-05-17T14:21:51Z", "number_observed": 1, "object_refs": [ "domain-name--591854fe-ad74-44ca-a8e1-32fac0a80a8e" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--591854fe-ad74-44ca-a8e1-32fac0a80a8e", "value": "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918563e-ba80-4fb7-a058-32fbc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-14T13:06:06.000Z", "modified": "2017-05-14T13:06:06.000Z", "description": "https://blog.fox-it.com/2017/05/13/faq-on-the-wanacry-ransomware-outbreak/", "pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\\\\' AND windows-registry-key:values.data = '\\\\tasksche.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-14T13:06:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918b327-f48c-44b9-8dc7-32fac0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-14T19:42:31.000Z", "modified": "2017-05-14T19:42:31.000Z", "description": 
"ifferfsod\u2026 variant", "pattern": "[file:hashes.SHA256 = '32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-14T19:42:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918b47c-1e74-46be-b9a8-32f8c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-14T19:48:12.000Z", "modified": "2017-05-14T19:48:12.000Z", "description": "Worm-only variant detected by Kaspersky (encryptor is broken) - https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", "pattern": "[file:hashes.SHA256 = '07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-14T19:48:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918bb4a-68a8-4ddc-a39d-5dccc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-14T20:17:14.000Z", "modified": "2017-05-14T20:17:14.000Z", "description": "Stage2 dropped by worm-only variant - https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", "pattern": "[file:hashes.SHA256 = '2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-14T20:17:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59198616-f304-4e1a-9bab-3a1dc0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-15T10:42:30.000Z", "modified": "2017-05-15T10:42:30.000Z", "description": "diskpart.exe", "pattern": "[file:hashes.SHA256 = '55454390f7be33ab5c11b5e0683800dd9a892ce136f1962b0989526fff5592d5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-15T10:42:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--591c5c09-ffd8-410e-9347-30b5c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-17T14:19:53.000Z", "modified": "2017-05-17T14:19:53.000Z", "first_observed": "2017-05-17T14:19:53Z", "last_observed": "2017-05-17T14:19:53Z", "number_observed": 1, "object_refs": [ "domain-name--591c5c09-ffd8-410e-9347-30b5c0a80a8e" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--591c5c09-ffd8-410e-9347-30b5c0a80a8e", "value": "www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--591c5c09-71b4-486b-99ca-30b5c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-17T14:19:53.000Z", "modified": "2017-05-17T14:19:53.000Z", "first_observed": "2017-05-17T14:19:53Z", "last_observed": "2017-05-17T14:19:53Z", "number_observed": 1, "object_refs": [ "domain-name--591c5c09-71b4-486b-99ca-30b5c0a80a8e" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": 
"domain-name--591c5c09-71b4-486b-99ca-30b5c0a80a8e", "value": "www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--591c5c0a-d954-4b78-b7fe-30b5c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-17T14:19:54.000Z", "modified": "2017-05-17T14:19:54.000Z", "first_observed": "2017-05-17T14:19:54Z", "last_observed": "2017-05-17T14:19:54Z", "number_observed": 1, "object_refs": [ "domain-name--591c5c0a-d954-4b78-b7fe-30b5c0a80a8e" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--591c5c0a-d954-4b78-b7fe-30b5c0a80a8e", "value": "www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--591c6c3c-d80c-4ccc-8138-30b6c0a80a8e", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2017-05-17T15:29:00.000Z", "modified": "2017-05-17T15:29:00.000Z", "first_observed": "2017-05-17T15:29:00Z", "last_observed": "2017-05-17T15:29:00Z", "number_observed": 1, "object_refs": [ "domain-name--591c6c3c-d80c-4ccc-8138-30b6c0a80a8e" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--591c6c3c-d80c-4ccc-8138-30b6c0a80a8e", "value": "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49aed0-fff8-43b4-9172-0ad30a646538", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2019-01-24T12:25:52.000Z", "modified": "2019-01-24T12:25:52.000Z", "description": "Yara rule Wanna_Cry_Ransomware_Generic", "pattern": "[rule Wanna_Cry_Ransomware_Generic {\r\n meta:\r\n description = \"Detects WannaCry Ransomware on disk and in virtual page\"\r\n author = \"US-CERT Code Analysis Team\"\r\n reference = \"not 
set\" \r\n date = \"2017/05/12\"\r\n hash0 = \"4DA1F312A214C07143ABEEAFB695D904\"\r\n \r\n strings:\r\n $s0 = {410044004D0049004E0024}\r\n $s1 = \"WannaDecryptor\"\r\n $s2 = \"WANNACRY\"\r\n $s3 = \"Microsoft Enhanced RSA and AES Cryptographic\"\r\n $s4 = \"PKS\"\r\n $s5 = \"StartTask\"\r\n $s6 = \"wcry@123\"\r\n $s7 = {2F6600002F72}\r\n $s8 = \"unzip 0.15 Copyrigh\"\r\n\r\n condition:\r\n $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-01-24T12:25:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload installation\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49aedf-b310-40b5-ba84-0ac40a646538", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2019-01-24T12:26:07.000Z", "modified": "2019-01-24T12:26:07.000Z", "description": "Yara rule MS17_010_WanaCry_worm", "pattern": "[rule MS17_010_WanaCry_worm {\r\n meta:\r\n description = \"Worm exploiting MS17-010 and dropping WannaCry Ransomware\"\r\n author = \"Felipe Molina (@felmoltor)\"\r\n reference = \"https://www.exploit-db.com/exploits/41987/\"\r\n date = \"2017/05/12\"\r\n\r\n strings:\r\n $ms17010_str1=\"PC NETWORK PROGRAM 1.0\"\r\n $ms17010_str2=\"LANMAN1.0\"\r\n $ms17010_str3=\"Windows for Workgroups 3.1a\"\r\n $ms17010_str4=\"__TREEID__PLACEHOLDER__\"\r\n $ms17010_str5=\"__USERID__PLACEHOLDER__\"\r\n $wannacry_payload_substr1 = \"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j\"\r\n $wannacry_payload_substr2 = \"h54WfF9cGigWFEx92bzmOd0UOaZlM\"\r\n $wannacry_payload_substr3 = \"tpGFEoLOU6+5I78Toh/nHs/RAP\"\r\n\r\n condition:\r\n all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-01-24T12:26:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", 
"misp:category=\"Payload installation\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49aef1-9c60-4202-8c5a-0b040a646538", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2019-01-24T12:26:25.000Z", "modified": "2019-01-24T12:26:25.000Z", "description": "Yara rule wannacry_1 : ransom", "pattern": "[rule wannacry_1 : ransom\r\n{\r\n meta:\r\n author = \"Joshua Cannell\"\r\n description = \"WannaCry Ransomware strings\"\r\n weight = 100\r\n date = \"2017-05-12\"\r\n \r\n strings:\r\n $s1 = \"Ooops, your files have been encrypted!\" wide ascii nocase\r\n $s2 = \"Wanna Decryptor\" wide ascii nocase\r\n $s3 = \".wcry\" wide ascii nocase\r\n $s4 = \"WANNACRY\" wide ascii nocase\r\n $s5 = \"WANACRY!\" wide ascii nocase\r\n $s7 = \"icacls . /grant Everyone:F /T /C /Q\" wide ascii nocase\r\n \r\n condition:\r\n any of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-01-24T12:26:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload installation\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49af06-a53c-496e-83a1-0a740a646538", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2019-01-24T12:26:46.000Z", "modified": "2019-01-24T12:26:46.000Z", "description": "Yara rule wannacry_2", "pattern": "[rule wannacry_2\r\n{\r\n meta:\r\n author = \"Harold Ogden\"\r\n description = \"WannaCry Ransomware Strings\"\r\n date = \"2017-05-12\"\r\n weight = 100\r\n\r\n strings:\r\n $string1 = \"msg/m_bulgarian.wnry\"\r\n $string2 = \"msg/m_chinese (simplified).wnry\"\r\n $string3 = \"msg/m_chinese (traditional).wnry\"\r\n $string4 = \"msg/m_croatian.wnry\"\r\n $string5 = \"msg/m_czech.wnry\"\r\n $string6 = \"msg/m_danish.wnry\"\r\n $string7 = \"msg/m_dutch.wnry\"\r\n $string8 = \"msg/m_english.wnry\"\r\n $string9 = 
\"msg/m_filipino.wnry\"\r\n $string10 = \"msg/m_finnish.wnry\"\r\n $string11 = \"msg/m_french.wnry\"\r\n $string12 = \"msg/m_german.wnry\"\r\n $string13 = \"msg/m_greek.wnry\"\r\n $string14 = \"msg/m_indonesian.wnry\"\r\n $string15 = \"msg/m_italian.wnry\"\r\n $string16 = \"msg/m_japanese.wnry\"\r\n $string17 = \"msg/m_korean.wnry\"\r\n $string18 = \"msg/m_latvian.wnry\"\r\n $string19 = \"msg/m_norwegian.wnry\"\r\n $string20 = \"msg/m_polish.wnry\"\r\n $string21 = \"msg/m_portuguese.wnry\"\r\n $string22 = \"msg/m_romanian.wnry\"\r\n $string23 = \"msg/m_russian.wnry\"\r\n $string24 = \"msg/m_slovak.wnry\"\r\n $string25 = \"msg/m_spanish.wnry\"\r\n $string26 = \"msg/m_swedish.wnry\"\r\n $string27 = \"msg/m_turkish.wnry\"\r\n $string28 = \"msg/m_vietnamese.wnry\"\r\n\r\n condition:\r\n any of ($string*)\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-01-24T12:26:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload installation\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49af19-a7c0-4985-8408-0b040a646538", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2019-01-24T12:27:05.000Z", "modified": "2019-01-24T12:27:05.000Z", "description": "Yara rule WannaDecryptor: WannaDecryptor", "pattern": "[rule WannaDecryptor: WannaDecryptor\r\n{\r\n meta:\r\n description = \"Detection for common strings of WannaDecryptor\"\r\n\r\n strings:\r\n $id1 = \"taskdl.exe\"\r\n $id2 = \"taskse.exe\"\r\n $id3 = \"r.wnry\"\r\n $id4 = \"s.wnry\"\r\n $id5 = \"t.wnry\"\r\n $id6 = \"u.wnry\"\r\n $id7 = \"msg/m_\"\r\n\r\n condition:\r\n 3 of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-01-24T12:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", 
"misp:category=\"Payload installation\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49af2e-4268-4f6c-8e7e-0a740a646538", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2019-01-24T12:27:26.000Z", "modified": "2019-01-24T12:27:26.000Z", "description": "Yara rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549", "pattern": "[rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549\r\n{\r\n meta:\r\n description = \"Specific sample match for WannaCryptor\"\r\n MD5 = \"84c82835a5d21bbcf75a61706d8ab549\"\r\n SHA1 = \"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\"\r\n SHA256 = \"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"\r\n INFO = \"Looks for 'taskdl' and 'taskse' at known offsets\"\r\n\r\n strings:\r\n $taskdl = { 00 74 61 73 6b 64 6c }\r\n $taskse = { 00 74 61 73 6b 73 65 }\r\n\r\n condition:\r\n $taskdl at 3419456 and $taskse at 3422953\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-01-24T12:27:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload installation\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49af3e-6cec-4a29-ac04-0a730a646538", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2019-01-24T12:27:42.000Z", "modified": "2019-01-24T12:27:42.000Z", "description": "Yara rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904", "pattern": "[rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904\r\n{\r\n meta:\r\n description = \"Specific sample match for WannaCryptor\"\r\n MD5 = \"4da1f312a214c07143abeeafb695d904\"\r\n SHA1 = \"b629f072c9241fd2451f1cbca2290197e72a8f5e\"\r\n SHA256 = 
\"aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c\"\r\n INFO = \"Looks for offsets of r.wry and s.wry instances\"\r\n\r\n strings:\r\n $rwnry = { 72 2e 77 72 79 }\r\n $swnry = { 73 2e 77 72 79 }\r\n\r\n condition:\r\n $rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-01-24T12:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload installation\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49af4e-4038-4f74-ba91-0aec0a646538", "created_by_ref": "identity--56fa4fe4-f528-4480-8332-1ba3c0a80a8c", "created": "2019-01-24T12:27:58.000Z", "modified": "2019-01-24T12:27:58.000Z", "description": "Yara rule NHS_Strain_Wanna: NHS_Strain_Wanna", "pattern": "[rule NHS_Strain_Wanna: NHS_Strain_Wanna\r\n{\r\n meta:\r\n description = \"Detection for worm-strain bundle of Wcry, DOublePulsar\"\r\n MD5 = \"db349b97c37d22f5ea1d1841e3c89eb4\"\r\n SHA1 = \"e889544aff85ffaf8b0d0da705105dee7c97fe26\"\r\n SHA256 = \"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"\r\n INFO = \"Looks for specific offsets of c.wnry and t.wnry strings\"\r\n\r\n strings:\r\n $cwnry = { 63 2e 77 6e 72 79 }\r\n $twnry = { 74 2e 77 6e 72 79 }\r\n\r\n condition:\r\n $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-01-24T12:27:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload installation\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }