{ "type": "bundle", "id": "bundle--59a3c0d9-6e00-4f61-b768-47d6950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:14.000Z", "modified": "2017-08-28T14:23:14.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59a3c0d9-6e00-4f61-b768-47d6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:14.000Z", "modified": "2017-08-28T14:23:14.000Z", "name": "OSINT - The ZAYKA and NOOB CryptoMix Ransomware Variants Released in Quick Succession", "published": "2017-08-28T14:23:21Z", "object_refs": [ "observed-data--59a3c0eb-d44c-4133-bf6c-4233950d210f", "url--59a3c0eb-d44c-4133-bf6c-4233950d210f", "x-misp-attribute--59a3c0fa-676c-4413-acb9-495a950d210f", "indicator--59a3c152-41b0-4924-b651-493a950d210f", "indicator--59a3c152-bd44-48cb-964f-4beb950d210f", "indicator--59a3c160-4c58-46a3-b48a-47a5950d210f", "indicator--59a3c160-1068-438a-903f-4069950d210f", "indicator--59a3c1ff-e884-4e50-9e49-44cb950d210f", "indicator--59a4274c-b8f4-464b-b95b-459402de0b81", "indicator--59a4274c-f1e8-46ed-afa7-47f202de0b81", "observed-data--59a4274c-a26c-4940-8ab2-4eb102de0b81", "url--59a4274c-a26c-4940-8ab2-4eb102de0b81", "indicator--59a4274c-9fbc-4261-86dc-44c502de0b81", "indicator--59a4274c-bb90-4eb0-8899-420a02de0b81", "observed-data--59a4274c-fbdc-40d5-ba87-44ae02de0b81", "url--59a4274c-fbdc-40d5-ba87-44ae02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"CryptoMix\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a3c0eb-d44c-4133-bf6c-4233950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:07.000Z", "modified": "2017-08-28T14:23:07.000Z", "first_observed": "2017-08-28T14:23:07Z", "last_observed": "2017-08-28T14:23:07Z", "number_observed": 1, "object_refs": [ "url--59a3c0eb-d44c-4133-bf6c-4233950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a3c0eb-d44c-4133-bf6c-4233950d210f", "value": "https://www.bleepingcomputer.com/news/security/the-zayka-and-noob-cryptomix-ransomware-variants-released-in-quick-succession/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59a3c0fa-676c-4413-acb9-495a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:07.000Z", "modified": "2017-08-28T14:23:07.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "CryptoMix is releasing new variants very quickly now and is reminiscent of how the Locky developers used to distribute Locky. Yesterday, ID-Ransomware's Michael Gillespie & Malwarebytes malware researcher Marcelo Rivero discovered two new variants of the CryptoMix ransomware being distributed within a week or two of each other. These variants append either the NOOB or ZAYKA extension to encrypted files, but use the same contact email of admin@zayka.pro for payment instructions." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a3c152-41b0-4924-b651-493a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:07.000Z", "modified": "2017-08-28T14:23:07.000Z", "description": "NOOB version", "pattern": "[file:hashes.SHA256 = 'ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a3c152-bd44-48cb-964f-4beb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:07.000Z", "modified": "2017-08-28T14:23:07.000Z", "description": "ZAYKA version", "pattern": "[file:hashes.SHA256 = 'aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a3c160-4c58-46a3-b48a-47a5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:07.000Z", "modified": "2017-08-28T14:23:07.000Z", "pattern": "[file:name = '_HELP_INSTRUCTION.TXT']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a3c160-1068-438a-903f-4069950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:07.000Z", "modified": "2017-08-28T14:23:07.000Z", "pattern": "[file:name = '\\\\%AppData\\\\%\\\\[random].exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a3c1ff-e884-4e50-9e49-44cb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:07.000Z", "modified": "2017-08-28T14:23:07.000Z", "description": "contact mail in the ransom note", "pattern": "[email-message:from_ref.value = 'admin@zayka.pro']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a4274c-b8f4-464b-b95b-459402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:08.000Z", "modified": "2017-08-28T14:23:08.000Z", "description": "ZAYKA version - Xchecked via VT: aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685", "pattern": "[file:hashes.SHA1 = '53371fd7a36fcf23d615143ba82045a417850c08']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a4274c-f1e8-46ed-afa7-47f202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:08.000Z", "modified": "2017-08-28T14:23:08.000Z", "description": "ZAYKA version - Xchecked via VT: aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685", "pattern": "[file:hashes.MD5 = 'c34e3bcddab6b671cccb1c5e9ba3a881']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a4274c-a26c-4940-8ab2-4eb102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:08.000Z", "modified": "2017-08-28T14:23:08.000Z", "first_observed": "2017-08-28T14:23:08Z", "last_observed": "2017-08-28T14:23:08Z", "number_observed": 1, "object_refs": [ "url--59a4274c-a26c-4940-8ab2-4eb102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a4274c-a26c-4940-8ab2-4eb102de0b81", "value": "https://www.virustotal.com/file/aaf7bdb7445d7d58e597240630b23bd7f3f2c6551de61029e932eaa09e27a685/analysis/1500647663/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a4274c-9fbc-4261-86dc-44c502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:08.000Z", "modified": "2017-08-28T14:23:08.000Z", "description": "NOOB version - Xchecked via VT: ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023", "pattern": "[file:hashes.SHA1 = 'f71297632052974c83b95412dcb07090089b890d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a4274c-bb90-4eb0-8899-420a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:08.000Z", "modified": "2017-08-28T14:23:08.000Z", "description": "NOOB version - Xchecked via VT: ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023", "pattern": "[file:hashes.MD5 = 'a862f5ee210a43fddcb33ad2f01af73f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-28T14:23:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a4274c-fbdc-40d5-ba87-44ae02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-28T14:23:08.000Z", "modified": "2017-08-28T14:23:08.000Z", "first_observed": "2017-08-28T14:23:08Z", "last_observed": "2017-08-28T14:23:08Z", "number_observed": 1, "object_refs": [ "url--59a4274c-fbdc-40d5-ba87-44ae02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a4274c-fbdc-40d5-ba87-44ae02de0b81", "value": "https://www.virustotal.com/file/ceaee070d84bb182593787002442520acbbac7a0e5ec6cecde40370d5d744023/analysis/1503697510/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }