{ "type": "bundle", "id": "bundle--59f049c0-aae0-47d2-a888-4021950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-22T21:19:47.000Z", "modified": "2017-11-22T21:19:47.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59f049c0-aae0-47d2-a888-4021950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-11-22T21:19:47.000Z", "modified": "2017-11-22T21:19:47.000Z", "name": "OSINT - Bad Rabbit: Not-Petya is back with improved ransomware", "published": "2017-12-28T13:20:54Z", "object_refs": [ "observed-data--59f049cf-329c-4504-a63c-4974950d210f", "url--59f049cf-329c-4504-a63c-4974950d210f", "indicator--59f04b31-f73c-4d20-95b5-4edf950d210f", "x-misp-attribute--59f04b48-223c-4642-a5cf-412c950d210f", "indicator--59f04b70-32f4-4c4b-bd74-4775950d210f", "indicator--59f04b70-a00c-47a5-903e-44f2950d210f", "indicator--59f04c8f-fba0-4775-913a-4a4f950d210f", "indicator--59f04c8f-046c-41dc-a600-4306950d210f", "indicator--59f04d24-9424-49ec-86bc-403c950d210f", "indicator--59f04d24-f6a4-4278-b3b5-406d950d210f", "indicator--59f04d24-0348-4b41-8e40-4887950d210f", "indicator--59f04ddf-4f04-4174-a93d-4c9d950d210f", "indicator--59f04ddf-3e78-47fc-ad92-4866950d210f", "indicator--59f04ddf-9890-46f0-b252-4884950d210f", "indicator--59f04ddf-de28-4f39-a955-43c6950d210f", "indicator--59f04ddf-7564-446e-80f5-4717950d210f", "indicator--59f04ddf-d780-4e3e-a215-44b3950d210f", "indicator--59f04ddf-bcc0-415d-9588-4111950d210f", "indicator--59f04ddf-4838-45fc-b75c-48b9950d210f", "indicator--59f04ddf-4dc8-470d-9268-45bd950d210f", "indicator--59f04ddf-0600-4c83-8d3a-41ae950d210f", "indicator--59f04ddf-7eb8-4933-a170-4c3e950d210f", "indicator--59f04ddf-7b94-4be1-a497-42c2950d210f", "indicator--59f04ddf-fe88-4850-b260-4b7d950d210f", "indicator--59f04ddf-8294-4d84-862f-46d7950d210f", "indicator--59f04ddf-3198-4485-8eae-4833950d210f", "indicator--59f04ddf-9858-4feb-ad80-4183950d210f", "indicator--59f04ddf-7448-4f85-b71a-48d7950d210f", "indicator--59f04ddf-7d48-426d-9d85-4d32950d210f", "indicator--59f04ddf-fc80-4ddf-822f-47b2950d210f", "indicator--59f04ddf-c6e8-4de1-a60a-42c8950d210f", "indicator--59f04ddf-b9c0-485f-b2c3-42cb950d210f", "indicator--59f04ddf-4fc4-4b03-927f-4c92950d210f", "indicator--59f04ddf-e83c-4d61-b9ab-43ea950d210f", "indicator--59f0514a-7310-4dad-b3b1-490002de0b81", "indicator--59f0514a-df70-416c-bfae-445f02de0b81", "observed-data--59f0514a-7f84-4846-ba38-449302de0b81", "url--59f0514a-7f84-4846-ba38-449302de0b81", "indicator--59f0514a-b3d0-4191-a490-440802de0b81", "indicator--59f0514a-1be4-4e5c-8fff-48cc02de0b81", "observed-data--59f0514a-f0d8-4972-9b45-40cb02de0b81", "url--59f0514a-f0d8-4972-9b45-40cb02de0b81", "indicator--59f04c50-0864-406b-b9fd-4797950d210f", "indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f", "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f", "indicator--59f04cf4-0f54-4525-8d29-453f950d210f", "relationship--8f61cc0f-e736-4a5e-b732-9a1dc5fdf25c", "relationship--7e9f0d94-e9a1-4bf0-929b-90fdcde3de81", "relationship--52e9375e-b591-43d6-9439-cddfb4b154a1" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"Bad Rabbit\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"", "misp-galaxy:preventive-measure=\"Backup and Restore Process\"", "misp-galaxy:preventive-measure=\"Restrict Workstation Communication\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59f049cf-329c-4504-a63c-4974950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:33.000Z", "modified": "2017-10-25T08:54:33.000Z", "first_observed": "2017-10-25T08:54:33Z", "last_observed": "2017-10-25T08:54:33Z", "number_observed": 1, "object_refs": [ "url--59f049cf-329c-4504-a63c-4974950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59f049cf-329c-4504-a63c-4974950d210f", "value": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04b31-f73c-4d20-95b5-4edf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.149.120.3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59f04b48-223c-4642-a5cf-412c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "A new ransomware outbreak today and has hit some major infrastructure in Ukraine including Kiev metro." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04b70-32f4-4c4b-bd74-4775950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "pattern": "[domain-name:value = '1dnscontrol.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04b70-a00c-47a5-903e-44f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:29:36.000Z", "modified": "2017-10-25T08:29:36.000Z", "pattern": "[file:name = 'install_flash_player.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:29:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04c8f-fba0-4775-913a-4a4f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "Mimikatz (32-bits)", "pattern": "[file:hashes.SHA1 = '413eba3973a15c1a6429d9f170f3e8287f98c21c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04c8f-046c-41dc-a600-4306950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "Mimikatz (64-bits)", "pattern": "[file:hashes.SHA1 = '16605a4a29a101208457c47ebfde788487be788d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04d24-9424-49ec-86bc-403c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "pattern": "[url:value = 'http://caforssztxqzf2nm.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04d24-f6a4-4278-b3b5-406d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "pattern": "[url:value = 'http://185.149.120.3/scholargoogle/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04d24-0348-4b41-8e40-4887950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "pattern": "[url:value = 'http://1dnscontrol.com/flash_install.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-4f04-4174-a93d-4c9d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://argumentiru.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-3e78-47fc-ad92-4866950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.fontanka.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-9890-46f0-b252-4884950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://grupovo.bg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-de28-4f39-a955-43c6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.sinematurk.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-7564-446e-80f5-4717950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.aica.co.jp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-d780-4e3e-a215-44b3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://spbvoditel.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-bcc0-415d-9588-4111950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://argumenti.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-4838-45fc-b75c-48b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.mediaport.ua']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-4dc8-470d-9268-45bd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://blog.fontanka.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-0600-4c83-8d3a-41ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://an-crimea.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-7eb8-4933-a170-4c3e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.t.ks.ua']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-7b94-4be1-a497-42c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://most-dnepr.info']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-fe88-4850-b260-4b7d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://osvitaportal.com.ua']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-8294-4d84-862f-46d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.otbrana.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-3198-4485-8eae-4833950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://calendar.fontanka.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-9858-4feb-ad80-4183950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.grupovo.bg']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-7448-4f85-b71a-48d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.pensionhotel.cz']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-7d48-426d-9d85-4d32950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.online812.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-fc80-4ddf-822f-47b2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://www.imer.ro']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-c6e8-4de1-a60a-42c8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://novayagazeta.spb.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-b9c0-485f-b2c3-42cb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://i24.com.ua']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-4fc4-4b03-927f-4c92950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://bg.pensionhotel.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04ddf-e83c-4d61-b9ab-43ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "compromised site", "pattern": "[url:value = 'http://ankerch-crimea.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f0514a-7310-4dad-b3b1-490002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d", "pattern": "[file:hashes.SHA256 = '2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f0514a-df70-416c-bfae-445f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d", "pattern": "[file:hashes.MD5 = '37945c44a897aa42a66adcab68f560e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59f0514a-7f84-4846-ba38-449302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "first_observed": "2017-10-25T08:54:34Z", "last_observed": "2017-10-25T08:54:34Z", "number_observed": 1, "object_refs": [ "url--59f0514a-7f84-4846-ba38-449302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59f0514a-7f84-4846-ba38-449302de0b81", "value": "https://www.virustotal.com/file/2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035/analysis/1508915760/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f0514a-b3d0-4191-a490-440802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c", "pattern": "[file:hashes.SHA256 = '301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f0514a-1be4-4e5c-8fff-48cc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "description": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c", "pattern": "[file:hashes.MD5 = '347ac3b6b791054de3e5720a7144a977']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:54:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59f0514a-f0d8-4972-9b45-40cb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:54:34.000Z", "modified": "2017-10-25T08:54:34.000Z", "first_observed": "2017-10-25T08:54:34Z", "last_observed": "2017-10-25T08:54:34Z", "number_observed": 1, "object_refs": [ "url--59f0514a-f0d8-4972-9b45-40cb02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59f0514a-f0d8-4972-9b45-40cb02de0b81", "value": "https://www.virustotal.com/file/301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c/analysis/1508918790/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04c50-0864-406b-b9fd-4797950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:57:41.000Z", "modified": "2017-10-25T08:57:41.000Z", "description": "Diskcoder", "pattern": "[file:hashes.SHA1 = '79116fe99f2b421c52ef64097f0f39b815b20907' AND file:name = 'infpub.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:57:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:59:32.000Z", "modified": "2017-10-25T08:59:32.000Z", "description": "Lockscreen", "pattern": "[file:hashes.SHA1 = 'afeee8b4acff87bc469a6f0364a81ae5d60a2add' AND file:name = 'dispci.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:59:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:57:23.000Z", "modified": "2017-10-25T08:57:23.000Z", "description": "Dropper", "pattern": "[file:hashes.SHA1 = 'de5c8d858e6e41da715dca1c019df0bfb92d32c0' AND file:name = 'install_flash_player.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:57:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04cf4-0f54-4525-8d29-453f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:36:04.000Z", "modified": "2017-10-25T08:36:04.000Z", "description": "JavaScript on compromised sites", "pattern": "[file:hashes.SHA1 = '4f61e154230a64902ae035434690bf2b96b4e018' AND file:name = 'page-main.js']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:36:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8f61cc0f-e736-4a5e-b732-9a1dc5fdf25c", "created": "2017-10-25T08:57:38.000Z", "modified": "2017-10-25T08:57:38.000Z", "relationship_type": "dropped-by", "source_ref": "indicator--59f04c50-0864-406b-b9fd-4797950d210f", "target_ref": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7e9f0d94-e9a1-4bf0-929b-90fdcde3de81", "created": "2017-10-25T08:59:29.000Z", "modified": "2017-10-25T08:59:29.000Z", "relationship_type": "dropped-by", "source_ref": "indicator--59f04c7a-1ee8-472b-93b7-4f06950d210f", "target_ref": "indicator--59f04c50-0864-406b-b9fd-4797950d210f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--52e9375e-b591-43d6-9439-cddfb4b154a1", "created": "2017-10-25T08:57:20.000Z", "modified": "2017-10-25T08:57:20.000Z", "relationship_type": "dropped-by", "source_ref": "indicator--59f04cab-7520-4c5d-b6d7-4f46950d210f", "target_ref": "indicator--59f04cf4-0f54-4525-8d29-453f950d210f" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }