{ "type": "bundle", "id": "bundle--5734dc40-a4f0-45a6-a9e2-4494950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:42:44.000Z", "modified": "2016-05-12T19:42:44.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5734dc40-a4f0-45a6-a9e2-4494950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:42:44.000Z", "modified": "2016-05-12T19:42:44.000Z", "name": "OSINT - Chinese-language Ransomware Makes An Appearance", "published": "2016-05-12T19:44:04Z", "object_refs": [ "observed-data--5734dc4c-6cc0-4262-bd2c-4332950d210f", "url--5734dc4c-6cc0-4262-bd2c-4332950d210f", "x-misp-attribute--5734dc5d-47b8-430d-a856-4b2f950d210f", "x-misp-attribute--5734dc70-44b4-40ca-a47c-0d08950d210f", "indicator--5734dc8b-f494-40de-8a2c-434b950d210f", "indicator--5734dc8c-1d70-4209-a722-428d950d210f", "indicator--5734dc8c-1e98-4cdf-afcd-4a9d950d210f", "indicator--5734dc8c-e630-4a98-b5be-4d9a950d210f", "indicator--5734dc8c-028c-49d0-9907-467c950d210f", "indicator--5734dcb4-5a7c-4cbc-a39c-0d03950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "ecsirt:malicious-code=\"ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5734dc4c-6cc0-4262-bd2c-4332950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:41:00.000Z", "modified": "2016-05-12T19:41:00.000Z", "first_observed": "2016-05-12T19:41:00Z", "last_observed": "2016-05-12T19:41:00Z", "number_observed": 1, "object_refs": [ "url--5734dc4c-6cc0-4262-bd2c-4332950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5734dc4c-6cc0-4262-bd2c-4332950d210f", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5734dc5d-47b8-430d-a856-4b2f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:41:17.000Z", "modified": "2016-05-12T19:41:17.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Ransom_SHUJIN.A" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5734dc70-44b4-40ca-a47c-0d08950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:41:36.000Z", "modified": "2016-05-12T19:41:36.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Whenever a threat is \u00e2\u20ac\u0153localized\u00e2\u20ac\u009d to a specific region, it\u00e2\u20ac\u2122s a sign that attackers believe there is money to be made. Ransomware has made millions of dollars around the world, and it looks like it\u00e2\u20ac\u2122s poking its nose into a new part of the world: China. However, the initial foray into this market made several mistakes.\r\n\r\nWe recently came across multiple samples of what appeared to be Chinese-language ransomware. We detect this as Ransom_SHUJIN.A. All of these samples could be decompressed into the same executable file. While this is not the first time that Chinese-language ransomware has been found, this may be the first time that one used simplified Chinese characters. This character set is favored for use in mainland China. As of this writing, the infection vector of this attack is not yet known." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5734dc8b-f494-40de-8a2c-434b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:42:03.000Z", "modified": "2016-05-12T19:42:03.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[url:value = 'http://eqlc75eumpb77ced.onion/Decrypt.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-12T19:42:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5734dc8c-1d70-4209-a722-428d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:42:04.000Z", "modified": "2016-05-12T19:42:04.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[url:value = 'http://eqlc75eumpb77ced.onion/GetMKey.JPG']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-12T19:42:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5734dc8c-1e98-4cdf-afcd-4a9d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:42:04.000Z", "modified": "2016-05-12T19:42:04.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[url:value = 'http://eqlc75eumpb77ced.onion/btc/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-12T19:42:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5734dc8c-e630-4a98-b5be-4d9a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:42:04.000Z", "modified": "2016-05-12T19:42:04.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[url:value = 'http://eqlc75eumpb77ced.onion/btc/help.html']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-12T19:42:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5734dc8c-028c-49d0-9907-467c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:42:04.000Z", "modified": "2016-05-12T19:42:04.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[url:value = 'http://eqlc75eumpb77ced.onion/DeFile.JPG']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-12T19:42:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5734dcb4-5a7c-4cbc-a39c-0d03950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-12T19:42:44.000Z", "modified": "2016-05-12T19:42:44.000Z", "pattern": "[file:hashes.SHA1 = 'd6baa9be02723430eade33432f7718fd93dd838b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-12T19:42:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }