{ "type": "bundle", "id": "bundle--5b84012a-f9d4-4d92-abb3-344f950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-06T12:52:32.000Z", "modified": "2018-09-06T12:52:32.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b84012a-f9d4-4d92-abb3-344f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-06T12:52:32.000Z", "modified": "2018-09-06T12:52:32.000Z", "name": "OSINT - New Bip Dharma Ransomware Variant Released", "published": "2018-09-06T12:52:58Z", "object_refs": [ "observed-data--5b840189-c774-4f4c-83b7-5fb0950d210f", "url--5b840189-c774-4f4c-83b7-5fb0950d210f", "x-misp-attribute--5b8401a0-d0e4-422e-a664-33af950d210f", "indicator--5b8fe654-8db4-444c-ad10-495f950d210f", "indicator--5b8407bd-2440-40cd-80a2-5fb0950d210f", "indicator--5b84086e-d5ec-4ab2-b371-0716950d210f", "indicator--5b840880-b12c-4619-be47-0716950d210f", "indicator--5b840adc-296c-4705-8c8f-0716950d210f", "indicator--4da3496e-b9b6-48b4-9b2d-42beb59eb7ca", "x-misp-object--499803fa-d2c3-4722-8fb9-f1134171354f", "relationship--565575bb-4fff-4622-8dc5-f1cf74054e38" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"Dharma Ransomware\"", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b840189-c774-4f4c-83b7-5fb0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-27T14:17:46.000Z", "modified": "2018-08-27T14:17:46.000Z", "first_observed": "2018-08-27T14:17:46Z", "last_observed": "2018-08-27T14:17:46Z", "number_observed": 1, "object_refs": [ "url--5b840189-c774-4f4c-83b7-5fb0950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b840189-c774-4f4c-83b7-5fb0950d210f", "value": "https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b8401a0-d0e4-422e-a664-33af950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-27T14:17:56.000Z", "modified": "2018-08-27T14:17:56.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Today, Michael Gillespie noticed what appeared to be a new variant of the Crysis/Dharma Ransomware uploaded to his ID-Ransomware site. Jakub Kroustek then discovered some samples to confirm that it was indeed a new Dharma variant. This new version will append the .Bip extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Dharma is typically spread by hacking into Remote Desktop Services and manually installing the ransomware." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b8fe654-8db4-444c-ad10-495f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-05T14:21:08.000Z", "modified": "2018-09-05T14:21:08.000Z", "pattern": "[email-message:from_ref.value = 'beamsell@qq.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-05T14:21:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b8407bd-2440-40cd-80a2-5fb0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-27T14:16:29.000Z", "modified": "2018-08-27T14:16:29.000Z", "pattern": "[file:hashes.SHA256 = '208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-27T14:16:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b84086e-d5ec-4ab2-b371-0716950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-27T14:19:26.000Z", "modified": "2018-08-27T14:19:26.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Info.hta' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-27T14:19:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b840880-b12c-4619-be47-0716950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-27T14:19:44.000Z", "modified": "2018-08-27T14:19:44.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\[filename.exe]' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-27T14:19:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b840adc-296c-4705-8c8f-0716950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-27T14:29:48.000Z", "modified": "2018-08-27T14:29:48.000Z", "pattern": "[file:name = 'FILES ENCRYPTED.txt' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-27T14:29:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4da3496e-b9b6-48b4-9b2d-42beb59eb7ca", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-06T12:52:24.000Z", "modified": "2018-09-06T12:52:24.000Z", "pattern": "[file:hashes.MD5 = 'b84e41893fa55503a84688b36556db05' AND file:hashes.SHA1 = '94f83bfb5451383b9c7b486d05f38e1856fe62a5' AND file:hashes.SHA256 = '208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-06T12:52:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--499803fa-d2c3-4722-8fb9-f1134171354f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-06T12:52:29.000Z", "modified": "2018-09-06T12:52:29.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-24T17:37:17", "category": "Other", "uuid": "45a6abd8-a4ca-4133-bddb-bdd48c7ac32b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/208989df29236594c9d889d54b666041bc7df1d0b53cedd16e4f68636e036bb7/analysis/1535132237/", "category": "External analysis", "uuid": "c55fb0f7-f9ce-4a7b-9b44-e99390947433" }, { "type": "text", "object_relation": "detection-ratio", "value": "52/68", "category": "Other", "uuid": "b4c4e081-c8bd-4467-8211-fc83b3779c3f" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--565575bb-4fff-4622-8dc5-f1cf74054e38", "created": "2018-09-06T12:52:35.000Z", "modified": "2018-09-06T12:52:35.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--4da3496e-b9b6-48b4-9b2d-42beb59eb7ca", "target_ref": "x-misp-object--499803fa-d2c3-4722-8fb9-f1134171354f" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }