{ "type": "bundle", "id": "bundle--5b9123c0-1480-4e09-877e-4783950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-12T12:36:30.000Z", "modified": "2018-09-12T12:36:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b9123c0-1480-4e09-877e-4783950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-12T12:36:30.000Z", "modified": "2018-09-12T12:36:30.000Z", "name": "OSINT - Sigma Ransomware Being Distributed Using Fake Craigslist Malspam", "published": "2018-09-12T12:38:00Z", "object_refs": [ "x-misp-attribute--5b912411-f738-46fc-b27c-4ada950d210f", "observed-data--5b912433-50b0-4e96-8d7a-44b1950d210f", "url--5b912433-50b0-4e96-8d7a-44b1950d210f", "indicator--5b912ca6-7264-48c8-afca-40e4950d210f", "indicator--5b927c00-c9c8-4780-84da-abc4950d210f", "indicator--5b912b9e-67d4-45ad-b17d-4020950d210f", "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab", "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50", "indicator--5b927884-8d5c-4a6c-af30-4daa950d210f", "indicator--5b9279c2-40a4-4823-840a-4c03950d210f", "indicator--5b927cc5-d5ac-46df-ace4-4cf8950d210f", "indicator--5b927d28-edcc-445d-869b-42ae950d210f", "indicator--5b927d3b-9628-4e2f-83b3-4cb8950d210f", "indicator--5b927d4a-5334-448b-84e9-4545950d210f", "indicator--5b927edc-e5a4-47e1-86a6-4a0f950d210f", "indicator--5b927f07-0ebc-45ea-9a4c-4791950d210f", "indicator--5b927f19-af00-4e57-bc93-49e9950d210f", "indicator--5b927f4d-5914-4be0-bc7e-4da1950d210f", "indicator--5b927f5e-50ac-4596-b3cb-474b950d210f", "indicator--5b927f6b-0430-4a52-b692-4dba950d210f", "indicator--5b927f7c-32c8-4e30-b9d5-421f950d210f", "indicator--5b927fee-1590-49f2-a2f6-44ca950d210f", "indicator--5b92809a-b468-47e6-a7c7-47c9950d210f", "indicator--5b9280aa-969c-4c3e-ad03-4011950d210f", "indicator--5b9280b9-be58-4c21-a4d2-49ca950d210f", 
"indicator--5b9280c4-17b4-4114-8017-44e0950d210f", "indicator--5b9280d0-1874-4711-87ed-4299950d210f", "indicator--5b9280db-dfe0-41f0-9f42-44c7950d210f", "indicator--5b9280ea-e38c-41f1-8453-47b9950d210f", "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e", "relationship--b053152f-768a-4e86-944c-6ed16a52fc41", "relationship--1665f004-1a5d-4089-b7bc-53808e8d6473" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"", "misp-galaxy:ransomware=\"Sigma Ransomware\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Link - T1192\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"User Execution - T1204\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\"", "monarc-threat:unauthorised-actions=\"corruption-of-data\"", "monarc-threat:compromise-of-information=\"malware-infection\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b912411-f738-46fc-b27c-4ada950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T14:06:53.000Z", "modified": "2018-09-07T14:06:53.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Today one of our volunteers, Aura, told me about a new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. 
These spam emails contain password-protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipient's computer." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b912433-50b0-4e96-8d7a-44b1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T14:07:02.000Z", "modified": "2018-09-07T14:07:02.000Z", "first_observed": "2018-09-07T14:07:02Z", "last_observed": "2018-09-07T14:07:02Z", "number_observed": 1, "object_refs": [ "url--5b912433-50b0-4e96-8d7a-44b1950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b912433-50b0-4e96-8d7a-44b1950d210f", "value": "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b912ca6-7264-48c8-afca-40e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-06T13:33:26.000Z", "modified": "2018-09-06T13:33:26.000Z", "pattern": "[url:value = 'http://185.121.139.229/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-06T13:33:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927c00-c9c8-4780-84da-abc4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:24:16.000Z", "modified": "2018-09-07T13:24:16.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\taskwgr.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:24:16Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b912b9e-67d4-45ad-b17d-4020950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-06T13:29:02.000Z", "modified": "2018-09-06T13:29:02.000Z", "pattern": "[file:hashes.SHA256 = 'b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-06T13:29:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-12T12:28:55.000Z", "modified": "2018-09-12T12:28:55.000Z", "pattern": "[file:hashes.MD5 = '9afa3302527608a30408958bc48019fc' AND file:hashes.SHA1 = '0d34add7d61e26583dc54e7b89b6d4056d6bf201' AND file:hashes.SHA256 = 'b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-12T12:28:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T06:48:13.000Z", "modified": "2018-09-07T06:48:13.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", 
"object_relation": "last-submission", "value": "2018-08-28T00:23:39", "category": "Other", "uuid": "8d5b54cd-1dfc-435b-8e19-cc4eda5b2288" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/", "category": "External analysis", "uuid": "18055e03-5add-4a61-9465-9afc972b1cb3" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/67", "category": "Other", "uuid": "e911d120-fdf4-4110-8272-ddb11eedd9ec" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927884-8d5c-4a6c-af30-4daa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:09:24.000Z", "modified": "2018-09-07T13:09:24.000Z", "pattern": "[file:name = 'ReadMe.txt' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:09:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9279c2-40a4-4823-840a-4c03950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:15:06.000Z", "modified": "2018-09-07T13:15:06.000Z", "pattern": "[windows-registry-key:key = '\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\chrome' AND windows-registry-key:values[0].data_type = 'REG_NONE' AND windows-registry-key:values[0].name = 'Rundll32.exe SHELL32.DLL,ShellExec_RunDLL' AND windows-registry-key:x_misp_root_keys = 'HKCU']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:15:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"registry-key\"", 
"misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927cc5-d5ac-46df-ace4-4cf8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:27:33.000Z", "modified": "2018-09-07T13:27:33.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Data\\\\Tor\\\\geoip' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:27:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927d28-edcc-445d-869b-42ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:29:12.000Z", "modified": "2018-09-07T13:29:12.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Data\\\\Tor\\\\geoip6' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:29:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927d3b-9628-4e2f-83b3-4cb8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:29:31.000Z", "modified": "2018-09-07T13:29:31.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\test1.bmp' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:29:31Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927d4a-5334-448b-84e9-4545950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:29:46.000Z", "modified": "2018-09-07T13:29:46.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libeay32.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:29:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927edc-e5a4-47e1-86a6-4a0f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:36:28.000Z", "modified": "2018-09-07T13:36:28.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent_core-2-0-5.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:36:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927f07-0ebc-45ea-9a4c-4791950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:37:11.000Z", "modified": "2018-09-07T13:37:11.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-certs' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2018-09-07T13:37:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927f19-af00-4e57-bc93-49e9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:37:29.000Z", "modified": "2018-09-07T13:37:29.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdesc-consensus' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:37:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927f4d-5914-4be0-bc7e-4da1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:38:21.000Z", "modified": "2018-09-07T13:38:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libssp-0.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:38:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927f5e-50ac-4596-b3cb-474b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:38:38.000Z", "modified": "2018-09-07T13:38:38.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\tor-gencert.exe' AND 
file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:38:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927f6b-0430-4a52-b692-4dba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:38:51.000Z", "modified": "2018-09-07T13:38:51.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\svchost.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:38:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927f7c-32c8-4e30-b9d5-421f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:39:08.000Z", "modified": "2018-09-07T13:39:08.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\zlib1.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:39:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b927fee-1590-49f2-a2f6-44ca950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:41:02.000Z", "modified": "2018-09-07T13:41:02.000Z", "pattern": "[file:name = 
'\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdescs.new' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:41:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b92809a-b468-47e6-a7c7-47c9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:43:54.000Z", "modified": "2018-09-07T13:43:54.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent-2-0-5.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:43:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9280aa-969c-4c3e-ad03-4011950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:44:09.000Z", "modified": "2018-09-07T13:44:09.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\ssleay32.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:44:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9280b9-be58-4c21-a4d2-49ca950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2018-09-07T13:44:25.000Z", "modified": "2018-09-07T13:44:25.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\state' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:44:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9280c4-17b4-4114-8017-44e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:44:36.000Z", "modified": "2018-09-07T13:44:36.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\ReadMe.html' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:44:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9280d0-1874-4711-87ed-4299950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:44:48.000Z", "modified": "2018-09-07T13:44:48.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libgcc_s_sjlj-1.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:44:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9280db-dfe0-41f0-9f42-44c7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2018-09-07T13:44:59.000Z", "modified": "2018-09-07T13:44:59.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\660F187B8C71F670E76F70C7EDAFE4E7\\\\Tor\\\\libevent_extra-2-0-5.dll' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:44:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b9280ea-e38c-41f1-8453-47b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-07T13:45:14.000Z", "modified": "2018-09-07T13:45:14.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\lock' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-09-07T13:45:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-12T12:28:55.000Z", "modified": "2018-09-12T12:28:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-28T00:23:39", "category": "Other", "uuid": "bff3beea-deb5-49b8-a2be-334a5603e8ac" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/", "category": "External analysis", "uuid": "505d7436-7769-4279-9d1a-b95934d0edc8" }, { "type": "text", "object_relation": 
"detection-ratio", "value": "45/67", "category": "Other", "uuid": "00c8704b-05af-405d-a5ce-13f8167612d4" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b053152f-768a-4e86-944c-6ed16a52fc41", "created": "2018-09-07T06:48:21.000Z", "modified": "2018-09-07T06:48:21.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab", "target_ref": "x-misp-object--6241958e-2b1b-4ccf-8aa5-0aee9e179e50" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1665f004-1a5d-4089-b7bc-53808e8d6473", "created": "2018-09-12T12:29:05.000Z", "modified": "2018-09-12T12:29:05.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--af63c140-7e55-4ae2-a261-9f126f0195ab", "target_ref": "x-misp-object--f04b2156-46a7-4ffe-a470-b0d0ac7ef70e" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }