{ "type": "bundle", "id": "bundle--58eb4dde-5254-4163-add1-4d47950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-01T13:47:22.000Z", "modified": "2018-10-01T13:47:22.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58eb4dde-5254-4163-add1-4d47950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-01T13:47:22.000Z", "modified": "2018-10-01T13:47:22.000Z", "name": "OSINT - Matrix Ransomware Spreads to Other PCs Using Malicious Shortcuts", "published": "2018-10-01T13:47:24Z", "object_refs": [ "observed-data--58eb4dea-9364-46ce-8439-40a9950d210f", "url--58eb4dea-9364-46ce-8439-40a9950d210f", "indicator--58eb4e4d-f894-4d29-95fe-41ac950d210f", "indicator--58eb4e4e-980c-433d-b6c4-44ad950d210f", "indicator--58eb4e4e-fc98-4a37-bcf0-453f950d210f", "indicator--58eb4e4f-a278-437a-bec0-4829950d210f", "indicator--58eb4e50-211c-481d-8df5-4b80950d210f", "indicator--58eb4e51-b0f8-4843-a579-45fc950d210f", "indicator--58eb4e52-9d04-454c-9a72-41ff950d210f", "indicator--58eb4e53-256c-4d94-a211-4712950d210f", "indicator--58eb4e54-a770-44a0-ae81-4cba950d210f", "indicator--58eb4e55-a2d4-4111-8c25-4b7a950d210f", "indicator--58eb4e55-af34-4e10-b1ee-4354950d210f", "indicator--58eb4ea2-e160-4038-af93-40ba950d210f", "indicator--58eb4eb1-8ca0-4613-8c1c-4ed8950d210f", "indicator--58eb4eb3-cef4-46fb-90e7-4bac950d210f", "indicator--58ebcb5a-59b8-49f8-85f8-d16c02de0b81", "indicator--58ebcb5b-ec54-4794-a3f7-d16c02de0b81", "observed-data--58ebcb5c-8d78-496c-92b9-d16c02de0b81", "url--58ebcb5c-8d78-496c-92b9-d16c02de0b81", "indicator--5bb22156-ff94-4d42-a44d-4b17950d210f", "indicator--af9b35e1-17b6-4eaf-a7fd-03acafc0f34b", "x-misp-object--391c62fa-5ed3-4e85-b707-8147a7b44c2f", "relationship--be3f94a9-3a26-4160-acab-fdc1ef755a87" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"", "misp-galaxy:ransomware=\"Matrix\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58eb4dea-9364-46ce-8439-40a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "first_observed": "2017-04-10T18:13:32Z", "last_observed": "2017-04-10T18:13:32Z", "number_observed": 1, "object_refs": [ "url--58eb4dea-9364-46ce-8439-40a9950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58eb4dea-9364-46ce-8439-40a9950d210f", "value": "https://www.bleepingcomputer.com/news/security/matrix-ransomware-spreads-to-other-pcs-using-malicious-shortcuts/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e4d-f894-4d29-95fe-41ac950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\[random].hta']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e4e-980c-433d-b6c4-44ad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\[victim_id].pek']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e4e-fc98-4a37-bcf0-453f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\[victim_id].sek']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e4f-a278-437a-bec0-4829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\errlog.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e50-211c-481d-8df5-4b80950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\[random].cmd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e51-b0f8-4843-a579-45fc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\[random].afn']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e52-9d04-454c-9a72-41ff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\[random].ast']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e53-256c-4d94-a211-4712950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\[random].hta']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e54-a770-44a0-ae81-4cba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = 'matrix-readme.rtf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e55-a2d4-4111-8c25-4b7a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = 'Bl0cked-ReadMe.rtf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4e55-af34-4e10-b1ee-4354950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:name = 'WhatHappenedWithFiles.rtf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4ea2-e160-4038-af93-40ba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[file:hashes.SHA256 = '467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4eb1-8ca0-4613-8c1c-4ed8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[url:value = 'stat3.s76.r53.com.ua/addrecord.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58eb4eb3-cef4-46fb-90e7-4bac950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:32.000Z", "modified": "2017-04-10T18:13:32.000Z", "pattern": "[url:value = 'stat3.s76.r53.com.ua/uploadextlist.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ebcb5a-59b8-49f8-85f8-d16c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:46.000Z", "modified": "2017-04-10T18:13:46.000Z", "description": "- Xchecked via VT: 467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be", "pattern": "[file:hashes.SHA1 = '03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58ebcb5b-ec54-4794-a3f7-d16c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:47.000Z", "modified": "2017-04-10T18:13:47.000Z", "description": "- Xchecked via VT: 467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be", "pattern": "[file:hashes.MD5 = '36a0cefeb8b0a606358142d4140ea7cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-10T18:13:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58ebcb5c-8d78-496c-92b9-d16c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-10T18:13:48.000Z", "modified": "2017-04-10T18:13:48.000Z", "first_observed": "2017-04-10T18:13:48Z", "last_observed": "2017-04-10T18:13:48Z", "number_observed": 1, "object_refs": [ "url--58ebcb5c-8d78-496c-92b9-d16c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58ebcb5c-8d78-496c-92b9-d16c02de0b81", "value": "https://www.virustotal.com/file/467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be/analysis/1491798251/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bb22156-ff94-4d42-a44d-4b17950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-01T13:29:58.000Z", "modified": "2018-10-01T13:29:58.000Z", "pattern": "[url:value = 'stat3.s76.r53.com.ua/addrecord.phph' AND url:x_misp_host = 'stat3.s76.r53.com.ua' AND url:x_misp_scheme = 'http' AND url:x_misp_resource_path = 'uploadextlist.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-01T13:29:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"url\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--af9b35e1-17b6-4eaf-a7fd-03acafc0f34b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-01T13:47:05.000Z", "modified": "2018-10-01T13:47:05.000Z", "pattern": "[file:hashes.MD5 = '36a0cefeb8b0a606358142d4140ea7cf' AND file:hashes.SHA1 = '03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f' AND file:hashes.SHA256 = '467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-10-01T13:47:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--391c62fa-5ed3-4e85-b707-8147a7b44c2f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-10-01T13:47:14.000Z", "modified": "2018-10-01T13:47:14.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-24T19:09:51", "category": "Other", "uuid": "54f701d1-fbf7-495f-878e-fe87b38caa4d" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be/analysis/1535137791/", "category": "External analysis", "uuid": "a002197b-e738-4b1d-89db-293ff8663675" }, { "type": "text", "object_relation": "detection-ratio", "value": "56/68", "category": "Other", "uuid": "fab4c346-e53e-4b19-a858-2b5069dd299b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--be3f94a9-3a26-4160-acab-fdc1ef755a87", "created": "2018-10-01T13:47:24.000Z", "modified": "2018-10-01T13:47:24.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--af9b35e1-17b6-4eaf-a7fd-03acafc0f34b", "target_ref": "x-misp-object--391c62fa-5ed3-4e85-b707-8147a7b44c2f" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }