{ "type": "bundle", "id": "bundle--5ac6140f-5964-4eb8-81bd-4095950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:31:47.000Z", "modified": "2018-04-08T15:31:47.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5ac6140f-5964-4eb8-81bd-4095950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:31:47.000Z", "modified": "2018-04-08T15:31:47.000Z", "name": "OSINT - The DiskWriter or UselessDisk BootLocker May Be A Wiper", "published": "2018-04-08T15:31:53Z", "object_refs": [ "observed-data--5ac61454-3594-46fd-8de1-3be0950d210f", "url--5ac61454-3594-46fd-8de1-3be0950d210f", "x-misp-attribute--5ac61490-bc28-4c77-9fd7-4e33950d210f", "indicator--5ac619b3-39f4-4bdc-a22f-3be0950d210f", "indicator--5ac619b3-b258-4e49-9904-3be0950d210f", "indicator--5ac619b4-3ee4-4c02-9e4c-3be0950d210f", "indicator--5ac619c6-84f0-4be7-b49c-4511950d210f", "x-misp-attribute--5aca35d5-3dd4-487d-bb2a-621b02de0b81", "x-misp-object--5ac618a5-04fc-424c-b54d-43e7950d210f", "indicator--b36edfe1-10b3-4ce6-850c-48fec67da615", "x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa", "relationship--c08a6918-e45d-428a-8f75-67c7d5b342df" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "misp-galaxy:tool=\"UselessDisk\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac61454-3594-46fd-8de1-3be0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:13:21.000Z", "modified": "2018-04-08T15:13:21.000Z", "first_observed": "2018-04-08T15:13:21Z", "last_observed": "2018-04-08T15:13:21Z", "number_observed": 1, "object_refs": [ "url--5ac61454-3594-46fd-8de1-3be0950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ac61454-3594-46fd-8de1-3be0950d210f", "value": "https://www.bleepingcomputer.com/news/security/the-diskwriter-or-uselessdisk-bootlocker-may-be-a-wiper/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5ac61490-bc28-4c77-9fd7-4e33950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:13:22.000Z", "modified": "2018-04-08T15:13:22.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. This ransom note asks for $300 in bitcoins in order to gain access to Windows again." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac619b3-39f4-4bdc-a22f-3be0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:13:22.000Z", "modified": "2018-04-08T15:13:22.000Z", "pattern": "[file:name = 'DiskWriter.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-08T15:13:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac619b3-b258-4e49-9904-3be0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:13:22.000Z", "modified": "2018-04-08T15:13:22.000Z", "pattern": "[file:name = 'UselessDisk.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-08T15:13:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac619b4-3ee4-4c02-9e4c-3be0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:13:23.000Z", "modified": "2018-04-08T15:13:23.000Z", "pattern": "[file:name = 'E:\\\\Debug\\\\UselessDisk.pdb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-08T15:13:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac619c6-84f0-4be7-b49c-4511950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-05T12:42:46.000Z", "modified": "2018-04-05T12:42:46.000Z", "pattern": "[file:hashes.SHA256 = 'bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-05T12:42:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5aca35d5-3dd4-487d-bb2a-621b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:31:33.000Z", "modified": "2018-04-08T15:31:33.000Z", "labels": [ "misp:type=\"pdb\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "pdb", "x_misp_value": "E:\\Debug\\UselessDisk.pdb" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5ac618a5-04fc-424c-b54d-43e7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-05T12:37:57.000Z", "modified": "2018-04-05T12:37:57.000Z", "labels": [ "misp:name=\"coin-address\"", "misp:meta-category=\"financial\"" ], "x_misp_attributes": [ { "type": "btc", "object_relation": "address", "value": "1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco", "category": "Financial fraud", "to_ids": true, "uuid": "5ac618a5-2194-4990-a478-4713950d210f" }, { "type": "text", "object_relation": "symbol", "value": "BTC", "category": "Other", "uuid": "5ac618a6-7594-437a-bcfe-42d5950d210f" } ], "x_misp_meta_category": "financial", "x_misp_name": "coin-address" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b36edfe1-10b3-4ce6-850c-48fec67da615", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:13:26.000Z", "modified": "2018-04-08T15:13:26.000Z", "pattern": "[file:hashes.MD5 = '577be8c5b73e59fb71570f632349e5fe' AND file:hashes.SHA1 = '363605836bf4ee34d9dfb43a6e71acdfd2b2cebe' AND file:hashes.SHA256 = 'bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-04-08T15:13:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-04-08T15:13:25.000Z", "modified": "2018-04-08T15:13:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e/analysis/1522221142/", "category": "External analysis", "uuid": "5aca3195-62bc-4071-8d07-61c702de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/67", "category": "Other", "uuid": "5aca3195-0948-47b7-b12b-61c702de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-03-28T07:12:22", "category": "Other", "uuid": "5aca3195-2d94-4f77-8ccd-61c702de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c08a6918-e45d-428a-8f75-67c7d5b342df", "created": "2018-04-08T15:13:26.000Z", "modified": "2018-04-08T15:13:26.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b36edfe1-10b3-4ce6-850c-48fec67da615", "target_ref": "x-misp-object--5d9c2b1a-eb9d-409e-9145-b203188a65aa" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }