{ "type": "bundle", "id": "bundle--5a3797c2-e770-4722-9435-4350950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T03:00:31.000Z", "modified": "2017-12-20T03:00:31.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a3797c2-e770-4722-9435-4350950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-20T03:00:31.000Z", "modified": "2017-12-20T03:00:31.000Z", "name": "OSINT - RIG exploit kit distributes Princess ransomware", "published": "2017-12-28T13:31:17Z", "object_refs": [ "observed-data--5a3797dd-f168-4087-b939-4ceb950d210f", "url--5a3797dd-f168-4087-b939-4ceb950d210f", "x-misp-attribute--5a3797e9-6a14-49f6-939e-4b36950d210f", "indicator--5a3798b2-f484-4eec-9213-4d50950d210f", "indicator--5a3798b2-4c88-45c5-8a28-4832950d210f", "indicator--5a3798b2-25d0-43a4-b9b8-4064950d210f", "indicator--5a3798b2-c160-4334-bfa2-4c41950d210f", "indicator--65a56413-80b7-49b7-83e7-1766f5fcb8f4", "x-misp-object--fb3dcb25-eb21-42c9-9dbd-011d260655cd", "relationship--18be6975-6369-4420-9c5e-5a6fc6b8ba91" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"Princess Locker\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a3797dd-f168-4087-b939-4ceb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:49:43.000Z", "modified": "2017-12-18T10:49:43.000Z", "first_observed": "2017-12-18T10:49:43Z", "last_observed": "2017-12-18T10:49:43Z", "number_observed": 1, "object_refs": [ "url--5a3797dd-f168-4087-b939-4ceb950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a3797dd-f168-4087-b939-4ceb950d210f", "value": "https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a3797e9-6a14-49f6-939e-4b36950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:49:43.000Z", "modified": "2017-12-18T10:49:43.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.\r\n\r\nWe had analyzed the PrincessLocker ransomware last November and pointed out that despite similarities with Cerber\u00e2\u20ac\u2122s onion page, the actual code was much different. A new payment page seemed to have been seen in underground forums and is now being used with attacks in the wild." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3798b2-f484-4eec-9213-4d50950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:49:43.000Z", "modified": "2017-12-18T10:49:43.000Z", "description": "RIG EK gate", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.198.164.152']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:49:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3798b2-4c88-45c5-8a28-4832950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:49:43.000Z", "modified": "2017-12-18T10:49:43.000Z", "description": "RIG EK IP address", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '188.225.84.28']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:49:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3798b2-25d0-43a4-b9b8-4064950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:30:10.000Z", "modified": "2017-12-18T10:30:10.000Z", "description": "PrincessLocker binary", "pattern": "[file:hashes.SHA256 = 'c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:30:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a3798b2-c160-4334-bfa2-4c41950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:49:43.000Z", "modified": "2017-12-18T10:49:43.000Z", "description": "PrincessLocker payment page", "pattern": "[domain-name:value = 'royall6qpvndxlsj.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:49:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--65a56413-80b7-49b7-83e7-1766f5fcb8f4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:49:46.000Z", "modified": "2017-12-18T10:49:46.000Z", "pattern": "[file:hashes.MD5 = 'e7412ad8301456f3f4e32ab2d2c6f3f7' AND file:hashes.SHA1 = '5e30397f36df1e828ce705b7ec0ce62916451aae' AND file:hashes.SHA256 = 'c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-12-18T10:49:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--fb3dcb25-eb21-42c9-9dbd-011d260655cd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-12-18T10:49:44.000Z", "modified": "2017-12-18T10:49:44.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7/analysis/1505118111/", "category": "External analysis", "comment": "PrincessLocker binary", "uuid": "5a379d48-c620-4291-9f33-4d4d02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/63", "category": "Other", "comment": "PrincessLocker binary", "uuid": "5a379d48-d8d8-4102-8582-45e402de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-09-11T08:21:51", "category": "Other", "comment": "PrincessLocker binary", "uuid": "5a379d48-f06c-4180-b1b1-40be02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--18be6975-6369-4420-9c5e-5a6fc6b8ba91", "created": "2017-12-28T13:31:17.000Z", "modified": "2017-12-28T13:31:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--65a56413-80b7-49b7-83e7-1766f5fcb8f4", "target_ref": "x-misp-object--fb3dcb25-eb21-42c9-9dbd-011d260655cd" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }