{ "type": "bundle", "id": "bundle--b9b6dcfa-0b11-40dc-9bf4-9a36a2c1a046", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-10-04T10:50:05.000Z", "modified": "2022-10-04T10:50:05.000Z", "name": "Centre for Cyber security Belgium", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--b9b6dcfa-0b11-40dc-9bf4-9a36a2c1a046", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-10-04T10:50:05.000Z", "modified": "2022-10-04T10:50:05.000Z", "name": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine", "published": "2022-10-04T10:50:06Z", "object_refs": [ "indicator--de0bd41d-ffac-4e5a-8ffd-63c0ba4c6979", "indicator--dc288e70-bf4b-46cc-84aa-515e39f3b433", "indicator--e499240c-bfd1-4e5b-a70b-244c11d69053", "observed-data--194c007c-eb84-4987-ae29-4dca3b02db47", "url--194c007c-eb84-4987-ae29-4dca3b02db47", "observed-data--8c55aae8-9ee3-4488-93e8-ee3998518fce", "windows-registry-key--8c55aae8-9ee3-4488-93e8-ee3998518fce", "indicator--85ca7a94-fcfb-4097-affc-0b102ae4dff5", "x-misp-object--d611f80f-3015-4e5a-ba28-a4219aae2114", "indicator--f6a02b6b-91df-4a01-9115-798e59bc7023", "x-misp-object--d9a1332e-3511-4417-97c8-f30621513106", "indicator--df7db285-8f67-49a0-a570-360c55604d2c", "indicator--6e410e9b-426b-49ce-a8b9-4efdf1656f24", "indicator--c908378a-8f2a-49e1-b592-306424bd139b", "relationship--089560a9-55e5-4077-8340-6e4e2fa8e1cd" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:target-information=\"Ukraine\"", "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"", "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\"", "misp-galaxy:mitre-attack-pattern=\"Signed Binary Proxy Execution - T1218\"", "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"", "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "admiralty-scale:source-reliability=\"a\"", "admiralty-scale:information-credibility=\"1\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--de0bd41d-ffac-4e5a-8ffd-63c0ba4c6979", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:01:11.000Z", "modified": "2022-02-24T07:01:11.000Z", "pattern": "[file:hashes.MD5 = '231b3385ac17e41c5bb1b1fcb59599c4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-02-24T07:01:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dc288e70-bf4b-46cc-84aa-515e39f3b433", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:01:11.000Z", "modified": "2022-02-24T07:01:11.000Z", "pattern": "[file:hashes.MD5 = '095a1678021b034903c85dd5acb447ad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-02-24T07:01:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e499240c-bfd1-4e5b-a70b-244c11d69053", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:01:11.000Z", "modified": "2022-02-24T07:01:11.000Z", "pattern": "[file:hashes.MD5 = 'eb845b7a16ed82bd248e395d9852f467']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-02-24T07:01:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--194c007c-eb84-4987-ae29-4dca3b02db47", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:33:42.000Z", "modified": "2022-02-24T07:33:42.000Z", "first_observed": "2022-02-24T07:33:42Z", "last_observed": "2022-02-24T07:33:42Z", "number_observed": 1, "object_refs": [ "url--194c007c-eb84-4987-ae29-4dca3b02db47" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--194c007c-eb84-4987-ae29-4dca3b02db47", "value": "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--8c55aae8-9ee3-4488-93e8-ee3998518fce", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:35:23.000Z", "modified": "2022-02-24T07:35:23.000Z", "first_observed": "2022-02-24T07:35:23Z", "last_observed": "2022-02-24T07:35:23Z", "number_observed": 1, "object_refs": [ "windows-registry-key--8c55aae8-9ee3-4488-93e8-ee3998518fce" ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--8c55aae8-9ee3-4488-93e8-ee3998518fce", "key": "SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled", "values": [ { "data": "0" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--85ca7a94-fcfb-4097-affc-0b102ae4dff5", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:40:59.000Z", "modified": "2022-02-24T07:40:59.000Z", "pattern": "[file:name = 'empntdrv.sys']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-02-24T07:40:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d611f80f-3015-4e5a-ba28-a4219aae2114", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:19:05.000Z", "modified": "2022-02-24T07:19:05.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da/detection/f-0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da-1645685791", "category": "External analysis", "uuid": "df316954-b61d-436a-8804-d2f38a368eeb" }, { "type": "text", "object_relation": "detection-ratio", "value": "8/71", "category": "Other", "uuid": "8becd4d8-0f4c-429a-a3d4-9e33ac8f55c5" } ], "x_misp_comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module", "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f6a02b6b-91df-4a01-9115-798e59bc7023", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:21:35.000Z", "modified": "2022-02-24T07:21:35.000Z", "description": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module", "pattern": "[file:hashes.MD5 = '84ba0197920fd3e2b7dfa719fee09d2f' AND file:hashes.SHA1 = '912342f1c840a42f6b74132f8a7c4ffe7d40fb77' AND file:hashes.SHA256 = '0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-02-24T06:35:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d9a1332e-3511-4417-97c8-f30621513106", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:25:48.000Z", "modified": "2022-02-24T07:25:48.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/gui/file/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591/detection/f-1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591-1645686225", "category": "External analysis", "uuid": "bafabadb-48ca-48a7-b192-ed30a1ffc57c" }, { "type": "text", "object_relation": "detection-ratio", "value": "28/71", "category": "Other", "uuid": "fecf0286-1c32-478d-93e3-507253b34c26" } ], "x_misp_comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module", "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--df7db285-8f67-49a0-a570-360c55604d2c", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:25:57.000Z", "modified": "2022-02-24T07:25:57.000Z", "description": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module", "pattern": "[file:hashes.MD5 = '3f4a16b29f2f0532b7ce3e7656799125' AND file:hashes.SHA1 = '61b25d11392172e587d8da3045812a66c3385451' AND file:hashes.SHA256 = '1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-02-24T07:25:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6e410e9b-426b-49ce-a8b9-4efdf1656f24", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:25:12.000Z", "modified": "2022-02-24T07:25:12.000Z", "pattern": "[file:hashes.MD5 = 'a952e288a1ead66490b3275a807f52e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2022-02-24T07:25:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c908378a-8f2a-49e1-b592-306424bd139b", "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631", "created": "2022-02-24T07:43:19.000Z", "modified": "2022-02-24T07:43:19.000Z", "name": "MAL_HERMETIC_WIPER", "description": "HermeticWiper - broad hunting rule", "pattern": "rule MAL_HERMETIC_WIPER {\r\n meta:\r\n desc = \\\\\"HermeticWiper - broad hunting rule\\\\\"\r\n author = \\\\\"Friends @ SentinelLabs\\\\\"\r\n version = \\\\\"1.0\\\\\"\r\n last_modified = \\\\\"02.23.2022\\\\\"\r\n hash = \\\\\"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\\\\\"\r\n strings:\r\n $string1 = \\\\\"DRV_XP_X64\\\\\" wide ascii nocase\r\n $string2 = \\\\\"EPMNTDRV\\\\\\\\%u\\\\\" wide ascii nocase\r\n $string3 = \\\\\"PhysicalDrive%u\\\\\" wide ascii nocase\r\n $cert1 = \\\\\"Hermetica Digital Ltd\\\\\" wide ascii nocase\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n all of them\r\n}", "pattern_type": "yara", "valid_from": "2022-02-24T07:43:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"", "misp:to_ids=\"True\"" ], "x_misp_context": "disk" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--089560a9-55e5-4077-8340-6e4e2fa8e1cd", "created": "2022-10-04T10:50:05.000Z", "modified": "2022-10-04T10:50:05.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f6a02b6b-91df-4a01-9115-798e59bc7023", "target_ref": "x-misp-object--d611f80f-3015-4e5a-ba28-a4219aae2114" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }