{ "type": "bundle", "id": "bundle--0fadc113-6e22-4524-96b1-7b8fc98fa64c", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:40:28.000Z", "modified": "2020-11-09T09:40:28.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--0fadc113-6e22-4524-96b1-7b8fc98fa64c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:40:28.000Z", "modified": "2020-11-09T09:40:28.000Z", "name": "OSINT - Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware \"one\" Group via Cobalt Strike", "published": "2020-11-09T09:42:55Z", "object_refs": [ "indicator--6b0610ec-fe93-41e9-b23b-379b25e2f544", "indicator--2536fb8b-dd20-41ef-a580-55deb79446af", "indicator--399d130a-0c71-4194-9d11-b3483a5e9041", "indicator--b382bd4c-76c3-4ec2-b768-eb45849ce068", "indicator--1e625f9b-493c-4015-ab47-72b1971202cd", "indicator--4fc21643-6cb7-4e5f-aea7-bad4024e54df", "indicator--c41b1b8f-50e8-45d1-8542-1e26b9908f94", "indicator--3101bc91-74a3-4163-b5ee-2207f757c20c", "indicator--48935a10-cc47-4880-af23-4364c7e7ae37", "indicator--f75c74f9-f2b5-4b5a-8404-57e33c04c014", "indicator--b4c14a73-44cf-4d93-aabc-6175f062786a", "indicator--8459d57b-4d03-4a94-8bec-78cfa1a318a1", "indicator--b177c07b-94c6-4c88-851d-3d3e36bf604b", "indicator--fb90a640-17e3-4c26-b50f-e0861295c262", "indicator--beab0436-d5bf-4625-a71d-9d9bdaf10ad0", "indicator--da14c486-89e5-44c8-8722-0989f7691ecf", "indicator--83bc6856-3a5b-49c7-866a-c8e05d8f49f2", "indicator--a670a832-fa18-4cfb-8e9c-4f4f788542f7", "indicator--f56a75d5-db37-4b15-b8d7-5d09d1f078a2", "indicator--207008f3-f173-4774-86d1-5c1be1cc383b", "indicator--05a70842-6bbc-4441-b5c6-fac100840497", "indicator--128049f4-898d-4d60-821c-b9e80f5b335e", "indicator--f0ef8f00-71d4-411c-96f6-5e3409677484", "indicator--64c4fe90-54c0-49d0-ac60-dbdc6d0015fe", "observed-data--01b3d607-413e-4343-a336-c4684d0aa060", "url--01b3d607-413e-4343-a336-c4684d0aa060" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"Ryuk ransomware\"", "misp-galaxy:malpedia=\"Cobalt Strike\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6b0610ec-fe93-41e9-b23b-379b25e2f544", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'check1domains.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2536fb8b-dd20-41ef-a580-55deb79446af", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'sweetmonsterr.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--399d130a-0c71-4194-9d11-b3483a5e9041", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'qascker.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b382bd4c-76c3-4ec2-b768-eb45849ce068", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'remotessa.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1e625f9b-493c-4015-ab47-72b1971202cd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'havemosts.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4fc21643-6cb7-4e5f-aea7-bad4024e54df", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'unlockwsa.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c41b1b8f-50e8-45d1-8542-1e26b9908f94", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'sobcase.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3101bc91-74a3-4163-b5ee-2207f757c20c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'zhameharden.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--48935a10-cc47-4880-af23-4364c7e7ae37", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'mixunderax.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f75c74f9-f2b5-4b5a-8404-57e33c04c014", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'bugsbunnyy.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b4c14a73-44cf-4d93-aabc-6175f062786a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'fastbloodhunter.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8459d57b-4d03-4a94-8bec-78cfa1a318a1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'serviceboosterr.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b177c07b-94c6-4c88-851d-3d3e36bf604b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'servicewikii.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fb90a640-17e3-4c26-b50f-e0861295c262", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'secondlivve.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--beab0436-d5bf-4625-a71d-9d9bdaf10ad0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'luckyhunterrs.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--da14c486-89e5-44c8-8722-0989f7691ecf", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'wodemayaa.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--83bc6856-3a5b-49c7-866a-c8e05d8f49f2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'hybriqdjs.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a670a832-fa18-4cfb-8e9c-4f4f788542f7", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'gunsdrag.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f56a75d5-db37-4b15-b8d7-5d09d1f078a2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'gungameon.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--207008f3-f173-4774-86d1-5c1be1cc383b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'servicemount.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--05a70842-6bbc-4441-b5c6-fac100840497", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'servicesupdater.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--128049f4-898d-4d60-821c-b9e80f5b335e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'service-boosterr.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f0ef8f00-71d4-411c-96f6-5e3409677484", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'serviceupdatter.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--64c4fe90-54c0-49d0-ac60-dbdc6d0015fe", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:33:54.000Z", "modified": "2020-11-09T09:33:54.000Z", "pattern": "[domain-name:value = 'dotmaingame.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-11-09T09:33:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--01b3d607-413e-4343-a336-c4684d0aa060", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2020-11-09T09:36:33.000Z", "modified": "2020-11-09T09:36:33.000Z", "first_observed": "2020-11-09T09:36:33Z", "last_observed": "2020-11-09T09:36:33Z", "number_observed": 1, "object_refs": [ "url--01b3d607-413e-4343-a336-c4684d0aa060" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--01b3d607-413e-4343-a336-c4684d0aa060", "value": "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }