{ "type": "bundle", "id": "bundle--56dc93a4-5a6c-470d-9c9b-4e9902de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-07T08:35:30.000Z", "modified": "2016-03-07T08:35:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56dc93a4-5a6c-470d-9c9b-4e9902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-07T08:35:30.000Z", "modified": "2016-03-07T08:35:30.000Z", "name": "OSINT - New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer", "published": "2016-03-07T08:36:54Z", "object_refs": [ "observed-data--56dc93be-d390-4377-82cb-49cf02de0b81", "url--56dc93be-d390-4377-82cb-49cf02de0b81", "indicator--56dc93e5-4c30-4f24-82fc-434802de0b81", "indicator--56dc93e5-fc70-4680-aa2d-494a02de0b81", "indicator--56dc93e6-86ac-4ac2-98f2-413c02de0b81", "indicator--56dc93e6-adac-4282-a062-485f02de0b81", "indicator--56dc93e6-e290-4489-803f-4b7c02de0b81", "indicator--56dc93e7-2fd0-4b80-b378-4d4702de0b81", "x-misp-attribute--56dc93fc-4dd4-4bfe-894e-48a102de0b81", "indicator--56dc9420-1368-4259-8c98-489a02de0b81", "indicator--56dc9420-f8cc-4387-bc53-450f02de0b81", "indicator--56dc9421-1ccc-46b1-8490-4aa402de0b81", "indicator--56dc9421-5d8c-45fb-ba7d-424e02de0b81", "indicator--56dc9421-e5b4-4527-967d-4fe202de0b81", "indicator--56dc9421-9300-4c6c-be38-478e02de0b81", "indicator--56dc9443-d870-4509-9d9f-434802de0b81", "indicator--56dc9444-7a0c-4639-bbba-4af202de0b81", "observed-data--56dc9444-9d10-4be0-b1d0-4aa002de0b81", "url--56dc9444-9d10-4be0-b1d0-4aa002de0b81", "indicator--56dc9444-dc2c-4d09-81d0-40d402de0b81", "indicator--56dc9445-499c-4bda-bcb6-4af402de0b81", "observed-data--56dc9445-2b00-4197-b2e2-4c3f02de0b81", "url--56dc9445-2b00-4197-b2e2-4c3f02de0b81", "indicator--56dc9445-ce5c-44c4-a315-41cd02de0b81", "indicator--56dc9445-24e0-46a9-b8a8-498b02de0b81", "observed-data--56dc9446-e51c-44cc-99f8-483402de0b81", "url--56dc9446-e51c-44cc-99f8-483402de0b81", "indicator--56dc9446-f4cc-4f5c-8ba7-4bfc02de0b81", "indicator--56dc9446-f628-40c4-abde-46b202de0b81", "observed-data--56dc9447-33e4-4cd8-9ebf-4aa502de0b81", "url--56dc9447-33e4-4cd8-9ebf-4aa502de0b81", "indicator--56dc9447-47e8-4c94-bb95-472102de0b81", "indicator--56dc9447-547c-4cda-9caa-478302de0b81", "observed-data--56dc9447-0350-4947-b63f-4c5802de0b81", "url--56dc9447-0350-4947-b63f-4c5802de0b81", "indicator--56dc9448-9050-44a5-9e8c-4a3302de0b81", "indicator--56dc9448-6488-4152-816e-411d02de0b81", "observed-data--56dc9448-d060-4412-9815-4c3f02de0b81", "url--56dc9448-d060-4412-9815-4c3f02de0b81", "x-misp-attribute--56dc9469-a334-4c0d-9ab7-416402de0b81", "x-misp-attribute--56dd3d52-8768-4ce1-a546-48f0950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56dc93be-d390-4377-82cb-49cf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:31:58.000Z", "modified": "2016-03-06T20:31:58.000Z", "first_observed": "2016-03-06T20:31:58Z", "last_observed": "2016-03-06T20:31:58Z", "number_observed": 1, "object_refs": [ "url--56dc93be-d390-4377-82cb-49cf02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56dc93be-d390-4377-82cb-49cf02de0b81", "value": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc93e5-4c30-4f24-82fc-434802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:32:37.000Z", "modified": "2016-03-06T20:32:37.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'lclebb6kvohlkcml.onion.link']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:32:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc93e5-fc70-4680-aa2d-494a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:32:37.000Z", "modified": "2016-03-06T20:32:37.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'lclebb6kvohlkcml.onion.nu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:32:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc93e6-86ac-4ac2-98f2-413c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:32:38.000Z", "modified": "2016-03-06T20:32:38.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'bmacyzmea723xyaz.onion.link']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:32:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc93e6-adac-4282-a062-485f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:32:38.000Z", "modified": "2016-03-06T20:32:38.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'bmacyzmea723xyaz.onion.nu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:32:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc93e6-e290-4489-803f-4b7c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:32:38.000Z", "modified": "2016-03-06T20:32:38.000Z", "description": "Imported via the freetext import.", "pattern": "[url:value = 'nejdtkok7oz5kjoc.onion.link']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:32:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc93e7-2fd0-4b80-b378-4d4702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:32:39.000Z", "modified": "2016-03-06T20:32:39.000Z", "description": "Imported via the freetext import.", "pattern": "[domain-name:value = 'nejdtkok7oz5kjoc.onion.nu']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:32:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56dc93fc-4dd4-4bfe-894e-48a102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:33:00.000Z", "modified": "2016-03-06T20:33:00.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Ransomware.OSX.KeRanger" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9420-1368-4259-8c98-489a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:33:36.000Z", "modified": "2016-03-06T20:33:36.000Z", "description": "Samples of Ransomware.OSX.KeRanger", "pattern": "[file:hashes.SHA256 = 'd1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:33:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9420-f8cc-4387-bc53-450f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:33:36.000Z", "modified": "2016-03-06T20:33:36.000Z", "description": "Samples of Ransomware.OSX.KeRanger", "pattern": "[file:hashes.SHA256 = 'e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:33:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9421-1ccc-46b1-8490-4aa402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:33:37.000Z", "modified": "2016-03-06T20:33:37.000Z", "description": "Samples of Ransomware.OSX.KeRanger", "pattern": "[file:hashes.SHA256 = '31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:33:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9421-5d8c-45fb-ba7d-424e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:33:37.000Z", "modified": "2016-03-06T20:33:37.000Z", "description": "Samples of Ransomware.OSX.KeRanger", "pattern": "[file:hashes.SHA256 = 'd7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:33:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9421-e5b4-4527-967d-4fe202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:33:37.000Z", "modified": "2016-03-06T20:33:37.000Z", "description": "Samples of Ransomware.OSX.KeRanger", "pattern": "[file:hashes.SHA256 = 'ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:33:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9421-9300-4c6c-be38-478e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:33:37.000Z", "modified": "2016-03-06T20:33:37.000Z", "description": "Samples of Ransomware.OSX.KeRanger", "pattern": "[file:hashes.SHA256 = '6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:33:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9443-d870-4509-9d9f-434802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:11.000Z", "modified": "2016-03-06T20:34:11.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: 6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153", "pattern": "[file:hashes.SHA1 = '260f02e7dd4a62575eca7c1a09f3e6b152733e40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9444-7a0c-4639-bbba-4af202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:12.000Z", "modified": "2016-03-06T20:34:12.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: 6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153", "pattern": "[file:hashes.MD5 = '861c3da2bbce6c09eda2709c8994f34c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56dc9444-9d10-4be0-b1d0-4aa002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:12.000Z", "modified": "2016-03-06T20:34:12.000Z", "first_observed": "2016-03-06T20:34:12Z", "last_observed": "2016-03-06T20:34:12Z", "number_observed": 1, "object_refs": [ "url--56dc9444-9d10-4be0-b1d0-4aa002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56dc9444-9d10-4be0-b1d0-4aa002de0b81", "value": "https://www.virustotal.com/file/6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153/analysis/1457131054/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9444-dc2c-4d09-81d0-40d402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:12.000Z", "modified": "2016-03-06T20:34:12.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a", "pattern": "[file:hashes.SHA1 = 'f2fe3ff6da97a5adfc9278c475536883adcef93b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9445-499c-4bda-bcb6-4af402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:13.000Z", "modified": "2016-03-06T20:34:13.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a", "pattern": "[file:hashes.MD5 = '3151d9a085d14508fa9f10d48afc7016']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56dc9445-2b00-4197-b2e2-4c3f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:13.000Z", "modified": "2016-03-06T20:34:13.000Z", "first_observed": "2016-03-06T20:34:13Z", "last_observed": "2016-03-06T20:34:13Z", "number_observed": 1, "object_refs": [ "url--56dc9445-2b00-4197-b2e2-4c3f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56dc9445-2b00-4197-b2e2-4c3f02de0b81", "value": "https://www.virustotal.com/file/ddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a/analysis/1457131063/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9445-ce5c-44c4-a315-41cd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:13.000Z", "modified": "2016-03-06T20:34:13.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: d7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5", "pattern": "[file:hashes.SHA1 = 'e2f6d5912565ad3a2c9b3393cf7aff0110738f5c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9445-24e0-46a9-b8a8-498b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:13.000Z", "modified": "2016-03-06T20:34:13.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: d7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5", "pattern": "[file:hashes.MD5 = '24a8f01cfdc4228b4fc9bb87fedf6eb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56dc9446-e51c-44cc-99f8-483402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:14.000Z", "modified": "2016-03-06T20:34:14.000Z", "first_observed": "2016-03-06T20:34:14Z", "last_observed": "2016-03-06T20:34:14Z", "number_observed": 1, "object_refs": [ "url--56dc9446-e51c-44cc-99f8-483402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56dc9446-e51c-44cc-99f8-483402de0b81", "value": "https://www.virustotal.com/file/d7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5/analysis/1457294776/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9446-f4cc-4f5c-8ba7-4bfc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:14.000Z", "modified": "2016-03-06T20:34:14.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: 31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9", "pattern": "[file:hashes.SHA1 = 'fd1f246ee9effafba0811fd692e2e76947e82687']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9446-f628-40c4-abde-46b202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:14.000Z", "modified": "2016-03-06T20:34:14.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: 31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9", "pattern": "[file:hashes.MD5 = '14a4df1df622562b3bf5bc9a94e6a783']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56dc9447-33e4-4cd8-9ebf-4aa502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:15.000Z", "modified": "2016-03-06T20:34:15.000Z", "first_observed": "2016-03-06T20:34:15Z", "last_observed": "2016-03-06T20:34:15Z", "number_observed": 1, "object_refs": [ "url--56dc9447-33e4-4cd8-9ebf-4aa502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56dc9447-33e4-4cd8-9ebf-4aa502de0b81", "value": "https://www.virustotal.com/file/31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9/analysis/1457127744/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9447-47e8-4c94-bb95-472102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:15.000Z", "modified": "2016-03-06T20:34:15.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574", "pattern": "[file:hashes.SHA1 = 'f4c95047938cd66368f1f0fe7cbf87de8378a1fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9447-547c-4cda-9caa-478302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:15.000Z", "modified": "2016-03-06T20:34:15.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574", "pattern": "[file:hashes.MD5 = '56b1d956112b0b7bd3e44f20cf1f2c19']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56dc9447-0350-4947-b63f-4c5802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:15.000Z", "modified": "2016-03-06T20:34:15.000Z", "first_observed": "2016-03-06T20:34:15Z", "last_observed": "2016-03-06T20:34:15Z", "number_observed": 1, "object_refs": [ "url--56dc9447-0350-4947-b63f-4c5802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56dc9447-0350-4947-b63f-4c5802de0b81", "value": "https://www.virustotal.com/file/e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574/analysis/1457127757/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9448-9050-44a5-9e8c-4a3302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:16.000Z", "modified": "2016-03-06T20:34:16.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1", "pattern": "[file:hashes.SHA1 = '5f8ae46ae82e346000f366c3eabdafbec76e99e9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56dc9448-6488-4152-816e-411d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:16.000Z", "modified": "2016-03-06T20:34:16.000Z", "description": "Samples of Ransomware.OSX.KeRanger - Xchecked via VT: d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1", "pattern": "[file:hashes.MD5 = '1d6297e2427f1d00a5b355d6d50809cb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-03-06T20:34:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56dc9448-d060-4412-9815-4c3f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:16.000Z", "modified": "2016-03-06T20:34:16.000Z", "first_observed": "2016-03-06T20:34:16Z", "last_observed": "2016-03-06T20:34:16Z", "number_observed": 1, "object_refs": [ "url--56dc9448-d060-4412-9815-4c3f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56dc9448-d060-4412-9815-4c3f02de0b81", "value": "https://www.virustotal.com/file/d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1/analysis/1457294749/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56dc9469-a334-4c0d-9ab7-416402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-06T20:34:49.000Z", "modified": "2016-03-06T20:34:49.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware \u00e2\u20ac\u0153KeRanger.\u00e2\u20ac\u009d The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.\r\n\r\nAttackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site (https://download.transmissionbt.com/files/Transmission-2.90.dmg) Transmission is an open source project. It\u00e2\u20ac\u2122s possible that Transmission\u00e2\u20ac\u2122s official website was compromised and the files were replaced by re-compiled malicious versions, but we can\u00e2\u20ac\u2122t confirm how this infection occurred." }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56dd3d52-8768-4ce1-a546-48f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-03-07T08:35:30.000Z", "modified": "2016-03-07T08:35:30.000Z", "labels": [ "misp:type=\"btc\"", "misp:category=\"Financial fraud\"" ], "x_misp_category": "Financial fraud", "x_misp_type": "btc", "x_misp_value": "1PGAUBqHNcwSHYKnpHgzCrPkyxNxvsmEof" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }