{ "type": "bundle", "id": "bundle--589b1a8a-1e10-4e76-860a-4cba950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-10T07:48:34.000Z", "modified": "2017-02-10T07:48:34.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--589b1a8a-1e10-4e76-860a-4cba950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-10T07:48:34.000Z", "modified": "2017-02-10T07:48:34.000Z", "name": "Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment", "published": "2017-02-10T07:48:45Z", "object_refs": [ "observed-data--589b1aad-8768-4196-a952-48ec950d210f", "url--589b1aad-8768-4196-a952-48ec950d210f", "x-misp-attribute--589b1ae1-8ea8-4f2f-a702-439d950d210f", "indicator--589b1b4a-3178-4814-9c07-480a950d210f", "indicator--589b1b4b-3bb0-426a-a692-40a3950d210f", "indicator--589b1b4c-6378-410a-a1f1-42cd950d210f", "indicator--589b1b4d-ea20-47d8-8c30-4812950d210f", "indicator--589b1b4d-ff80-4c1d-bed3-440a950d210f", "indicator--589b1b4e-8518-4c9e-ae53-49ab950d210f", "indicator--589b1d73-8c78-4bab-9438-4b7f950d210f", "indicator--589b1d75-2204-45ce-86ea-4f70950d210f", "indicator--589b1d77-d5dc-4c7b-93df-4d66950d210f", "indicator--589b1d77-b140-49f4-901e-4763950d210f", "indicator--589b1d79-fbc4-4600-9f45-4d55950d210f", "indicator--589b1d7a-a8fc-4d0e-b0e9-4974950d210f", "indicator--589b1d7b-29cc-47f9-9524-4258950d210f", "indicator--589b1d7d-2da0-40cc-b997-4b4f950d210f", "indicator--589b1d7e-8c68-47e6-8bc2-4df9950d210f", "indicator--589b1d7f-30fc-425c-b5c8-489f950d210f", "indicator--589b1d81-c620-4c3c-880b-4c58950d210f", "indicator--589b1d82-46ec-431a-8b78-4f53950d210f", "indicator--589b1d83-bb94-4ea8-abfb-4a42950d210f", "indicator--589b1d83-c664-4696-b610-4d9e950d210f", "indicator--589b1d85-349c-45e5-8784-4a8e950d210f", "indicator--589b1d86-a4e8-4ec6-84a3-4dad950d210f", "indicator--589b1d87-c6bc-4a04-960c-4223950d210f", "indicator--589b1d89-6708-44c9-a4be-4236950d210f", "indicator--589b1d89-bbdc-4c8c-be68-4902950d210f", "indicator--589b1d8b-e95c-43c2-8931-45f7950d210f", "indicator--589b1d8c-7ed4-43c0-954b-408f950d210f", "indicator--589b1d8d-5728-467a-aab7-4903950d210f", "indicator--589b1d8f-a378-4f2d-9c37-4c29950d210f", "indicator--589b1d90-0940-421f-b1fe-4839950d210f", "indicator--589b1d91-703c-4383-8aa5-4771950d210f", "indicator--589b1d97-6d60-4d40-a35d-42e0950d210f", "indicator--589b1d98-f3dc-4ed6-a088-4d9a950d210f", "indicator--589b1de4-c14c-483a-b435-4f92950d210f", "indicator--589b1dfc-f4d8-4733-a045-45ed950d210f", "x-misp-attribute--589b2243-c398-4060-8b34-49b8950d210f", "x-misp-attribute--589b225d-ae00-4143-acdb-44d3950d210f", "indicator--589c1de5-25a0-4e89-90c7-442602de0b81", "indicator--589c1de5-4bc4-4beb-9de3-4f7d02de0b81", "observed-data--589c1de7-49c0-44ea-a90c-4e8202de0b81", "url--589c1de7-49c0-44ea-a90c-4e8202de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "ecsirt:malicious-code=\"ransomware\"", "veris:action:malware:variety=\"Ransomware\"", "enisa:nefarious-activity-abuse=\"ransomware\"", "dnc:malware-type=\"Ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--589b1aad-8768-4196-a952-48ec950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "first_observed": "2017-02-09T07:44:21Z", "last_observed": "2017-02-09T07:44:21Z", "number_observed": 1, "object_refs": [ "url--589b1aad-8768-4196-a952-48ec950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "type:OSINT", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--589b1aad-8768-4196-a952-48ec950d210f", "value": "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--589b1ae1-8ea8-4f2f-a702-439d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "type:OSINT", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "A sample of a potentially new ransomware called Erebus has been discovered by MalwareHunterTeam on VirusTotal. I say that this is a potentially new ransomware because TrendMicro had reported another ransomware using the same name was previously released back in September 2016. Though I do not have a sample of the original Erebus, from its outward characteristics, the one discovered today looks like either a complete rewrite or a new ransomware using the same name.." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1b4a-3178-4814-9c07-480a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[windows-registry-key:key = 'HKEY_CLASSES_ROOT.msc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1b4b-3bb0-426a-a692-40a3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1b4c-6378-410a-a1f1-42cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1b4d-ea20-47d8-8c30-4812950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1b4d-ff80-4c1d-bed3-440a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1b4e-8518-4c9e-ae53-49ab950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[windows-registry-key:key = 'HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\ \\\\%UserProfile\\\\%\\\\[random].exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Persistence mechanism" } ], "labels": [ "misp:type=\"regkey\"", "misp:category=\"Persistence mechanism\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d73-8c78-4bab-9438-4b7f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d75-2204-45ce-86ea-4f70950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Data\\\\']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d77-d5dc-4c7b-93df-4d66950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Data\\\\Tor\\\\']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d77-b140-49f4-901e-4763950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Data\\\\Tor\\\\geoip']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d79-fbc4-4600-9f45-4d55950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Data\\\\Tor\\\\geoip6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d7a-a8fc-4d0e-b0e9-4974950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d7b-29cc-47f9-9524-4258950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libeay32.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d7d-2da0-40cc-b997-4b4f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libevent-2-0-5.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d7e-8c68-47e6-8bc2-4df9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libevent_core-2-0-5.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d7f-30fc-425c-b5c8-489f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libevent_extra-2-0-5.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d81-c620-4c3c-880b-4c58950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libgcc_s_sjlj-1.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d82-46ec-431a-8b78-4f53950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\libssp-0.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d83-bb94-4ea8-abfb-4a42950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\ssleay32.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d83-c664-4696-b610-4d9e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\tor-gencert.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d85-349c-45e5-8784-4a8e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\tor.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d86-a4e8-4ec6-84a3-4dad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor\\\\Tor\\\\zlib1.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d87-c6bc-4a04-960c-4223950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\tor.zip']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d89-6708-44c9-a4be-4236950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d89-bbdc-4c8c-be68-4902950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-certs']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d8b-e95c-43c2-8931-45f7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdesc-consensus']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d8c-7ed4-43c0-954b-408f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\cached-microdescs.new']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d8d-5728-467a-aab7-4903950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\lock']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d8f-a378-4f2d-9c37-4c29950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\AppData\\\\Roaming\\\\tor\\\\state']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d90-0940-421f-b1fe-4839950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\test\\\\xor-test.pdf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d91-703c-4383-8aa5-4771950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\README.html']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d97-6d60-4d40-a35d-42e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Documents\\\\README.html']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1d98-f3dc-4ed6-a088-4d9a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\[random].exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1de4-c14c-483a-b435-4f92950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[url:value = 'http://erebus5743lnq6db.onion/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589b1dfc-f4d8-4733-a045-45ed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "pattern": "[file:hashes.SHA256 = 'ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--589b2243-c398-4060-8b34-49b8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "text", "x_misp_value": "Files crypted!\r\nEvery important file on this computer was crypted. Please look on your documents or desktop folder for a file called README.html for instructions on how to decrypt them." }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--589b225d-ae00-4143-acdb-44d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:21.000Z", "modified": "2017-02-09T07:44:21.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Artifacts dropped\"" ], "x_misp_category": "Artifacts dropped", "x_misp_type": "text", "x_misp_value": "Data crypted\r\n\r\nEvery important file (documents,photos,videos etc) on this computer has been encrypted using an unique key for this computer. \r\nIt is impossible to recover your files without this key. You can try to open them they won't work and will stay that way. \r\n\r\nThat is, unless you buy a decryption key and decrypt your files.\r\nClick 'recover my files' below to go to the website allowing you to buy the key. \r\nFrom now on you have 96 hours to recover the key after this time it will be deleted and your files will stay unusable forever \r\nYour id is : '[id]' you can find this page on your desktop and document folder Use it to \r\n\r\nif the button below doesn't work you need to download a web browser called 'tor browser' \r\ndownload by clicking here then install the browser, it's like chrome, firefox or internet explorer except it allows you to browse to special websites. \r\nonce it's launched browse to http://erebus5743lnq6db.onion" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589c1de5-25a0-4e89-90c7-442602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:37.000Z", "modified": "2017-02-09T07:44:37.000Z", "description": "- Xchecked via VT: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791", "pattern": "[file:hashes.SHA1 = '6e5fca51a018272d1b1003b16dce6ee9e836908c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--589c1de5-4bc4-4beb-9de3-4f7d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:37.000Z", "modified": "2017-02-09T07:44:37.000Z", "description": "- Xchecked via VT: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791", "pattern": "[file:hashes.MD5 = '0ced87772881b63caf95f1d828ba40c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-09T07:44:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--589c1de7-49c0-44ea-a90c-4e8202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-09T07:44:39.000Z", "modified": "2017-02-09T07:44:39.000Z", "first_observed": "2017-02-09T07:44:39Z", "last_observed": "2017-02-09T07:44:39Z", "number_observed": 1, "object_refs": [ "url--589c1de7-49c0-44ea-a90c-4e8202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"Payload delivery\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--589c1de7-49c0-44ea-a90c-4e8202de0b81", "value": "https://www.virustotal.com/file/ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791/analysis/1486609351/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }