{ "type": "bundle", "id": "bundle--5952b89d-104c-436d-a8bd-476202de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:03:01.000Z", "modified": "2017-06-27T20:03:01.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5952b89d-104c-436d-a8bd-476202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:03:01.000Z", "modified": "2017-06-27T20:03:01.000Z", "name": "OSINT - D\u00c3\u00a9j\u00c3\u00a0 vu: Petya ransomware appears with SMB propagation capabilities", "published": "2017-06-27T20:05:09Z", "object_refs": [ "x-misp-attribute--5952b8a9-0554-49ea-b10b-481602de0b81", "observed-data--5952b951-4e0c-43af-96a9-4d8b02de0b81", "url--5952b951-4e0c-43af-96a9-4d8b02de0b81", "indicator--5952b96c-d99c-4a1c-bbd7-4bf802de0b81", "observed-data--5952b995-7028-4073-bd6b-10ed02de0b81", "url--5952b995-7028-4073-bd6b-10ed02de0b81", "observed-data--5952b995-7fd8-4b6e-8c34-10ed02de0b81", "url--5952b995-7fd8-4b6e-8c34-10ed02de0b81", "observed-data--5952b995-7480-46b3-b11a-10ed02de0b81", "url--5952b995-7480-46b3-b11a-10ed02de0b81", "observed-data--5952b995-2c9c-4ad0-a55b-10ed02de0b81", "url--5952b995-2c9c-4ad0-a55b-10ed02de0b81", "x-misp-attribute--5952b9a4-f444-4b57-a179-10e402de0b81", "indicator--5952b9cc-63e4-4af1-899f-49b502de0b81", "indicator--5952b9cc-d418-44c1-a185-462502de0b81", "observed-data--5952b9cc-0848-4d44-bfac-495302de0b81", "url--5952b9cc-0848-4d44-bfac-495302de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"", "malware_classification:malware-category=\"Ransomware\"", "misp-galaxy:ransomware=\"Petya\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5952b8a9-0554-49ea-b10b-481602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The Petya outbreak recorded on 27 June 2017 has had a significant impact on a number of global organisations, with media outlets reporting impacts as significant as the cessation of activity at the Port of Rotterdam in the Netherlands [1].\r\n\r\nWhile many may be loath to think back six weeks to the trauma of May\u00e2\u20ac\u2122s WannaCry outbreak (https://blogs.forcepoint.com/security-labs/wannacry-post-outbreak-analysis), there are a number of parallels between the two incidents ranging from the global reach of the outbreak to the techniques by which the malware is spread." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5952b951-4e0c-43af-96a9-4d8b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "first_observed": "2017-06-27T20:02:20Z", "last_observed": "2017-06-27T20:02:20Z", "number_observed": 1, "object_refs": [ "url--5952b951-4e0c-43af-96a9-4d8b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5952b951-4e0c-43af-96a9-4d8b02de0b81", "value": "https://blogs.forcepoint.com/security-labs/deja-vu-petya-ransomware-appears-smb-propagation-capabilities" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5952b96c-d99c-4a1c-bbd7-4bf802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "description": "orcepoint Security Labs has analysed one sample associated with the outbreak", "pattern": "[file:hashes.SHA256 = '027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-27T20:02:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5952b995-7028-4073-bd6b-10ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "first_observed": "2017-06-27T20:02:20Z", "last_observed": "2017-06-27T20:02:20Z", "number_observed": 1, "object_refs": [ "url--5952b995-7028-4073-bd6b-10ed02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5952b995-7028-4073-bd6b-10ed02de0b81", "value": "http://www.ad.nl/rotterdam/grote-hack-bij-maersk-legt-rotterdamse-containerterminal-plat~a60dd307/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5952b995-7fd8-4b6e-8c34-10ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "first_observed": "2017-06-27T20:02:20Z", "last_observed": "2017-06-27T20:02:20Z", "number_observed": 1, "object_refs": [ "url--5952b995-7fd8-4b6e-8c34-10ed02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5952b995-7fd8-4b6e-8c34-10ed02de0b81", "value": "https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5952b995-7480-46b3-b11a-10ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "first_observed": "2017-06-27T20:02:20Z", "last_observed": "2017-06-27T20:02:20Z", "number_observed": 1, "object_refs": [ "url--5952b995-7480-46b3-b11a-10ed02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5952b995-7480-46b3-b11a-10ed02de0b81", "value": "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5952b995-2c9c-4ad0-a55b-10ed02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "first_observed": "2017-06-27T20:02:20Z", "last_observed": "2017-06-27T20:02:20Z", "number_observed": 1, "object_refs": [ "url--5952b995-2c9c-4ad0-a55b-10ed02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5952b995-2c9c-4ad0-a55b-10ed02de0b81", "value": "https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5952b9a4-f444-4b57-a179-10e402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "labels": [ "misp:type=\"btc\"", "misp:category=\"Financial fraud\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Financial fraud", "x_misp_type": "btc", "x_misp_value": "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5952b9cc-63e4-4af1-899f-49b502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "description": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", "pattern": "[file:hashes.SHA1 = '34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-27T20:02:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5952b9cc-d418-44c1-a185-462502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "description": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", "pattern": "[file:hashes.MD5 = '71b6a493388e7d0b40c83ce903bc6b04']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-27T20:02:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5952b9cc-0848-4d44-bfac-495302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-27T20:02:20.000Z", "modified": "2017-06-27T20:02:20.000Z", "first_observed": "2017-06-27T20:02:20Z", "last_observed": "2017-06-27T20:02:20Z", "number_observed": 1, "object_refs": [ "url--5952b9cc-0848-4d44-bfac-495302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5952b9cc-0848-4d44-bfac-495302de0b81", "value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1498592986/" } ] }