{ "type": "bundle", "id": "bundle--595c89fd-d638-433e-b586-4a60950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-06T07:48:26.000Z", "modified": "2017-07-06T07:48:26.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--595c89fd-d638-433e-b586-4a60950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-06T07:48:26.000Z", "modified": "2017-07-06T07:48:26.000Z", "name": "OSINT - Analysis of TeleBots\u00e2\u20ac\u2122 cunning backdoor", "published": "2017-07-06T07:48:29Z", "object_refs": [ "observed-data--595c8a1b-87b0-47d3-b8c1-4488950d210f", "url--595c8a1b-87b0-47d3-b8c1-4488950d210f", "x-misp-attribute--595c8a34-a9c8-4848-9d2a-4059950d210f", "x-misp-attribute--595c8a44-7348-442b-ad78-4150950d210f", "observed-data--595c8a55-dea4-4b76-91d5-4095950d210f", "domain-name--595c8a55-dea4-4b76-91d5-4095950d210f", "indicator--595c8a67-f748-4d4b-9e6d-4231950d210f", "indicator--595c8a67-f3e8-4c1f-92ef-49aa950d210f", "indicator--595c8a67-873c-4735-a362-4f7d950d210f", "indicator--595c8b18-cad4-4836-b9f1-4c8702de0b81", "indicator--595c8b18-1e74-4a88-adfa-492802de0b81", "observed-data--595c8b18-58b0-4e77-a3b9-4b5402de0b81", "url--595c8b18-58b0-4e77-a3b9-4b5402de0b81", "indicator--595c8b18-85d0-48bd-8690-430602de0b81", "indicator--595c8b18-04d4-4133-b4c6-4b5502de0b81", "observed-data--595c8b18-8d78-458a-bde0-43b902de0b81", "url--595c8b18-8d78-458a-bde0-43b902de0b81", "indicator--595c8b18-91b0-46d6-90d4-415602de0b81", "indicator--595c8b18-0f48-4815-988c-4cbf02de0b81", "observed-data--595c8b18-5990-458f-a79b-440b02de0b81", "url--595c8b18-5990-458f-a79b-440b02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595c8a1b-87b0-47d3-b8c1-4488950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:47:03.000Z", "modified": "2017-07-05T06:47:03.000Z", "first_observed": "2017-07-05T06:47:03Z", "last_observed": "2017-07-05T06:47:03Z", "number_observed": 1, "object_refs": [ "url--595c8a1b-87b0-47d3-b8c1-4488950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595c8a1b-87b0-47d3-b8c1-4488950d210f", "value": "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595c8a34-a9c8-4848-9d2a-4059950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:47:03.000Z", "modified": "2017-07-05T06:47:03.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors\u00e2\u20ac\u2122 intention was to cause damage, so they did all that they could to make data decryption very unlikely.\r\nIn our previous blogpost, we attributed this attack to the TeleBots group and uncovered details about other similar supply chain attacks against Ukraine. This article reveals details about the initial distribution vector that was used during the DiskCoder.C outbreak." }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--595c8a44-7348-442b-ad78-4150950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "MSIL/TeleDoor.A" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595c8a55-dea4-4b76-91d5-4095950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "first_observed": "2017-07-05T06:45:44Z", "last_observed": "2017-07-05T06:45:44Z", "number_observed": 1, "object_refs": [ "domain-name--595c8a55-dea4-4b76-91d5-4095950d210f" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--595c8a55-dea4-4b76-91d5-4095950d210f", "value": "upd.me-doc.com.ua" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8a67-f748-4d4b-9e6d-4231950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "pattern": "[file:hashes.SHA1 = '7b051e7e7a82f07873fa360958acc6492e4385dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8a67-f3e8-4c1f-92ef-49aa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "pattern": "[file:hashes.SHA1 = '7f3b1c56c180369ae7891483675bec61f3182f27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8a67-873c-4735-a362-4f7d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "pattern": "[file:hashes.SHA1 = '3567434e2e49358e8210674641a20b147e0bd23c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8b18-cad4-4836-b9f1-4c8702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "description": "- Xchecked via VT: 3567434e2e49358e8210674641a20b147e0bd23c", "pattern": "[file:hashes.SHA256 = '2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8b18-1e74-4a88-adfa-492802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "description": "- Xchecked via VT: 3567434e2e49358e8210674641a20b147e0bd23c", "pattern": "[file:hashes.MD5 = '3efe62f6cb7285153114f888900a0962']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595c8b18-58b0-4e77-a3b9-4b5402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "first_observed": "2017-07-05T06:45:44Z", "last_observed": "2017-07-05T06:45:44Z", "number_observed": 1, "object_refs": [ "url--595c8b18-58b0-4e77-a3b9-4b5402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595c8b18-58b0-4e77-a3b9-4b5402de0b81", "value": "https://www.virustotal.com/file/2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277/analysis/1499236176/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8b18-85d0-48bd-8690-430602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "description": "- Xchecked via VT: 7f3b1c56c180369ae7891483675bec61f3182f27", "pattern": "[file:hashes.SHA256 = 'd462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8b18-04d4-4133-b4c6-4b5502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "description": "- Xchecked via VT: 7f3b1c56c180369ae7891483675bec61f3182f27", "pattern": "[file:hashes.MD5 = '87db6af04613f4bd70467720239117e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595c8b18-8d78-458a-bde0-43b902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "first_observed": "2017-07-05T06:45:44Z", "last_observed": "2017-07-05T06:45:44Z", "number_observed": 1, "object_refs": [ "url--595c8b18-8d78-458a-bde0-43b902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595c8b18-8d78-458a-bde0-43b902de0b81", "value": "https://www.virustotal.com/file/d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac/analysis/1499232770/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8b18-91b0-46d6-90d4-415602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "description": "- Xchecked via VT: 7b051e7e7a82f07873fa360958acc6492e4385dd", "pattern": "[file:hashes.SHA256 = 'f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--595c8b18-0f48-4815-988c-4cbf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "description": "- Xchecked via VT: 7b051e7e7a82f07873fa360958acc6492e4385dd", "pattern": "[file:hashes.MD5 = '8f5718be4ba2c6e4f8ce1597248bb03f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-05T06:45:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--595c8b18-5990-458f-a79b-440b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-05T06:45:44.000Z", "modified": "2017-07-05T06:45:44.000Z", "first_observed": "2017-07-05T06:45:44Z", "last_observed": "2017-07-05T06:45:44Z", "number_observed": 1, "object_refs": [ "url--595c8b18-5990-458f-a79b-440b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--595c8b18-5990-458f-a79b-440b02de0b81", "value": "https://www.virustotal.com/file/f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740/analysis/1499234664/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }