{ "type": "bundle", "id": "bundle--59f0462f-41d4-47b4-9e1b-4a07950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T09:04:21.000Z", "modified": "2017-10-25T09:04:21.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59f0462f-41d4-47b4-9e1b-4a07950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T09:04:21.000Z", "modified": "2017-10-25T09:04:21.000Z", "name": "OSINT - Bad Rabbit ransomware", "published": "2017-10-25T09:04:25Z", "object_refs": [ "indicator--59f04689-1d08-4780-b433-4e4e950d210f", "observed-data--59f04703-4f20-4b4c-9655-4e01950d210f", "url--59f04703-4f20-4b4c-9655-4e01950d210f", "x-misp-attribute--59f047b0-776c-49a7-82e5-4594950d210f", "indicator--59f04853-d364-4c70-a966-496c950d210f", "indicator--59f04854-ee44-43a7-add1-48e2950d210f", "indicator--59f04998-0774-4f90-93ec-42a9950d210f", "indicator--59f049ed-6f9c-4994-b4a2-466c950d210f", "indicator--59f04a1b-b1ac-4bdb-9771-45ff950d210f", "indicator--59f04a1b-9ee4-4318-a764-49df950d210f", "indicator--59f04a1b-4228-4582-ad70-48b4950d210f", "indicator--59f04a1b-5400-4fbd-8027-476b950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"Bad Rabbit\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"", "misp-galaxy:preventive-measure=\"Backup and Restore Process\"", "misp-galaxy:preventive-measure=\"Restrict Workstation Communication\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04689-1d08-4780-b433-4e4e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:08:41.000Z", "modified": "2017-10-25T08:08:41.000Z", "description": "The 
ransomware dropper is distributed from", "pattern": "[url:value = 'http://1dnscontrol.com/flash_install.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:08:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59f04703-4f20-4b4c-9655-4e01950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:11:29.000Z", "modified": "2017-10-25T08:11:29.000Z", "first_observed": "2017-10-25T08:11:29Z", "last_observed": "2017-10-25T08:11:29Z", "number_observed": 1, "object_refs": [ "url--59f04703-4f20-4b4c-9655-4e01950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59f04703-4f20-4b4c-9655-4e01950d210f", "value": "https://securelist.com/bad-rabbit-ransomware/82851/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59f047b0-776c-49a7-82e5-4594950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:13:42.000Z", "modified": "2017-10-25T08:13:42.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia but there have also been reports of victims in Ukraine." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04853-d364-4c70-a966-496c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:16:19.000Z", "modified": "2017-10-25T08:16:19.000Z", "description": "downloaded file", "pattern": "[file:name = 'install_flash_player.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:16:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04854-ee44-43a7-add1-48e2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:16:20.000Z", "modified": "2017-10-25T08:16:20.000Z", "description": "malicious DLL", "pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\infpub.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:16:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04998-0774-4f90-93ec-42a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:21:44.000Z", "modified": "2017-10-25T08:21:44.000Z", "pattern": "[file:name = 'dispci.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:21:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f049ed-6f9c-4994-b4a2-466c950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:23:09.000Z", "modified": "2017-10-25T08:23:09.000Z", "pattern": "[file:name = '\\\\%WINDIR\\\\%\\\\cscc.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:23:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04a1b-b1ac-4bdb-9771-45ff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:23:55.000Z", "modified": "2017-10-25T08:23:55.000Z", "pattern": "[url:value = 'http://1dnscontrol.com/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:23:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04a1b-9ee4-4318-a764-49df950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:23:55.000Z", "modified": "2017-10-25T08:23:55.000Z", "description": "install_flash_player.exe", "pattern": "[file:hashes.MD5 = 'fbbdc39af1139aebba4da004475e8839']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:23:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04a1b-4228-4582-ad70-48b4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:23:55.000Z", "modified": "2017-10-25T08:23:55.000Z", "description": 
"C:\\Windows\\infpub.dat", "pattern": "[file:hashes.MD5 = '1d724f95c61f1055f0d02c2154bbccd3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:23:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59f04a1b-5400-4fbd-8027-476b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-25T08:23:55.000Z", "modified": "2017-10-25T08:23:55.000Z", "description": "C:\\Windows\\dispci.exe", "pattern": "[file:hashes.MD5 = 'b14d8faf7f0cbcfad051cefe5f39645f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-25T08:23:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }