{ "type": "bundle", "id": "bundle--5b72c78a-274c-43a6-a945-4fd5950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-14T06:33:53.000Z", "modified": "2018-09-14T06:33:53.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5b72c78a-274c-43a6-a945-4fd5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-14T06:33:53.000Z", "modified": "2018-09-14T06:33:53.000Z", "name": "OSINT - New Cmb Dharma Ransomware Variant Released", "context": "suspicious-activity", "object_refs": [ "observed-data--5b72cc0c-7650-45f8-a0b8-480e950d210f", "url--5b72cc0c-7650-45f8-a0b8-480e950d210f", "x-misp-attribute--5b72cc2d-4e18-422b-9e9c-4b04950d210f", "indicator--5b76bb98-be88-4cc7-840e-43e9950d210f", "indicator--5b76be0c-bfb0-476c-8e1a-43c9950d210f", "indicator--5b76bea9-c140-4dc4-b0b9-46a0950d210f", "indicator--5b76bea9-fa40-48bd-814c-4928950d210f", "indicator--5b76bea9-c25c-4a54-b4f1-4562950d210f", "indicator--5b76bea9-862c-401d-bdbd-4339950d210f", "indicator--5b76bea9-38cc-4d10-b9e7-45fc950d210f", "indicator--5b76c113-5bcc-4611-9e46-f168950d210f", "indicator--5b76c113-9c38-43f7-bece-f168950d210f", "indicator--5b76c113-3e70-4f67-baec-f168950d210f", "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8", "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd", "relationship--bb50465a-1ad2-4d8d-9941-dcb037c706f6" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"Dharma Ransomware\"", "malware_classification:malware-category=\"Ransomware\"", "circl:incident-classification=\"malware\"", "osint:source-type=\"blog-post\"", "workflow:state=\"complete\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b72cc0c-7650-45f8-a0b8-480e950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:34:27.000Z", "modified": "2018-08-14T12:34:27.000Z", "first_observed": "2018-08-14T12:34:27Z", "last_observed": "2018-08-14T12:34:27Z", "number_observed": 1, "object_refs": [ "url--5b72cc0c-7650-45f8-a0b8-480e950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b72cc0c-7650-45f8-a0b8-480e950d210f", "value": "https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b72cc2d-4e18-422b-9e9c-4b04950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-14T12:33:57.000Z", "modified": "2018-08-14T12:33:57.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "On Thursday a new variant of the Dharma Ransomware was discovered that appends the .cmb extension to encrypted files.\r\n\r\nThe Cmb variant of the Dharma Ransomware was first discovered by Michael Gillespie when he noticed samples uploaded to ID Ransomware. After tweeting about it, Jakub Kroustek replied with a hash to the sample." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76bb98-be88-4cc7-840e-43e9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:12:08.000Z", "modified": "2018-08-17T12:12:08.000Z", "pattern": "[file:hashes.SHA256 = 'c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T12:12:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76be0c-bfb0-476c-8e1a-43c9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:40:43.000Z", "modified": "2018-08-17T12:40:43.000Z", "description": "Contact email mentioned in ransom note", "pattern": "[email-message:from_ref.value = 'paymentbtc@firemail.cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T12:40:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76bea9-c140-4dc4-b0b9-46a0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:25:13.000Z", "modified": "2018-08-17T12:25:13.000Z", "pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\Info.hta']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T12:25:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5b76bea9-fa40-48bd-814c-4928950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:25:13.000Z", "modified": "2018-08-17T12:25:13.000Z", "pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\cmb_ransomware.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T12:25:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76bea9-c25c-4a54-b4f1-4562950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:25:13.000Z", "modified": "2018-08-17T12:25:13.000Z", "pattern": "[file:name = '\\\\%Appdata\\\\%\\\\Info.hta']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T12:25:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76bea9-862c-401d-bdbd-4339950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:25:13.000Z", "modified": "2018-08-17T12:25:13.000Z", "pattern": "[file:name = '\\\\%UserProfile\\\\%\\\\Desktop\\\\FILES ENCRYPTED.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T12:25:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76bea9-38cc-4d10-b9e7-45fc950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:25:13.000Z", "modified": "2018-08-17T12:25:13.000Z", "pattern": "[file:name = '\\\\%PUBLIC\\\\%\\\\Desktop\\\\FILES ENCRYPTED.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T12:25:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76c113-5bcc-4611-9e46-f168950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T13:26:26.000Z", "modified": "2018-08-17T13:26:26.000Z", "pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\cmb_ransomware.exe' AND windows-registry-key:values.data = '\\\\%WINDIR\\\\%\\\\System32\\\\cmb_ransomware.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T13:26:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76c113-9c38-43f7-bece-f168950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T13:29:31.000Z", "modified": "2018-08-17T13:29:31.000Z", "pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%WINDIR%\\\\System32\\\\Info.hta mshta.exe' AND windows-registry-key:values.data = '\\\\\"%WINDIR%\\\\System32\\\\Info.hta']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T13:29:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ 
"misp:type=\"regkey|value\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b76c113-3e70-4f67-baec-f168950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T13:29:58.000Z", "modified": "2018-08-17T13:29:58.000Z", "pattern": "[windows-registry-key:key = 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%Appdata%\\\\Info.hta\tmshta.exe' AND windows-registry-key:values.data = '\\\\\"%Appdata%\\\\Info.hta']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T13:29:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"regkey|value\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:23:44.000Z", "modified": "2018-08-17T12:23:44.000Z", "pattern": "[file:hashes.MD5 = 'd50f69f0d3a73c0a58d2ad08aedac1c8' AND file:hashes.SHA1 = 'c25ff1bb2ea3e0804ab3f370ad2877b0b7c56903' AND file:hashes.SHA256 = 'c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-08-17T12:23:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-08-17T12:23:43.000Z", "modified": "2018-08-17T12:23:43.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", 
"object_relation": "last-submission", "value": "2018-08-14 05:47:48", "category": "Other", "uuid": "7b4c2186-d46a-4444-904e-963bbb0fdbae" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702/analysis/1534225668/", "category": "External analysis", "uuid": "94fd6e61-154c-44e8-ac6b-073a54eaaa16" }, { "type": "text", "object_relation": "detection-ratio", "value": "56/68", "category": "Other", "uuid": "2a66be74-d97a-45c3-b2b6-647492a2ddb5" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bb50465a-1ad2-4d8d-9941-dcb037c706f6", "created": "2018-08-17T12:23:44.000Z", "modified": "2018-08-17T12:23:44.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a2a92847-3c13-47aa-b8f6-6bc6599ef7b8", "target_ref": "x-misp-object--28d37ac7-5d4e-4dc5-9806-3a0335b4afbd" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }