misp-circl-feed/feeds/circl/stix-2.1/5952b89d-104c-436d-a8bd-476202de0b81.json

298 lines
No EOL
13 KiB
JSON

{
"type": "bundle",
"id": "bundle--5952b89d-104c-436d-a8bd-476202de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:03:01.000Z",
"modified": "2017-06-27T20:03:01.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5952b89d-104c-436d-a8bd-476202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:03:01.000Z",
"modified": "2017-06-27T20:03:01.000Z",
"name": "OSINT - D\u00c3\u00a9j\u00c3\u00a0 vu: Petya ransomware appears with SMB propagation capabilities",
"published": "2017-06-27T20:05:09Z",
"object_refs": [
"x-misp-attribute--5952b8a9-0554-49ea-b10b-481602de0b81",
"observed-data--5952b951-4e0c-43af-96a9-4d8b02de0b81",
"url--5952b951-4e0c-43af-96a9-4d8b02de0b81",
"indicator--5952b96c-d99c-4a1c-bbd7-4bf802de0b81",
"observed-data--5952b995-7028-4073-bd6b-10ed02de0b81",
"url--5952b995-7028-4073-bd6b-10ed02de0b81",
"observed-data--5952b995-7fd8-4b6e-8c34-10ed02de0b81",
"url--5952b995-7fd8-4b6e-8c34-10ed02de0b81",
"observed-data--5952b995-7480-46b3-b11a-10ed02de0b81",
"url--5952b995-7480-46b3-b11a-10ed02de0b81",
"observed-data--5952b995-2c9c-4ad0-a55b-10ed02de0b81",
"url--5952b995-2c9c-4ad0-a55b-10ed02de0b81",
"x-misp-attribute--5952b9a4-f444-4b57-a179-10e402de0b81",
"indicator--5952b9cc-63e4-4af1-899f-49b502de0b81",
"indicator--5952b9cc-d418-44c1-a185-462502de0b81",
"observed-data--5952b9cc-0848-4d44-bfac-495302de0b81",
"url--5952b9cc-0848-4d44-bfac-495302de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"malware_classification:malware-category=\"Ransomware\"",
"misp-galaxy:ransomware=\"Petya\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5952b8a9-0554-49ea-b10b-481602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The Petya outbreak recorded on 27 June 2017 has had a significant impact on a number of global organisations, with media outlets reporting impacts as significant as the cessation of activity at the Port of Rotterdam in the Netherlands [1].\r\n\r\nWhile many may be loath to think back six weeks to the trauma of May\u00e2\u20ac\u2122s WannaCry outbreak (https://blogs.forcepoint.com/security-labs/wannacry-post-outbreak-analysis), there are a number of parallels between the two incidents ranging from the global reach of the outbreak to the techniques by which the malware is spread."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5952b951-4e0c-43af-96a9-4d8b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"first_observed": "2017-06-27T20:02:20Z",
"last_observed": "2017-06-27T20:02:20Z",
"number_observed": 1,
"object_refs": [
"url--5952b951-4e0c-43af-96a9-4d8b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5952b951-4e0c-43af-96a9-4d8b02de0b81",
"value": "https://blogs.forcepoint.com/security-labs/deja-vu-petya-ransomware-appears-smb-propagation-capabilities"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5952b96c-d99c-4a1c-bbd7-4bf802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"description": "orcepoint Security Labs has analysed one sample associated with the outbreak",
"pattern": "[file:hashes.SHA256 = '027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-27T20:02:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5952b995-7028-4073-bd6b-10ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"first_observed": "2017-06-27T20:02:20Z",
"last_observed": "2017-06-27T20:02:20Z",
"number_observed": 1,
"object_refs": [
"url--5952b995-7028-4073-bd6b-10ed02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5952b995-7028-4073-bd6b-10ed02de0b81",
"value": "http://www.ad.nl/rotterdam/grote-hack-bij-maersk-legt-rotterdamse-containerterminal-plat~a60dd307/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5952b995-7fd8-4b6e-8c34-10ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"first_observed": "2017-06-27T20:02:20Z",
"last_observed": "2017-06-27T20:02:20Z",
"number_observed": 1,
"object_refs": [
"url--5952b995-7fd8-4b6e-8c34-10ed02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5952b995-7fd8-4b6e-8c34-10ed02de0b81",
"value": "https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5952b995-7480-46b3-b11a-10ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"first_observed": "2017-06-27T20:02:20Z",
"last_observed": "2017-06-27T20:02:20Z",
"number_observed": 1,
"object_refs": [
"url--5952b995-7480-46b3-b11a-10ed02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5952b995-7480-46b3-b11a-10ed02de0b81",
"value": "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5952b995-2c9c-4ad0-a55b-10ed02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"first_observed": "2017-06-27T20:02:20Z",
"last_observed": "2017-06-27T20:02:20Z",
"number_observed": 1,
"object_refs": [
"url--5952b995-2c9c-4ad0-a55b-10ed02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5952b995-2c9c-4ad0-a55b-10ed02de0b81",
"value": "https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5952b9a4-f444-4b57-a179-10e402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"labels": [
"misp:type=\"btc\"",
"misp:category=\"Financial fraud\"",
"misp:to_ids=\"True\""
],
"x_misp_category": "Financial fraud",
"x_misp_type": "btc",
"x_misp_value": "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5952b9cc-63e4-4af1-899f-49b502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"description": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"pattern": "[file:hashes.SHA1 = '34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-27T20:02:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5952b9cc-d418-44c1-a185-462502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"description": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"pattern": "[file:hashes.MD5 = '71b6a493388e7d0b40c83ce903bc6b04']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-06-27T20:02:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5952b9cc-0848-4d44-bfac-495302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-27T20:02:20.000Z",
"modified": "2017-06-27T20:02:20.000Z",
"first_observed": "2017-06-27T20:02:20Z",
"last_observed": "2017-06-27T20:02:20Z",
"number_observed": 1,
"object_refs": [
"url--5952b9cc-0848-4d44-bfac-495302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5952b9cc-0848-4d44-bfac-495302de0b81",
"value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1498592986/"
}
]
}