misp-circl-feed/feeds/circl/misp/57c4445b-c548-4654-af0b-4be3950d210f.json

256 lines
No EOL
10 KiB
JSON

{
"type": "bundle",
"id": "bundle--57c4445b-c548-4654-af0b-4be3950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T07:10:11.000Z",
"modified": "2016-08-30T07:10:11.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57c4445b-c548-4654-af0b-4be3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T07:10:11.000Z",
"modified": "2016-08-30T07:10:11.000Z",
"name": "Ransomware - Xorist",
"published": "2016-08-30T09:10:31Z",
"object_refs": [
"indicator--57c4448a-bef0-4ba7-a071-444e950d210f",
"indicator--57c4448a-fb04-457d-87e7-4127950d210f",
"indicator--57c4448b-454c-4d17-90d1-4d2f950d210f",
"indicator--57c4448b-3fa4-4d65-9ccc-4afa950d210f",
"x-misp-attribute--57c444c0-8004-48fa-9c33-8aca950d210f",
"x-misp-attribute--57c44648-96f4-45d4-a8eb-453e950d210f",
"observed-data--57c5300c-0560-4146-bfaa-40e802de0b81",
"url--57c5300c-0560-4146-bfaa-40e802de0b81",
"observed-data--57c5310b-dc34-43cb-8b8e-4846950d210f",
"url--57c5310b-dc34-43cb-8b8e-4846950d210f",
"indicator--57c54b0f-27a4-458b-8e63-4455950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"malware\"",
"ms-caro-malware:malware-type=\"Ransom\"",
"malware_classification:malware-category=\"Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4448a-bef0-4ba7-a071-444e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T14:19:54.000Z",
"modified": "2016-08-29T14:19:54.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[file:hashes.SHA1 = '77b0c41b7d340b8a3d903f21347bbf06aa766b5b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T14:19:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4448a-fb04-457d-87e7-4127950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T14:19:54.000Z",
"modified": "2016-08-29T14:19:54.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[file:name = '3Z4wnG9603it23y.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T14:19:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4448b-454c-4d17-90d1-4d2f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T14:19:55.000Z",
"modified": "2016-08-29T14:19:55.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[file:hashes.MD5 = '0749bae92ca336a02c83d126e04ec628']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T14:19:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4448b-3fa4-4d65-9ccc-4afa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T14:19:55.000Z",
"modified": "2016-08-29T14:19:55.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[file:hashes.SHA256 = 'b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T14:19:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c444c0-8004-48fa-9c33-8aca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T14:20:48.000Z",
"modified": "2016-08-29T14:20:48.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_type": "comment",
"x_misp_value": "UPX packed"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c44648-96f4-45d4-a8eb-453e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T14:27:20.000Z",
"modified": "2016-08-29T14:27:20.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Other\""
],
"x_misp_category": "Other",
"x_misp_type": "text",
"x_misp_value": "Key: 85350044dF4AC3518D185678A9414A7F,\r\nEncryption rounds:8,\r\nStart offset: 64,\r\nAlgorithm: TEA"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c5300c-0560-4146-bfaa-40e802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T07:04:44.000Z",
"modified": "2016-08-30T07:04:44.000Z",
"first_observed": "2016-08-30T07:04:44Z",
"last_observed": "2016-08-30T07:04:44Z",
"number_observed": 1,
"object_refs": [
"url--57c5300c-0560-4146-bfaa-40e802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c5300c-0560-4146-bfaa-40e802de0b81",
"value": "https://www.virustotal.com/file/b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68/analysis/1469554268/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c5310b-dc34-43cb-8b8e-4846950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T07:10:11.000Z",
"modified": "2016-08-30T07:10:11.000Z",
"first_observed": "2016-08-30T07:10:11Z",
"last_observed": "2016-08-30T07:10:11Z",
"number_observed": 1,
"object_refs": [
"url--57c5310b-dc34-43cb-8b8e-4846950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c5310b-dc34-43cb-8b8e-4846950d210f",
"value": "http://www.xylibox.com/2011/06/have-fun-with-trojan-ransomwin32xorist.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c54b0f-27a4-458b-8e63-4455950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T08:59:59.000Z",
"modified": "2016-08-30T08:59:59.000Z",
"pattern": "[windows-registry-key:key = 'Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run' AND windows-registry-key:values.data = '\\\\%TEMP\\\\%\\\\3Z4wnG9603it23y.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-30T08:59:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Persistence mechanism"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Persistence mechanism\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}