{
|
|
"type": "bundle",
|
|
"id": "bundle--56f50e98-5804-4496-84e6-faf3950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:08.000Z",
|
|
"modified": "2016-03-25T10:13:08.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--56f50e98-5804-4496-84e6-faf3950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:08.000Z",
|
|
"modified": "2016-03-25T10:13:08.000Z",
|
|
"name": "OSINT - PETYA Crypto-ransomware Overwrites MBR to Lock Users Out of Their Computers",
|
|
"published": "2016-03-25T10:13:22Z",
|
|
"object_refs": [
|
|
"observed-data--56f50ecc-abf8-4148-b783-faf4950d210f",
|
|
"url--56f50ecc-abf8-4148-b783-faf4950d210f",
|
|
"x-misp-attribute--56f50eea-9814-43a6-b0af-4e81950d210f",
|
|
"indicator--56f50f03-ab7c-4d3e-a3a5-faef950d210f",
|
|
"indicator--56f50f04-bbb4-40ab-b2ac-faef950d210f",
|
|
"indicator--56f50f04-2514-43df-b3c5-faef950d210f",
|
|
"indicator--56f50f34-2eb4-490b-9083-faf702de0b81",
|
|
"indicator--56f50f34-76c8-410a-b52c-faf702de0b81",
|
|
"observed-data--56f50f35-e138-4177-bc37-faf702de0b81",
|
|
"url--56f50f35-e138-4177-bc37-faf702de0b81",
|
|
"indicator--56f50f35-467c-417e-bb1f-faf702de0b81",
|
|
"indicator--56f50f35-a370-463a-8844-faf702de0b81",
|
|
"observed-data--56f50f36-1f3c-4177-a3fe-faf702de0b81",
|
|
"url--56f50f36-1f3c-4177-a3fe-faf702de0b81",
|
|
"indicator--56f50f36-a6e8-48e5-ba36-faf702de0b81",
|
|
"indicator--56f50f36-8b14-4efa-98e8-faf702de0b81",
|
|
"observed-data--56f50f36-514c-45de-b825-faf702de0b81",
|
|
"url--56f50f36-514c-45de-b825-faf702de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56f50ecc-abf8-4148-b783-faf4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:11:24.000Z",
|
|
"modified": "2016-03-25T10:11:24.000Z",
|
|
"first_observed": "2016-03-25T10:11:24Z",
|
|
"last_observed": "2016-03-25T10:11:24Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56f50ecc-abf8-4148-b783-faf4950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56f50ecc-abf8-4148-b783-faf4950d210f",
|
|
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/petya-crypto-ransomware-overwrites-mbr-lock-users-computers/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--56f50eea-9814-43a6-b0af-4e81950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:11:54.000Z",
|
|
"modified": "2016-03-25T10:11:54.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup\u2014as in, even before the operating system loads. Imagine turning on your computer and instead of the usual Windows icon loading, you get a flashing red and white screen with a skull-and-crossbones instead.\r\n\r\n\r\n\r\nFigure 1. Petya\u2019s red skulls-and-crossbones warning\r\n\r\nThis is the routine of a new crypto-ransomware variant dubbed \u201cPetya\u201d (detected by Trend Micro as RANSOM_PETYA.A). Not only does this malware have the ability to overwrite the affected system\u2019s master boot record (MBR) in order to lock users out, it is also interesting to note that it is delivered to victims via a legitimate cloud storage service (in this case, via Dropbox).\r\n\r\nWe do note that this isn\u2019t the first time that malware has abused a legitimate service for its own gain; however, this is the first time (in a long time) that leads to crypto-ransomware infection. It is also a departure from the typical infection chain, wherein the malicious files are attached to emails or hosted in malicious sites and delivered by exploit kits."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f03-ab7c-4d3e-a3a5-faef950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:12:19.000Z",
|
|
"modified": "2016-03-25T10:12:19.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '39b6d40906c7f7f080e6befa93324dddadcbd9fa']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:12:19Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f04-bbb4-40ab-b2ac-faef950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:12:20.000Z",
|
|
"modified": "2016-03-25T10:12:20.000Z",
|
|
"pattern": "[file:hashes.SHA1 = 'b0c5fab5d69afcc7fd013fd7aef20660bf0077c2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:12:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f04-2514-43df-b3c5-faef950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:12:20.000Z",
|
|
"modified": "2016-03-25T10:12:20.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '755f2652638f87ab517c608a363c4aefb9dd6a5a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:12:20Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f34-2eb4-490b-9083-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:08.000Z",
|
|
"modified": "2016-03-25T10:13:08.000Z",
|
|
"description": "- Xchecked via VT: 39b6d40906c7f7f080e6befa93324dddadcbd9fa",
|
|
"pattern": "[file:hashes.SHA256 = '26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:13:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f34-76c8-410a-b52c-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:08.000Z",
|
|
"modified": "2016-03-25T10:13:08.000Z",
|
|
"description": "- Xchecked via VT: 39b6d40906c7f7f080e6befa93324dddadcbd9fa",
|
|
"pattern": "[file:hashes.MD5 = 'af2379cc4d607a45ac44d62135fb7015']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:13:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56f50f35-e138-4177-bc37-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:09.000Z",
|
|
"modified": "2016-03-25T10:13:09.000Z",
|
|
"first_observed": "2016-03-25T10:13:09Z",
|
|
"last_observed": "2016-03-25T10:13:09Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56f50f35-e138-4177-bc37-faf702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56f50f35-e138-4177-bc37-faf702de0b81",
|
|
"value": "https://www.virustotal.com/file/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739/analysis/1458856673/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f35-467c-417e-bb1f-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:09.000Z",
|
|
"modified": "2016-03-25T10:13:09.000Z",
|
|
"description": "- Xchecked via VT: b0c5fab5d69afcc7fd013fd7aef20660bf0077c2",
|
|
"pattern": "[file:hashes.SHA256 = 'b521767f67630b74e2272ee953295ef56c8b6428da75afa5bbfb05b72b34c69d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:13:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f35-a370-463a-8844-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:09.000Z",
|
|
"modified": "2016-03-25T10:13:09.000Z",
|
|
"description": "- Xchecked via VT: b0c5fab5d69afcc7fd013fd7aef20660bf0077c2",
|
|
"pattern": "[file:hashes.MD5 = 'a2d6887d8a7b09b86a917a5c61674ab4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:13:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56f50f36-1f3c-4177-a3fe-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:10.000Z",
|
|
"modified": "2016-03-25T10:13:10.000Z",
|
|
"first_observed": "2016-03-25T10:13:10Z",
|
|
"last_observed": "2016-03-25T10:13:10Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56f50f36-1f3c-4177-a3fe-faf702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56f50f36-1f3c-4177-a3fe-faf702de0b81",
|
|
"value": "https://www.virustotal.com/file/b521767f67630b74e2272ee953295ef56c8b6428da75afa5bbfb05b72b34c69d/analysis/1458897572/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f36-a6e8-48e5-ba36-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:10.000Z",
|
|
"modified": "2016-03-25T10:13:10.000Z",
|
|
"description": "- Xchecked via VT: 755f2652638f87ab517c608a363c4aefb9dd6a5a",
|
|
"pattern": "[file:hashes.SHA256 = 'e99eccfc1473800ea6e2e730e733c213f18e817c0c6501209f4ee40408f94951']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:13:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--56f50f36-8b14-4efa-98e8-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:10.000Z",
|
|
"modified": "2016-03-25T10:13:10.000Z",
|
|
"description": "- Xchecked via VT: 755f2652638f87ab517c608a363c4aefb9dd6a5a",
|
|
"pattern": "[file:hashes.MD5 = 'f636b3471c9fda3686735223dbb0b2bd']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-03-25T10:13:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload installation"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload installation\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--56f50f36-514c-45de-b825-faf702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-03-25T10:13:10.000Z",
|
|
"modified": "2016-03-25T10:13:10.000Z",
|
|
"first_observed": "2016-03-25T10:13:10Z",
|
|
"last_observed": "2016-03-25T10:13:10Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--56f50f36-514c-45de-b825-faf702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--56f50f36-514c-45de-b825-faf702de0b81",
|
|
"value": "https://www.virustotal.com/file/e99eccfc1473800ea6e2e730e733c213f18e817c0c6501209f4ee40408f94951/analysis/1458857995/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |