{
"type": "bundle",
"id": "bundle--58d013c1-6abc-472a-bbeb-41ba950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-20T17:41:57.000Z",
"modified": "2017-03-20T17:41:57.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58d013c1-6abc-472a-bbeb-41ba950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-20T17:41:57.000Z",
"modified": "2017-03-20T17:41:57.000Z",
"name": "OSINT - PetrWrap: the new Petya-based ransomware used in targeted attacks",
"published": "2017-03-20T17:42:06Z",
"object_refs": [
"indicator--58d013ce-8000-4021-8d1b-45ea950d210f",
"observed-data--58d013e3-c1f0-49d4-8f2d-4bc2950d210f",
"url--58d013e3-c1f0-49d4-8f2d-4bc2950d210f",
"x-misp-attribute--58d013f5-522c-481a-9fab-464b950d210f",
"indicator--58d0141f-9e94-4fea-9020-400b02de0b81",
"indicator--58d01420-8a3c-4ece-aa5d-4a3602de0b81",
"observed-data--58d01421-45b8-4f3c-af63-4c6902de0b81",
"url--58d01421-45b8-4f3c-af63-4c6902de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"ecsirt:malicious-code=\"ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d013ce-8000-4021-8d1b-45ea950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-20T17:40:44.000Z",
"modified": "2017-03-20T17:40:44.000Z",
"pattern": "[file:hashes.MD5 = '17c25c8a7c141195ee887de905f33d7b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-20T17:40:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d013e3-c1f0-49d4-8f2d-4bc2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-20T17:41:20.000Z",
"modified": "2017-03-20T17:41:20.000Z",
"first_observed": "2017-03-20T17:41:20Z",
"last_observed": "2017-03-20T17:41:20Z",
"number_observed": 1,
"object_refs": [
"url--58d013e3-c1f0-49d4-8f2d-4bc2950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d013e3-c1f0-49d4-8f2d-4bc2950d210f",
"value": "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58d013f5-522c-481a-9fab-464b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-20T17:41:21.000Z",
"modified": "2017-03-20T17:41:21.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "This year we found a new family of ransomware used in targeted attacks against organizations. After penetrating an organization\u2019s network the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization. The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data. As you may know, this family of ransomware has a RaaS model, but the threat actor decided not to use this ability. To get a workable version of the ransomware, the group behind PetrWrap created a special module that patches the original Petya ransomware \u201con the fly\u201d. This is what makes this new malware so unique."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d0141f-9e94-4fea-9020-400b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-20T17:40:47.000Z",
"modified": "2017-03-20T17:40:47.000Z",
"description": "- Xchecked via VT: 17c25c8a7c141195ee887de905f33d7b",
"pattern": "[file:hashes.SHA256 = 'e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-20T17:40:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d01420-8a3c-4ece-aa5d-4a3602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-20T17:40:48.000Z",
"modified": "2017-03-20T17:40:48.000Z",
"description": "- Xchecked via VT: 17c25c8a7c141195ee887de905f33d7b",
"pattern": "[file:hashes.SHA1 = '7fa8079e8dca773574d01839efc623d3cd8e6a47']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-20T17:40:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d01421-45b8-4f3c-af63-4c6902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-20T17:40:49.000Z",
"modified": "2017-03-20T17:40:49.000Z",
"first_observed": "2017-03-20T17:40:49Z",
"last_observed": "2017-03-20T17:40:49Z",
"number_observed": 1,
"object_refs": [
"url--58d01421-45b8-4f3c-af63-4c6902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d01421-45b8-4f3c-af63-4c6902de0b81",
"value": "https://www.virustotal.com/file/e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660/analysis/1489720430/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
} |