adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/59a3d08d-5dc8-4153-bc7c-456d950d210f.json

218 lines
No EOL
9.2 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--59a3d08d-5dc8-4153-bc7c-456d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:36.000Z",
"modified": "2017-08-28T14:24:36.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59a3d08d-5dc8-4153-bc7c-456d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:36.000Z",
"modified": "2017-08-28T14:24:36.000Z",
"name": "OSINT - New Arena Crysis Ransomware Variant Released",
"published": "2017-08-28T14:25:29Z",
"object_refs": [
"observed-data--59a3d0bb-a884-438b-b79f-4005950d210f",
"url--59a3d0bb-a884-438b-b79f-4005950d210f",
"x-misp-attribute--59a3d0cd-96f4-4f05-9ec5-40a7950d210f",
"indicator--59a3d176-7af0-4784-a3aa-47b3950d210f",
"indicator--59a3d190-0bb8-4bcd-b0d4-45df950d210f",
"indicator--59a427a0-9500-426e-a8d8-dfd702de0b81",
"indicator--59a427a0-f6f8-4178-9e7d-dfd702de0b81",
"observed-data--59a427a0-16f0-4270-a9a7-dfd702de0b81",
"url--59a427a0-16f0-4270-a9a7-dfd702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:ransomware=\"Dharma Ransomware\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a3d0bb-a884-438b-b79f-4005950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"first_observed": "2017-08-28T14:24:32Z",
"last_observed": "2017-08-28T14:24:32Z",
"number_observed": 1,
"object_refs": [
"url--59a3d0bb-a884-438b-b79f-4005950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a3d0bb-a884-438b-b79f-4005950d210f",
"value": "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59a3d0cd-96f4-4f05-9ec5-40a7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Yesterday, ID-Ransomware's Michael Gillespie discovered a new variant of the Crysis/Dharma ransomware that is appending the .arena extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Crysis was typically spread by hacking into Remote Desktop Services and manually installing the ransomware."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3d176-7af0-4784-a3aa-47b3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"pattern": "[file:hashes.SHA256 = 'a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a3d190-0bb8-4bcd-b0d4-45df950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"description": "Email to contact in ransom note",
"pattern": "[email-message:from_ref.value = 'chivas@aolonline.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a427a0-9500-426e-a8d8-dfd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"description": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
"pattern": "[file:hashes.SHA1 = '60cbe0e3a70ef3d56810bd9178ce232529c09c5f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59a427a0-f6f8-4178-9e7d-dfd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"description": "- Xchecked via VT: a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e",
"pattern": "[file:hashes.MD5 = 'f2679bdabe46e10edc6352fff3c829bc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-08-28T14:24:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59a427a0-16f0-4270-a9a7-dfd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-08-28T14:24:32.000Z",
"modified": "2017-08-28T14:24:32.000Z",
"first_observed": "2017-08-28T14:24:32Z",
"last_observed": "2017-08-28T14:24:32Z",
"number_observed": 1,
"object_refs": [
"url--59a427a0-16f0-4270-a9a7-dfd702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59a427a0-16f0-4270-a9a7-dfd702de0b81",
"value": "https://www.virustotal.com/file/a683494fc0d017fd3b4638f8b84caaaac145cc28bc211bd7361723368b4bb21e/analysis/1503922016/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink