210 lines
No EOL
9.3 KiB
JSON
210 lines
No EOL
9.3 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5b28d191-1100-4688-aa5d-48cd950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-24T06:03:37.000Z",
|
|
"modified": "2018-06-24T06:03:37.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5b28d191-1100-4688-aa5d-48cd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-24T06:03:37.000Z",
|
|
"modified": "2018-06-24T06:03:37.000Z",
|
|
"name": "OSINT - DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks",
|
|
"published": "2018-06-24T06:04:14Z",
|
|
"object_refs": [
|
|
"observed-data--5b28d1a9-25dc-4c1e-9a3d-4b20950d210f",
|
|
"url--5b28d1a9-25dc-4c1e-9a3d-4b20950d210f",
|
|
"x-misp-attribute--5b28d1d3-e93c-4d14-91d6-42d5950d210f",
|
|
"indicator--5b28dd12-f85c-4ca9-96c7-442e950d210f",
|
|
"indicator--5b28dd13-3b30-458e-a081-4fff950d210f",
|
|
"indicator--5b28dcfb-e79c-49c0-97c1-99d5950d210f",
|
|
"x-misp-object--5a379c38-157a-4c18-9057-75532ff27ea6",
|
|
"x-misp-object--3c02a421-faf6-4b7a-a208-8b505f2a78f7",
|
|
"relationship--d96fd804-56d4-4f86-8678-ccc37c5fbc33"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"malware_classification:malware-category=\"Ransomware\"",
|
|
"circl:incident-classification=\"malware\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"misp-galaxy:ransomware=\"DBGer Ransomware\"",
|
|
"misp-galaxy:tool=\"ETERNALBLUE\"",
|
|
"misp-galaxy:tool=\"Mimikatz\"",
|
|
"misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5b28d1a9-25dc-4c1e-9a3d-4b20950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-19T09:56:01.000Z",
|
|
"modified": "2018-06-19T09:56:01.000Z",
|
|
"first_observed": "2018-06-19T09:56:01Z",
|
|
"last_observed": "2018-06-19T09:56:01Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5b28d1a9-25dc-4c1e-9a3d-4b20950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5b28d1a9-25dc-4c1e-9a3d-4b20950d210f",
|
|
"value": "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5b28d1d3-e93c-4d14-91d6-42d5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-19T09:55:31.000Z",
|
|
"modified": "2018-06-19T09:55:31.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today.\r\n\r\nThe change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility.\r\n\r\nThe purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b28dd12-f85c-4ca9-96c7-442e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-19T10:38:10.000Z",
|
|
"modified": "2018-06-19T10:38:10.000Z",
|
|
"pattern": "[file:name = '_How_to_decrypt_files.txt']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-19T10:38:10Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b28dd13-3b30-458e-a081-4fff950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-19T10:38:11.000Z",
|
|
"modified": "2018-06-19T10:38:11.000Z",
|
|
"pattern": "[email-message:from_ref.value = 'dbger@protonmail.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-19T10:38:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b28dcfb-e79c-49c0-97c1-99d5950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-19T10:37:47.000Z",
|
|
"modified": "2018-06-19T10:37:47.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-19T10:37:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\"",
|
|
"malware_classification:malware-category=\"Ransomware\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5a379c38-157a-4c18-9057-75532ff27ea6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-22T08:44:00.000Z",
|
|
"modified": "2018-06-22T08:44:00.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--3c02a421-faf6-4b7a-a208-8b505f2a78f7",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-22T08:43:59.000Z",
|
|
"modified": "2018-06-22T08:43:59.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--d96fd804-56d4-4f86-8678-ccc37c5fbc33",
|
|
"created": "2018-06-22T08:44:00.000Z",
|
|
"modified": "2018-06-22T08:44:00.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--5a379c38-157a-4c18-9057-75532ff27ea6",
|
|
"target_ref": "x-misp-object--3c02a421-faf6-4b7a-a208-8b505f2a78f7"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |