749 lines
No EOL
33 KiB
JSON
749 lines
No EOL
33 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5dc3249f-6ebc-44fd-b78d-448d02de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T20:00:02.000Z",
|
|
"modified": "2019-11-06T20:00:02.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5dc3249f-6ebc-44fd-b78d-448d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T20:00:02.000Z",
|
|
"modified": "2019-11-06T20:00:02.000Z",
|
|
"name": "OSINT - BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0",
|
|
"published": "2019-11-06T20:02:52Z",
|
|
"object_refs": [
|
|
"indicator--5dc324da-8930-4832-84ae-428102de0b81",
|
|
"indicator--5dc324da-3aa8-4672-a5c8-461502de0b81",
|
|
"indicator--5dc324da-4734-4603-be54-44eb02de0b81",
|
|
"indicator--5dc324da-7284-4a03-880f-4c9d02de0b81",
|
|
"indicator--5dc324da-eef0-4d5e-bc21-4c5402de0b81",
|
|
"indicator--5dc324da-7f9c-4659-abea-402a02de0b81",
|
|
"x-misp-attribute--5dc32571-aa74-4179-8f74-42bc02de0b81",
|
|
"indicator--5dc325b9-7018-496a-b223-4b7602de0b81",
|
|
"indicator--5dc325b9-a748-403f-abcc-428c02de0b81",
|
|
"observed-data--5dc325e5-6214-4a8f-bf43-441102de0b81",
|
|
"url--5dc325e5-6214-4a8f-bf43-441102de0b81",
|
|
"indicator--bca0440a-4555-4587-b5a2-a541bd2a4dc9",
|
|
"x-misp-object--b9af0b6b-5e5d-43a1-84c7-21e1357665f1",
|
|
"indicator--9ae6b1c8-d364-4e47-acf7-f6730fb4465c",
|
|
"x-misp-object--b440661e-36e3-4b91-86ff-fa8760b84317",
|
|
"indicator--756d7b88-3347-4a0c-9fef-01dbddfd34bb",
|
|
"x-misp-object--6d1c9b11-06c8-4813-9485-89269e343f91",
|
|
"indicator--c04e4714-a1ca-4318-98d3-a46cf6d6ad97",
|
|
"x-misp-object--e943e2d5-8dec-4e03-8469-ee47c09f2568",
|
|
"indicator--2a17501a-3480-46f0-b0bd-5888c2ee8c92",
|
|
"x-misp-object--7fb41421-37ea-4910-ac68-319d59bdcbad",
|
|
"indicator--25d7c94e-5aad-4634-878d-15010c84f0aa",
|
|
"x-misp-object--f10bc385-bc29-4069-8374-abc49782561a",
|
|
"relationship--5bd00f93-f89d-4f42-a5c5-3e467f6eff8e",
|
|
"relationship--c0764558-0064-46a3-a6dd-f91589d76b23",
|
|
"relationship--2c3ae759-56fc-4ea5-bec1-11bc8d357eac",
|
|
"relationship--b7f3e89c-e62b-4fb9-9fc6-533c88eee468",
|
|
"relationship--1d04832f-376a-4c7c-9d19-8f6e0a44cd40",
|
|
"relationship--f8324dad-0784-4f4a-8a11-7d922181b406"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:malpedia=\"Dridex\"",
|
|
"misp-galaxy:malpedia=\"FriedEx\"",
|
|
"misp-galaxy:ransomware=\"Bitpaymer\"",
|
|
"misp-galaxy:threat-actor=\"INDRIK SPIDER\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc324da-8930-4832-84ae-428102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:54:02.000Z",
|
|
"modified": "2019-11-06T19:54:02.000Z",
|
|
"description": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"pattern": "[file:hashes.SHA256 = '51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:54:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc324da-3aa8-4672-a5c8-461502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:54:02.000Z",
|
|
"modified": "2019-11-06T19:54:02.000Z",
|
|
"description": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"pattern": "[file:hashes.SHA256 = 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:54:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc324da-4734-4603-be54-44eb02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:54:02.000Z",
|
|
"modified": "2019-11-06T19:54:02.000Z",
|
|
"description": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"pattern": "[file:hashes.SHA256 = '0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:54:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc324da-7284-4a03-880f-4c9d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:54:02.000Z",
|
|
"modified": "2019-11-06T19:54:02.000Z",
|
|
"description": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"pattern": "[file:hashes.SHA256 = 'bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:54:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc324da-eef0-4d5e-bc21-4c5402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:54:02.000Z",
|
|
"modified": "2019-11-06T19:54:02.000Z",
|
|
"description": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"pattern": "[file:hashes.SHA256 = 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:54:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc324da-7f9c-4659-abea-402a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:54:02.000Z",
|
|
"modified": "2019-11-06T19:54:02.000Z",
|
|
"description": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"pattern": "[file:hashes.SHA256 = '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:54:02Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5dc32571-aa74-4179-8f74-42bc02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:56:33.000Z",
|
|
"modified": "2019-11-06T19:56:33.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "CrowdStrike\u00c2\u00ae Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture. \r\n\r\nWe have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc325b9-7018-496a-b223-4b7602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:57:45.000Z",
|
|
"modified": "2019-11-06T19:57:45.000Z",
|
|
"description": "DoppelPaymer",
|
|
"pattern": "[file:hashes.SHA256 = '801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:57:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5dc325b9-a748-403f-abcc-428c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:57:45.000Z",
|
|
"modified": "2019-11-06T19:57:45.000Z",
|
|
"description": "Dridex 2.0",
|
|
"pattern": "[file:hashes.SHA256 = '813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:57:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5dc325e5-6214-4a8f-bf43-441102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:58:29.000Z",
|
|
"modified": "2019-11-06T19:58:29.000Z",
|
|
"first_observed": "2019-11-06T19:58:29Z",
|
|
"last_observed": "2019-11-06T19:58:29Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5dc325e5-6214-4a8f-bf43-441102de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5dc325e5-6214-4a8f-bf43-441102de0b81",
|
|
"value": "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--bca0440a-4555-4587-b5a2-a541bd2a4dc9",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:15.000Z",
|
|
"modified": "2019-11-06T19:59:15.000Z",
|
|
"pattern": "[file:hashes.MD5 = '1b5c3c458e31bede55145d0644e88d75' AND file:hashes.SHA1 = 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347' AND file:hashes.SHA256 = '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:59:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b9af0b6b-5e5d-43a1-84c7-21e1357665f1",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:15.000Z",
|
|
"modified": "2019-11-06T19:59:15.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-11-05T13:32:39",
|
|
"category": "Other",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "590eabf8-daae-48fa-93f7-a6881b74188d"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4/analysis/1572960759/",
|
|
"category": "Payload delivery",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "7de0a36e-6553-4bca-b8f3-2496fa7c6ae6"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "15/71",
|
|
"category": "Payload delivery",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "28dc293f-7fb7-49e5-9c3e-8bee49d6f3b2"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9ae6b1c8-d364-4e47-acf7-f6730fb4465c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:15.000Z",
|
|
"modified": "2019-11-06T19:59:15.000Z",
|
|
"pattern": "[file:hashes.MD5 = '68f9b52895f4d34e74112f3129b3b00d' AND file:hashes.SHA1 = 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e' AND file:hashes.SHA256 = 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:59:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b440661e-36e3-4b91-86ff-fa8760b84317",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:16.000Z",
|
|
"modified": "2019-11-06T19:59:16.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-11-05T15:07:41",
|
|
"category": "Other",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "2d422e88-d201-4694-bbd7-866a38115bf8"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f/analysis/1572966461/",
|
|
"category": "Payload delivery",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "3e29cdd3-6698-46ac-a2e0-37658066a1a7"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "17/71",
|
|
"category": "Payload delivery",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "4d55f6ac-dcd5-4ac6-8eca-d33081e4708a"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--756d7b88-3347-4a0c-9fef-01dbddfd34bb",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:16.000Z",
|
|
"modified": "2019-11-06T19:59:16.000Z",
|
|
"pattern": "[file:hashes.MD5 = '6365fe1d37545c71cbe2719ac7831bdd' AND file:hashes.SHA1 = '9356d660cebd2604ec4e72967f44678741331d5a' AND file:hashes.SHA256 = '0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:59:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--6d1c9b11-06c8-4813-9485-89269e343f91",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:17.000Z",
|
|
"modified": "2019-11-06T19:59:17.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-11-04T12:24:35",
|
|
"category": "Other",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "2087010a-da8e-4132-b113-308e02d41f06"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc/analysis/1572870275/",
|
|
"category": "Payload delivery",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "d1cd1211-5d23-4442-94c1-6973a0b3e6cf"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "14/70",
|
|
"category": "Payload delivery",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "72338110-8f9a-4c07-ab93-d926bbe4fe0e"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c04e4714-a1ca-4318-98d3-a46cf6d6ad97",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:17.000Z",
|
|
"modified": "2019-11-06T19:59:17.000Z",
|
|
"pattern": "[file:hashes.MD5 = '47bc14f741779c3a7450adeeb66bb7e8' AND file:hashes.SHA1 = '980842b405d6df5385503044e102ad4a5d8b8573' AND file:hashes.SHA256 = '813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:59:17Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--e943e2d5-8dec-4e03-8469-ee47c09f2568",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:17.000Z",
|
|
"modified": "2019-11-06T19:59:17.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-11-04T12:37:45",
|
|
"category": "Other",
|
|
"comment": "Dridex 2.0",
|
|
"uuid": "4bd2567e-f3c3-4af6-8878-5cebbb3ee30f"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a/analysis/1572871065/",
|
|
"category": "Payload delivery",
|
|
"comment": "Dridex 2.0",
|
|
"uuid": "f70fc547-6175-4e7d-aa3c-09fdcae120b9"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "54/69",
|
|
"category": "Payload delivery",
|
|
"comment": "Dridex 2.0",
|
|
"uuid": "094fb53d-08d6-44e0-9a00-ca0890f5175d"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--2a17501a-3480-46f0-b0bd-5888c2ee8c92",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:18.000Z",
|
|
"modified": "2019-11-06T19:59:18.000Z",
|
|
"pattern": "[file:hashes.MD5 = '9141d1d189afc2e300121e71a211c925' AND file:hashes.SHA1 = 'ee5ac27425616878a932516000c04dedbde5b715' AND file:hashes.SHA256 = '801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:59:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--7fb41421-37ea-4910-ac68-319d59bdcbad",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:18.000Z",
|
|
"modified": "2019-11-06T19:59:18.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-11-04T23:59:41",
|
|
"category": "Other",
|
|
"comment": "DoppelPaymer",
|
|
"uuid": "0bb87c96-21b6-4b12-997c-d8e329e3678d"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b/analysis/1572911981/",
|
|
"category": "Payload delivery",
|
|
"comment": "DoppelPaymer",
|
|
"uuid": "556bfa2e-6a6d-405a-a050-051f2ba65972"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "54/68",
|
|
"category": "Payload delivery",
|
|
"comment": "DoppelPaymer",
|
|
"uuid": "26ceb39d-61ca-4f10-a6d9-d565989705e2"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--25d7c94e-5aad-4634-878d-15010c84f0aa",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:18.000Z",
|
|
"modified": "2019-11-06T19:59:18.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'b365af317ae730a67c936f21432b9c71' AND file:hashes.SHA1 = 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d' AND file:hashes.SHA256 = 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2019-11-06T19:59:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--f10bc385-bc29-4069-8374-abc49782561a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2019-11-06T19:59:18.000Z",
|
|
"modified": "2019-11-06T19:59:18.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "last-submission",
|
|
"value": "2019-11-05T08:08:47",
|
|
"category": "Other",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "35be71bd-7536-4d04-8ef0-608d868fe3ce"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "permalink",
|
|
"value": "https://www.virustotal.com/file/bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4/analysis/1572941327/",
|
|
"category": "Payload delivery",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "5d316b72-97a1-4935-bf13-366b77f8c6fd"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "detection-ratio",
|
|
"value": "17/71",
|
|
"category": "Payload delivery",
|
|
"comment": "Encrypted PE Files Embedded in DoppelPaymer",
|
|
"uuid": "1d009b4d-d054-4cbe-bef2-6d8b6d5e9112"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--5bd00f93-f89d-4f42-a5c5-3e467f6eff8e",
|
|
"created": "2019-11-06T19:59:18.000Z",
|
|
"modified": "2019-11-06T19:59:18.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--bca0440a-4555-4587-b5a2-a541bd2a4dc9",
|
|
"target_ref": "x-misp-object--b9af0b6b-5e5d-43a1-84c7-21e1357665f1"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--c0764558-0064-46a3-a6dd-f91589d76b23",
|
|
"created": "2019-11-06T19:59:19.000Z",
|
|
"modified": "2019-11-06T19:59:19.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--9ae6b1c8-d364-4e47-acf7-f6730fb4465c",
|
|
"target_ref": "x-misp-object--b440661e-36e3-4b91-86ff-fa8760b84317"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--2c3ae759-56fc-4ea5-bec1-11bc8d357eac",
|
|
"created": "2019-11-06T19:59:19.000Z",
|
|
"modified": "2019-11-06T19:59:19.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--756d7b88-3347-4a0c-9fef-01dbddfd34bb",
|
|
"target_ref": "x-misp-object--6d1c9b11-06c8-4813-9485-89269e343f91"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--b7f3e89c-e62b-4fb9-9fc6-533c88eee468",
|
|
"created": "2019-11-06T19:59:19.000Z",
|
|
"modified": "2019-11-06T19:59:19.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--c04e4714-a1ca-4318-98d3-a46cf6d6ad97",
|
|
"target_ref": "x-misp-object--e943e2d5-8dec-4e03-8469-ee47c09f2568"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--1d04832f-376a-4c7c-9d19-8f6e0a44cd40",
|
|
"created": "2019-11-06T19:59:19.000Z",
|
|
"modified": "2019-11-06T19:59:19.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--2a17501a-3480-46f0-b0bd-5888c2ee8c92",
|
|
"target_ref": "x-misp-object--7fb41421-37ea-4910-ac68-319d59bdcbad"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--f8324dad-0784-4f4a-8a11-7d922181b406",
|
|
"created": "2019-11-06T19:59:20.000Z",
|
|
"modified": "2019-11-06T19:59:20.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "indicator--25d7c94e-5aad-4634-878d-15010c84f0aa",
|
|
"target_ref": "x-misp-object--f10bc385-bc29-4069-8374-abc49782561a"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |