264 lines
No EOL
11 KiB
JSON
264 lines
No EOL
11 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--5b2783ba-57e4-44da-88ee-4c4f950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T12:57:39.000Z",
|
|
"modified": "2018-10-26T12:57:39.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--5b2783ba-57e4-44da-88ee-4c4f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-10-26T12:57:39.000Z",
|
|
"modified": "2018-10-26T12:57:39.000Z",
|
|
"name": "OSINT - New Donut Ransomware",
|
|
"published": "2018-10-28T09:00:00Z",
|
|
"object_refs": [
|
|
"observed-data--5b2783d2-af20-4e83-90ba-4d58950d210f",
|
|
"url--5b2783d2-af20-4e83-90ba-4d58950d210f",
|
|
"observed-data--5b2783d2-5414-4e5f-834d-49f4950d210f",
|
|
"url--5b2783d2-5414-4e5f-834d-49f4950d210f",
|
|
"indicator--5b278489-ce0c-4e19-9d7e-447f950d210f",
|
|
"x-misp-attribute--5b2784aa-adb0-444f-8bff-9f6f950d210f",
|
|
"x-misp-object--5b27843f-ca3c-48c7-8af0-4c29950d210f",
|
|
"indicator--5b278479-f028-47e9-abfa-207f950d210f",
|
|
"x-misp-object--b673d3aa-4fc7-4820-81cb-2f2a6182d627",
|
|
"x-misp-object--8c4f5afe-91b2-4a24-a417-b06dbf115f12",
|
|
"relationship--5408ff86-8294-4a2b-850f-39f26fbb1bba"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"malware_classification:malware-category=\"Ransomware\"",
|
|
"circl:incident-classification=\"malware\"",
|
|
"osint:source-type=\"blog-post\"",
|
|
"osint:source-type=\"microblog-post\"",
|
|
"misp-galaxy:ransomware=\"Donut\"",
|
|
"workflow:state=\"complete\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5b2783d2-af20-4e83-90ba-4d58950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-18T10:05:35.000Z",
|
|
"modified": "2018-06-18T10:05:35.000Z",
|
|
"first_observed": "2018-06-18T10:05:35Z",
|
|
"last_observed": "2018-06-18T10:05:35Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5b2783d2-af20-4e83-90ba-4d58950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"microblog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5b2783d2-af20-4e83-90ba-4d58950d210f",
|
|
"value": "https://twitter.com/siri_urz/status/1005438610806583296"
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--5b2783d2-5414-4e5f-834d-49f4950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-18T10:05:17.000Z",
|
|
"modified": "2018-06-18T10:05:17.000Z",
|
|
"first_observed": "2018-06-18T10:05:17Z",
|
|
"last_observed": "2018-06-18T10:05:17Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--5b2783d2-5414-4e5f-834d-49f4950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--5b2783d2-5414-4e5f-834d-49f4950d210f",
|
|
"value": "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-15th-2018-dbger-scarab-and-more/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b278489-ce0c-4e19-9d7e-447f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-18T10:08:09.000Z",
|
|
"modified": "2018-06-18T10:08:09.000Z",
|
|
"pattern": "[email-message:from_ref.value = 'donutmmm@tutanota.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-18T10:08:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"email-src\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--5b2784aa-adb0-444f-8bff-9f6f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-18T10:08:50.000Z",
|
|
"modified": "2018-06-18T10:08:50.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "S!Ri found a new ransomware called Donut that appends the .donut extension and uses the email donutmmm@tutanota.com."
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5b27843f-ca3c-48c7-8af0-4c29950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-18T10:06:55.000Z",
|
|
"modified": "2018-06-18T10:06:55.000Z",
|
|
"labels": [
|
|
"misp:name=\"microblog\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "text",
|
|
"object_relation": "post",
|
|
"value": "#Ransomware Donut E76ECA2F7D0450C84417A8AC242B424C .donut donutmmm@tutanota.com",
|
|
"category": "Other",
|
|
"uuid": "5b27843f-9a24-4869-bfb7-4509950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Twitter",
|
|
"category": "Other",
|
|
"uuid": "5b27843f-1490-410d-b455-49a8950d210f"
|
|
},
|
|
{
|
|
"type": "url",
|
|
"object_relation": "url",
|
|
"value": "https://twitter.com/siri_urz/status/1005438610806583296",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5b27843f-c050-4923-8097-41a4950d210f"
|
|
},
|
|
{
|
|
"type": "datetime",
|
|
"object_relation": "creation-date",
|
|
"value": "2018-06-09T00:00:00",
|
|
"category": "Other",
|
|
"uuid": "5b278440-040c-4dbf-b857-4426950d210f"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "username",
|
|
"value": "@siri_urz",
|
|
"category": "Other",
|
|
"uuid": "5b278440-8e0c-4ddb-a2a3-40a1950d210f"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "microblog"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--5b278479-f028-47e9-abfa-207f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-18T10:07:53.000Z",
|
|
"modified": "2018-06-18T10:07:53.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'e76eca2f7d0450c84417a8ac242b424c' AND file:x_misp_state = 'Malicious']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2018-06-18T10:07:53Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "file"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--b673d3aa-4fc7-4820-81cb-2f2a6182d627",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-18T12:21:05.000Z",
|
|
"modified": "2018-06-18T12:21:05.000Z",
|
|
"labels": [
|
|
"misp:name=\"file\"",
|
|
"misp:meta-category=\"file\""
|
|
],
|
|
"x_misp_meta_category": "file",
|
|
"x_misp_name": "file"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--8c4f5afe-91b2-4a24-a417-b06dbf115f12",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2018-06-18T12:21:05.000Z",
|
|
"modified": "2018-06-18T12:21:05.000Z",
|
|
"labels": [
|
|
"misp:name=\"virustotal-report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "virustotal-report"
|
|
},
|
|
{
|
|
"type": "relationship",
|
|
"spec_version": "2.1",
|
|
"id": "relationship--5408ff86-8294-4a2b-850f-39f26fbb1bba",
|
|
"created": "2018-06-18T12:21:08.000Z",
|
|
"modified": "2018-06-18T12:21:08.000Z",
|
|
"relationship_type": "analysed-with",
|
|
"source_ref": "x-misp-object--b673d3aa-4fc7-4820-81cb-2f2a6182d627",
|
|
"target_ref": "x-misp-object--8c4f5afe-91b2-4a24-a417-b06dbf115f12"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |