misp-circl-feed/feeds/circl/stix-2.1/e0eaf6f2-a12c-4b31-9d19-f77faf1ea4c9.json


{
"type": "bundle",
"id": "bundle--e0eaf6f2-a12c-4b31-9d19-f77faf1ea4c9",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-07T09:35:07.000Z",
"modified": "2021-07-07T09:35:07.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--e0eaf6f2-a12c-4b31-9d19-f77faf1ea4c9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-07T09:35:07.000Z",
"modified": "2021-07-07T09:35:07.000Z",
"name": "Kaseya ransomware attack - indicators and information publicly available",
"published": "2021-07-07T09:47:39Z",
"object_refs": [
"observed-data--0e569e9a-17bd-4af6-b785-f83596b7a97a",
"url--0e569e9a-17bd-4af6-b785-f83596b7a97a",
"observed-data--89531d9a-c947-4bd8-a84c-68b4e89d2446",
"url--89531d9a-c947-4bd8-a84c-68b4e89d2446",
"indicator--580a5488-69c5-4019-83e1-02879ea0ac22",
"indicator--d1092ff9-f976-4029-9c29-7af01d6759b2",
"indicator--34d82c52-13de-4f37-9a70-336feae63b6a",
"indicator--5b08c28f-2d33-4075-b8b2-a8cea74dafa5",
"indicator--6c041cd6-b04e-4130-9aed-3140d3f3b78b",
"indicator--02484f6e-c50d-4b26-bdd2-aa14c3ebab2e",
"indicator--1ae94e8f-be1f-487f-81d6-cd519663ddef",
"indicator--da43a1ec-a1b6-441c-8ea5-48d64cc8e226",
"indicator--75c79264-1974-4aa2-b2c6-480ec8e7970d",
"indicator--3da15a87-1fb3-4d69-aa35-3efa20b7c701",
"indicator--5ae32a41-e5ad-49a0-934f-a0adc913c7d9",
"indicator--ec97ce8b-b674-4689-8720-5100614bcbbb",
"indicator--b5135450-e1fc-4c49-991a-f3042d3f21cf",
"indicator--93d7c230-354b-4378-bb4b-9c9d5fc76265",
"indicator--58593514-a54d-4eeb-807d-a9d448bac80f",
"indicator--aa9d2ada-9102-4ab7-a846-2c53f53db035",
"indicator--27fbdd1c-83e3-421a-bb3b-ae83c8bd24c2",
"indicator--085927fc-1a26-43a9-878e-e6ba9aff2869",
"indicator--d403cb96-0385-4ded-ae2d-2d9c80445eb2",
"indicator--b5946dfb-7a24-471c-b661-150a3f67c2e6",
"indicator--a6382aea-9681-4d3c-b031-cedb56900b78",
"indicator--7e14c5bd-5522-4085-8de9-67885ef022cf",
"indicator--bca4585a-5cb3-45c1-956b-5516f184be9c",
"indicator--2429561d-6b7a-46d3-9d6d-13a0bd99409b",
"indicator--57fc5262-d25d-4c17-b714-8caa54a91e36",
"indicator--7128f692-5453-41ea-9ee3-f3aa47802b39",
"indicator--9cdaccaa-2179-439f-8579-5e8f26e12c92",
"indicator--c4024a8b-c8ea-4cdf-aba7-084fdf316969",
"indicator--32018026-7020-45fa-8e1d-c835a796fa9b",
"indicator--e5faad77-39b0-4d55-b83c-e35302d03d21",
"indicator--5e62790f-3493-449c-acb1-d4adfab3f4a9",
"indicator--46272f67-9303-4f9b-acf0-97ea54e7eae2",
"indicator--7c089669-43c3-42d9-8c2c-7f3d717281aa",
"indicator--a489899c-c4f4-46dd-a596-f9d165cc75f9",
"indicator--cc0a65b6-d4ac-4486-afb1-da22800a25bd",
"indicator--dfac7576-54ff-41ec-a759-a4e362fd78e3",
"indicator--b1c574bc-446c-437d-ac2f-31fe56889df8",
"indicator--bbdf4eb4-3f5f-435e-81a3-27eeea6ab88b",
"indicator--38f1ecc6-4e89-40db-a826-c2eda523f946",
"indicator--3275524c-6128-4a8e-86c5-3aa90362f9e3",
"indicator--9c0ffa35-e772-4341-b04b-8c63a3385982",
"indicator--0dedcd10-8c29-4647-80f1-8eca7d58bef2",
"indicator--575f1379-0074-410a-9433-49b8b9958118",
"observed-data--10036ce7-76fb-44b5-95ec-aa98744391b2",
"url--10036ce7-76fb-44b5-95ec-aa98744391b2",
"observed-data--0a0a5eaa-39aa-474e-91f7-16818eb45441",
"url--0a0a5eaa-39aa-474e-91f7-16818eb45441",
"indicator--86947a18-f1ed-4ef9-bdfc-cd6d5f586179",
"indicator--83cac77f-3395-4e66-8748-4a3c93f13f9f",
"indicator--0bb49474-a26d-448c-a5fe-6a646bae941d",
"indicator--94d2a666-8901-4fdd-b637-12cd14214ed9",
"indicator--382db752-d40a-44b4-8043-8ed41ad534df",
"x-misp-object--f5e08151-622f-4b0f-9a5f-3b329b8da50c",
"indicator--b5e68470-eac8-4708-9c02-bd24d67639d9",
"x-misp-object--6b906ba0-33c1-4070-8962-49359d7ab1e1",
"x-misp-object--66a1099e-fc17-4447-a35a-671d1dce2b3a",
"indicator--b86e6a60-1bc6-4b06-9816-7d253d8136af",
"indicator--92efa833-8ea8-49ee-9d46-5fedbf946d46",
"indicator--22682f05-d593-4378-983c-e247b5f6df07",
"indicator--f1a24c1c-d479-447e-abbe-dfc97c485829",
"indicator--e0115c11-ab7d-4d4c-a7a2-078a8dc6b6dd",
"indicator--80fca50b-89b9-4331-9b9a-6a62e7080126",
"indicator--e489c678-49cd-4f79-a70b-9b3de81bd252",
"indicator--a855e025-6cbb-4c93-9585-95121ea5c55c",
"x-misp-object--f42f63de-36c2-41d3-86d1-d1e3e3508da1",
"x-misp-object--67af034f-5173-445b-ae08-1f1a7e9a7f87",
"x-misp-object--e6a7fd5d-ff89-4a3f-840f-892e99de748b",
"x-misp-object--cd7445c8-4121-45e1-a294-121ec9d35d8e",
"x-misp-object--f722ecce-fb4e-44f6-a2ed-f40f4fd96f11",
"x-misp-object--0ff15772-0b74-45a7-b805-f2a4363639d1",
"relationship--dbcfcd3e-30ad-4b06-9706-8aa58ec59db7",
"relationship--94b81c13-335f-4db3-ac3e-9a744a76e828",
"relationship--118996f6-0362-422d-b14a-ac5c6a5f78aa",
"relationship--3e467bc4-42b6-40d7-9093-966223ebc1dc",
"relationship--43cfe40a-d480-41a6-9cb5-566e310c8030",
"relationship--e6b74d83-acee-441d-a2d2-fe729f060650",
"relationship--95f0e351-2e0a-4a19-a413-a9d7e4b015f6"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"misp-galaxy:ransomware=\"Sodinokibi\"",
"misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--0e569e9a-17bd-4af6-b785-f83596b7a97a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:00:04.000Z",
"modified": "2021-07-05T08:00:04.000Z",
"first_observed": "2021-07-05T08:00:04Z",
"last_observed": "2021-07-05T08:00:04Z",
"number_observed": 1,
"object_refs": [
"url--0e569e9a-17bd-4af6-b785-f83596b7a97a"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--0e569e9a-17bd-4af6-b785-f83596b7a97a",
"value": "https://twitter.com/r3c0nst/status/1411922502553673728"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--89531d9a-c947-4bd8-a84c-68b4e89d2446",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:05:55.000Z",
"modified": "2021-07-05T08:05:55.000Z",
"first_observed": "2021-07-05T08:05:55Z",
"last_observed": "2021-07-05T08:05:55Z",
"number_observed": 1,
"object_refs": [
"url--89531d9a-c947-4bd8-a84c-68b4e89d2446"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--89531d9a-c947-4bd8-a84c-68b4e89d2446",
"value": "https://github.com/cado-security/DFIR_Resources_REvil_Kaseya"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--580a5488-69c5-4019-83e1-02879ea0ac22",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:43.000Z",
"modified": "2021-07-05T08:10:43.000Z",
"pattern": "[domain-name:value = 'ncuccr.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d1092ff9-f976-4029-9c29-7af01d6759b2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:43.000Z",
"modified": "2021-07-05T08:10:43.000Z",
"pattern": "[domain-name:value = '1team.es']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--34d82c52-13de-4f37-9a70-336feae63b6a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:43.000Z",
"modified": "2021-07-05T08:10:43.000Z",
"pattern": "[domain-name:value = '4net.guru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b08c28f-2d33-4075-b8b2-a8cea74dafa5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:43.000Z",
"modified": "2021-07-05T08:10:43.000Z",
"pattern": "[domain-name:value = '35-40konkatsu.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6c041cd6-b04e-4130-9aed-3140d3f3b78b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:43.000Z",
"modified": "2021-07-05T08:10:43.000Z",
"pattern": "[domain-name:value = '123vrachi.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--02484f6e-c50d-4b26-bdd2-aa14c3ebab2e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = '4youbeautysalon.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1ae94e8f-be1f-487f-81d6-cd519663ddef",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = '12starhd.online']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--da43a1ec-a1b6-441c-8ea5-48d64cc8e226",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = '101gowrie.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--75c79264-1974-4aa2-b2c6-480ec8e7970d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = '8449nohate.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3da15a87-1fb3-4d69-aa35-3efa20b7c701",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = '1kbk.com.ua']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ae32a41-e5ad-49a0-934f-a0adc913c7d9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = '365questions.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ec97ce8b-b674-4689-8720-5100614bcbbb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = '321play.com.hk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b5135450-e1fc-4c49-991a-f3042d3f21cf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'candyhouseusa.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--93d7c230-354b-4378-bb4b-9c9d5fc76265",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'andersongilmour.co.uk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58593514-a54d-4eeb-807d-a9d448bac80f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'facettenreich27.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--aa9d2ada-9102-4ab7-a846-2c53f53db035",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'blgr.be']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--27fbdd1c-83e3-421a-bb3b-ae83c8bd24c2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'fannmedias.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--085927fc-1a26-43a9-878e-e6ba9aff2869",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'southeasternacademyofprosthodontics.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d403cb96-0385-4ded-ae2d-2d9c80445eb2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'filmstreamingvfcomplet.be']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b5946dfb-7a24-471c-b661-150a3f67c2e6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'smartypractice.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a6382aea-9681-4d3c-b031-cedb56900b78",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'tanzschule-kieber.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7e14c5bd-5522-4085-8de9-67885ef022cf",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'iqbalscientific.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bca4585a-5cb3-45c1-956b-5516f184be9c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'pasvenska.se']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2429561d-6b7a-46d3-9d6d-13a0bd99409b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'cursosgratuitosnainternet.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57fc5262-d25d-4c17-b714-8caa54a91e36",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'bierensgebakkramen.nl']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7128f692-5453-41ea-9ee3-f3aa47802b39",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'c2e-poitiers.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9cdaccaa-2179-439f-8579-5e8f26e12c92",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'gonzalezfornes.es']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c4024a8b-c8ea-4cdf-aba7-084fdf316969",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'tonelektro.nl']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--32018026-7020-45fa-8e1d-c835a796fa9b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'milestoneshows.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e5faad77-39b0-4d55-b83c-e35302d03d21",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'blossombeyond50.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e62790f-3493-449c-acb1-d4adfab3f4a9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'thomasvicino.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--46272f67-9303-4f9b-acf0-97ea54e7eae2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'kaotikkustomz.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7c089669-43c3-42d9-8c2c-7f3d717281aa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'mindpackstudios.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a489899c-c4f4-46dd-a596-f9d165cc75f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'faroairporttransfers.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cc0a65b6-d4ac-4486-afb1-da22800a25bd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'daklesa.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dfac7576-54ff-41ec-a759-a4e362fd78e3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'bxdf.info']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b1c574bc-446c-437d-ac2f-31fe56889df8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'simoneblum.de']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bbdf4eb4-3f5f-435e-81a3-27eeea6ab88b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'gmto.fr']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--38f1ecc6-4e89-40db-a826-c2eda523f946",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'cerebralforce.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3275524c-6128-4a8e-86c5-3aa90362f9e3",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'myhostcloud.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9c0ffa35-e772-4341-b04b-8c63a3385982",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'fotoscondron.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0dedcd10-8c29-4647-80f1-8eca7d58bef2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'sw1m.ru']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--575f1379-0074-410a-9433-49b8b9958118",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:10:44.000Z",
"modified": "2021-07-05T08:10:44.000Z",
"pattern": "[domain-name:value = 'homng.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:10:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--10036ce7-76fb-44b5-95ec-aa98744391b2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:16:00.000Z",
"modified": "2021-07-05T08:16:00.000Z",
"first_observed": "2021-07-05T08:16:00Z",
"last_observed": "2021-07-05T08:16:00Z",
"number_observed": 1,
"object_refs": [
"url--10036ce7-76fb-44b5-95ec-aa98744391b2"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--10036ce7-76fb-44b5-95ec-aa98744391b2",
"value": "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--0a0a5eaa-39aa-474e-91f7-16818eb45441",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-07T09:35:06.000Z",
"modified": "2021-07-07T09:35:06.000Z",
"first_observed": "2021-07-07T09:35:06Z",
"last_observed": "2021-07-07T09:35:06Z",
"number_observed": 1,
"object_refs": [
"url--0a0a5eaa-39aa-474e-91f7-16818eb45441"
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--0a0a5eaa-39aa-474e-91f7-16818eb45441",
"value": "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--86947a18-f1ed-4ef9-bdfc-cd6d5f586179",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T07:58:29.000Z",
"modified": "2021-07-05T07:58:29.000Z",
"pattern": "[file:hashes.SHA256 = '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd' AND file:name = 'mpsvc.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T07:58:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--83cac77f-3395-4e66-8748-4a3c93f13f9f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T07:59:12.000Z",
"modified": "2021-07-05T07:59:12.000Z",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '161.35.239.148')]",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T07:59:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0bb49474-a26d-448c-a5fe-6a646bae941d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:01:00.000Z",
"modified": "2021-07-05T08:01:00.000Z",
"pattern": "[file:hashes.SHA256 = 'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e' AND file:name = 'agent.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:01:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--94d2a666-8901-4fdd-b637-12cd14214ed9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:01:41.000Z",
"modified": "2021-07-05T08:01:41.000Z",
"pattern": "[file:hashes.SHA256 = '45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c' AND file:name = 'agent.crt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:01:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--382db752-d40a-44b4-8043-8ed41ad534df",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:02:40.000Z",
"modified": "2021-07-05T08:02:40.000Z",
"pattern": "[file:hashes.MD5 = 'a47cf00aedf769d60d58bfe00c0b5421' AND file:hashes.SHA1 = '656c4d285ea518d90c1b669b79af475db31e30b1' AND file:hashes.SHA256 = '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:02:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f5e08151-622f-4b0f-9a5f-3b329b8da50c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:02:41.000Z",
"modified": "2021-07-05T08:02:41.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-07-05T07:25:40+00:00",
"category": "Other",
"uuid": "b82380c0-f8d1-4628-93db-30b0329f769c"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd/detection/f-8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd-1625469940",
"category": "Payload delivery",
"uuid": "9928eec8-58f6-4045-bb3e-a262fd2ba91d"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "48/67",
"category": "Payload delivery",
"uuid": "7e59ed0f-cab2-4281-a782-9da359ec6216"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b5e68470-eac8-4708-9c02-bd24d67639d9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:15:24.000Z",
"modified": "2021-07-05T08:15:24.000Z",
"pattern": "[file:hashes.MD5 = '561cffbaba71a6e8cc1cdceda990ead4' AND file:hashes.SHA1 = '5162f14d75e96edb914d1756349d6e11583db0b0' AND file:hashes.SHA256 = 'd55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:15:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6b906ba0-33c1-4070-8962-49359d7ab1e1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:02:41.000Z",
"modified": "2021-07-05T08:02:41.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-07-05T07:38:02+00:00",
"category": "Other",
"uuid": "62f89fbb-f229-43f3-9070-42136d2b9dcf"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection/f-d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e-1625470682",
"category": "Payload delivery",
"uuid": "9f23d9a9-531e-4989-8855-9a9ab929a3b0"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "45/67",
"category": "Payload delivery",
"uuid": "c2ed79ca-fec5-4be8-8c84-2458aba65061"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--66a1099e-fc17-4447-a35a-671d1dce2b3a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:04:38.000Z",
"modified": "2021-07-05T08:04:38.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
"category": "External analysis",
"uuid": "3d161d9c-33c4-4e4b-b1e0-9fa940089aab"
},
{
"type": "text",
"object_relation": "summary",
"value": "CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.\r\n\r\nCISA and FBI recommend affected MSPs:\r\n\r\n Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present. \r\n Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and\u2014to the maximum extent possible\u2014enable and enforce MFA for customer-facing services.\r\n Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or\r\n Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.\r\n\r\nCISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.\r\n\r\nCISA and FBI recommend affected MSP customers:\r\n\r\n Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;\r\n Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;\r\n Implement:\r\n Multi-factor authentication; and\r\n Principle of least privilege on key network resources admin accounts.",
"category": "Other",
"uuid": "8927e0f4-f8e0-455a-a97c-5fcaf825e8bb"
},
{
"type": "text",
"object_relation": "type",
"value": "Alert",
"category": "Other",
"uuid": "fb986017-9d19-403f-929e-959fe625dbea"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b86e6a60-1bc6-4b06-9816-7d253d8136af",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:06:34.000Z",
"modified": "2021-07-05T08:06:34.000Z",
"pattern": "/* Via https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/REvil_Cert.yar\r\n*/\r\n\r\nimport \\\\\"pe\\\\\"\r\nrule REvil_Cert\r\n{\r\nmeta:\r\n\tdescription = \\\\\"Identifies the digital certificate PB03 TRANSPORT LTD, used by REvil in the Kaseya supply chain attack.\\\\\"\r\n\tauthor = \\\\\"@bartblaze\\\\\"\r\n\tdate = \\\\\"2021-07\\\\\"\r\n\treference = \\\\\"https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers\\\\\"\r\n\ttlp = \\\\\"White\\\\\"\r\n\t\r\ncondition:\r\n\tuint16(0) == 0x5a4d and\r\n\t\tfor any i in (0 .. pe.number_of_signatures) : (\r\n\t\tpe.signatures[i].serial == \\\\\"11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0\\\\\"\r\n\t)\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:06:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--92efa833-8ea8-49ee-9d46-5fedbf946d46",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:07:06.000Z",
"modified": "2021-07-05T08:07:06.000Z",
"pattern": "/* Via https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/REvil_Dropper.yar\r\n*/\r\n\r\nrule REvil_Dropper\r\n{\r\nmeta:\r\n\tdescription = \\\\\"Identifies the dropper used by REvil in the Kaseya supply chain attack.\\\\\"\r\n\tauthor = \\\\\"@bartblaze\\\\\"\r\n\tdate = \\\\\"2021-07\\\\\"\r\n\thash = \\\\\"d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e\\\\\"\r\n \treference = \\\\\"https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers\\\\\"\r\n\ttlp = \\\\\"White\\\\\"\r\n\t\r\nstrings:\r\n $ = { 55 8b ec 56 8b 35 24 d0 40 00 68 04 1c 41 00 6a 65 6a 00 ff \r\n d6 85 c0 0f 84 98 00 00 00 50 6a 00 ff 15 20 d0 40 00 85 c0 0f 84 \r\n 87 00 00 00 50 ff 15 18 d0 40 00 68 14 1c 41 00 6a 66 6a 00 a3 a0 \r\n 43 41 00 ff d6 85 c0 74 6c 50 33 f6 56 ff 15 20 d0 40 00 85 c0 74 \r\n 5e 50 ff 15 18 d0 40 00 68 24 1c 41 00 ba 88 55 0c 00 a3 a4 43 41 \r\n 00 8b c8 e8 9a fe ff ff 8b 0d a0 43 41 00 ba d0 56 00 00 c7 04 ?4 \r\n 38 1c 41 00 e8 83 fe ff ff c7 04 ?4 ec 43 41 00 68 a8 43 41 00 56 \r\n 56 68 30 02 00 00 56 56 56 ff 75 10 c7 05 a8 43 41 00 44 00 00 00 \r\n 50 ff 15 28 d0 40 00 }\r\n\t\r\ncondition:\r\n\tall of them\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:07:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--22682f05-d593-4378-983c-e247b5f6df07",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:07:41.000Z",
"modified": "2021-07-05T08:07:41.000Z",
"pattern": "/* Via: https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar\r\n*/\r\n\r\nrule APT_MAL_REvil_Kaseya_Jul21_2 {\r\n meta:\r\n description = \\\\\"Detects malware used in the Kaseya supply chain attack\\\\\"\r\n author = \\\\\"Florian Roth\\\\\"\r\n reference = \\\\\"https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b\\\\\"\r\n date = \\\\\"2021-07-02\\\\\"\r\n hash1 = \\\\\"0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402\\\\\"\r\n hash2 = \\\\\"8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd\\\\\"\r\n hash3 = \\\\\"cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6\\\\\"\r\n hash4 = \\\\\"d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f\\\\\"\r\n hash5 = \\\\\"d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20\\\\\"\r\n hash6 = \\\\\"e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2\\\\\"\r\n strings:\r\n $opa1 = { 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 }\r\n $opa2 = { 89 45 f0 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 }\r\n $opa3 = { 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 0f b6 14 01 }\r\n $opa4 = { 89 45 f4 8b 0d ?? ?0 07 10 89 4d f8 8b 15 ?? ?1 07 10 89 55 fc ff 75 fc ff 75 f8 ff 55 f4 }\r\n\r\n $opb1 = { 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc cc }\r\n $opb2 = { 18 00 10 0e 19 00 10 cc cc cc cc 8b 44 24 04 }\r\n $opb3 = { 10 c4 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc }\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n filesize < 3000KB and ( 2 of ($opa*) or 3 of them )\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:07:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f1a24c1c-d479-447e-abbe-dfc97c485829",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:08:01.000Z",
"modified": "2021-07-05T08:08:01.000Z",
"pattern": "/* Via https://github.com/Neo23x0/signature-base/blob/e360605894c12859de36f28fda95140aa330694b/yara/crime_ransom_revil.yar\r\n*/\r\n\r\n\r\nrule MAL_RANSOM_REvil_Oct20_1 {\r\n meta:\r\n description = \\\\\"Detects REvil ransomware\\\\\"\r\n author = \\\\\"Florian Roth\\\\\"\r\n reference = \\\\\"Internal Research\\\\\"\r\n date = \\\\\"2020-10-13\\\\\"\r\n hash1 = \\\\\"5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4\\\\\"\r\n hash2 = \\\\\"f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5\\\\\"\r\n hash3 = \\\\\"f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d\\\\\"\r\n hash4 = \\\\\"fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501\\\\\"\r\n strings:\r\n $op1 = { 0f 8c 74 ff ff ff 33 c0 5f 5e 5b 8b e5 5d c3 8b }\r\n $op2 = { 8d 85 68 ff ff ff 50 e8 2a fe ff ff 8d 85 68 ff }\r\n $op3 = { 89 4d f4 8b 4e 0c 33 4e 34 33 4e 5c 33 8e 84 }\r\n $op4 = { 8d 85 68 ff ff ff 50 e8 05 06 00 00 8d 85 68 ff }\r\n $op5 = { 8d 85 68 ff ff ff 56 57 ff 75 0c 50 e8 2f }\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n filesize < 400KB and\r\n 2 of them or 4 of them\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:08:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
],
"x_misp_context": "all"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e0115c11-ab7d-4d4c-a7a2-078a8dc6b6dd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:11:28.000Z",
"modified": "2021-07-05T08:11:28.000Z",
"pattern": "[windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\BlackLivesMatter']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:11:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"registry-key\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--80fca50b-89b9-4331-9b9a-6a62e7080126",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:15:24.000Z",
"modified": "2021-07-05T08:15:24.000Z",
"pattern": "[file:hashes.SHA256 = '8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd' AND file:name = 'mpsvc.dll' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:15:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e489c678-49cd-4f79-a70b-9b3de81bd252",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:14:24.000Z",
"modified": "2021-07-05T08:14:24.000Z",
"pattern": "[file:hashes.SHA256 = '33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a' AND file:name = 'msmpeng.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:14:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a855e025-6cbb-4c93-9585-95121ea5c55c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:15:24.000Z",
"modified": "2021-07-05T08:15:24.000Z",
"pattern": "[file:hashes.MD5 = '8cc83221870dd07144e63df594c391d9' AND file:hashes.SHA1 = '3d409b39b8502fcd23335a878f2cbdaf6d721995' AND file:hashes.SHA256 = '33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-07-05T08:15:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f42f63de-36c2-41d3-86d1-d1e3e3508da1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:15:24.000Z",
"modified": "2021-07-05T08:15:24.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-07-05T07:54:28+00:00",
"category": "Other",
"uuid": "d3098b51-a5b4-423d-8300-1d367736f857"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a/detection/f-33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a-1625471668",
"category": "Payload delivery",
"uuid": "d39ee2f9-56f3-42be-8de3-4e464a297c19"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "0/68",
"category": "Payload delivery",
"uuid": "65828223-6628-400c-99c8-cd7a1c4e2de7"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--67af034f-5173-445b-ae08-1f1a7e9a7f87",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:15:24.000Z",
"modified": "2021-07-05T08:15:24.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-07-05T08:11:57+00:00",
"category": "Other",
"uuid": "45e226ea-be4f-45ce-8ac1-ccdcc263a1b8"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd/detection/f-8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd-1625472717",
"category": "Payload delivery",
"uuid": "c93ae24c-908f-4dd0-ae98-4b376b9cf2fd"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "48/68",
"category": "Payload delivery",
"uuid": "f8f3e9cd-5ff9-479d-8a71-86f210c79adb"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e6a7fd5d-ff89-4a3f-840f-892e99de748b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:15:24.000Z",
"modified": "2021-07-05T08:15:24.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2021-07-05T08:12:17+00:00",
"category": "Other",
"uuid": "1b7654f4-816d-462a-a589-1c72eeb110aa"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection/f-d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e-1625472737",
"category": "Payload delivery",
"uuid": "43d4b31b-3140-4f05-8b0e-5f0eedd20103"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "47/70",
"category": "Payload delivery",
"uuid": "9d182ba8-8b82-453f-8e0e-91f29ee97d65"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--cd7445c8-4121-45e1-a294-121ec9d35d8e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:19:46.000Z",
"modified": "2021-07-05T08:19:46.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "\"%WINDIR%\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 6258 > nul & %WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y %WINDIR%\\System32\\certutil.exe %WINDIR%\\cert.exe & echo %RANDOM% >> %WINDIR%\\cert.exe & %WINDIR%\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt %WINDIR%\\cert.exe & c:\\kworking\\agent.exe",
"category": "Other",
"uuid": "cbfcd350-0e50-4e7e-a839-f3869a4ae11e"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--f722ecce-fb4e-44f6-a2ed-f40f4fd96f11",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:19:02.000Z",
"modified": "2021-07-05T08:19:02.000Z",
"labels": [
"misp:name=\"command-line\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "value",
"value": "\"%WINDIR%\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 5693 > nul & %WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y %WINDIR%\\System32\\certutil.exe %WINDIR%\\cert.exe & echo %RANDOM% >> %WINDIR%\\cert.exe & %WINDIR%\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt %WINDIR%\\cert.exe & c:\\kworking\\agent.exe",
"category": "Other",
"uuid": "d27857cb-272f-434f-8236-5a65e4c12acf"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "command-line"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--0ff15772-0b74-45a7-b805-f2a4363639d1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-07-05T08:18:04.000Z",
"modified": "2021-07-05T08:18:04.000Z",
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "fullpath",
"value": "%PROGRAMFILES%\\(x86)\\Kaseya\\<ID>\\AgentMon.exe",
"category": "Other",
"uuid": "a94932af-2266-4478-860f-a16e0162f761"
}
],
"x_misp_meta_category": "file",
"x_misp_name": "file"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--dbcfcd3e-30ad-4b06-9706-8aa58ec59db7",
"created": "2021-07-05T08:02:41.000Z",
"modified": "2021-07-05T08:02:41.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--382db752-d40a-44b4-8043-8ed41ad534df",
"target_ref": "x-misp-object--f5e08151-622f-4b0f-9a5f-3b329b8da50c"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--94b81c13-335f-4db3-ac3e-9a744a76e828",
"created": "2021-07-05T08:02:41.000Z",
"modified": "2021-07-05T08:02:41.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b5e68470-eac8-4708-9c02-bd24d67639d9",
"target_ref": "x-misp-object--6b906ba0-33c1-4070-8962-49359d7ab1e1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--118996f6-0362-422d-b14a-ac5c6a5f78aa",
"created": "2021-07-05T08:15:24.000Z",
"modified": "2021-07-05T08:15:24.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b5e68470-eac8-4708-9c02-bd24d67639d9",
"target_ref": "x-misp-object--e6a7fd5d-ff89-4a3f-840f-892e99de748b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3e467bc4-42b6-40d7-9093-966223ebc1dc",
"created": "2021-07-05T08:15:24.000Z",
"modified": "2021-07-05T08:15:24.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--80fca50b-89b9-4331-9b9a-6a62e7080126",
"target_ref": "x-misp-object--67af034f-5173-445b-ae08-1f1a7e9a7f87"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--43cfe40a-d480-41a6-9cb5-566e310c8030",
"created": "2021-07-05T08:15:25.000Z",
"modified": "2021-07-05T08:15:25.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--a855e025-6cbb-4c93-9585-95121ea5c55c",
"target_ref": "x-misp-object--f42f63de-36c2-41d3-86d1-d1e3e3508da1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e6b74d83-acee-441d-a2d2-fe729f060650",
"created": "2021-07-05T08:19:46.000Z",
"modified": "2021-07-05T08:19:46.000Z",
"relationship_type": "child-of",
"source_ref": "x-misp-object--cd7445c8-4121-45e1-a294-121ec9d35d8e",
"target_ref": "x-misp-object--0ff15772-0b74-45a7-b805-f2a4363639d1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--95f0e351-2e0a-4a19-a413-a9d7e4b015f6",
"created": "2021-07-05T08:19:02.000Z",
"modified": "2021-07-05T08:19:02.000Z",
"relationship_type": "child-of",
"source_ref": "x-misp-object--f722ecce-fb4e-44f6-a2ed-f40f4fd96f11",
"target_ref": "x-misp-object--0ff15772-0b74-45a7-b805-f2a4363639d1"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}