misp-circl-feed/feeds/circl/misp/584a6066-ea54-4894-8e9f-4d6f950d210f.json

359 lines
No EOL
15 KiB
JSON

{
"type": "bundle",
"id": "bundle--584a6066-ea54-4894-8e9f-4d6f950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-12T10:48:23.000Z",
"modified": "2016-12-12T10:48:23.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--584a6066-ea54-4894-8e9f-4d6f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-12T10:48:23.000Z",
"modified": "2016-12-12T10:48:23.000Z",
"name": "OSINT - New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key",
"published": "2016-12-12T11:10:31Z",
"object_refs": [
"observed-data--584a607b-50a8-46d5-b348-467f950d210f",
"url--584a607b-50a8-46d5-b348-467f950d210f",
"x-misp-attribute--584a608f-74e8-4a52-9211-49be950d210f",
"indicator--584a60f6-ab68-4448-88d6-4d3a950d210f",
"indicator--584a60f6-4018-46ce-88f3-4b78950d210f",
"indicator--584a60f7-1514-40df-9d86-4494950d210f",
"indicator--584a60f7-f134-4066-afe2-4bc9950d210f",
"indicator--584a60f8-94dc-4a12-89e7-4fba950d210f",
"indicator--584a60f8-3a98-4de1-b38a-42b0950d210f",
"indicator--584a6119-5538-4879-a2fd-4db0950d210f",
"observed-data--584e8000-31e4-4d83-a1cd-42f8950d210f",
"url--584e8000-31e4-4d83-a1cd-42f8950d210f",
"indicator--584e8077-23fc-4955-951f-4f2102de0b81",
"indicator--584e8077-cd94-45f7-9b90-4fcd02de0b81",
"observed-data--584e8078-7028-4fe6-baa2-4c1c02de0b81",
"url--584e8078-7028-4fe6-baa2-4c1c02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"malware_classification:malware-category=\"Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--584a607b-50a8-46d5-b348-467f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:42:51.000Z",
"modified": "2016-12-09T07:42:51.000Z",
"first_observed": "2016-12-09T07:42:51Z",
"last_observed": "2016-12-09T07:42:51Z",
"number_observed": 1,
"object_refs": [
"url--584a607b-50a8-46d5-b348-467f950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--584a607b-50a8-46d5-b348-467f950d210f",
"value": "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--584a608f-74e8-4a52-9211-49be950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:43:11.000Z",
"modified": "2016-12-09T07:43:11.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victim's a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.\r\n\r\nTo make matters worse, there is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key 4 times, the ransomware will start deleting files.\r\n\r\nIt should be noted, that this ransomware is not related to the Popcorn Time application that downloads and streams copyrighted movies."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584a60f6-ab68-4448-88d6-4d3a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:44:54.000Z",
"modified": "2016-12-09T07:44:54.000Z",
"pattern": "[file:name = 'restore_your_files.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-09T07:44:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584a60f6-4018-46ce-88f3-4b78950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:44:54.000Z",
"modified": "2016-12-09T07:44:54.000Z",
"pattern": "[file:name = 'restore_your_files.txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-09T07:44:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584a60f7-1514-40df-9d86-4494950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:44:55.000Z",
"modified": "2016-12-09T07:44:55.000Z",
"pattern": "[file:name = 'popcorn_time.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-09T07:44:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584a60f7-f134-4066-afe2-4bc9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:44:55.000Z",
"modified": "2016-12-09T07:44:55.000Z",
"pattern": "[url:value = 'https://3hnuhydu4pd247qb.onion.to']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-09T07:44:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584a60f8-94dc-4a12-89e7-4fba950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:44:56.000Z",
"modified": "2016-12-09T07:44:56.000Z",
"pattern": "[url:value = 'http://popcorn-time-free.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-09T07:44:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584a60f8-3a98-4de1-b38a-42b0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:44:56.000Z",
"modified": "2016-12-09T07:44:56.000Z",
"pattern": "[file:hashes.SHA256 = 'fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-09T07:44:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584a6119-5538-4879-a2fd-4db0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-09T07:45:29.000Z",
"modified": "2016-12-09T07:45:29.000Z",
"pattern": "[windows-registry-key:key = 'HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run' AND windows-registry-key:values.data = '\\\\\"Popcorn_Time\\\\\" [path_to]\\\\popcorn_time.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-09T07:45:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Persistence mechanism"
}
],
"labels": [
"misp:type=\"regkey|value\"",
"misp:category=\"Persistence mechanism\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--584e8000-31e4-4d83-a1cd-42f8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-12T10:46:24.000Z",
"modified": "2016-12-12T10:46:24.000Z",
"first_observed": "2016-12-12T10:46:24Z",
"last_observed": "2016-12-12T10:46:24Z",
"number_observed": 1,
"object_refs": [
"url--584e8000-31e4-4d83-a1cd-42f8950d210f"
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--584e8000-31e4-4d83-a1cd-42f8950d210f",
"value": "https://3hnuhydu4pd247qb.onion"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584e8077-23fc-4955-951f-4f2102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-12T10:48:23.000Z",
"modified": "2016-12-12T10:48:23.000Z",
"description": "- Xchecked via VT: fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51",
"pattern": "[file:hashes.SHA1 = 'bf341c440f6e8a3b1eae49fdc480d488a48778a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-12T10:48:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--584e8077-cd94-45f7-9b90-4fcd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-12T10:48:23.000Z",
"modified": "2016-12-12T10:48:23.000Z",
"description": "- Xchecked via VT: fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51",
"pattern": "[file:hashes.MD5 = 'a0fdaf733314a120d9db7617a586f1b4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-12-12T10:48:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--584e8078-7028-4fe6-baa2-4c1c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-12-12T10:48:24.000Z",
"modified": "2016-12-12T10:48:24.000Z",
"first_observed": "2016-12-12T10:48:24Z",
"last_observed": "2016-12-12T10:48:24Z",
"number_observed": 1,
"object_refs": [
"url--584e8078-7028-4fe6-baa2-4c1c02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--584e8078-7028-4fe6-baa2-4c1c02de0b81",
"value": "https://www.virustotal.com/file/fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51/analysis/1481283166/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}