misp-circl-feed/feeds/circl/stix-2.1/57750408-3784-4dfd-a7c7-c82a950d210f.json

293 lines
No EOL
13 KiB
JSON

{
"type": "bundle",
"id": "bundle--57750408-3784-4dfd-a7c7-c82a950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:40:05.000Z",
"modified": "2016-06-30T11:40:05.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57750408-3784-4dfd-a7c7-c82a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:40:05.000Z",
"modified": "2016-06-30T11:40:05.000Z",
"name": "OSINT - Satana ransomware \u00e2\u20ac\u201c threat coming soon?",
"published": "2016-06-30T11:40:23Z",
"object_refs": [
"observed-data--5775044a-7274-476f-ab3a-d08c950d210f",
"url--5775044a-7274-476f-ab3a-d08c950d210f",
"x-misp-attribute--5775045e-8550-43c6-bbdc-c829950d210f",
"indicator--57750476-4d04-42a9-9282-c823950d210f",
"indicator--5775048a-ed78-4ea4-bccd-4552950d210f",
"indicator--57750516-e764-4744-8cd9-c82702de0b81",
"indicator--57750516-ed2c-47cb-a6c3-c82702de0b81",
"observed-data--57750516-fe34-42ad-88a4-c82702de0b81",
"url--57750516-fe34-42ad-88a4-c82702de0b81",
"indicator--57750517-9c38-4c37-8e76-c82702de0b81",
"indicator--57750517-fec4-4984-a119-c82702de0b81",
"observed-data--57750518-959c-4a94-bde0-c82702de0b81",
"url--57750518-959c-4a94-bde0-c82702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"circl:incident-classification=\"malware\"",
"ecsirt:malicious-code=\"ransomware\"",
"malware_classification:malware-category=\"Ransomware\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5775044a-7274-476f-ab3a-d08c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:36:42.000Z",
"modified": "2016-06-30T11:36:42.000Z",
"first_observed": "2016-06-30T11:36:42Z",
"last_observed": "2016-06-30T11:36:42Z",
"number_observed": 1,
"object_refs": [
"url--5775044a-7274-476f-ab3a-d08c950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5775044a-7274-476f-ab3a-d08c950d210f",
"value": "https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5775045e-8550-43c6-bbdc-c829950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:37:02.000Z",
"modified": "2016-06-30T11:37:02.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Petya ransomware is quickly becoming a household name and in typical cyber-criminal fashion, copycat families are starting to emerge.\r\n\r\nIn this post, we have the benefit of analyzing \u00e2\u20ac\u0153malware-in-development\u00e2\u20ac\u009d and can observe its growth over the coming weeks. The ransomware is called Satana (devil/satan in Italian) and similar to the Petya and Mischa bundle, Satana works in two modes.\r\n\r\nThe first mode behaves like Petya, a dropper (that is a typical PE file) writes to the beginning of the infected disk a low-level module which is a bootloader with a tiny custom kernel.\r\n\r\nThe second mode behaves like typical ransomware and encrypts files one by one (just like Mischa).\r\n\r\nContrary to the Petya and Mischa bundle, these modes are not used as alternatives, but are both utilized, one after the other, to infect the system."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57750476-4d04-42a9-9282-c823950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:37:26.000Z",
"modified": "2016-06-30T11:37:26.000Z",
"description": "main sample",
"pattern": "[file:hashes.MD5 = '46bfd4f1d581d7c0121d2b19a005d3df']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-06-30T11:37:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5775048a-ed78-4ea4-bccd-4552950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:37:46.000Z",
"modified": "2016-06-30T11:37:46.000Z",
"description": "unpacked",
"pattern": "[file:hashes.MD5 = 'd236fcc8789f94f085137058311e848b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-06-30T11:37:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57750516-e764-4744-8cd9-c82702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:40:06.000Z",
"modified": "2016-06-30T11:40:06.000Z",
"description": "unpacked - Xchecked via VT: d236fcc8789f94f085137058311e848b",
"pattern": "[file:hashes.SHA256 = 'ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-06-30T11:40:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57750516-ed2c-47cb-a6c3-c82702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:40:06.000Z",
"modified": "2016-06-30T11:40:06.000Z",
"description": "unpacked - Xchecked via VT: d236fcc8789f94f085137058311e848b",
"pattern": "[file:hashes.SHA1 = '808061052c9efc7c7255ffeb92c77b02bbb8cfee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-06-30T11:40:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57750516-fe34-42ad-88a4-c82702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:40:06.000Z",
"modified": "2016-06-30T11:40:06.000Z",
"first_observed": "2016-06-30T11:40:06Z",
"last_observed": "2016-06-30T11:40:06Z",
"number_observed": 1,
"object_refs": [
"url--57750516-fe34-42ad-88a4-c82702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57750516-fe34-42ad-88a4-c82702de0b81",
"value": "https://www.virustotal.com/file/ee937717efe9a2e076b9497498b628beb0c84a8476bd288105a59c5aeea01f3d/analysis/1467267018/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57750517-9c38-4c37-8e76-c82702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:40:07.000Z",
"modified": "2016-06-30T11:40:07.000Z",
"description": "main sample - Xchecked via VT: 46bfd4f1d581d7c0121d2b19a005d3df",
"pattern": "[file:hashes.SHA256 = '683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-06-30T11:40:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57750517-fec4-4984-a119-c82702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:40:07.000Z",
"modified": "2016-06-30T11:40:07.000Z",
"description": "main sample - Xchecked via VT: 46bfd4f1d581d7c0121d2b19a005d3df",
"pattern": "[file:hashes.SHA1 = '5b063298bbd1670b4d39e1baef67f854b8dcba9d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-06-30T11:40:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57750518-959c-4a94-bde0-c82702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-06-30T11:40:08.000Z",
"modified": "2016-06-30T11:40:08.000Z",
"first_observed": "2016-06-30T11:40:08Z",
"last_observed": "2016-06-30T11:40:08Z",
"number_observed": 1,
"object_refs": [
"url--57750518-959c-4a94-bde0-c82702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57750518-959c-4a94-bde0-c82702de0b81",
"value": "https://www.virustotal.com/file/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96/analysis/1467247188/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}