misp-circl-feed/feeds/circl/stix-2.1/5ac7752d-a430-4606-8d2b-06b4950d210f.json

285 lines
No EOL
12 KiB
JSON

{
"type": "bundle",
"id": "bundle--5ac7752d-a430-4606-8d2b-06b4950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:30:50.000Z",
"modified": "2018-04-08T15:30:50.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5ac7752d-a430-4606-8d2b-06b4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:30:50.000Z",
"modified": "2018-04-08T15:30:50.000Z",
"name": "OSINT - The WhiteRose Ransomware Is Decryptable & Tells A Strange Story",
"published": "2018-04-08T15:31:30Z",
"object_refs": [
"observed-data--5ac775d0-9a60-430c-8183-09c1950d210f",
"url--5ac775d0-9a60-430c-8183-09c1950d210f",
"x-misp-attribute--5ac775de-483c-4dc0-909f-47f0950d210f",
"indicator--5ac77748-c2a4-4bc0-bfae-4120950d210f",
"indicator--5ac77749-02a0-40e7-a956-432a950d210f",
"indicator--5ac77749-0d30-4225-82e6-4797950d210f",
"indicator--5ac7774a-d96c-471c-ad31-4e2c950d210f",
"indicator--5ac7774a-6614-43f3-892e-4745950d210f",
"indicator--ce819f0f-cc14-4c81-bf4f-84d9008186d0",
"x-misp-object--fa25d195-ee00-4c65-8d36-df8716a6803d",
"relationship--c5074d9b-2dea-466c-9279-7bd04423deba"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:ransomware=\"WhiteRose\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5ac775d0-9a60-430c-8183-09c1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:10:23.000Z",
"modified": "2018-04-08T15:10:23.000Z",
"first_observed": "2018-04-08T15:10:23Z",
"last_observed": "2018-04-08T15:10:23Z",
"number_observed": 1,
"object_refs": [
"url--5ac775d0-9a60-430c-8183-09c1950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5ac775d0-9a60-430c-8183-09c1950d210f",
"value": "https://www.bleepingcomputer.com/news/security/the-whiterose-ransomware-is-decryptable-and-tells-a-strange-story/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5ac775de-483c-4dc0-909f-47f0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:10:24.000Z",
"modified": "2018-04-08T15:10:24.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "A new ransomware has been discovered by MalwareHunterTeam that is based off of the InfiniteTear ransomware family, of which BlackRuby and Zenis are members. When this ransomware infects a computer it will encrypt the files, scramble the filenames, and append the .WHITEROSE extension to them.\r\n\r\nIt is not currently known for sure how this ransomware is being distributed, but reports indicate it is being manually installed by hacking into Remote Desktop services. Furthermore, based on the submissions to ID-Ransomware, the developer of this ransomware appears to be targeting European countries, with a strong focus on Spain."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac77748-c2a4-4bc0-bfae-4120950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-06T13:34:00.000Z",
"modified": "2018-04-06T13:34:00.000Z",
"pattern": "[file:hashes.SHA256 = '9614b9bc6cb2d06d261f97ba25743a89df44906e750c52398b5dbdbcb66a9415']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-06T13:34:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac77749-02a0-40e7-a956-432a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:10:24.000Z",
"modified": "2018-04-08T15:10:24.000Z",
"pattern": "[file:name = 'C:\\\\Perfect.sys']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:10:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac77749-0d30-4225-82e6-4797950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:10:25.000Z",
"modified": "2018-04-08T15:10:25.000Z",
"pattern": "[file:name = 'HOW-TO-RECOVERY-FILES.TXT']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:10:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac7774a-d96c-471c-ad31-4e2c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:10:25.000Z",
"modified": "2018-04-08T15:10:25.000Z",
"pattern": "[url:value = 'http://torbox3uiot6wchz.onion']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:10:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5ac7774a-6614-43f3-892e-4745950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:10:25.000Z",
"modified": "2018-04-08T15:10:25.000Z",
"pattern": "[email-message:from_ref.value = 'thewhiterose@torbox3uiot6wchz.onion']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:10:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ce819f0f-cc14-4c81-bf4f-84d9008186d0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:10:29.000Z",
"modified": "2018-04-08T15:10:29.000Z",
"pattern": "[file:hashes.MD5 = '00bd67cfccf7141c8fb6c622442bd419' AND file:hashes.SHA1 = '0d642ea85680b932e6dd45620c9c12d1060b46fd' AND file:hashes.SHA256 = '9614b9bc6cb2d06d261f97ba25743a89df44906e750c52398b5dbdbcb66a9415']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-04-08T15:10:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--fa25d195-ee00-4c65-8d36-df8716a6803d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-04-08T15:10:27.000Z",
"modified": "2018-04-08T15:10:27.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/9614b9bc6cb2d06d261f97ba25743a89df44906e750c52398b5dbdbcb66a9415/analysis/1523023058/",
"category": "External analysis",
"uuid": "5aca30e4-71e8-4664-a949-4da402de0b81"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "50/66",
"category": "Other",
"uuid": "5aca30e4-3d0c-43b7-bcaf-48b702de0b81"
},
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-04-06T13:57:38",
"category": "Other",
"uuid": "5aca30e4-d55c-4f4b-a73d-4cb102de0b81"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c5074d9b-2dea-466c-9279-7bd04423deba",
"created": "2018-04-08T15:10:29.000Z",
"modified": "2018-04-08T15:10:29.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--ce819f0f-cc14-4c81-bf4f-84d9008186d0",
"target_ref": "x-misp-object--fa25d195-ee00-4c65-8d36-df8716a6803d"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}