359 lines
No EOL
15 KiB
JSON
359 lines
No EOL
15 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--584a6066-ea54-4894-8e9f-4d6f950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-12T10:48:23.000Z",
|
|
"modified": "2016-12-12T10:48:23.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--584a6066-ea54-4894-8e9f-4d6f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-12T10:48:23.000Z",
|
|
"modified": "2016-12-12T10:48:23.000Z",
|
|
"name": "OSINT - New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key",
|
|
"published": "2016-12-12T11:10:31Z",
|
|
"object_refs": [
|
|
"observed-data--584a607b-50a8-46d5-b348-467f950d210f",
|
|
"url--584a607b-50a8-46d5-b348-467f950d210f",
|
|
"x-misp-attribute--584a608f-74e8-4a52-9211-49be950d210f",
|
|
"indicator--584a60f6-ab68-4448-88d6-4d3a950d210f",
|
|
"indicator--584a60f6-4018-46ce-88f3-4b78950d210f",
|
|
"indicator--584a60f7-1514-40df-9d86-4494950d210f",
|
|
"indicator--584a60f7-f134-4066-afe2-4bc9950d210f",
|
|
"indicator--584a60f8-94dc-4a12-89e7-4fba950d210f",
|
|
"indicator--584a60f8-3a98-4de1-b38a-42b0950d210f",
|
|
"indicator--584a6119-5538-4879-a2fd-4db0950d210f",
|
|
"observed-data--584e8000-31e4-4d83-a1cd-42f8950d210f",
|
|
"url--584e8000-31e4-4d83-a1cd-42f8950d210f",
|
|
"indicator--584e8077-23fc-4955-951f-4f2102de0b81",
|
|
"indicator--584e8077-cd94-45f7-9b90-4fcd02de0b81",
|
|
"observed-data--584e8078-7028-4fe6-baa2-4c1c02de0b81",
|
|
"url--584e8078-7028-4fe6-baa2-4c1c02de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT",
|
|
"malware_classification:malware-category=\"Ransomware\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584a607b-50a8-46d5-b348-467f950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:42:51.000Z",
|
|
"modified": "2016-12-09T07:42:51.000Z",
|
|
"first_observed": "2016-12-09T07:42:51Z",
|
|
"last_observed": "2016-12-09T07:42:51Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584a607b-50a8-46d5-b348-467f950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584a607b-50a8-46d5-b348-467f950d210f",
|
|
"value": "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--584a608f-74e8-4a52-9211-49be950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:43:11.000Z",
|
|
"modified": "2016-12-09T07:43:11.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victim's a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.\r\n\r\nTo make matters worse, there is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key 4 times, the ransomware will start deleting files.\r\n\r\nIt should be noted, that this ransomware is not related to the Popcorn Time application that downloads and streams copyrighted movies."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584a60f6-ab68-4448-88d6-4d3a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:44:54.000Z",
|
|
"modified": "2016-12-09T07:44:54.000Z",
|
|
"pattern": "[file:name = 'restore_your_files.html']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-09T07:44:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584a60f6-4018-46ce-88f3-4b78950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:44:54.000Z",
|
|
"modified": "2016-12-09T07:44:54.000Z",
|
|
"pattern": "[file:name = 'restore_your_files.txt']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-09T07:44:54Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584a60f7-1514-40df-9d86-4494950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:44:55.000Z",
|
|
"modified": "2016-12-09T07:44:55.000Z",
|
|
"pattern": "[file:name = 'popcorn_time.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-09T07:44:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"filename\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584a60f7-f134-4066-afe2-4bc9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:44:55.000Z",
|
|
"modified": "2016-12-09T07:44:55.000Z",
|
|
"pattern": "[url:value = 'https://3hnuhydu4pd247qb.onion.to']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-09T07:44:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584a60f8-94dc-4a12-89e7-4fba950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:44:56.000Z",
|
|
"modified": "2016-12-09T07:44:56.000Z",
|
|
"pattern": "[url:value = 'http://popcorn-time-free.net']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-09T07:44:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584a60f8-3a98-4de1-b38a-42b0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:44:56.000Z",
|
|
"modified": "2016-12-09T07:44:56.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-09T07:44:56Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584a6119-5538-4879-a2fd-4db0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-09T07:45:29.000Z",
|
|
"modified": "2016-12-09T07:45:29.000Z",
|
|
"pattern": "[windows-registry-key:key = 'HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run' AND windows-registry-key:values.data = '\\\\\"Popcorn_Time\\\\\" [path_to]\\\\popcorn_time.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-09T07:45:29Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Persistence mechanism"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"regkey|value\"",
|
|
"misp:category=\"Persistence mechanism\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584e8000-31e4-4d83-a1cd-42f8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-12T10:46:24.000Z",
|
|
"modified": "2016-12-12T10:46:24.000Z",
|
|
"first_observed": "2016-12-12T10:46:24Z",
|
|
"last_observed": "2016-12-12T10:46:24Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584e8000-31e4-4d83-a1cd-42f8950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584e8000-31e4-4d83-a1cd-42f8950d210f",
|
|
"value": "https://3hnuhydu4pd247qb.onion"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584e8077-23fc-4955-951f-4f2102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-12T10:48:23.000Z",
|
|
"modified": "2016-12-12T10:48:23.000Z",
|
|
"description": "- Xchecked via VT: fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51",
|
|
"pattern": "[file:hashes.SHA1 = 'bf341c440f6e8a3b1eae49fdc480d488a48778a2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-12T10:48:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--584e8077-cd94-45f7-9b90-4fcd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-12T10:48:23.000Z",
|
|
"modified": "2016-12-12T10:48:23.000Z",
|
|
"description": "- Xchecked via VT: fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51",
|
|
"pattern": "[file:hashes.MD5 = 'a0fdaf733314a120d9db7617a586f1b4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-12-12T10:48:23Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--584e8078-7028-4fe6-baa2-4c1c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-12-12T10:48:24.000Z",
|
|
"modified": "2016-12-12T10:48:24.000Z",
|
|
"first_observed": "2016-12-12T10:48:24Z",
|
|
"last_observed": "2016-12-12T10:48:24Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--584e8078-7028-4fe6-baa2-4c1c02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--584e8078-7028-4fe6-baa2-4c1c02de0b81",
|
|
"value": "https://www.virustotal.com/file/fd370e998215667c31ae1ac6ee81223732d7c7e7f44dc9523f2517adffa58d51/analysis/1481283166/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |