misp-circl-feed/feeds/circl/stix-2.1/5cd2e198-65ac-4a34-9499-4d17950d210f.json

366 lines
No EOL
16 KiB
JSON

{
"type": "bundle",
"id": "bundle--5cd2e198-65ac-4a34-9499-4d17950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:51:04.000Z",
"modified": "2019-05-13T06:51:04.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5cd2e198-65ac-4a34-9499-4d17950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:51:04.000Z",
"modified": "2019-05-13T06:51:04.000Z",
"name": "OSINT - Sodinokibi ransomware exploits WebLogic Server vulnerability",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5cd2e318-da68-4566-b1ee-4a85950d210f",
"url--5cd2e318-da68-4566-b1ee-4a85950d210f",
"x-misp-attribute--5cd9105e-d090-4402-9abe-1712950d210f",
"indicator--5cd91226-1240-4341-a534-56a6950d210f",
"indicator--5cd91227-2b80-4dd4-a374-56a6950d210f",
"indicator--5cd91227-347c-482c-92d5-56a6950d210f",
"indicator--5cd91227-2c2c-4828-919e-56a6950d210f",
"indicator--5cd9126d-184c-419c-aacc-4db3950d210f",
"indicator--5cd9126e-9e7c-428e-8370-4109950d210f",
"indicator--5cd91190-e1a4-4b13-b0e8-579b950d210f",
"indicator--5cd911ac-d4c4-46f9-9c3f-1713950d210f",
"indicator--5cd911c0-b3e0-4e84-b937-1713950d210f",
"indicator--5cd911f3-2b10-4344-af8b-42c2950d210f",
"indicator--5cd91206-8054-43db-bad1-494c950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"workflow:state=\"incomplete\"",
"malware_classification:malware-category=\"Ransomware\"",
"osint:source-type=\"blog-post\"",
"workflow:todo=\"add-missing-misp-galaxy-cluster-values\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cd2e318-da68-4566-b1ee-4a85950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-08T14:09:28.000Z",
"modified": "2019-05-08T14:09:28.000Z",
"first_observed": "2019-05-08T14:09:28Z",
"last_observed": "2019-05-08T14:09:28Z",
"number_observed": 1,
"object_refs": [
"url--5cd2e318-da68-4566-b1ee-4a85950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cd2e318-da68-4566-b1ee-4a85950d210f",
"value": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5cd9105e-d090-4402-9abe-1712950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:36:14.000Z",
"modified": "2019-05-13T06:36:14.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called \"Sodinokibi.\" Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco's Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd91226-1240-4341-a534-56a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:43:50.000Z",
"modified": "2019-05-13T06:43:50.000Z",
"description": "Distribution URL",
"pattern": "[url:value = 'http://188.166.74.218/office.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:43:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd91227-2b80-4dd4-a374-56a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:43:51.000Z",
"modified": "2019-05-13T06:43:51.000Z",
"description": "Distribution URL",
"pattern": "[url:value = 'http://188.166.74.218/radm.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:43:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd91227-347c-482c-92d5-56a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:43:51.000Z",
"modified": "2019-05-13T06:43:51.000Z",
"description": "Distribution URL",
"pattern": "[url:value = 'http://188.166.74.218/untitled.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:43:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd91227-2c2c-4828-919e-56a6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:43:51.000Z",
"modified": "2019-05-13T06:43:51.000Z",
"description": "Distribution URL",
"pattern": "[url:value = 'http://45.55.211.79/.cache/untitled.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:43:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd9126d-184c-419c-aacc-4db3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:45:01.000Z",
"modified": "2019-05-13T06:45:01.000Z",
"description": "Attacker IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '130.61.54.136']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:45:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd9126e-9e7c-428e-8370-4109950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:45:02.000Z",
"modified": "2019-05-13T06:45:02.000Z",
"description": "Attacker domain",
"pattern": "[domain-name:value = 'decryptor.top']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:45:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd91190-e1a4-4b13-b0e8-579b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:41:20.000Z",
"modified": "2019-05-13T06:41:20.000Z",
"description": "Ransomware sample",
"pattern": "[file:hashes.SHA256 = '0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:41:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd911ac-d4c4-46f9-9c3f-1713950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:41:48.000Z",
"modified": "2019-05-13T06:41:48.000Z",
"description": "Ransomware sample",
"pattern": "[file:hashes.SHA256 = '34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:41:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd911c0-b3e0-4e84-b937-1713950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:42:08.000Z",
"modified": "2019-05-13T06:42:08.000Z",
"description": "Ransomware sample",
"pattern": "[file:hashes.SHA256 = '74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:42:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd911f3-2b10-4344-af8b-42c2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:42:59.000Z",
"modified": "2019-05-13T06:42:59.000Z",
"description": "Ransomware sample",
"pattern": "[file:hashes.SHA256 = '95ac3903127b74f8e4d73d987f5e3736f5bdd909ba756260e187b6bf53fb1a05' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:42:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5cd91206-8054-43db-bad1-494c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2019-05-13T06:43:18.000Z",
"modified": "2019-05-13T06:43:18.000Z",
"description": "Ransomware sample",
"pattern": "[file:hashes.SHA256 = 'fa2bccdb9db2583c2f9ff6a536e824f4311c9a8a9842505a0323f027b8b51451' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2019-05-13T06:43:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}