Last active
May 12, 2020 19:18
-
-
Save 2xyo/c6b7d2f528e584e42dd81d1e93fa15a0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ stix2_validator xfe-collection_e6d351c8e832b560eb84be0f89079285.json --version 2.0 | |
| ================================================================================ | |
| [-] Results for: xfe-collection_e6d351c8e832b560eb84be0f89079285.json | |
| [X] STIX JSON: Invalid | |
| [!] Warning: bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: {101} Custom property 'custom_objects' should have a type that starts with 'x_' followed by a source unique identifier (like a domain name with dots replaced by hyphen), a hyphen and then the name. | |
| [!] Warning: indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8: {214} labels contains a value not in the indicator-label-ov vocabulary. | |
| [!] Warning: indicator--268ee28f-bfe9-164e-e626-ea46d24687f1: {214} labels contains a value not in the indicator-label-ov vocabulary. | |
| [X] bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: objects[0]: {'id': 'indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8', 'type': 'indicator', 'created': '2020-05-05T13:09:07.912Z', 'modified': '2020-05-05T13:09:07.912Z', 'labels': ['xfe-malware-risk-high'], 'name': 'File hash indicator for sha256 hash ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195', 'description': 'File hash indicator for sha256 hash ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195', 'pattern': "[ file:hashes.'SHA-256' = 'ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195' ]", 'valid_from': '2020-05-05T13:09:07.912Z'} is not a valid indicator object | |
| [X] bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: objects[1]: {'id': 'indicator--268ee28f-bfe9-164e-e626-ea46d24687f1', 'type': 'indicator', 'created': '2020-05-05T13:09:07.865Z', 'modified': '2020-05-05T13:09:07.865Z', 'labels': ['xfe-malware-risk-high'], 'name': 'File hash indicator for sha256 hash 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d', 'description': 'File hash indicator for sha256 hash 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d', 'pattern': "[ file:hashes.'SHA-256' = '774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d' ]", 'valid_from': '2020-05-05T13:09:07.865Z'} is not a valid indicator object | |
| [X] bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: objects[2]: {'type': 'report', 'id': 'report--e6d351c8-e832-b560-eb84-be0f89079285', 'created': '2020-05-06T08:47:30.576Z', 'modified': '2020-05-06T08:47:30.576Z', 'labels': [], 'object_marking_refs': [], 'description': '2020-05-06T06:26:10.103Z', 'object_refs': []} is not a valid report object | |
| [X] indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8: id: 'indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8' does not match the id format ([object-type]--[UUID]) | |
| [X] indicator--268ee28f-bfe9-164e-e626-ea46d24687f1: id: 'indicator--268ee28f-bfe9-164e-e626-ea46d24687f1' does not match the id format ([object-type]--[UUID]) | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: id: 'report--e6d351c8-e832-b560-eb84-be0f89079285' does not match the id format ([object-type]--[UUID]) | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: labels: [] is too short | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: object_marking_refs: [] is too short | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: labels: empty arrays are not allowed | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: object_marking_refs: empty arrays are not allowed | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: object_refs: empty arrays are not allowed | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: labels: [] is too short | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: object_refs: [] is too short | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: 'name' is a required property | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: 'published' is a required property |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ stix2_validator xfe-collection_e6d351c8e832b560eb84be0f89079285.json --version 2.1 | |
| ================================================================================ | |
| [-] Results for: xfe-collection_e6d351c8e832b560eb84be0f89079285.json | |
| [X] STIX JSON: Invalid | |
| [!] Warning: bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: {101} Custom property 'spec_version' should have a type that starts with 'x_' followed by a source unique identifier (like a domain name with dots replaced by hyphen), a hyphen and then the name. | |
| [!] Warning: bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: {101} Custom property 'custom_objects' should have a type that starts with 'x_' followed by a source unique identifier (like a domain name with dots replaced by hyphen), a hyphen and then the name. | |
| [!] Warning: indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8: {103} Given ID value indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8 is not a valid UUIDv4 ID. | |
| [!] Warning: indicator--268ee28f-bfe9-164e-e626-ea46d24687f1: {103} Given ID value indicator--268ee28f-bfe9-164e-e626-ea46d24687f1 is not a valid UUIDv4 ID. | |
| [!] Warning: report--e6d351c8-e832-b560-eb84-be0f89079285: {103} Given ID value report--e6d351c8-e832-b560-eb84-be0f89079285 is not a valid UUIDv4 ID. | |
| [!] Warning: x-xfe-collection--e6d351c8-e832-b560-eb84-be0f89079285: {103} Given ID value x-xfe-collection--e6d351c8-e832-b560-eb84-be0f89079285 is not a valid UUIDv4 ID. | |
| [!] Warning: bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: spec_version mismatch with supplied option. Treating as 2.1 content. | |
| [X] bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: objects[0]: {'id': 'indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8', 'type': 'indicator', 'created': '2020-05-05T13:09:07.912Z', 'modified': '2020-05-05T13:09:07.912Z', 'labels': ['xfe-malware-risk-high'], 'name': 'File hash indicator for sha256 hash ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195', 'description': 'File hash indicator for sha256 hash ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195', 'pattern': "[ file:hashes.'SHA-256' = 'ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195' ]", 'valid_from': '2020-05-05T13:09:07.912Z'} is not a valid indicator object | |
| [X] bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: objects[1]: {'id': 'indicator--268ee28f-bfe9-164e-e626-ea46d24687f1', 'type': 'indicator', 'created': '2020-05-05T13:09:07.865Z', 'modified': '2020-05-05T13:09:07.865Z', 'labels': ['xfe-malware-risk-high'], 'name': 'File hash indicator for sha256 hash 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d', 'description': 'File hash indicator for sha256 hash 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d', 'pattern': "[ file:hashes.'SHA-256' = '774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d' ]", 'valid_from': '2020-05-05T13:09:07.865Z'} is not a valid indicator object | |
| [X] bundle--a38af589-724f-4e03-98fc-99bf7564a9fe: objects[2]: {'type': 'report', 'id': 'report--e6d351c8-e832-b560-eb84-be0f89079285', 'created': '2020-05-06T08:47:30.576Z', 'modified': '2020-05-06T08:47:30.576Z', 'labels': [], 'object_marking_refs': [], 'description': '2020-05-06T06:26:10.103Z', 'object_refs': []} is not a valid report object | |
| [X] indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8: id: 'indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8' does not match the id format ([object-type]--[UUID]) | |
| [X] indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8: 'spec_version' is a required property | |
| [X] indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8: 'pattern_type' is a required property | |
| [X] indicator--268ee28f-bfe9-164e-e626-ea46d24687f1: id: 'indicator--268ee28f-bfe9-164e-e626-ea46d24687f1' does not match the id format ([object-type]--[UUID]) | |
| [X] indicator--268ee28f-bfe9-164e-e626-ea46d24687f1: 'spec_version' is a required property | |
| [X] indicator--268ee28f-bfe9-164e-e626-ea46d24687f1: 'pattern_type' is a required property | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: id: 'report--e6d351c8-e832-b560-eb84-be0f89079285' does not match the id format ([object-type]--[UUID]) | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: labels: [] is too short | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: object_marking_refs: [] is too short | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: labels: empty arrays are not allowed | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: object_marking_refs: empty arrays are not allowed | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: object_refs: empty arrays are not allowed | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: 'spec_version' is a required property | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: object_refs: [] is too short | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: 'name' is a required property | |
| [X] report--e6d351c8-e832-b560-eb84-be0f89079285: 'published' is a required property |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "spec_version": "2.0", | |
| "type": "bundle", | |
| "objects": [ | |
| { | |
| "id": "indicator--00d1e89b-636c-ad69-ad8f-46545b6758b8", | |
| "type": "indicator", | |
| "created": "2020-05-05T13:09:07.912Z", | |
| "modified": "2020-05-05T13:09:07.912Z", | |
| "labels": [ | |
| "xfe-malware-risk-high" | |
| ], | |
| "name": "File hash indicator for sha256 hash ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195", | |
| "description": "File hash indicator for sha256 hash ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195", | |
| "pattern": "[ file:hashes.'SHA-256' = 'ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195' ]", | |
| "valid_from": "2020-05-05T13:09:07.912Z" | |
| }, | |
| { | |
| "id": "indicator--268ee28f-bfe9-164e-e626-ea46d24687f1", | |
| "type": "indicator", | |
| "created": "2020-05-05T13:09:07.865Z", | |
| "modified": "2020-05-05T13:09:07.865Z", | |
| "labels": [ | |
| "xfe-malware-risk-high" | |
| ], | |
| "name": "File hash indicator for sha256 hash 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d", | |
| "description": "File hash indicator for sha256 hash 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d", | |
| "pattern": "[ file:hashes.'SHA-256' = '774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d' ]", | |
| "valid_from": "2020-05-05T13:09:07.865Z" | |
| }, | |
| { | |
| "type": "report", | |
| "id": "report--e6d351c8-e832-b560-eb84-be0f89079285", | |
| "created": "2020-05-06T08:47:30.576Z", | |
| "modified": "2020-05-06T08:47:30.576Z", | |
| "labels": [], | |
| "object_marking_refs": [], | |
| "description": "2020-05-06T06:26:10.103Z", | |
| "object_refs": [] | |
| } | |
| ], | |
| "custom_objects": [ | |
| { | |
| "type": "x-xfe-collection", | |
| "id": "x-xfe-collection--e6d351c8-e832-b560-eb84-be0f89079285", | |
| "collectionTitle": "New Version of REvil Ransomware Brings Changes", | |
| "collectionWikiContent": "Summary\nThe ransomware-as-a-service malware, REvil, has released an updated version of their ransomware, version 2.2. Intel 471 analyzed the changes and provided an in-depth review and specifics of the new features.\nThreat Type\nMalware, Ransomware\nOverview\nThe latest version of REvil ransomware brings about significant changes from the last released version. The report for the previous version can be found here: REvil and RaaS. Version 2.2 boasts a new persistence mechanism that is implemented if the arn configuration field is set to true. If it is, a path is written to the registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. Version 2.1 did not contain this mechanism. Additionally, version 2.2 makes use of the Windows Restart Manager to terminate any services that may lock files identified for encryption. REvil developers implemented strategies used by other ransomware such as SamSam and LockerGoga to perform this operation. Should a file be open when attempting to encrypt it, a sharing violation will occur, triggering the Restart Manager. Also among the changes is a new -silent flag that skips termination of blacklisted processes, services, and shadow copy deletion. It does not, however, impact the Restart Manager functionality. More technical information can be found in the report located within the Reference section below.\nIndicators of Compromise\n ffe7fe45327645a48ca83b7dd4586de22618206001b7a7354d9d285e0308f195 \n 774354fe16764fa513052ff714048858cb315691599a08d13ba56be1c796a16d \nRecommendations\nEnsure anti-virus software and associated files are up to date.\nSearch for existing signs of the indicated IoCs in your environment.\nConsider blocking and or setting up detection for all URL and IP based IoCs.\nKeep applications and operating systems running at the current released patch level.\nExercise caution with attachments and links in emails.\nReference\nhttps://blog.intel471.com/2020/05/04/changes-in-revil-ransomware-version-2-2/ ", | |
| "collectionWikiMarkdown": "2020-05-06T06:26:10.103Z", | |
| "collectionId": "e6d351c8e832b560eb84be0f89079285", | |
| "owner": "", | |
| "tags": [], | |
| "tlp": "", | |
| "created": "2020-05-06T08:47:30.576Z", | |
| "modified": "2020-05-06T08:47:30.576Z" | |
| } | |
| ], | |
| "id": "bundle--a38af589-724f-4e03-98fc-99bf7564a9fe" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment